Defining Cybersecurity

If You Can’t Properly Define Cybersecurity, How Can You Know What It Is?

RealWorldCyberSecurity
The Startup
17 min read, Apr 14, 2020


It’s clear that the cybersecurity industry hasn’t been able to agree upon what cybersecurity is and isn’t. Even NIST, which is responsible for the definition of technical terms used by the U.S. Federal Government, has four different definitions of cybersecurity! At a minimum, there are dozens of different definitions of cybersecurity currently in use. Nearly all are incomplete in scope, some are horridly wrong, and nearly all fail to differentiate between cybersecurity and its information security cousin.

Background

If you look up the definition of “cybersecurity,” most of the answers you get are laughable. Most appear to be written by some “expert” with no actual concept of what cybersecurity is. Nearly all of those definitions sound as though they were written by an academic pontificating about what he thinks cybersecurity theoretically should be, without himself ever having done any actual hands-on cybersecurity engineering.

Until July 2019, the sole “official” definition of cybersecurity (as defined by NIST) was: “The ability to protect or defend the use of cyberspace from cyber attacks.” Hyper-informative, wasn’t it? It’s about like telling a man who’s never seen a donut that, “A donut is a pastry shaped like a donut torus.” [1]

Then, just when you think it can’t get worse, it does. Now NIST can’t even agree within itself what cybersecurity is! It now has four different definitions of cybersecurity! None of them tell you anything particularly useful about cybersecurity. Those definitions of cybersecurity are: [2]

  • Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.
  • The ability to protect or defend the use of cyberspace from cyber attacks.
  • The process of protecting information by preventing, detecting, and responding to attacks.
  • The prevention of damage to, unauthorized use of, exploitation of, and — if needed — the restoration of electronic information and communications systems, and the information they contain, in order to strengthen the confidentiality, integrity and availability of these systems.

If you search online for a definition of cybersecurity, most definitions are just as bad — if not worse — than the definitions NIST provides. Here are some examples:

  • Measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack. [3]
  • The art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information. [4]
  • May also be referred to as information technology security. [5]
  • The preventative techniques used to protect the integrity of networks, programs and data from attack, damage, or unauthorized access. [6]
  • The practice of protecting systems, networks, and programs from digital attacks. [7]
  • The protection of information assets by addressing threats to information processed, stored, and transported by internetworked information systems. [14]

Notice the pattern? The definitions all talk about defending computers, networks, and data. That isn’t what cybersecurity is. That’s what information security is! Plus, the scope is strictly digital in many cases. Clearly, whoever wrote those definitions has no experience with industrial controls security, where even analogue devices can be at risk of attack. [8]

We have two problems here. First, we have failed to adequately or accurately define what cybersecurity is. Worse, we are trying to somehow shoehorn cybersecurity into being either the same as information security or some subset of information security. It isn’t, and I’ll go into detail why in a minute.

So, if we can’t even agree upon what cybersecurity is, how can we possibly expect to create reasonably secure systems and products that depend upon an in-depth understanding of cybersecurity?

Clearly, we can’t.

And, the problem is compounded by the mindset that the same tools and techniques used for information security are applicable to cybersecurity. Yes, most information security tools and techniques can be applied to cybersecurity, but cybersecurity requires tools and techniques which go far beyond those of information security.

How can we expect to secure our systems when we are using the wrong tools? Or, at best, an incomplete set of tools?

Again, clearly, we can’t.

In my professional opinion, the root of the problem we’re facing is that too many “cybersecurity experts” began their careers as “information security experts” and never have had actual hands-on cybersecurity experience beyond applying partial aspects of cybersecurity to information systems. Thus, we are left with information-centric definitions of cybersecurity, where the “experts” have tried to mold cybersecurity into the shape of information security.

Well, it’s time to break that mold!

Let’s get started with a few definitions.

Definitions

First, let’s define security:
Security is the protection of assets from threats.

