
Monday, March 30, 2015

Developing a common understanding of Cybersecurity

1.      Introduction
1.1       Semantics often get in the way of common understanding, and the impact of semantic confusion can be extreme when the subject under consideration is critical to business. ‘Cybersecurity’ has been used to mean a wide variety of things in recent times; there is even a dichotomy in the term itself – it is also written as ‘Cyber Security’ (I have adopted Cybersecurity over Cyber Security for reasons explained in section 4 of this document). Whatever the interpretation, all concerned agree that Cybersecurity matters pose significant risks to Governments, to industry sectors and to the general public. An entire industry has sprung up to meet the perceived need around managing these risks and is valued at over $160 billion [1]. There is also consensus that Cybersecurity is closely related to the domain of Information Security [2]. Hence, professionals working in the domain of Information Security need to develop a good understanding of it in order to fulfil their mandates.
1.2       Being a practicing Information Security professional, I have faced the same challenges myself and tried to develop a clear firsthand understanding of Cybersecurity. Through this paper, I have made an attempt to capture a brief summary of the same.

2.      Origins of ‘Cyber’
2.1       The word ‘Cyber’ has Greek roots roughly meaning one who guides a boat, such as a pilot or rudder operator. Plato adapted this word to mean something like ‘governance’ and associated it with Government control, as Governments steer society. In the twentieth century, American mathematician and philosopher Norbert Wiener foresaw the rise of sophisticated robots which would need artificial intelligence to control their actions. Wiener coined the word ‘cybernetics’, borrowing from the Greek roots, to mean such intelligent controllers, and indicated that they would be difficult to design and build. So Wiener retained the connection between technological control and governance. Speculative fiction novelist William Gibson foresaw the ‘space’ of virtual interactions in his 1984 novel ‘Neuromancer’ and named it ‘Cyberspace’, borrowing ‘Cyber’ from Wiener. Many adopters of the early Internet were fans of Gibson’s work, so cyberspace became a standard name for the place you went when you were on the Internet. Gibson’s usage, however, reversed the sense of governance in the word cyber, as the Internet is inherently not amenable to central control systems.
2.2       Meanwhile, security experts had already settled on the term ‘Information Security’ to mean the securing of information and digital systems, and it was considered synonymous with ‘Computer Security’ and ‘Network Security’. The British Standards Institute (BSI) published the first set of standards around Information Security, namely BS 7799 [3], in 1995; these were later incorporated into the global standards from the International Organization for Standardization (ISO), namely the ISO 27000 series. The current Information Security standards are ISO/IEC 27001-2 [4], updated in 2013.
2.3       It is interesting how ‘Cybersecurity’ got mindshare when we already had another useful term, ‘Information Security’, for the same thing. There is no clear research establishing this, but it is attributable to a combination of military influence, marketing hype and societal acceptance. As digital technology became vital for business and Governments, the military started preparing to defend national interests in this area. Since conventional military thinking revolves around the defense and attack of some kind of space – terrain, aerospace etc. – cyberspace became a handy reference to the digital domain. Hence, securing cyberspace became cybersecurity; and besides a lot of defensive measures, it came with some offensive measures as well. The term Cyber has found easier acceptance with the media and, through it, with wider society. While Information Security sounded formal and demanded a deeper understanding of technology aspects, Cybersecurity connected well with science fiction and popular imagination, and it struck a chord with business leaders and industry experts in the increasingly digital global commerce. No surprise, then, that the accepted semantics were quick to overflow into other areas – cyber criminals, cyber attacks, cyber war, cyber defence, cyber diplomacy etc.
2.4       Interestingly, with leading global Governments increasing their Cybersecurity capabilities, designed to exert control and exercise governance over Cyberspace, we have come full circle as regards the meaning of ‘Cyber’: back to Wiener’s vision of technocratic control, and Plato’s vision of Government control.

