Misuse of the word "Attack" among Cybersecurity Professionals
Bryan Neilson
Cybersecurity & Intelligence Expert | Offensive & Defensive Cyberspace Operations | Threat Intelligence & Incident Response Leader | AI & Digital Ethics Advocate
One thing that continues to frustrate me is the continued misuse of the vocabulary and terminology around Cyberspace Operations – in particular for actions that, through this domain, are inherently offensive. I am talking most prevalently about the term “attack.” This term seems to have been adopted by the vast majority of corporate America to mean any malicious or offensive activity observed on a given network. In reality, using the term “attack” in this way is not only incorrect, but in many situations is also extremely irresponsible and may lead to greater damage to the organization or the nation. I have seen this incorrect usage of “attack” rampant throughout the commercial world as well as State & Municipal government organizations.
I will admit, it is easy and compelling to use this term when speaking of, say… an incident of a data breach. The word “attack” implies a malicious wrongdoing to which those committing the act are both witting and willing. However, when it comes to definitions within the realm of Cyberspace, the industry must learn to be far more reserved when seeking to use such a term. With much of the Cybersecurity industry here in the US focused on the protection of critical infrastructure, we must be absolutely certain of how we choose to speak and what we say about any given incident. In the realm of Cyberspace Operations – of which Cybersecurity / Cyberspace Security is a part – the term “attack” has a very specific and powerful meaning.
The fact is, the term “attack,” when applied to activities or processes taking place within the Cyberspace Domain, has been previously and authoritatively defined; it is documented and implies a very specific set of circumstances as well as potential response or retaliation actions that could occur. In this context, the term “attack” originates from the term “Computer Network Attack” – more recently re-defined and re-branded as “Cyberspace Attack.” Computer Network Attack (CNA) is one discipline of Computer Network Operations (CNO), just as the newer term Cyberspace Attack (CA) names one discipline of the newer concept of Cyberspace Operations (CO). CNO / CO are, in turn, part of a larger discipline known as Information Operations (IO).
Information Operations (IO), closely tied to Information Warfare (IW), is described in detail in Joint Publication (JP) 3-13. IO consists of both direct and indirect operations in any of the following disciplines:
· Electronic Warfare (EW)
· Cyberspace Operations (CO) – previously Computer Network Operations
· Psychological Operations (PSYOPS)
· Military Deception (MILDEC)
· Operational Security (OPSEC)
Cyberspace Operations further breaks down into the following disciplines:
· Cyberspace Security (CS)
· Cyberspace Defense (CD)
· Cyberspace Exploitation (CE)
· Cyberspace Attack (CA)
Ref. Joint Publication (JP) 3-12
Each of these disciplines has a specific and defined function and purpose.
Some will be quick to point out that these are military terms and therefore are not, and should not be, applicable to Corporate America. While it is tempting to discount this vocabulary and go back to that previously used, doing so not only causes confusion but also has the potential to cause real damage. While each of these terms was birthed by military experts, that does not discount their validity or applicability outside government entities. In fact, the broad adoption and use of this vocabulary by the entirety of the US Government is the very reason why the proper use of such terms is so critically important. Therefore, the assumption that just because you are in the corporate world or you work for a State or Municipal government you do not have to adhere to this vocabulary is wrong.
So why are this vocabulary and the proper use of each of these terms so important? In short, because these terms have been defined as such, using them incorrectly (or even correctly, as the case may be) can have real-world consequences. This is important because many Cybersecurity Professionals work with systems supporting functions that are considered vital to the interests of the United States – known as Critical Infrastructure. Critical Infrastructure of the US has been defined as any system (technical or otherwise) that supports vital functions, services, or capabilities critical to the continuity of the United States, its citizens, its government, and its societal and cultural foundations. Critical Infrastructure, under the definition of the US Department of Homeland Security, includes any system(s) in or supporting any of the following industrial sectors:
· Chemical
· Commercial Facilities
· Communications
· Critical Manufacturing
· Dams
· Defense Industrial Base
· Emergency Services
· Energy
· Financial Services
· Food and Agriculture
· Government Facilities
· Healthcare and Public Health
· Information Technology
· Nuclear Reactors, Materials, and Waste
· Transportation Systems
· Water and Wastewater Systems
The United States Government has firmly planted its foot with the stance: should any piece of Critical Infrastructure, or any systems (technical or otherwise) in support of Critical Infrastructure, come under attack by an adversary, the US has the authority and responsibility to respond and retaliate. Furthermore, the United States’ doctrine for response and retaliation to a Cyberspace Attack impacting any part of Critical Infrastructure allows for a full retaliatory response throughout any domain of operations (Cyberspace, Air, Land, Sea and/or Space). In the US, such Cyberspace Attacks can be classified as acts of war against the United States and its interests. What this all means in layman’s terms is that the US may respond (and in certain situations has responded) to Cyberspace Attacks against Critical Infrastructure (i.e. a Denial of Service incident impacting the electrical grid) through the use of military force (air strikes, invasions, and even the use of nuclear weapons). While it may seem far-fetched that an attack impacting a piece of Critical Infrastructure would elicit such a response as a nuclear strike against another country, the fact is, US doctrine allows for such a response. The real danger lies in how other nations have adopted this same stance within their own doctrines as well – including Canada, Great Britain, Australia, New Zealand, Israel, China, and Russia.