That’s fairly clear, but let’s dissect it to ensure the subtleties are covered:

  • Assets are anything tangible or intangible that has value. In the context of security, usage of the word “asset” usually refers to a “protected asset.”
  • Protected Assets are any asset protected by a security service. Examples of protected assets could include: data or information (electronic or physical), network and computing infrastructure, software, products and associated intellectual property, people (employees, customers, vendors), real estate and personal property, and utilities and other critical infrastructure. That is, anything of value is a potential protected asset.
  • Security Services are any threat reduction capability provided by security. There are five generally recognized security services: Confidentiality, Integrity, Availability, Authenticity, and Access-Control. (See the blog post, What Are The Fundamental Services Provided By Security? Hint: CIA Is Not The Answer for additional details.)
  • Threats are anything with the potential to cause harm. [9] For example, the potential for an attack to occur. Threats can be either intentional (e.g., sabotage) or accidental (e.g., aircraft bird strike), and they can be either man-made events (e.g., human errors, cyber attacks, power failures, and network outages) or natural events (e.g., fires, floods, earthquakes, hurricanes, and tornados). Also, see security threats, below.
  • Attacks are any action taken against an asset with the intention of causing harm.
  • Security Threats are anything that may cause harm to a protected asset and/or associated entities. For example, whereas a security threat that discloses personally identifiable information would most likely inflict minimal harm to the asset that held the disclosed information, the disclosure itself could do considerable harm to both the organization’s brand and to the individuals whose information was disclosed. There are seven generally recognized categories of security threats: Denial of Access, Forgery, Spoofing, Repudiation, Unauthorized Access, Unauthorized Disclosure, and Unauthorized Modification (see the blog post referenced under Security Services for more details).
  • Entities, in the context of security, are anything that attempts to use a protected asset. An entity can be a person, software, robot, or anything else that attempts to use a protected asset.

Okay, I lied: That definition has a lot of subtlety buried within it. Hopefully, the definition of security now has a deeper meaning for you.

So, that’s the definition of the mission of security across all of the organization’s security domains. In most organizations, there should be three top-level security domains:

  • Corporate Security
  • Information Security
  • Cyber Security

Now, let’s define each of those security domains.

Corporate Security

Corporate Security is those aspects of an organization’s security not directly related to technology.

That is, in general, corporate security is those aspects of security that pre-date technology or technological security solutions, or are unrelated to technology. Falling under the corporate security domain would be aspects of security related to employee services, safety, environmental services, or facilities; or which are intellectual property, legal, or regulatory in nature. (This is not an all-inclusive list.)

In other words, much of what you would think of as an organization’s security before the advent of digital technologies falls into the corporate security domain.

Today, corporate security often makes extensive use of technology. But, corporate security’s technology is often not under the auspices of information security or cybersecurity. Without close collaboration between security groups, serious gaps in security defenses will occur.

Worse, there often isn’t a corporate security group in the organization. Instead, you often find aspects of corporate security dispersed among multiple (and often non-communicating) groups, such as human resources, facilities, safety, plant protection, legal, risk management, and environmental.

I plan to discuss corporate security in more detail in an upcoming blog post, Corporate Security: The Forgotten Security Domain.

Information Security

Information Security is the protection of information in any form and at all times.

That’s pretty much the classic paragraph-long definition of information security, summarized into one sentence.

Now, let’s dissect it to get a deeper understanding of what that means.

  • Security is the protection of assets from threats.
  • Protection is the rendering safe from harm. Protection is passive security. That is, security that does not offer a response to an attack. It is equivalent to putting a lock on a door to secure your house.
  • In any form means it includes both physical (e.g., printed documents) and electronic (e.g., files and databases) information.
  • At all times means the information must be protected, whether it is at rest (i.e., in storage), in use, or in motion (e.g., electronic information sent over a network, or a printed document transported by a courier).

Thus, we define information security as the protection of information. Note that we didn’t place any constraints upon the scope of protection. That is, if we have to protect computers and networks to protect information, then that would be within the scope of information security. But, keep in mind that the objective is the protection of information. Nothing more. Nothing less.

Cyber Security

We’ve already shown that there isn’t a commonly agreed-to definition for cybersecurity. Now, I’m going to propose a definition for cybersecurity which covers all aspects of cybersecurity — something which is lacking from other definitions — while providing a clear distinction from information security. [10]

Cybersecurity is the protection and defense of both analogue and digital electronic devices, their communications channels, and their processing-and-control logic and algorithms.

Now, let’s dissect that definition to get a deeper understanding of what it means and its ramifications.

