I Am Security

Cyber, Cyber, Cyber. What are we talking about anyway?

by

iamit
in

A long draught (almost a month) in this blog is finally coming to an end after I had some great conversations with good friends at the cyber un-conference here in Israel. One of the obvious discussions is around the use of the term cyber (surprise). The general agreement is that the term has been violated pretty badly by security consulting firms and vendors trying to jump on the “cyber” bandwagon without a slim clue of what they are talking about (another shocker!).

But seriously now, we are all to blame for using the term once in a while (yours truly not excluded), while we all refer to different things. So, let’s try to get some order in the media hype and understand (at least the way I see it) what is this cyber we are talking about.

Disclaimer: this is what I believe that Cyber actually refers to. Your mileage may vary…

For me, cyber starts from way up. Beyond technology and Internet, and even beyond warfare and conflict. Cyber is first and foremost a domain. Much like air, land, sea, and space. A domain is (from the Merriam-Webster dictionary):

1. a. complete and absolute ownership of land
b. land so owned
2. a territory over which dominion is exercised

As such, domains that are not under the direct ownership, are treated by sovereign countries as first and foremost economical factors that affect their well-being. Most importantly, shared, or international domains are crucial to enabling international trade, communication, travel and freedom (especially air, sea and space). Such domains are referred to as “global commons“.

Now think of the Internet and the underlying parts that make it work. Computers, network equipment, cabling, satellite communications and other elements that are owned by a variety of private companies, governments, and are under different jurisdictions around the world. Because it is so hard to pinpoint the ownership of a specific part of the Internet, it is much simpler to treat it as a general domain, and as such, a global common. This is exactly how most modern countries act, and how it, much like the other global commons, became an element of conflicts when such countries escalate diplomatic efforts into actions. A good example of how this works can be seen in the work that NATO are putting to address this exact question. Note how a lot of the efforts are placed first on the legal and cooperative elements before addressing the battlefield (NATO and Cyber Defense – PDF) .

So we went from an economical domain that supports communications, trade and information, to an element which countries may use as part of their available conflict management against other countries. Enter: cyberwar. What most abuses of the term these days do not take into account, that cyberwar, much like airwar, seawar, spacewar and landwar is almost never a singular element in a conflict. It is part of a larger strategy and a mean of affecting diplomatic efforts to achieve some goal at a national or international level. Hence, cyber-weapons are never products or pieces of software, but more generally tactics that are deployed in order to gain an advantage in the cyber common in conjunction with other tactics and strategies used in other domains.

I’m sorry that this isn’t the “sexy” cool thing that some consultant that used to do vulnerability assessments is trying to pitch to you, or some product that a vendor is trying to sell you in preparation to the imminent cyberwar that will erupt any minute now and eject all the CD trays of the PCs in your organization. It’s more in the lines of a broader understanding of what elements that would be used in the cyber common would affect us as individuals, organizations, cultures and countries that we should be concerned about. It’s more about how countries are developing capabilities that would be used to gain an advantage over their adversaries in diplomatic conflicts. Whether on an ongoing basis – much like “normal” spying and intelligence gathering is done in times of peace, or in times when more active measures are taken.

The bottom line is that the “Cyber” term is first handled at the higher levels which may have nothing to do with some virus or worm hitting a nuclear plant, and only then translated to the tactics used to protect or attack assets which have some manifestation in that domain.

Now we can all get back to abusing the term. At least we knowhow we are going to abuse it :-).

Additional reading:
http://www.worldpoliticsreview.com/articles/6838/resetting-article-5-toward-a-new-understanding-of-natos-security-guarantees
http://security.cbronline.com/news/cyberspace-is-operational-domain-like-air-land-and-sea-us-150711

 

Comments

18 responses to “Cyber, Cyber, Cyber. What are we talking about anyway?”

