1. Introduction
1.1 Semantics often get in the way of common understanding, and the impact of semantic confusion can be severe when the subject under consideration is critical to business. ‘Cybersecurity’ has been used to mean a wide variety of things in recent times; there is even a dichotomy in the term itself, since it is also written as ‘Cyber Security’ (I have adopted Cybersecurity over Cyber Security for reasons explained in section 4 of this document). Whatever the interpretation, all concerned agree that Cybersecurity matters pose significant risks to Governments, to industry sectors and to the general public. An entire industry has sprung up to meet the perceived need for managing these risks and is valued at over $160 Billion [1]. There is also consensus that Cybersecurity is closely related to the domain of Information Security [2]. Hence, professionals working in Information Security need to develop a good understanding of it to fulfil their mandates.
1.2 Being a practising Information Security professional, I have faced the same challenges and tried to develop a clear firsthand understanding of Cybersecurity. Through this paper, I have attempted to capture a brief summary of that understanding.
2. Origins of ‘Cyber’
2.1 The word ‘Cyber’ has Greek roots (kybernetes, a steersman) roughly meaning one who guides a boat, such as a pilot or helmsman. Plato adapted the word to mean something like ‘governance’ and associated it with Government control, as Governments steer society. In the twentieth century, the American mathematician and philosopher Norbert Wiener foresaw the rise of sophisticated machines that would need intelligent control of their actions. Wiener coined the word ‘cybernetics’, borrowing from the same Greek root, for the study of control and communication in machines and living beings, and indicated that such controllers would be difficult to design and build. Wiener thus retained the connection between technological control and governance. Speculative fiction novelist William Gibson foresaw the ‘space’ of virtual interactions and popularized the term ‘Cyberspace’ for it in his 1984 novel ‘Neuromancer’, borrowing ‘Cyber’ from Wiener. Many adopters of the early Internet were fans of Gibson’s work, so cyberspace became the standard name for the place you went when you were on the Internet. Gibson’s usage, however, reversed the governance connotation of the word cyber, as the Internet is inherently not amenable to central control.
2.2 Meanwhile, security experts had already settled on the term ‘Information Security’ to mean the securing of information and digital systems, and it was considered synonymous with ‘Computer Security’ and ‘Network Security’. The British Standards Institution (BSI) published the first standard around Information Security, BS 7799 [3], in 1995; it was later adopted into the global standards from the International Organization for Standardization (ISO), namely the ISO/IEC 27000 family. The current Information Security standards are ISO/IEC 27001 and 27002 [4], revised in 2013.
2.3 It is interesting how ‘Cybersecurity’ gained mindshare when we already had the useful term ‘Information Security’ for the same thing. There is no clear research establishing this, but it is attributable to a combination of military influence, marketing hype and societal acceptance. As digital technology became vital for business and Governments, militaries started preparing to defend national interests in this area. Since conventional military thinking revolves around the defence and attack of some kind of space (terrain, airspace and so on), cyberspace became a handy reference for the digital domain. Hence, securing cyberspace became cybersecurity; and besides a lot of defensive measures, it came with some offensive measures as well. The term ‘Cyber’ has found easier acceptance with the media and, through it, with wider society. While Information Security sounded formal and demanded a deeper understanding of technology, Cybersecurity connected well with science fiction and popular imagination, and struck a chord with business leaders and industry experts in an increasingly digital global commerce. No surprise, then, that the accepted semantics quickly overflowed into other areas: cyber criminals, cyber attacks, cyber war, cyber defence, cyber diplomacy and so on.
2.4 Interestingly, with leading global Governments increasing their Cybersecurity capabilities, designed to exert control and exercise governance over Cyberspace, we have come full circle as regards the meaning of ‘Cyber’: back to Wiener’s vision of technocratic control and Plato’s vision of Government control.
3. Searching for a reliable definition of ‘Cybersecurity’
3.1 Having understood the origin of the term, it is essential to understand the term itself. There are quite a few close variations in the meaning and scope of Cybersecurity, and there are some outliers. I have summarized them in the succeeding paragraphs and, at the end, provided recommendations that Information Security professionals may like to consider.
3.2 Dictionary Meaning: A prominent online dictionary defines it as ‘measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack’ [5].
3.3 General understanding in Computer Security communities: Security has always lagged behind functionality in the world of computing. This has been an oft-repeated sequence at every stage of the Information Technology revolution, be it mainframes, PCs, the Internet, cloud, mobile, social media or cyber. However, the time lag between the two has been narrowing with each stage of technological advancement. Computer Security [6] or IT Security has come to be known as a discipline applied to computing devices such as computers and smartphones, as well as to computer networks such as private and public networks and the Internet. It includes ‘all processes and tools by which digital equipment, the information they contain and services provided using them are protected from unintended or unauthorized access, change or destruction’. Computer Security has grown in importance due to the increasing reliance on computer systems in most societies. It includes physical security to prevent theft of equipment and information security to protect the data on that equipment. In recent times, ‘Cybersecurity’ is often used synonymously with Computer Security.
