There is perhaps no term more overhyped, overused, overloaded and misunderstood in infosec and politics today than cybersecurity. Infosec and cybersecurity are often used interchangeably, and a recent tweet thread begun by Chris Wysopal (@WeldPond) convinces me that each time we treat these as the same, we're conflating issues, and that there is considerable value in distinguishing one from the other.
In the thread, Chris Wysopal begins by lamenting yet another plan to protect critical infrastructure, this time involving the use of a secret IPS. He takes issue with the implication that the US can either secure the infrastructure or fix actual security defects, but not both. Chris believes, as I do, that we must protect the infrastructure, but in doing so we must not make the infrastructure brittle.
Why? Because Internet-based infrastructures must always strive to be resilient and adaptive, not brittle. As Chris explained, we want both protection and resiliency, and (implicitly) there's no need to sacrifice the latter for the former.
As the conversation unfolded, I commented that the term protection is as overloaded as cybersecurity. Cybersecurity plans of the sort Chris refers to often create opportunities to implement surveillance, offensive or retaliatory capabilities. This military-minded thinking is pervasive when cybersecurity is mentioned.
While we may need to have national security dialogs of the "we need advanced, persistent surveillance to eliminate the advanced persistent threat" kind, these are fundamentally different from dialogs of the kind "we need to improve how we develop software, how we configure systems, or how we manage mobile devices so that they are resistant to attack". Dialogs of these latter kinds are better discussed in the contexts of national health and wellness than national security.
The dichotomy - security as a military doctrine versus security as health care (wellness and hygiene) - is often blurred to indistinction because the knowledge base, tools, and expertise that we use to fight crime, fight terror, and wage war overlap with those used to improve health. The practices, however, are dissimilar in at least one critically important respect: the former is one element of a broad national security strategy, while the latter seeks to fix actual security defects and is, more accurately, global in scope.
In meatspace, we generally have no problem appreciating that a laser can be used to guide missile systems and that a laser can alternatively be used to perform precise surgery. The notion of prepending cyber to both use cases seems preposterous. Chris Wysopal's example - bioweapon research funded distinctly from vaccine research - similarly illustrates that we are capable of compartmentalizing military from medical research in funding, policy and practice.
Let's do the same with security in cyberspace. Label as infosec those activities that seek to fix actual security defects (i.e., cure, manage or improve health). This would include categories like secure code development, best practices and technology to identify or mitigate suboptimal (vulnerable) configuration, SIEM, identity, and data/privacy protection. Label as cybersecurity those activities that are offensive, retaliatory or surveillance (military intelligence).
The United States and other countries are struggling to enact comprehensive cybersecurity legislation. When SOPA, CISPA, and similar legislation are proposed throughout the world, they encounter strong opposition to language that sacrifices or violates (Constitutional) rights in favor of making a nation more secure, in part because politicians are choosing national security at the expense of national (global) health for the cyber world. Honestly, would comprehensive legislation of this kind play out any differently in a meatspace scenario; for example, if legislators were to propose a bill that permitted gun club owners (or bank presidents) to forego subpoenas and share the contents of a member's locker (safe deposit box) "voluntarily"?
Rather than comprehensive legislation, perhaps it's time to consider legislation that is incremental, granular in scope, and that focuses either on matters of national security or on fixing actual security defects. Cybersecurity legislation can tag along with meatspace military legislation. Develop Internet health and wellness legislation, i.e., bills that seek to fix actual security defects, separately. Not only might these encounter less opposition, but such legislation might also have the collateral benefit of protecting critical infrastructures.
In case it is not obvious, the opinions in this post are mine and I've extrapolated or speculated based on Chris Wysopal's tweets.
We are not that far from agreement. If I read your comment correctly, we both distinguish cybersecurity and infosec protective measures similarly. I view infosec as then diverging towards wellness and preventative measures (nearly exclusively, because I think that the outcome of dedicated action in this direction reduces anticrime, counterterrorism).
I don't see cybersecurity as really being about controlling infrastructure as much as it is about political control or influence. Infosec IMO can't protect data if it can't control/protect infrastructure: I think of universal adoption of mitigation measures like BCP 38, BCP 140 as inoculations against DDoS, for example, as infosec not cybersec activities.
Cybercrime is basically crime. It's less common to find crimes (against property) perpetrated entirely in meatspace. Cyberwar is basically war: it's convenient to conflate cybersec with infosec for political reasons, and simplistic views of the tools of the infosec trade make this an easy sell. Seriously, how many military assets do not have tech and networked components? Why is this different from a "secret IPS" that Chris mentions? Calling the latter out as a unique "cyber" (I so hate that term) activity is IMO no more than a useful finesse to broaden defense spending.
Posted by: security skeptic | Saturday, 01 June 2013 at 09:17 AM
Hmm, my head is now hurting as it appears you are attempting to redefine an already poorly defined term, and good on you for the attempt.
The industry marketers took ownership of the term cyber for their nefarious profit-taking reasons. Having done so, the security carpetbaggers coined cybersecurity, which has now degenerated into something that can be defined depending upon your perspective and thus which stakeholder you represent.
To me, infosec means securely controlling the data upon which information is built in order to manage that information. Cybersec is securely controlling the infrastructure (logical & physical) over which the information traverses, rests or in which it is processed. Of course, you can only control it in so much as you have authority to manage that infrastructure.
Engaging in cyberwar or cybercrime is the act of subverting the controls placed on the infrastructure and data to access information to act upon it in such a way as to gain value from it whether it is an asset or liability for its original owner/custodian.
Posted by: Jack G Jessen | Saturday, 01 June 2013 at 12:38 AM