Friday 9 August 2013

Whatʼs in a word? Cyber Security and reality

There are a number of terms currently being used by security practitioners that really annoy me. Threat vector. Threat landscape. The worst is Cybersecurity. What a wonderful word. Its real beauty is that it means whatever you want it to. It is now shortened to ʻcyberʼ - and is used and misused across the world by serious professionals, semi-literate journalists, snake-oil merchants and associated charlatans alike.

Having said this, it has undoubtedly grabbed a lot of attention. Where IT Security and Information Security failed (pretty spectacularly to be honest) - Cybersecurity has flourished. Board members are concerned about ʻcyberʼ. Governments run scared of ʻcyberterroristsʼ. ʻCybercriminalsʼ wait everywhere, desperate to desecrate ʻthe Gridʼ - the basic utilities we all think we need to survive.

Is this real, or is this hype? What has actually changed? The answer is simple. In terms of the basic threats we face, nothing has changed. In terms of risk, the picture is very different.

Letʼs start with a bit of deconstruction. What does ʻcyberʼ mean? The root of the word has become obscured. The term ʻcyberneticʼ is based on the ancient Greek word κυβερνήτης, which suggests someone who is ʻexpert in directionʼ - a steersman or pilot. It can also mean ʻrudderʼ. It suggests remote control. It did not mean security. It does now.

Now I know that words evolve constantly. You canʼt decide that once defined, a word stays the same in meaning ad infinitum. The word ʻjargonʼ used to mean the “chattering of birds” (from the Old French gargun). It doesnʼt mean that now, even though the ancient definition can be applied to many of the self-aggrandizing security talking heads I sometimes have to deal with. Perhaps this is why my initial deep annoyance with the term ʻcyberʼ is beginning to mellow. It may be a total aberration of the original term, but it has generated something - that being a growing awareness of the risks we all face. It may not be down to the word itself, but its increased use coincides with a real change in the way information risks are perceived.

Western societyʼs reliance on the Internet and dependency on connected systems to manage power, water, traffic, financial services, mineral prospecting, food transport logistics, medical procedures, emergency response services etc etc - make us very vulnerable. Very vulnerable indeed. This is the stuff that grabs attention. Not ʻphishingʼ attacks on individuals to gain banking system logon details. Such things are, on a global scale, an irritation. Nor the defacing of websites. Such defacements normally reflect highly emotional social issues (gay marriage, women clergy, animal rights, privacy matters and so forth) rather than life-threatening circumstances. The real deal is ʻlife and limbʼ, and we have now reached a situation wherein truly critical systems are exposed to remote attack.

This situation is exacerbated by the manner in which these systems are closely connected. Disruption to electric power supplies will disrupt most other systems. Compromising the water supply affects everyone - deeply. Transport, logistics and food supply are closely interlinked. In many western countries, a light dusting of snow can cause basic systems, such as the railway network, to grind to a halt. Itʼs not difficult to extrapolate this and understand how a targeted attack on utilities could cause significant collateral damage.

There are a number of subplots to this. We should, for all sorts of reasons, look to use local resources rather than having them brought in from distance. Shortened supply chains tend to be more resilient, and easier to repair than lengthy ones. They also generate less carbon. But we donʼt always look to local solutions, and the lack of true operational resilience in western societies will cause real problems if it is not addressed.

Which brings me back to ʻcyberʼ. My deep annoyance at the term is not an isolated instance. Iʼve spoken to lots of other people (from all walks of life) who feel the same. Jargon and hyped terminology are often, for good reason, treated with skepticism and disdain. This is happening to the word ʻcyberʼ and will continue to happen unless we intercede. It is essential that we ensure people understand the true scale of the risks we face. People donʼt look under the bonnet (or under the hood if youʼre American) except when things go wrong. A glimpse under the bonnet of our interconnected society suggests to me that we need to make sure it is capable of withstanding calculated, targeted, malevolent attacks. A scattergun approach when discussing such risks will reduce the overall effectiveness of our communications. We need to keep the snake-oil merchants at bay whilst passing on our message.

So - what is our message? What is ʻcyberʼ? Is it ʻIT Securityʼ? Does ʻcyberʼ enhance or replace ʻInformation Securityʼ? Is there an alternative? Suggestions on this are very welcome! We are at a juncture that will, if we manage things well, help set up resilient systems across society. The longer we allow things to drift, and let the charlatans muddy the waters, the less capable our society will be to manage systemic failures when they happen.
