Cyber security: information security is dead, long live information security!

Good day friends and colleagues,

A lot of people who have been working in our industry for the past few years, or decades for some of us, are wondering why the public now uses the “cyber security” denomination and why there is, almost all of a sudden, so much “marketing” and public talk going on about an old and well-known issue.

It is an interesting question in itself; obviously, part of the answer might be the fact that the concept of “information security” was either too vague for the general public and/or that it was not connecting with their emotion; therefore, a new label was needed.

What is more interesting is that I feel that people came up with the new term in a more holistic manner than “we” did the first time around. Apparently, the layman did a better job than the aficionado.

In the past, at least for us, there was “physical security” and “logical/information security”.  Those were the two main domains within which a specific set of controls was applied to protect clearly defined assets on one side and anything else in the large bin of information security on the other.

Now that they took over what we have been doing for the past 20 years and renamed it “cyber security”, we need to understand what it means to them so we can align our skills and discourse with their expectations and reality.

“Cyber space” is not a new term in itself; it goes back to the early 80’s when Sterling and Gibson launched the cyberpunk movement. This post-modernistic sci-fi literary style foresaw a society where everything and everybody would be interconnected. Hacking was just a profession among many others and large conglomerates of private interests were controlling either part of the economy or, in some cases, the full geopolitical agenda. In other words, a lot of high tech, but also a lot of low-life with a twist of conspiracy supported by greed and guess what, all of this happening between 2020 and 2070!

Does at least some of it sound familiar to you? Do you now start to connect with the new terminology? If you ask me, I know that when I was 10 years old discovering those authors and their fantastic “parallel reality”, it felt so cool but so unreal, so far-fetched, that I would have never guessed it would hit me in the middle of my professional career!

With what I know, see and touch today, cyber security is, from my perspective and in the view of many, a more appropriate term. It is a concept closer to our current reality as it describes an ecosystem of forces that coexist and/or influence one another in both the virtual and the physical world, not just in some part of it, and that are certainly not independent from one another.

What triggered this change? Go back in time, no farther than a few years ago: the public was mainly talking about the issue as one affecting enterprises and probably some “obscure part of government”. How many of you heard at one point or another in your career “We don’t need this”, “You, IT folks, always make it more complicated than it is”, “We are not a bank” or “We are not the army, you know”?

Following the recent attacks that resulted in sensitive data leakage that sometimes infringes our privacy, elements like identity theft, which has been and remains an important issue, and significant and noticeable service outages of our preferred online marketplaces, gaming servers and e-banking platforms, people (the remainder, obviously) are now “touched” by the problem on a personal level; their emotions finally connected with it and they named the phenomenon “cyber attacks”.

Cyber attacks are ultimately characterized by the fact that their impact is not limited to the computers or the bits and bytes. Cyber attacks need the technology for sure, but the impact is now visible to the public and it affects the non-geeky and the non-literate as it did enterprises and governments, and it does so without consideration of who’s who. Actually, it affects people even more as most organizations have put some preventive measures in place over the past two decades.

Were those measures sufficient? Obviously not, but the show must go on – delivering results is important and security has to be constantly balanced against productivity; anybody claiming otherwise should seek a more peaceful path for their career to prevent depression.

Incidents are never pleasant but on the bright side, they raised the level of awareness on open issues. On top of previously mentioned attack cases, state-sponsored attacks are real; you just have to read the papers, including serious ones, which are claiming that the cold war is starting all over again. Threats to critical infrastructure are credible; security researchers demonstrated the level of exposure of SCADA infrastructure and specific malware is real. Finally, criminal marketplaces where you can buy physical goods using information stolen in the virtual world, combined with the “commercial” availability of some other disturbing “services and goods”, really do exist and demonstrate that there is a demand.

Those incidents, coupled with increasing citizens’ concerns, worry the elected officials. So much that even the most powerful feel they need to justify themselves and defend their right to govern by pouring enormous resources into solving the problem and reassuring their constituents. They all agree now that we need protection against what was science fiction 30 years ago and what they claimed to be paranoia on our part for the past 20.

That level of concern and commitment to solve the issue is, my friends, the reason why we must embrace the new paradigm and terminology.

Information Security is dead, long live Information Security; just remember to call it Cyber Security!

Best regards

Martin Dion