If this MAD-ism stance brings back visions of Cold War times, this is simply because, in reality, the world has not changed or advanced much (geopolitics-wise) from when we were in the clutches of the Cold War and feared nuclear bombs could drop at any moment. In fact, one could argue the Cold War never ended and is still alive and well today. A topic for another day…
This is why the vocabulary and using the proper terminology are so critically important. It is the responsibility of each and every Cybersecurity Professional to ensure the proper use of terms such as “Cyberspace Attack”, “Cyber Attack”, …
As a Cybersecurity Professional, not everything you encounter can be classified as an attack. The true hallmarks of a Cyberspace Attack are Denial (Degradation, Disruption, and Destruction) and Manipulation – the manipulation of data or information for the purposes of Denial, Degradation, Disruption, and/or Destruction. This is to say that an incident in which sensitive, proprietary or even classified information is exfiltrated from a system (assuming nothing else happened throughout this event) is not a Cyberspace Attack. Such an incident would be more appropriately classified as an act of Cyberspace Exploitation – another discipline of Cyberspace Operations.
While aggravating and damaging to the reputation of the agency and the people impacted, the breach of data from the US Department of Management and Budget (OMB) that exposed sensitive and personal information on millions of citizens holding Security Clearances was, in fact, not an attack. This campaign, largely thought to have been carried out by Cyberspace Operations components of the Chinese military, was an instance of espionage taking place within the Cyberspace domain – the very definition of Cyberspace Exploitation. Had the United States Government treated this activity as a Cyberspace Attack, the world would truly look very different today and we would very likely have gone to war with China. The fact is the US Government engages in Cyberspace-enabled espionage against other countries (foe and friend) on a daily basis. It would be exceptionally hypocritical, and unacceptable to the international community, if the US retaliated to such actions as it does to instances of Cyberspace Attack. Cyber Exploitation – the mechanism of cyberspace-enabled espionage – is broad and even encompasses any actions taken within Cyberspace that may enable any future action (such as espionage or even attack), regardless of the operational domain the future action takes place through.
Outside of Cybercrime, there have been very few cases of Cyberspace Attack – this is because each nation with operations sophisticated enough to carry out such activity is fully aware of the potential consequences. One example would be the joint US-Israeli operation to disable and destroy Iranian nuclear centrifuges through the introduction of a malicious implant that would destabilize the centrifuges – Stuxnet.
In terms of Cybercrime, there are literally millions of examples of Cyberspace Attack, along with just as many examples of US retaliation. While virtually unheard of, the US does engage in retaliation against cybercriminals who carry out Cyberspace Attacks on Critical Infrastructure. Most of this retaliatory response from the US Government is in turn carried out exclusively through the Cyberspace Domain and is nearly invisible to the outside world. The world rarely hears about these retaliatory operations as they are shrouded in secrecy and often carried out by members of the US Intelligence Community and its partners.
This is all why it is so critical to maintain the proper vocabulary and use the right terminology when discussing offensive actions that occur within the Cyberspace Domain. Failure to adhere to this accepted terminology can, at the very least, cause confusion and delayed response and, at the worst, lead to undesirable retaliatory actions being taken by a government with a very strict and aggressive doctrine. It is the responsibility of each Cybersecurity Professional not only to use the vocabulary, but to evangelize its continued adoption and proper use throughout each organization and industry. Organizations should stop using inflammatory language (i.e. using the word “attack” when it does not apply) and should train their personnel in the proper use of such terms. Today, there is no excuse for an organization to call US-CERT or publish a news media article saying they have been “attacked” for an incident that was simply a data breach and nothing more.