  • Security is the protection of assets from threats.
  • Protection is the rendering safe from harm. Protection is passive security. That is, security that does not offer a response to an attack. It is equivalent to putting a lock on a door to secure your house.
  • Defense is an action taken to resist an attack. Defense is active security. This means that you have dynamic security with ever-changing defenses — which can include offensive actions to stop an attack. It is the equivalent of confronting an intruder in your house with a loaded weapon.
  • Digital Devices are any electronic device that uses discrete data and processes for all its operations. This clearly includes computers, cell phones and tablets, routers, switches, WiFi access points, and firewalls, but it also includes all other digitally networked devices, such as all IoT devices, VoIP telephones, digital security cameras, smart badge readers, etc.
  • Analogue Devices are any electronic device that uses continuous data and processes for all its operations. This would include landline telephones, fax machines, most nuclear reactor control systems, older radar systems, older industrial controls, some satellite and other space systems controls, and literally thousands of other devices. In industrial controls situations, analogue devices often serve as failsafe backups to digital controls.
  • Communications Channels are the means by which a device is connected to other devices. For analogue device communications, this could be a simple wire or wire-pair, coax cable, analogue radio, or similar technologies. For digital device communications, it would include any type of wired or wireless network. For digital to analogue device communications, it could include any of the previously mentioned means of analogue device communications used to communicate to an analogue interface in the digital device.
  • Processing Logic and Algorithms are the means by which a device accomplishes its designated purpose. For analogue devices, this is all done in hardware. For digital devices, this includes both hardware and software (microcode, firmware, operating systems, applications, etc.).
  • Control Logic and Algorithms are the means by which a device regulates its processing. For analogue devices, this is all done in hardware. For digital devices, this includes both hardware and software (microcode, firmware, operating systems, applications, etc.).

Now, let’s put the phrases together and detail the bigger picture.

  • “Is the protection and defense” is cybersecurity’s first significant difference from information security. Cybersecurity not only offers protection like information security, but it also offers defense. In other words, cybersecurity can take the offensive actions necessary to defend systems.
  • “Of both analogue and digital electronic devices” is the next significant difference from information security, as information security’s tools seldom address analogue devices. It is also different in that information security offers protection of non-electronic information (e.g., printed), whereas cybersecurity only deals with electronic devices and their data. [11]

    This definition means that protection and defense are also offered to the electronic devices (components) combined to construct a more complex electronic device. For example, protection and defense would be offered to CPUs, GPUs, FPGAs, ASICs, NICs, DACs, memory, controllers, and all the other various analogue and digital components that comprise a modern end-purpose electronic device, such as a smartphone or a computer. In other words, cybersecurity protects and defends any security-sensitive electronic device, be it analogue or digital, and be it an end-purpose device or a component of such a device.
  • “Their communications channels” is again a difference between cybersecurity and information security. Cybersecurity provides both protection and defense of the electronic communications channels themselves, both analogue and digital, whereas information security only provides for the protection of the information conveyed over those communications channels.

    Additionally, information security also provides for the protection of information communicated by non-electronic means (e.g., printed documents), which is outside the scope of cybersecurity.
  • “And their processing-and-control logic and algorithms” is the final difference between cybersecurity and information security. Cybersecurity offers protections to both hardware and software, and can take actions to defend both from attack. By contrast, information security only provides passive protection to information.

So, that is the definition of cybersecurity and an explanation of its scope.

To recap, cybersecurity provides security for all electronic technology, except for the information processed by such technology (information is protected by information security).

Or, another way to view the difference between information security and cybersecurity is that information security secures the information itself, and cybersecurity secures everything that creates, uses, processes, stores, or communicates that information.

Where Information Security Fails Us

In my blog introduction, I state that “trying to treat cybersecurity problems as though they are information security problems” is one of the fundamental mistakes we are making in security today. The lack of an understanding of the differences between information security and cybersecurity is the root cause of this problem.

As we have seen in the preceding definitions, information security is “data-centric,” and cybersecurity is “device-centric.” Trying to apply information security principles to “device security” creates two problems: first, you can’t adequately secure “hardware” using the same controls used to secure data; and second, there is nothing in information security that provides for an active defense.

Let’s look at some of the issues that the premises supporting information security fail to address. To do this, we’ll examine an example from product security.

