There are a number of terms currently being used by security practitioners that really annoy me, such as ‘threat vector’ and ‘threat landscape’. The worst among these is ‘cybersecurity’. What a wonderful word. Its real beauty is that it means whatever you want it to. It is now shortened to ‘cyber’, and is used and misused across the world by serious professionals, semi-literate journalists, snake-oil merchants and associated charlatans alike.
Having said this, it has undoubtedly grabbed a lot of attention. Where ‘IT security’ and ‘information security’ failed (pretty spectacularly, to be honest), cybersecurity has fourished. Board members are concerned about ‘cyber’. Governments run scared of cyber-terrorists. Cybercriminals wait everywhere, desperate to desecrate ‘the Grid’ – the basic utilities we all think we need to survive.
Is this real, or is this hype? What has actually changed? The answer is simple. In terms of the basic threats we face, nothing has changed. In terms of risk, the picture is very different.
Let’s start with a bit of deconstruction. What does ‘cyber’ mean? The root of the word has become obscured. The term κυβερν?της (cybernetic) is based on an ancient Greek word that suggests someone is “expert in direction” – a steersman or pilot. It can also mean ‘rudder’. It suggests remote control. It did not mean security, but it does now.
Now I know that words evolve constantly. You can’t decide that once de?ned, a word stays the same in meaning ad infnitum. The word ‘jargon’ used to mean the “chattering of birds” (from the Old French gargun). It doesn’t mean that now, even though the ancient definition can be applied to many of the security talking heads I sometimes have to deal with. Perhaps this is why my initial deep annoyance with the term cyber is beginning to mellow. It may be a total aberration of the original term, but it has generated something – that being a growing awareness of the risks we all face. It may not be down to the word itself, but its increased use coincides with a real change in the way information risks are perceived.
Western society’s reliance on the internet and dependency on connected systems to manage utilities, transport, emergency services, finance, and so on, makes us very vulnerable – very vulnerable indeed. This is the stuff that grabs attention. Not ‘phishing’ attacks on individuals to gain banking system logon details. Such things are, on a global scale, an irritation.
Nor does this include the defacing of websites. Such defacements normally reflect highly emotional social issues (gay marriage, women clergy, animal rights, privacy matters and so forth) rather than life-threatening circumstances. The real deal is ‘life and limb’, and we have now reached a situation wherein truly critical systems are exposed to remote attack.
This situation is exacerbated by the manner in which these systems are closely connected. Disruption to electric power supplies will disrupt most other systems. Compromising the water supply affects everyone. Transport, logistics and food supplies are closely interlinked. In many Western countries, a light dusting of snow can cause basic systems, such as the railway network, to grind to a halt. It’s not difficult to extrapolate and understand how a targeted attack on utilities could cause signifcant collateral damage.
There are a number of subplots to this. We should, for all sorts of reasons, look to use local resources rather than having them brought in from a distance. Shortened supply chains tend to be more resilient and easier to repair than lengthy ones. They also generate less carbon. But we don’t always look to local solutions, and the lack of true operational resilience in Western societies will cause real problems if they are not addressed.
Which brings me back to ‘cyber’. My deep annoyance with the term is not an isolated instance. I’ve spoken to lots of other people (from all walks of life) who feel the same. Jargon and hyped terminology is often, for good reason, treated with skepticism and disdain. This is happening to the word cyber and will continue unless we intercede.
It is essential that we ensure people understand the true scale of the risks we face. People don’t look under the bonnet (or under the hood, if you’re American) except when things go wrong. A glimpse under the bonnet of our interconnected society suggests to me that we need to make sure it is capable of withstanding calculated, targeted, malevolent attacks. A scattergun approach when discussing such risks will reduce the overall effectiveness of our communications. We need to keep the snake-oil merchants at bay while passing on our message.
So, what is our message? What is cyber? Is it IT security? Does cyber enhance or replace information security? Is there an alternative? Suggestions on this are very much welcomed.
We are at a juncture that will, if we manage things well, help set up resilient systems across society. The longer we allow things to drift, and let the charlatans muddy the waters, the less capable our society will be in managing systemic failures when they happen.
Gregor Campbell is an information security consultant working in both the government and private sectors in the UK