There is perhaps no term more overhyped, overused, overloaded and misunderstood in infosec and politics today than cybersecurity. Infosec and cybersecurity are often used interchangeably, and a recent tweet thread begun by Chris Wysopal (@WeldPond) convinces me that each time we treat these as the same, we're conflating issues, and that there is considerable value in distinguishing one from the other.
Chris Wysopal begins the thread by lamenting yet another plan to protect critical infrastructure, this time involving the use of secret IPS. He takes issue with the implication that the US can either secure the infrastructure or fix actual security defects, but not both. Chris believes, as I do, that we must protect the infrastructure, but in doing so we must not make the infrastructure brittle.
Why? Because Internet-based infrastructures must always strive to be resilient and adaptive, not brittle. As Chris explained, we want both protection and resiliency, and (implicitly) there's no need to sacrifice the latter for the former.
As the conversation unfolded, I commented that the term protection is as overloaded as cybersecurity. Cybersecurity plans of the sort Chris refers to often create opportunities to implement surveillance, offensive or retaliatory capabilities. This military-minded thinking is pervasive when cybersecurity is mentioned.
While we may need to have national security dialogs of the "we need advanced, persistent surveillance to eliminate the advanced persistent threat" kind, these are fundamentally different from dialogs of the kind "we need to improve how we develop software, how we configure systems, or how we manage mobile devices so that they are resistant to attack". Dialogs of these latter kinds are better discussed in the contexts of national health and wellness than national security.
The dichotomy - security as a military doctrine versus security as health care (wellness and hygiene) - is often blurred to the point of indistinction because the knowledge base, tools, and expertise that we use to fight crime, fight terror, and wage war overlap with those used to improve health. The practices, however, are dissimilar in at least one critically important respect: the former is one element of a broad national security strategy, while the latter seeks to fix actual security defects and is, more accurately, global in scope.
In meatspace, we generally have no problem appreciating that a laser can be used to guide missile systems and that a laser can alternatively be used to perform precise surgery. The notion of prepending cyber to both use cases seems preposterous. Chris Wysopal's example - bioweapon research funded distinctly from vaccine research - similarly illustrates that we are capable of compartmentalizing military from medical research in funding, policy and practice.
Let's do the same with security in cyberspace. Label as infosec those activities that seek to fix actual security defects (i.e., cure, manage or improve health). This would include categories like secure code development, best practices and technology to identify or mitigate suboptimal (vulnerable) configuration, SIEM, identity and data/privacy protection. Label as cybersecurity those activities that are offensive, retaliatory or surveillance (military intelligence).
The United States and other countries are struggling to enact comprehensive cybersecurity legislation. When SOPA, CISPA, and similar legislation are proposed throughout the world, they encounter strong opposition to language that sacrifices or violates (Constitutional) rights in favor of making a nation more secure, in part because politicians are choosing national security at the expense of national (global) health for the cyber world. Honestly, would comprehensive legislation of this kind play out any differently in a meatspace scenario; for example, if legislators were to propose a bill that permitted gun club owners (or bank presidents) to forego subpoenas and share the contents of a member's locker (safe deposit box) "voluntarily"?
Rather than comprehensive legislation, perhaps it's time to consider legislation that is incremental, granular in scope, and that focuses either on matters of national security or on fixing actual security defects. Cybersecurity legislation can tag along with meatspace military legislation. Develop Internet health and wellness legislation, i.e., bills that seek to fix actual security defects, separately. Not only might these encounter less opposition, but such legislation might also have the collateral benefit of protecting critical infrastructures.
In case it is not obvious, the opinions in this post are mine and I've extrapolated or speculated based on Chris Wysopal's tweets.