3.4 Views from Technology Media: A few leading technology publishers have tried to define Cybersecurity:
3.4.1 TechTarget: ‘The body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. In a computing context, the term security implies Cybersecurity.’ [7]
3.4.2 Techopedia: ‘Preventative methods to protect information from being stolen, compromised or attacked in some other way. It requires an understanding of potential information threats, such as viruses and other malicious code.’[8]
3.4 Definition by Industry Bodies: The International Telecommunication Union (ITU) defines Cybersecurity [9] as ‘the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets.’ Organization and user’s assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyber environment. Cybersecurity strives to ensure the attainment and maintenance of the security properties of the organization and user’s assets against relevant security risks in the cyber environment.
3.5 Definition by Government: NIST defines [10] Cyberspace as a global domain within the information environment consisting of the interdependent network of information systems infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers. A cyber attack is defined as an attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information. Consequently, Cybersecurity is defined as ‘the ability to protect or defend the use of cyberspace from cyber attacks.’
3.6 Definition by Research Firms: In June 2013, Gartner acknowledged that there is confusion in the market over how the term should be used, and published a research paper defining ‘Cybersecurity’ [11].
3.6.1 Analysts Andrew Walls, Earl Perkins and Juergen Weiss wrote that “use of the term ‘Cybersecurity’ as a synonym for information security or IT security confuses customers and security practitioners, and obscures critical differences between these disciplines.” To help set the record straight, the team defined the term: ‘Cybersecurity encompasses a broad range of practices, tools and concepts related closely to those of information and operational technology security. Cybersecurity is distinctive in its inclusion of the offensive use of information technology to attack adversaries.’
3.6.2 The paper clarified that ‘Cybersecurity is a superset of the practices embodied in IT security, information security, Operational Technology (OT) security and offensive security’ and provided an illustration to underline this.
3.6.3 Gartner advised: ‘Security leaders should use the term ‘Cybersecurity’ to designate only security practices related to the combination of offensive and defensive actions involving or relying upon information technology and/or operational technology environments and systems.’
3.7 Recommendations: The Gartner definition encompasses in spirit all the preceding definitions suggested by industry bodies, professional organizations and Government. It also clearly outlines the components of Cybersecurity and sets them in context with an illustration. However, it underlines an offensive element which may not apply to entities other than Government organizations with specific authorized mandates. Moreover, employing such measures would be unlawful in most democratic jurisdictions. So, for the understanding and implementation of Cybersecurity measures at an enterprise or entity level other than such Government organizations, the Gartner model is very suitable, but it needs to be applied minus the offensive security measures. This does not alter the definition of Cybersecurity as such; rather, it limits the applicability or scope of Cybersecurity for enterprises.
4. Is it Cybersecurity or Cyber Security?
4.1 In addition to the multiple definitions of Cybersecurity, we also need to consider the different ways of writing the term itself: ‘Cybersecurity’ or ‘Cyber Security’ [12]. Both forms are seeing more and more mixed usage lately. There is no recognized authority on the subject per se, but we could take guidance from the Associated Press, which still sets the standard for news copy style and says it is one word, Cybersecurity: ‘Cyberspace is a term popularized by William Gibson in the novel "Neuromancer" to refer to the digital world of computer networks. It has spawned numerous words with cyber- prefixes, but try to avoid most of these coinages. When the combining form is used, follow the general rule for prefixes and do not use a hyphen: cyberattack, cyberbullying, cybercafe, Cybersecurity.’ There are some exceptions to the prefix rule, specifically around proper nouns, such as ‘US Cyber Command.’ Besides the Associated Press, most of the credible sources quoted in section 3 above use the single-word form.
5. Staying clear of the hype around Cybersecurity
5.1 There are a few in the research community who have held out against painting everything cyber, although their ranks are thinning due to the growing global acceptance of the term by Governments, industries and even the general public. Gartner VP and distinguished analyst John Girard urges enterprises to ignore the hype around Cybersecurity spending and look at the areas of their business that need protection [13]. He adds that a lot of the activities labelled Cybersecurity are not only not new but could also be dangerous practices that should not be followed. Girard suggests that executives need to question the use of Cybersecurity budgets before making decisions on the subject, since, according to him, a lot of security vendors and practices in Cybersecurity tend to work the same way.
5.2 Girard recommends that enterprises spend on core operational and procedural security rather than investing heavily in zero-day vulnerabilities and country watching, and sinking huge budgets into dealing with advanced threats. He advised enterprises to concentrate on core infrastructure security, application security and security processes.
6. Conclusion
6.1 I echo Girard’s sentiments: Security Management is a function that carries expectations of very high trust, and such hype belies that trust. I can see a connection between the hype and the offensive element in the definition of Cybersecurity. Thus, by discarding the offensive element from the definition of Cybersecurity, enterprises can avoid the associated hype as well.
6.2 Something is common to all enterprises: the need to understand their business, document their critical information infrastructure, and deploy multi-layered protection measures that provide a tiered set of preventive, detective and corrective controls, which together define their Information Security and OT Security framework. While doing so, a risk-based approach is an absolute must, where residual risks, the risk mitigation road map and the risk appetite are clearly understood by security leadership and articulated to executive leadership. There is no room for hype while developing this understanding, making recommendations for risk mitigation, and taking executive decisions.
6.3 Offensive measures are out of scope for enterprises, being violations of law. However, enterprises in some critical sectors may need to establish tight partnerships with suitable Government establishments to report cyberattacks, and the concerned Government establishment may have the mandate for retaliatory or offensive measures.
References: