Originally published on SDI Cyber, July 11th, 2017
One undeniable fact: the 2016 elections brought the word “cybersecurity” into the mainstream. The problem that stemmed from that fact: nobody is actually sure what “cybersecurity” is. And as a result, we spin our wheels or head off into differing directions.For all the tech talk, commentary, and promise of some incredible “save you from all cyber threats” solution, lost in the conversation are the cybersecurity basics. It is a disservice to all when pundits use words, such as hack and leak, interchangeably. Those who have a more informed understanding of the issue know that these terms having incredibly different meaning. The same can be said for words such as stolen and copied. They are not the same and are often confused, even misused. And how about this one: the difference between authorized access by an unauthorized user and unauthorized access. The fine nuance between the two can entirely re-characterize the nature of an attack.
I have not conducted a formal study to know how many people know the differences or can spot the nuances, but from informal observation of my own experiences, about 95% of people cannot tell the difference and of the 5% that do, almost all of them have some form of security-type training or professional work experience. Another informal observation: even those who have the training still cannot always spot the difference.
Why is all of this important? Because if we cannot get the basics right, chances are everything that follows will be wrong, insufficient, or inadequate.
I start from this premise: we have finite resources. I do not think anybody serious would disagree with me on this premise. Therefore, let us be smart about how we use these resources. And part of being smart is asking the right questions and knowing the basics.
In the middle of serious cybersecurity policy debate, does it make a difference if a Senator asks a witness whether data was stolen or copied? Yes, it does. In trying to determine how an attack happened, does it make a difference when the Board asks its IT manager if the source of the attack came from authorized access by an unauthorized user or by unauthorized access? Yes, it does.
The human brain can only process so much information and the more complex we make the cybersecurity discussion, the increased likelihood of us mucking it up. Add into the mix a disregard or misunderstanding of the basics and the muck up is almost certain.