Cyber Security versus Information Security

Over at NovaSec @grecs has a post titled Cyber Security versus Information Security. He acknowledges that there are some problems in the lack of definitions. This has been a long-time (eight decades) discussion in the field. First I have to admit that the concept of “cyber security” is a bit of a misnomer. It doesn’t exist currently in Joint Doctrine. I know. I know… We always talk about it but in fact it really is one of those conflated words. We even hold government accountable for it when it doesn’t really exist (pdf). Well, it exists, but to be honest it is defined poorly (pdf). To be sure, I actually agree partially with his point, but I think there is a lot more to this than the definition wars we had back in the 1990s.

Good friend and mentor Dr. Daniel Kuehl, writing chapter 2 in the book Cyberpower and National Security (Ed. Kramer, F., Starr, S., Wentz, L.), identifies several definitions for the idea of cyberspace. If you are going to secure something you had better understand where that something comes from. Unfortunately most people in the current information security or cybersecurity or cyber security or hacker community simply aren’t grounded in the history or reasoning behind some of these wildly swinging definitions. OK, be honest, who really cares but some of us ivory tower academics?

Dr. Kuehl, for the definition of cyber and information type things, takes us back to the information warfare study done by Tom Rona in 1976. Based partially on spectrum warfare and partially on command and control science, the Rona study pulls in the kybernetes and thus cybernetics discussion. Placing Rona at Boeing and knowing that Norbert Wiener and authors of Cybernetics in the 1950s were working off the command and control aspect of information helps us understand the context of Rona’s work.

In the 1980s authors looking at command and control warfare started a few different discussions. By the early 1990s concepts like network centric warfare would be fully evolved and winning wars. Through the 1990s authors continued to push the bounds of what the information environment meant to the war fighter. A few interesting diversions were questions like how would emotions, vision, touch, and cognition be realized as part of that information environment.

Various authors took humanistic approaches to the concept of “cyber” and in 1984 William Gibson, writing the dystopian novel Neuromancer, popularized cyberspace as a term. It would infect authors writing from then on, and become a touchstone of enduring editorial fever forever. Gibson’s version invigorated the community of information operations and psychological operations (sub-discipline of information operations), but the consensual delusion did not stick with cyber policy types. Some of this balance is between the political poles of technocracy and humanist information operations types. In a nutshell it is easy to measure bits and bytes compared to the morose quantitative environment of human emotions and cognition.

There was an in-depth discussion of these concepts over the 1990s beyond what I’m going to discuss here. However, Kuehl details the discussion by Edward Waltz “Information warfare: Principles and operations” (1998) and that the “cyberspace dimension refers to the middle layer.. the information infrastructure… of the three realms known as physical, infrastructure and perceptual.”

A point of order if you’ve got this far. Why the freaking heck on a biscuit do you care? Definitions matter. They determine who gets how much in their budget and what sort of power can be exerted. If something is part of the human experience it has particular rights. If that something is extant and non-human it is property and subject to other rights. Lawyers will quake at me boiling down their law degree to three sentences, but know that definitions matter because they can be used against you. I use the following pithy statement with my students, “Amateurs argue about crime and punishment. Professionals argue about authorities and budgets.” Definitions are the root of authorities.

Authors like my friend Dr Martin Libicki talk about cyberspace having a syntactic, semantic and physical layer. In the late 1990s several authors took the position that cyberspace had a cognitive component and that broke with official Department of Defense descriptions. By 2008 Deputy Defense Secretary Gordon England would by fiat define cyberspace as, “A global domain within the information environment…” Some of the original authors of “cyber policy” were looking at the overlapping issues of information operations versus electromagnetic spectrum warfare. Russian doctrine had solidified around a spectrum warfare concept that was inclusive of the human cognitive structures. I always like to point out that hackers like Kevin Mitnick knew this when they were operating across the layers doing social engineering.

The definitions are important and arguing over them is extremely important. The craze is not new, and careers have literally flourished and floundered on the seas of this discussion. Currently “cyber security” is NOT considered a professional field. The definitions determine the level and relationship that practitioners can exist in government and industry. The technocracy has appeal to the hacker and Security Conference attending community, but a technocracy without humanist influence is a barren intellectual field. Definitions are important because they are used in the law and regulation, which affects everybody. Definitions matter because they are the foundation of strategy, operations, and tactics.

Definitions will not win a war for you, but poor definitions can lose a war for you.

A list of definitions:

information assurance — Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and nonrepudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. Also called IA. See also information operations; information system. (JP 3-13)

information environment — The aggregate of individuals, organizations, and systems that collect, process, disseminate, or act on information. See also information system. (JP 3-13)

information security — The protection of information and information systems against unauthorized access or modification of information, whether in storage, processing, or transit, and against denial of service to authorized users. Also called INFOSEC. See also information system. (JP 3-13)

cyber counterintelligence — Measures to identify, penetrate, or neutralize foreign operations that use cyber means as the primary tradecraft methodology, as well as foreign intelligence service collection efforts that use traditional methods to gauge cyber capabilities and intentions. See also counterintelligence. (JP 2-01.2)

cyberspace — A global domain within the information environment consisting of the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers. (CJCS CM-0363-08)

cyberspace operations — The employment of cyberspace capabilities where the primary purpose is to achieve military objectives in or through cyberspace. (JP 3-0)

cyber security — Measures taken to protect a computer network, system, or electronic information storage against unauthorized access or attempted access. (DoD Instruction 5205.13)

cybersecurity — The ability to protect or defend the use of cyberspace from cyber attacks. (CNSSI-4009)