3.      Searching for a reliable definition of ‘Cybersecurity’
3.1       Having understood the origin of the term, it is essential to get an understanding of the term itself. There are quite a few close variations in the meaning and scope of Cybersecurity, and there are some outliers. I have summarized them in the succeeding paragraphs and at the end provided recommendations that Information Security professionals may like to consider.
3.2       Dictionary Meaning: A prominent online dictionary defines it as ‘measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack’ [5].
3.3       General understanding in Computer Security communities: Security aspects have always lagged behind functionality in the world of computing. This has been an oft-repeated sequence at all stages of the Information Technology revolution – be it mainframes, PCs, Internet, cloud, mobile, social media or cyber. However, the time lag between the two has been narrowing with each stage of technology advancement. Computer Security [6] or IT Security has come to be known as a discipline applied to computing devices such as computers and smartphones, as well as computer networks such as private and public networks and the Internet. It includes ‘all processes and tools by which digital equipment, the information they contain and services provided using them are protected from unintended or unauthorized access, change or destruction’. Computer Security has grown in importance due to the increasing reliance on computer systems in most societies. It includes physical security to prevent theft of equipment and information security to protect the data on that equipment. In recent times, ‘Cybersecurity’ is often used synonymously with Computer Security.
3.4       Views from Technology Media: A few leading technology publishers have tried to define Cybersecurity:
3.4.1 Tech Target: ‘The body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. In a computing context, the term security implies Cybersecurity.’ [7]
3.4.2 Techopedia: ‘Preventative methods to protect information from being stolen, compromised or attacked in some other way. It requires an understanding of potential information threats, such as viruses and other malicious code.’
3.5       Definition by Industry Sectors: The International Telecommunication Union (ITU) defines Cybersecurity [9] as ‘the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets.’ Organization and user’s assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyber environment. Cybersecurity strives to ensure the attainment and maintenance of the security properties of the organization and user’s assets against relevant security risks in the cyber environment.
3.6       Definition by Government: NIST defines [10] Cyberspace as a global domain within the information environment consisting of the interdependent network of information systems infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers. A cyber attack is defined as an attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information. Consequently, Cybersecurity is defined as ‘the ability to protect or defend the use of cyberspace from cyber attacks.’
3.7       Definition by Research Firms: In June 2013, Gartner acknowledged that there is confusion in the market over how the term should be used, and published a research paper defining ‘Cybersecurity’ [11].
3.7.1 Analysts Andrew Walls, Earl Perkins and Juergen Weiss wrote that “use of the term ‘Cybersecurity’ as a synonym for information security or IT security confuses customers and security practitioners, and obscures critical differences between these disciplines.” To help set the record straight, the team defined the term: ‘Cybersecurity encompasses a broad range of practices, tools and concepts related closely to those of information and operational technology security. Cybersecurity is distinctive in its inclusion of the offensive use of information technology to attack adversaries.’
3.7.2 The paper clarified that ‘Cybersecurity is a superset of the practices embodied in IT security, information security, Operational Technology (OT) security and offensive security’ and provided an illustration to underline this.

3.7.3 Gartner advised: ‘Security leaders should use the term ‘Cybersecurity’ to designate only security practices related to the combination of offensive and defensive actions involving or relying upon information technology and/or operational technology environments and systems.’

3.8       Recommendations: The Gartner definition encompasses in spirit all the preceding definitions suggested by industry bodies, professional organizations and Government. It also clearly outlines the components of Cybersecurity and sets them in context with an illustration. However, it underlines an offensive element which may not apply to entities other than Government organizations with specific authorized mandates. Moreover, employment of such measures would amount to an infringement of law in most parts of the democratic world. So, for the understanding and implementation of Cybersecurity measures at an enterprise or entity level other than such Government organizations, the Gartner model is very suitable; however, it needs to be applied minus the offensive security measures. This does not alter the definition of Cybersecurity as such; rather, it limits the applicability or scope of Cybersecurity for enterprises.
4.      Is it Cybersecurity or Cyber Security?
4.1       In addition to the multiple definitions of Cybersecurity, we also need to consider the different ways of writing the term itself – ‘Cybersecurity’ or ‘Cyber Security’ [12]. These forms are seeing more and more mixed usage lately. There isn't any recognized authority on the subject per se, but we could take guidance from the Associated Press, which still holds the throne when it comes to news copy style and says it is one word – Cybersecurity: ‘Cyberspace is a term popularized by William Gibson in the novel "Neuromancer" to refer to the digital world of computer networks. It has spawned numerous words with cyber- prefixes, but try to avoid most of these coinages. When the combining form is used, follow the general rule for prefixes and do not use a hyphen: cyberattack, cyberbullying, cybercafe, Cybersecurity.’ There are some exceptions to the prefix rule, specifically around proper nouns, such as ‘US Cyber Command.’ Besides the Associated Press, most of the credible sources quoted in section 3 above use the single-word form.

5.      Staying clear of the hype around Cybersecurity
5.1       There are a few in the research community who have held out against painting everything cyber, although their ranks are thinning due to the growing global acceptance of the term by Governments, industries and even the public in general. Gartner VP and distinguished analyst John Girard urges enterprises to ignore the hype around cyber security spending and look at the areas of their business that need protection [13]. He adds that a lot of the activities labelled cyber security are not only not new, but could also be dangerous practices that should not be followed. Girard suggests that executives need to question the use of Cybersecurity budgets before making decisions on the subject, as according to him a lot of security vendors and practices in cyber security tend to work the same way.
5.2       Girard recommends that enterprises should spend on core operational and procedural security rather than investing lots of money in zero-day vulnerabilities and country watching, and sinking huge budgets into dealing with advanced threats. He advises enterprises to concentrate on core infrastructure security, application security and security processes.
6.      Conclusion
6.1       I echo Girard’s sentiments, as Security Management is a function that carries expectations of very high trust, and such hype undermines that trust. I can see a connection between the hype and the offensive element in the definition of Cybersecurity. Thus, by discarding the offensive element from the definition of Cybersecurity, enterprises can avoid the associated hype as well.
6.2       Something is common to all enterprises – the need to understand their business, document their critical information infrastructure, and deploy multi-layered protection measures to provide a tiered set of preventive, detective and corrective controls which define their Information Security and OT Security framework. While doing so, a risk-based approach is an absolute must, where residual risks, the risk-mitigation road map and the risk appetite should be clearly understood by security leadership and articulated to executive leadership. There is no room for hype while developing this understanding, making recommendations for risk mitigation, and taking executive decisions.
6.3       Offensive measures are out of scope for enterprises, being violations of law. However, enterprises in some critical sectors may need to establish tight partnerships with suitable Government establishments to report cyberattacks, and the concerned Government establishment may have the mandate for retaliatory or offensive measures.
