Cyber is hot property nowadays. There’s not a “thought leader”, an organisation, a think tank, an industry body, government body, and the list goes on and on and on. There’s only one slight problem: no one agrees what ‘cyber’ actually means and what is and isn’t cyber.
Every time I do risk-related work I try to make sure everyone uses the same terms to mean the same thing, to reduce the risk of misunderstanding. It is such a simple and obvious step that most people forget about it.
Some definitions of cyber that I’ve seen so far
Just about all the definitions (when white papers, reports, essays, … actually bother to define the term) fall into one of the two buckets:
Cyber is the collection of computers and data connected to a common network. In other words, cyber means the internet. Using this definition means that “Stuxnet” is not a ‘cyber weapon’ but just very sophisticated malware.
Cyber is a collection of computers, networks, storage and data on those computers. Cyber is a common good and underpins the modern economy. This is just a fancy way of saying “information technology” and is nothing new or uncommon. It also means that ‘cyberspace’ is synonymous with the internet.
What is wrong with these definitions?
Apart from what is already stated above for individual uses of the term, there’s another, deeper issue: we are neglecting well known and understood terms for a vague term that means different things to different people.
The commonly used definitions of cyber discuss the logical domain (data on servers, software, OS, etc.) and the physical domain (internet links, damage to physical systems Stuxnet-style, etc.). What they generally miss is the most important domain of them all: the cognitive domain.
The only exception to the above rule is the military use of the term ‘cyber warfare’, which generally means exactly the same as the decades-old term ‘information warfare’. Whereas information warfare is understood to be broader, ‘cyber warfare’ involves only computer-related operations and excludes psy-ops, propaganda, and other cognitive-domain operations.
The cyber triangle
Cyber as a new term only makes sense if it is applied to the three interconnected domains that are required in order for ‘cyberspace’ to exist: physical, logical and cognitive.
All the physical infrastructure, actual machinery and cabling is in the physical domain. The definition of cyber security has to include attacks on and protection of physical infrastructure such as undersea internet cables, the machinery controlled by ICS, and the computer hardware.
The logical domain is what most papers define as the cyber domain that they’re so keen to protect. The software, regardless of what it is running on, and the data residing on computers and in databases all form part of the logical domain. The majority of papers talking about cyber security or cyber risk typically also stipulate that, in order to meet the definition of ‘cyber’, all these computers need to be connected (to the internet).
The cognitive domain is the one that the majority of papers on ‘cyber’ never mention. The cognitive domain is where interpretation of data into information happens. This is where past learnings, experiences and prejudices are applied as knowledge to the data that the logical domain provides, and the result is new information.
It is typical to ignore this domain as part of cyber operations, primarily by all those that have never studied information operations around the globe. This in itself is the most dangerous part of this newfangled push towards ‘cyber everything’.
If a paper that is talking about cyber security or cyber risk does not include all three domains (physical, logical and cognitive), ignore it. It is most likely just an IT paper (and likely not all that good, at that).