The overwhelming insecurity of IoT products has filled the news recently. Why? Many would say that it’s a simple matter of companies trying to produce products on the cheap. However, I would argue that the issue is more likely the product’s designers’ failure to recognize the potential for security problems in their products.

I believe that, fundamentally, such product failures are compounded by an incomplete view of security: a view driven by an information security focus. A focus that, for embedded systems products (such as IoT devices), is incomplete, at best. Why incomplete? Because most security issues with IoT devices are not information related. Rather, the problems are with the devices themselves.

Let’s begin by listing some of the security questions that product designers should be asking, but are obviously not asking. And, with most product security practitioners coming from an information security background, those product security architects probably do not even know they should be asking these questions.

After all, why should they know better? Nothing they had learned in the scope of information security would indicate that these are issues with which to be concerned. The types of product security questions (that is, cybersecurity questions) which all product security architects should be asking include:

  • How do you prevent reverse engineering of the product?
  • How do you prevent tampering with the product?
  • How do you prevent the production of unlicensed clones of the product?
  • How do you prevent access to the hardware interfaces used for development debugging of the product?
  • How do you prevent access to the hardware interfaces used for manufacturing testing of the product?
  • How do you perform failsafe firmware updates of the product (such that a failed update does not brick the product)?
  • How do you prevent unauthorized modification of the product’s firmware?
  • How do you prevent your firmware from running on third-party devices?
  • How do you ensure the integrity of your supply chain?
  • How do you prevent unauthorized modification of the device itself?
  • How do you prevent misuse of the device from damaging the device itself (e.g., using a USB port on a device for other than its intended purpose, and drawing too much power)?
  • How do you prevent misuse of the device from creating a safety incident (e.g., using an aerosol can to create a vapor fog to trigger a motion detector to unlock a door)?
  • How can this device be abused by an attacker to cause harm?
  • How can we verify that our UI is always unambiguous to its intended audience?
  • How can we verify that our UX is always intuitive to its intended audience?
  • How can we verify that our UI creates neither security nor safety issues?
  • How can we verify that our ID creates neither security nor safety issues?

And this is just a very small sample of the questions that every product development organization should be asking, but which clearly are not being asked.

Now, I can already hear the objections: “These are hardware engineering issues, not information security issues, and that’s why they’re not covered by information security.” Well, that’s half wrong and half right. Wrong, in that they are not hardware engineering issues; rather, they are hardware security issues. Right, in that they are not information security issues; rather, they are cybersecurity issues. [12]

These, and tens of thousands of other similar issues, are being left unaddressed during product development because information security doesn’t address these types of issues. Nor should it, as those issues are cybersecurity issues and not information security issues.

Nothing in an information security professional’s background or training would prepare them to even know that they should be asking the types of questions I posited. And, that’s what should be expected, because these are not information security issues and I would not expect an information security professional even to have half-a-clue that such problems exist. It’s for precisely this reason that cybersecurity exists and is different from information security.

The problem is really simple: Information security exists to protect information. Nothing in the fundamentals of information security was ever intended to secure anything other than information. Thus, we need to stop trying to use an information security mindset to secure “stuff” that isn’t information. We must recognize that cybersecurity’s scope is beyond that of information security, and thus apply cybersecurity principles to cybersecurity problems.

Defense

We also need to remember that cybersecurity allows for active measures to defend devices. There’s a reason that the military and intelligence agencies refer to their security operations as cybersecurity, and that’s because they take active countermeasures to attacks. You don’t do that when your objective is to secure information. In fact, that entire concept is anathema to information security principles and mindset.

Cybersecurity defense is a big rabbit hole I don’t plan to explore further in this posting, other than to remind you that cybersecurity’s objective is the protection and defense of assets.

Summary

There is an old saying, “When the only tool you have is a hammer, everything looks like a nail.” With no real cybersecurity experience, too many information security experts are trying to hammer cybersecurity into becoming an information security nail. We need to reset the thinking of those information security professionals and teach them that cybersecurity is more like a bolt than a nail, and that you use a wrench, not a hammer, when installing or removing a bolt.

Now, a quick review…

In most organizations, there are three security domains with which the organization must be concerned:

  • Corporate Security, which protects (and sometimes defends) people; and real, corporate, and intellectual property.
  • Information Security, which protects information (data).
  • Cybersecurity, which protects and defends: hardware, communications, and software.

