What Is Cybersecurity?
- Everyone Knows What "Cybersecurity" Means
- We Can Measure How Secure Our Systems Are
- The Primary Goal of Cybersecurity Is Security
- Cybersecurity Is About Obvious Risks
- Sharing More Cyber Threat Intel Will Make Things Better
- What Matters to You Matters to Everyone Else
- Product X Will Make You Secure
- Macs Are Safer Than PCs, Linux Is Safer Than Windows
- Open Source Software Is More Secure Than Closed Source Software
- Technology X Will Make You Secure
- Process X Will Make You Secure
- Faerie Dust Can Make Old Ideas Magically Revolutionary
- Passwords Should Be Changed Often
- Believe and Fear Every Hacking Demo You See
- Cyber Offense Is Easier Than Defense
- Operational Technology (OT) Is Not Vulnerable
- Breaking Systems Is the Best Way to Establish Yourself
- Because You Can, You Should
- Better Security Means Worse Privacy
- Further Reading
A ship in harbor is safe, but that is not what ships are built for.
John A. Shedd
If you are reading this book, you are likely interested in cybersecurity. We present several ideas and lessons in this work that address more general topics in computing (and elsewhere). Still, the primary application area is cybersecurity. Whether you are a student, a practitioner, an executive, a regulator, or a criminal (tsk-tsk, unless you paid for a copy of this book, in which case simply tsk), the material we present has a bearing on what you do.
In this chapter, we will explore why the broad concept of cybersecurity is rife with misconceptions, why the term is not well defined, and why we do not have any reasonable way to measure it.
Everyone Knows What “Cybersecurity” Means
In a book about myths in cybersecurity, there is no better place to start than with definitions. Sometimes this seems silly and trivial. Doesn’t everyone know the definition of cybersecurity?
It might surprise you that even experts disagree about the meaning of “secure.” The most salient reason is that there is no commonly accepted, precise definition of what cybersecurity is! For an area of such intense concern, and with nearly six decades of study, that seems inconceivable, but it’s true!
Let’s start with the term itself—cybersecurity. What does that mean? The immediate answer is “security of… cyber.” We see many people throw around the prefix “cyber” to describe computing and networks, as well as “cyberspace,” “cyberpunk,” and “cyber crime.” To start with, what the heck does “cyber” mean, exactly?
Most references we can find credit the mathematician Norbert Wiener for coining the term “cybernetics” in 1948 to describe the study of communications and control. “Cyber” in this context was likely derived from the Greek kybernetes meaning, roughly, to guide or govern. In 1982, William Gibson came up with the term “cyberspace” to refer to the virtual space of networks and computers experienced online. Before that use in science fiction, there was no cyber-X being bandied about to describe security or things online.
In the span 1960–1990, people mostly talked about “computer security,” “communications security,” “information security,” “network security,” and “data security.” Those terms were fairly compact and descriptive, except when a more comprehensive view of things was needed. Then it became “computer and network and data security,” which seems a tad unwieldy. Not only is that a lot to type every time someone wants to refer to the field, but it also does not have a good acronym as an alternative.
Perhaps that is why, in the late 1980s, when a U.S. Senate Committee held some hearings on the security of government systems, a staffer allegedly came up with the “cybersecurity” shorthand. This perhaps seemed exotic to the Senators, and maybe that is why it caught on—much to the dismay of many professionals who were working in the field at the time (and many since then).1 That term found its way into some of the reporting and was picked up by the trade press. The term “cyber” is not that exact, and it is easy to lose sight of it meaning the data, processes, people, and policies in addition to the computers and networks. The novelty might be why it caught on, especially among marketing staff who wanted to gain customer attention. (In Chapter 8 we discuss why terminology is important.)
OK, so we kind of know what “cyber” means—computers, networks, data, communications, and let’s be sure to include security of robotics, sensors and control systems, and AI2 as well.
What does “security” mean in this context? First, security and its derivatives can be both a verb and an adjective: we take actions to secure (verb) a system to help the system be secure (adjective). Here again, we run into issues as there is no formal definition with which everyone agrees. For instance, the online Longman dictionary3 defines cybersecurity as “things that are done to protect computer information and systems from crime.” That omits issues of controlling access, detecting non-criminal misuse, and incident response, as well as protecting networks.
The National Institute of Standards and Technology (NIST) defines cybersecurity in a much more expansive fashion: “Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and non-repudiation.”4 This is the same definition used in U.S. Department of Defense Policy 8500.1, although not all other U.S. Federal agencies use this definition. NIST uses at least three other definitions in their documents, further muddling the exact meaning. Here are some other definitions of security we have run across:
- “A system condition in which system resources are free from unauthorized access and unauthorized or accidental change, destruction, or loss. (Compare: safety.)”5
- “The process of protecting information by preventing, detecting, and responding to attacks.”6
- “Protection of Internet-connected systems such as hardware, software, and data from cyberthreats.”7
- “Technology, services, strategies, practices, policies designed to secure people, data and infrastructure from a wide range of cyber attacks.”8
A more succinct definition was put forth by Rob Joyce of the National Security Agency (NSA) in 2019: “Cybersecurity is everything that results in protecting information and underlying technology from theft, manipulation, and disruption.” That leaves a lot of things open to interpretation; however, it is closer to what most people think about when they think of cybersecurity. Even farther along that road is the 1990 definition from Garfinkel and Spafford9: “A computer is secure if you can depend on it and its software to behave as expected.”
Why is the definition important? In part, it is to be certain we are talking about the same concepts. It is also essential in defining metrics that allow us to gauge how effective some controls might be, compare them with each other, and judge the cost-effectiveness of those controls.
In summary, we do not have an agreed-upon definition. As a result, everything else is somewhat imprecise.