  1. Uri, Infoseq Avatar
    Uri, Infoseq

    Hi Ian
    First of all, thank you for putting a new definition to my cybersex life, oh sorry, my domainsex… 🙂
    Second, I never had space sex but who knows, maybe in my next life cycle lol
    Back to the article – I really enjoyed reading it. I wrote about the subject two nights ago but thanks to the combination of a trip to Amsterdam and an ISP that respect the SLA almost as much as facebook respects my privacy I’m posting only now. Indeed, an important subject to talk about.
    I find your view very interesting. If I remember correctly this ‘domain’ started as an military, moved to academia, travelled to economical, migrated to military, and who knows where it will land next – recently it became a source of social-political development in the middle east, and perhaps the next will be spiritual revolution, who knows?
    To me, the cyberspace is a dimension. Why? Let’s look at Wikipedia:
    Dimension [is] the dimension of a space or object is informally defined as the minimum number of coordinates needed to specify any point within it a space or object is informally defined as the minimum number of coordinates needed to specify any point within it
    And this is vs. the definition of domain that you brought it:
    Domain:
    1. a. complete and absolute ownership of land
    b. land so owned
    2. a territory over which dominion is exercised
    (Merriam-Webster dictionary)
    Domain is all about ownership of the space, and dimension is all about a way to describe the space itself. Domain defines ownership, but it does not claim it has an understanding of the true nature of the space it declared as his.
    We invented the cyber dimension, and it expands not only our daily actions which we can quantify but also our consciousness and perception of reality.
    Like any dimension, it is our beliefs that define how we see the domain. This is shows a lot about the way we all perceive reality differently.
    To my sorrow like in the physical dimension governments, corporations and organizations (including religious ones) look at the dimension via a restricted perspective and when it seems to them as having coordinates they do not like they try to alter it.
    If the cyber was only a domain, it would have meant that if one owned it provided him control over it. The Internet is a dimension – and while one might try to control it the activity that occurs in it cannot be controlled. Like anything else inside and outside the universe – nothing is fully predicted and thank god to that. This is the nature of the universe and of our lives.

    In a sense the reaction to the Internet is similar to the reaction of the world leadership to psychedelics in the 60s and the 70s. Both cyberspace and psychedelics, when you are being used are exposing you to a new world, a new view of the world. They can either release you from a mental jail or put you in a new one.
    Like other dimensions, this dimension can be divided into objects. If in the physical dimension we have atoms and galaxies, in the cyber dimension we find IP objects and things like social networks. Social networks provide the human race an inter-collective human experience. Social networks expand our perception and send axons straight from us, a human neuron, to other neurons which are on the other side of the globe. It provides us a possibility for consciousness extension and expands our vision of the world. It can allows us to reunite with nature or dig deep into the world of gossip, it unmask the blindness we been living in for so long or blind us even more. Like in other dimensions it is our actions in the dimension that defines who we are and what will be the faith of the Internet. Like in other dimensions, the Internet is not something which is detached from us. It is us.
    Hope to hear your thoughts of my reply, and I might even mention it in my blog…
    Cheers
    Uri

    Reply
  2. Uri, Infoseq Avatar
    Uri, Infoseq

    I almost forgot the most important thing…
    The importance of the Internet is it’s energy, the ‘spirit’ of it – and in many ways it is a hybrid reaction of humans and machines – in both cases the belief systems (of both the human and the machines) derive a result which is a transformation of the energy that those systems hold, and that energy generates a change, an action.
    If in the physical universe it is the energy that dictates the behavior of the universe (as expressed in quantum physics), it is very much the human energy that defines the nature of the objects in the virtual/cyber dimension.

    We, humans, are the spirits of the cyber dimension.

    Uri

    Reply
  3. Spirits of the cyber dimension « Infoseq with a Q, like Quantum Physics

    […] Iftach Ian Amit wrote a very interesting post,  I encourage everyone to visit it and reply. […]

    Reply
  4. Ran Avatar
    Ran

    I think trying to define “cyber” is an act in futility, since it is a meme – a culturally defined generality (yes, i see the irony in defining meme to un-define cyber, thank you). The morphing of info-sec into cyber-sec just reflects the shift in how people (and by extension or by pretension, the media) see the intertubes these days

    Reply
  5. Izar T Avatar
    Izar T

    As always, you offer great analysis and some points to ponder.
    While I follow your argument, I think the most important (IMHO) part of it was diminished: “… to an *element* which countries may use as part of their available conflict management against other countries…”

    So if I understand the way you put it, more or less, cyberwar is simply the continuation of war by other means, much like war is the continuation of diplomacy by other means (making cyberwar, then, the continuation by other means of the continuation by other means of diplomacy – only that given its almost “victimless” nature currently, I believe it would be used before full war).

