If you have your eye on the broad landscape of technology, you will find that the term “cyber” continues to grow in popularity, not unlike buzzwords such as “data,” “analytics,” “AI,” “ML,” and others. This is significant, because cyberspace is the digital landscape that connects all our data, enables us to employ analytics, and catalyzes the other two (for example).
What is important, I believe, is that we understand and use these terms correctly. In this case, I’ll narrow my discussion down to “cyber” and its related terms. I do this because these technical terms have particular meanings, and in some cases, those meanings have specific implications. What I would like to do here is create a baseline as I continue to research and develop a body of knowledge related to security (be it cyber, information, or other) in an effort to educate and create awareness among others. If I’m helping you learn, encouraging discussion, and getting people thinking, then I will consider my efforts a success.
To begin, I would like to reference two separate resources: the National Institute of Standards and Technology (NIST) and the Merriam-Webster dictionary. The first is an organization committed to, as the name implies, standards and technology. It is also responsible for publishing many documents that tie into the “cyber” discipline and serves as a standardized library of references related to cyber (and information) security. The second is an American-based dictionary responsible for standardized definitions of English words. I will note that both of these are based in the United States, so whatever biases come with that will naturally be present in this writing. That said, let me begin by taking a look at some definitions.
First, NIST defines “cyber” as “refer[ring] to both information and communications networks.” Merriam-Webster defines it as “relating to, or involving computer networks.” This is good. Both sources agree and so we have one less thing to worry about.
Regarding “cyberspace,” the two differ somewhat, with NIST defining the term as, “A global domain within the information environment consisting of the interdependent network of information systems infrastructures including the Internet, telecommunications networks, computer systems, and embedded processors and controller” and Merriam-Webster defining the same as “the online world of computer networks and especially the internet.” In any case, I will assume that we can agree: cyberspace is the space (or domain) through which all of our networks and associated devices are connected. This is a simplification.
Finally, “cyber security” is defined by NIST as “the ability to protect or defend the use of cyberspace from cyber attacks,” while Merriam-Webster defines it as “measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack.” The first defines it as something you have while the latter defines it as something you do, leaving some disparity between the two definitions. Otherwise, these definitions are similar enough to communicate the bottom line: cyber security involves the defense of systems operating in cyberspace against cyber-based attacks.
Now that I’ve laid out some definitions, I would like to provide some conceptualization. Please note my approach here is very simplified, but my intent is to provide a good point of reference particularly for those who are not as familiar with the concepts.
It’s like the suburbs…
Many Americans live in the suburbs, which I’ll define as a cluster (or clusters) of houses that generally sit on the outskirts of a large city. These clusters house people, allowing them to live near urban centers without necessarily having to deal with the sounds, sights, and smells of inner-city living. For this example, your computer is represented by a house in the suburbs. This house is surrounded by a handful of other houses (your TV, game console, and other IoT devices) that sit on a street. That street is your home network (local area network, or LAN). Your LAN is connected to other networks outside of it, and to simplify it I will say that your LAN is connected to a variety of other LANs just like your street may be connected to several other streets (whether directly or indirectly).
Collectively, your LAN (or street) and all of the other LANs (streets) in a geographic area make up a wide area network (WAN). The city you live on the outskirts of is the internet, where websites are hosted, data is stored and accessed, cat pictures and videos multiply, and you go every day (for work or play). In a sense, all of this is like cyber. Networks connected to networks, LANs connected to LANs. Correspondingly, cyberspace would be the roads through which each of these networks is connected, enabling us to travel from our home PC to somebody’s website (like this one).
Now we can circle back around to cyber security. Cyber security is the capabilities, or the actions (depending on your definition), that can be implemented to protect each of these houses, apartments, and inner-city sites. “Wow, that’s really vague,” you might say. And you would be right to say so. But that is how broad the term “cyber security” can be, and why 1) we can’t just throw it out loosely as a catchall, and 2) we need to work on understanding it a little bit more.
Why do I say this? Because you do not secure a house the same way you secure a street, a neighborhood, an apartment complex, a parking garage, a shopping center, a government building, and so on. It is like saying, “we need security” and leaving it at that. You might be right, but unless you’re a person so high up the chain in an organization that you have a staff of people under you figuring out all of the details, you risk sounding ignorant. What’s more, if you don’t actually know what you’re asking for, you run the risk of many different perspectives on what “right” looks like. This can lead to things like embellishment or gold plating, resulting in too many dollars spent (or not enough spent) to satisfy whatever requirements you may have supporting a desired end state (previously defined as “security”). At that point, if you are not educated enough, the idea that somebody is going to secure each of the houses using laser-guided missiles sounds great. That should do the trick.
To be clear — I am oversimplifying. What I want to highlight, however, is the fact that we need to move towards a better understanding of these technical terms and their related concepts if we are going to be effective in their employment. There should be no argument that cyber, cyberspace, and cyber security are all important — so if that’s the case, why wouldn’t we give them a little bit more time and attention so that we can make more informed decisions?
Original securitydistilled.com post, November 11, 2020