What is Cybersecurity
While a a new standard on "Guidelines for Cybersecurity" (27032) is being developed in ISO/IEC JTC 1/SC 27/WG 4, the question of "what is cybersecurity" continues to be asked and debated by members of SC 27, in particular, those who have been active in WG 4. From the various meetings, and side conversations I had with individuals (experts in WG 4) two weeks ago in Kyoto, it is clear that many have different views and opinions of the notion of Cybersecurity. In one of the previous meetings, there were also discussions on whether it should be two words, or one, i.e., "Cyber security", or "Cybersecurity". It seems that the latter is more commonly used nowadays (than say five years ago), and when people use the single word, they probably hold a different view of Cybersecurity than those that use two words to denote their understanding of Cyber security. Perhaps Cyber security, as two words, also seems more user friendly as it would not be flagged as a spelling error by the spell checker. In the near future, I would think, the single word should be accepted by most modern dictionary.
There are two areas that I wish to discuss relating to Cybersecurity (and Cyber security). One relates to its scope of focus that needs attention and actions, and the other, which relates to my role as Convener of WG 4, is the role of standards in Cybersecurity (or Cyber security). Given the space and time here, I would blog about the latter in a later blog.
In many ways, Cybersecurity issues (I am using the one-word form since it saves one "space" character) are quite similar to green environment issues. Many years ago, many companies which built chemical plants and factories would only be concerned about the safety measures of their facilities, if they were concerned about safety at all, but would not care too much, in most cases, to dispose the toxic waste generated by their factories in a safe manner, especially if the toxicity is assessed as mild. Those waste therefore ended up polluting the environment, until the government and/or civil activists started to raise the issues and have the regulators impose tough measures against such inconsiderate practices. Cybersecurity, in many ways, are quite similar in nature, but need not wait for activists or government to make the first move. As we all (in WG 4) agree, it is about the security of the Cyberspace. Some experts believe that Cybersecurity is the same as Internet security, network security, or information security, and therefore, there’s no need to study it as a topic, or have standards to help improve it. However, I would defer on this. If we take the enterprise view of Internet, network, or information security, companies’ focus will be on how to secure their own Internet presence/business, own corporate network, and own information, just like the chemical factories owners of the past. Anything outside of their business (even for some governments) will be something for others to care about, not them. After all, they are only answerable to the shareholders but not users of the Cyberspace in general. If we don’t take care of it, we would not be able to reliably and securely make use of it for either our business or even to support our digital lifestyle.
In fact, the notion of Cyberspace itself may also be hard to grasp, as it is simply too "soft" a concept. I say that it is a concept as it does not exist in any physical form, but rather, the emergence of the Internet, plus the people, organizations, and activities on all sort of technology devices and networks that are connected to it. It is perhaps best described as a virtual environment.
Cyberspace security is therefore very much the virtual world’s safe/green environment equivalent of the physical world. This is one of the reasons that Cybersecurity is such a challenging topic, just like issues of green environment. So what are the problems when companies only look after their own network and information security needs, without considering the needs for Cybersecurity? I can think of a few here.
Just take Internet web hosting services for an example. As a web hosting services provider, the company’s focus on security would be on the security of the web sites that they host (if they do think about security), so that their tenants will be satisfied with their security and continue to pay rent every month. If the site gets hacked, they will consider moving to a more secure provider. However, without considering the security issues in Cyberspace beyond network or Internet security, like what happened just few years ago, some of the Spammers, Phishers, and even Botnet Controllers have started renting their Internet presence from web hosting services, with valid domain names registered instead of on hacked servers on the Internet. As long as they pay thei rents, the web hosting service providers would not bother whether their tenants are runnig a Spamming or Phishing web site. After all, their web sites are not being attacked, and their business will be affected if they did not have the rental fees to collect. To the Law Enforcement Agencies, it will however be a challenge to take down the related crime syndicate, and they will also need to apply for court permits to do their work. This is the kind of issues that are at the edge of the company’s Internet space. It is often a cost to the business, and when they spend resources on it, they do not see clear returns, either in goodwill or revenue. The ITU-T/SG17 Q6′s X.1207 Recommendation is one of the standards that tried to highlight this sort of issues in relation to Spyware, and provide guidance for best practices.
Beyond this kind of challenges, are security issues resulting from new phenomenons we are observing and experiencing in the Cyberspace, relating to such developments like Second Life, Facebook, MySpace, Blogging, Instant Messaging, and many more Web 2.0 innovations for the new digital lifestyle and workstyle. Each of these communities, or social networking developments have some kind of unique security issues to be considered, besides providing a new platform for old problems to live again (in a more innovative manner). For example, Instant Messaging has become a new platform for virus and worms distribution, child exploitation,and many old crimes, while at the same time introduces new capability for new forms of social engineering attacks. Second Life type of virtual world environment has also brought new crimes between the physical and Cyberworld, since real money is exchanged somewhere between the two worlds, and real people operates and uses these virtualities.
There are some experts who believe that Cybersecurity relates to critical infrastructure protection as well. This is not necessarily an incorrect view, since the availability and reliability of the Cyberspace in many instances rely on the availability and reliability of certain critical infrastructure services (e.g., telecommunications network infrastructure). From another perspective, to deal with Cybersecurity issues, we require substantial communications and coordination between different private and public entities from different countries and organizations. Again, this is also the kind of challenge in critical infrastructure protection. The things we learn and do in critical infrastructure protection may help in improving Cybersecurity then. However, there’s another issue. Critical infrastructure services, to some governments, are regarded as national security related services, and therefore something not always for the public to decide what to do and how to do. Furthermore, knowledge of critical infrastructure weaknesses, if not used appropriately, could implicate on national security directly. Critical infrastructure services such as water and gas, however, do not contribute to Cybersecurity issues. On the other hand, the lack of Cybersecurity protection may impact these services, if their operations are connected to the Cyberspace. Even if they are not today, many would envisage that they do one day. The overlaps, or influence between critical infrastructure protection and Cybersecurity therefore may be complex.
In summary, the discussion above, if have not got you confused, demonstrates one thing. Each of these areas, be it critical infrastructure protection, information security, Internet security, and network security, have its own objectives and scope of focus. By far, critical infrastructure overlaps with many other things that we try to do, but they focus on the reliability, availability, and coordination are more than anything else. Having information security, network security, and Internet security are just fundamental pieces, which must be accomplished before we can talk about critical infrastructure protection. Cybersecurity similarly has its own scope and objectives, which relates to security things that organizations and individuals should be doing for the common security-good of the Cyberspace environment. Cybersecurity relies also on information security, network security, and Internet security as fundamental pieces of building blocks. Cybersecurity is what we need for critical infrastructure protection as well, besides other aspects involved. At the same time, adequate protection of critical infastructure also contributes to the basic security needs (i.e., security, reliability and availability of critical infrastructure) for achieving the goals of Cybersecurity.