    More so, looking to the past, the areas in the world (the Middle East being a prime example) most victimized by constant war, conquest and re-conquest were those where the economic/communication lines crossed. A basic principle of strategy: control the flow of goods, people and if possible, intelligence and knowledge, and you win.

    In that vein, cyberwar would be nothing more than the application of that principle to nexus of communication/economic lines of today. And here I believe we disagree: rather than being a separated dimension/domain, cyber then becomes an extension of the battlefield. As any technological leap, the weapon platforms change and the rules of their application change – but the end effect remains.

    My point of contention is that by separating cyber into a domain, we basically lose the close integration it has with the other ones. Distinct domains created the framework of AirLand battle, that the US based their defense doctrine on from the 80’s to the 90’s: land units maneuvering quickly and aggressively with a strong air force presence attacking the strategic depth of the enemy. I would venture that this approach has been proven less than effective. Then the US went into “Network-centric warfare”: information sharing between units creating an agile force that can change focus according to real time information – and all of a sudden separate domains are not central anymore, since you are not using them as axis on which to proceed.

    I hope this makes some kind of sense – I just think that in the need of demistifying the term and focusing its use, it is useful to bring it down to its minimal representation – cyberwar tools being one more weapon platform to be used according to an overall doctrine, as you so well put.

    Reply
  6. APD Avatar
    APD

    I would say that it’s the manipulation of energy that dictates the behavior of the universe. When you think of it that way, by manipulating energy we created the cyber dimension and in doing so discovered that we have far fewer limitations in what we can create within that dimension than the one we exist in. What many people ( but not the intelligent ones ) missed was that it would be a two way exchange of manipulation. We have become our own self modifying code.

    Reply
  7. iamit Avatar
    iamit

    Izar – Great comment, and I believe that we are in agreement. The need was to have a somewhat concrete definition of what cyber actually means, of course that once that is done, integrating it into the rest of the elements of diplomacy (and by extension) war is done in a “no rules” manner.
    This means that it can (and should) be supportive/disruptive to other domains – much like you mention air-land.
    Most modern countries do treat it that way and the joint commands that were set up are a good example for it. Some examples of this integration can be viewed in the “alleged” attack on the Syrian nuclear plants by “alleged” Israeli fighters that “allegedly” had to pass over some territories where there was no sign of them on radar screens (see operation Orchard here: http://en.wikipedia.org/wiki/Operation_Orchard).

    Reply
    1. Izar T Avatar
      Izar T

      Good example – but that’s where I start having my doubts. To the best of my knowledge, “some countries” have not set up separate domain/commands for cyberwar, but instead, opted to extend cyberwarfare as part of electronic warfare, making it an inclusive use of new platforms instead of an exclusive “elevated” branch of the services. To me that would indicate that instead of a new domain, they see cyberwarfare as just one more capability to be enabled to them and negated to the enemy.

      Reply
      1. iamit Avatar
        iamit

        Izar – you should be in doubt… Sad to admit that some just don’t “get it”, and try to put a square peg in a round hole. All for the sake of checking off this cyber thing (think PCI compliance for countries – make it go away so I can keep spending money on the wrong stuff).

        Reply
    2. Jennifer Gold-Orlando Avatar
      Jennifer Gold-Orlando

      I agree this article goes into depth on the definition and contexts of terms. Domain being defined as . complete and absolute ownership of land b. land so owned 2. a territory over which dominion is exercised

      On the other hand Merriam defines Cyber as relating to, or involving computers or computer networks (as the Internet)

      a search for cyber domain or cyber-domain or cyberdomain came up empty handed.