The diagram below illustrates those relationships among the organization’s security domains.

[Diagram: Security Domain Relationships]

We established the following definitions in support of those security domains:

  • Security is the protection of assets from threats.
  • Corporate Security is those aspects of an organization’s security not directly related to technology.
  • Information Security is the protection of information in any form and at all times.
  • Cybersecurity is the protection and defense of both analogue and digital electronic devices, their communications channels, and their processing-and-control logic and algorithms.

Trying to treat cybersecurity problems as though they are information security problems is one of the fundamental mistakes we are making in security today. We have to remember that information security is “data-centric,” and cybersecurity is “device-centric.” Trying to apply information security principles to “device security” creates two problems:

  1. You cannot adequately secure “hardware” using the same controls used to secure data, and
  2. There is nothing in information security that provides for active defense.

If you search the Internet, you will find that many so-called “information security experts” claim that cybersecurity is a subset of information security. But, compared to information security, cybersecurity has a substantially broader scope, addresses a more complex set of security threats, and offers active defenses not provided by information security.

If anything, we should view information security as a subset of cybersecurity. However, that’s not accurate either, as what those two domains are attempting to secure is different — data vs. hardware, software, and communications. Some overlap between the two is unavoidable, but at the most fundamental levels, they are attempting to solve different problems. [13]

Thus, we need clear, concise, unambiguous definitions of both cybersecurity and information security.

Hopefully, you will find the definitions provided here meet those criteria.

So, don’t let alleged information security experts try to tell you what is and is not cybersecurity! Those so-called “information security experts” are precisely that, and nothing more, because they clearly do not understand cybersecurity!

Please leave cybersecurity to actual cybersecurity practitioners.

Thank you!

Notes:

  1. NIST IR 7298 Rev. 2. Glossary of Key Information Security Terms (Withdrawn, July 3, 2019).
  2. NIST IR 7298 Rev. 3. Glossary of Key Information Security Terms: Cybersecurity (April 11, 2020).
  3. Merriam-Webster Online Dictionary: Cybersecurity (April 11, 2020).
  4. US-CERT: Security Tip (ST04-001) What is Cybersecurity? (April 11, 2020). Note also that they consider cybersecurity to be an “art” instead of an engineering activity! No wonder we have so many security issues if the organization responsible for advising on cybersecurity incident response can’t even get it right.
  5. DigitalGuardian: What is Cyber Security? (April 11, 2020).
  6. Palo Alto Networks: What is Cybersecurity? (April 11, 2020).
  7. Cisco Systems: What Is Cybersecurity? (April 11, 2020).
  8. Two points on this paragraph. First, in reality, many of those definitions are not pure information security definitions, as they are overlaps of both information security and cybersecurity. However, cybersecurity does not protect data, so they are not correct cybersecurity definitions, either, when they claim in their definition to protect data.

    Second, the scope of analogue systems is actually much broader. I won’t even pretend to be able to list all the industries which are dependent upon analogue systems that are susceptible to attack. But, at a minimum, that list would include: any automated manufacturer, aerospace and defense, utilities, environmental and medical.
  9. This is the security definition of a threat. In risk calculations, a threat is the frequency of potentially adverse events.
  10. Just for clarity, there is no difference between “Cyber Security” and “Cybersecurity.” The former is the older way of writing the term, and the latter is the currently preferred manner. I used the older style when I seek to emphasize that “Cyber” is one of a family of security domains within an organization.
  11. A more accurate statement may be that “information security’s tools do not address analogue devices,” as I can’t think of any that would apply to the analogue world. But, I was playing it safe by saying “seldom,” in the likely case that “never” could be used as an argument to discredit my premise.
  12. Yes, not all of these are “hardware engineering” issues, per se. Some of them are UI/UX and ID engineering issues. But, all are cybersecurity issues.
  13. In a complete view of security, we should point out that “Corporate Security” also overlaps with both cybersecurity and information security. Worse, corporate security often deploys technologies that should come under the purview of information security and/or cybersecurity, but frequently do not for historical and political reasons, creating security gaps and organizational-level vulnerabilities.
  14. ISACA Glossary: Cybersecurity (April 18, 2020).

Please check out my Blog Introduction and Index to find other postings about what we are doing wrong in security and how we need to fix it.
