Cyber Defense Review

There Is No “Cyber”

By Dr. David Thomson | September 07, 2016

At the recent Joint Service Academy (JSA) Cyber Security Summit at West Point (20-21 April, 2016), the word “cyber” was used in multiple different facets. As a noun, cyberspace is the “Domain characterized by the use of electronics and the electromagnetic spectrum to store, modify, and exchange data…” [COL11]. This is perhaps the broadest definition possible, proposed as the Cyberspace Operations Lexicon by the Joint Chiefs of Staff.

While the ambiguity with the meaning of the proper noun “Cyber” provides a difficult framework to focus meaningful actions, our use of the words “Cyber”, “Digital” and their like as adjectives serves only to create artificial divisions among researchers, practitioners, and decision-makers in the area.

The term “Cyber Security” is of course ubiquitous, being the focus of the JSA Cyber Security Summit and one of the main foci of the Army Cyber Institute (ACI) at West Point; that is unavoidable. Cyber Security can be many things: at the JSA Summit it was identified as the agglomeration of practicing good hardware and software manufacturing and implementation, sourcing trusted components (again, from both a hardware and software side) and providing training and education for workers to avoid naively poking holes in those standards [CON16].

The term operational security (OPSEC) is used to describe our behaviors while conducting the mission. For those whose jobs have security considerations, OPSEC refers to not discussing their work in public places, even in an unclassified way. The phrase “Digital OPSEC” or even “Cyber OPSEC” is frequently used to discuss our behaviors on the internet, such as not connecting to public WiFi, using discretion with location services on our mobile devices and sanitizing our use of social media.

I would argue that adjectivizing “Digital” OPSEC and “Cyber” Security is unwittingly creating a division in the minds and considerations of the non-practitioner.

Criminals will always focus and prey on the naive and meek. “Cyber” criminals are simply criminals with an internet connection. That is to say, “Cyber” criminals are merely modern-world criminals. The novelty of a “Cyber” criminal is:

  • They have a large attack surface with new input vectors,
  • Even if found, they may be geographically located outside of local law enforcement’s reach,

3) They have a whole new pool of the non-“tech-savvy”. Some of the pool are simply behind the times, others are self-identified “troglodytes”.

A brief aside about those “troglodytes”. In conversation, when introducing myself as a mathematician, the usual response is some version of, “I was never good at math”. Sometimes, when my annoyance takes over, I will try to my point across with, “It’s OK, I was never much good at reading, either.” The mathematician in me is highly disdainful of societal acceptance of “innumeracy” [PAU01]. Turning to the cyber world, how often do we hear, “I just don’t get this tech stuff”? In the same way as with innumeracy, this response is more and more unacceptable: in the modern world, having bad habits with this “tech stuff” is becoming akin to illiteracy or innumeracy, and we should grow the same sociopolitical pressures to combat this bad tech hygiene.

On the other side of the coin, we should not succumb to the paranoia inspired by the proper noun “Internet of Things”, whose devices are often adjectivized as “Smart”. Consequences of badly-implemented “Smart” monitoring could provide criminals, in spirit, with even more information to break into our homes. But are our homes truly less safe as a result?

The oft-cited example of the insecurity expounded by the “Internet of Things” is in the use of “Smart” thermostats: we broadcast our behaviors by transmitting our power consumption into the “Cloud”. Classically, a criminal would have to wait outside our homes to see us leave, notice our cars are not in the driveway and see our lights not switch on in the evening. If theft is the concern, however, does “Smart” monitoring really provide different opportunities than previously? Or does it simply change the habits of criminals, who can now observe an insecure home from the comfort of their couch[1] as opposed to on traditional “stake-outs” in a white van parked on the street?

Removing the qualifiers of “Cyber” or “Digital” from many of today’s terms removes the counter-arguments or commonly-given excuses for not observing good hygiene:

– practicing “Digital OPSEC” is simply practicing “OPSEC”

– maintaining good “Cyber Security” principles is simply maintaining good “Security” principles.

– the “Smart Home” or “Smart Monitoring” or “Smart Devices” are simply the “Home”, “Monitoring” and “Devices” and should be treated as such.

As the noun Cyber has become ubiquitous; as a result, using it as an adjective has, in these and many other cases, become obsolete.

 

References

[CON16] C. Connolly (ed.), Proceedings of the Joint Service Academy Cyber Security Summit, Preprint, 2016.

[COL11] Cyberspace operations lexicon, Accessed July 6, 2016 http://www.nsci-va.org/CyberReferenceLib/2010-11-joint%20Terminology%20for%20Cyberspace%20Operations.pdf

[PAU01] J. A. Paulos, Innumeracy: Mathematical Illiteracy and Its Consequences, Holt McDougal, 2001.

[1] I was tempted to write “mothers’ basements” as a dig at criminals, but in the spirit of this blog, I think we must also do away with what are now off-base stereotypes such as this one.