      I do agree that a country who uses cyber capabilities within it’s domain should have jurisdiction and defend it if necessary like any other domain as you mentioned…But we have yet to make that link successfully. The subversive nature of the attacks and the indistinct nature of the cyber world makes current wording hard to accuse Whether consultants drop buzz words to make commissions and contracts, will not, in the long run fix this issue either way. A decision has to be made at a higher level and globally. Stay tuned for that a little longer….. Just imho as an observer.

      Reply
      1. Jennifer Gold-Orlando Avatar
        Jennifer Gold-Orlando

        ok so cyber is higher term but when someone attacks the SCADA is this a cyber attack? Is the SCADA our domain? Is there regulation to back that up. As in Air Water Land Attacks? We use all of those on a daily basis as we do Cyber but if they are threatened they are within our domain and can be defended….am I following you ?

        Reply
        1. iamit Avatar
          iamit

          When someone attacks a SCADA system they are taking into account (if they are smart) all the domains involved: the cyber one for carrying the attack itself and the communication mechanisms involved in it, the related domain in which the SCADA system operates (land/air/sea/space) and all the relevant systems connected to it.
          This includes the human factors of course, and the processes and operations around it…

          Reply
          1. Jennifer Gold-Orlando Avatar
            Jennifer Gold-Orlando

            I am very interested in the area of SCADA as I see it’s potential. So one last question..or I could go on.asking you questions. = ) If such an attack is a cyber domain attack yet we have no definition for this …what does that mean..SNAFU? Is it up to TPTB to clamp down and draw boundaries? What are your thoughts?

          2. iamit Avatar
            iamit

            Again – I wouldn’t completely separate the cyber domain from others. My aim was to define it, and then once it’s acknowledged integrate it into the strategic defense/offense of organizations.
            Hence – attacks would almost always involve at least two domains that we’ll need to address. How these would be addressed from a boundaries definition is another question that involves legal/politics/technology. Unfortunately there aren’t a lot of people that deal with it with the multi-disciplined approach that is needed…
            Hope this makes sense 🙂

          3. Jennifer Gold-Orlando Avatar
            Jennifer Gold-Orlando

            yes perfect sense! ty

          4. Carol Wickenkamp Avatar
            Carol Wickenkamp

            From my point of view, SCADA and the products of a SCADA system, be it chemical process control or flow of water/electricity, are the property of those who own or lease it, exactly as in a bricks and mortar or real estate situation. Interference or theft of the product of a SCADA system should be treated legally as any other crime against property. Since it is the product of that company that is eventually sold, it does have value, and should be protected by law as such.

            There would be no moral dilemma in arresting a person who threw steel shavings into one of General Motors’ manufacturing robots, preventing it from functioning. The same should be true of malicious interference with other manufacturing processes. Stealing a consulting company’s mail or courier communications is theft even though it occurs outside the walls of the company. Stealing or interfering with that company’s email should be treated as theft. The idea that processes, software, or communications are somehow different from more tangible assets if they are in “cyberspace” is going in the wrong direction, as I see it.

            The air we breath is in the “commons” (at least for now). We can’t see it or hold it in our bare hands, but the law protects it from abuse in the form of severe pollution in most areas of the world, as that pollution prevents everyone from using of the “commons” for the source of clean air to breath. So it should be in cyberspace.

            Approaching the question from the concept of boundaries ignores the concept that my property is my property even though it might be in your car. You can’t take the contents of my purse as yours, though your probably would not want to, just because it, and I, are riding within the boundaries of your car. An American Airlines aircraft belongs to that company, no matter which country’s boundaries it flies through.

          5. Jennifer Gold-Orlando Avatar
            Jennifer Gold-Orlando

            @Carol The Airplane analogy is very good. In the end it does come down to what belongs to whom. In the case of Iran and Stuxnet, it were discovered who the responsible party was, I suppose criminal charges would be brought forth as necessary. Just as any other crime. I only wonder about the domain side of it in regards to how the virus gets there, the legal implications. Would there eventually be ‘cyberdomains’ such as airspace..or not? I don’t know. But it is good food for thought. Thank you for sharing your insight sometimes by getting caught up in the abstract, the obvious gets lost. Cheers JGO

  8. Izar T Avatar
    Izar T

    I guess you couldn’t be more right, unfortunately 🙂

    Reply

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.