When is a hack a "Cyberattack"?


#1

Hey all, I'm an AP reporter and I'm looking into how we as journalists use the word "cyberattack." In particular, I wonder whether it's right that events such as (for example) DDoS, leaks, breaches, intrusions (or even scans!) are often described in the press as "cyberattacks." Vocabulary matters here; I'm told by former government lawyers that they sometimes had to talk down policymakers who propose physical retaliation 'because we've been attacked in cyber.'

What do you think? Is there a crisp, one-line definition of a "cyberattack" -- versus for example an intrusion or a denial of service? What's the threshold? Actual physical damage? Significant or wide-ranging disruption?


#2

There is a 2014 project from OTI that attempted to collect a variety of international government definitions in the cyber security realm. It's not exactly what you are looking for, but it is an interesting collection of definitions.


#3

This is extraordinarily useful. Thank you.


#4

Hi @razhael, this is a great question, with a frustratingly circular answer, I'm afraid.

The use and overuse of "cyberattack" and "cyberwar" largely came from government and policy making circles. These terms were and are convenient metaphors for military and policy/international relations people, because they fit the intellectual paradigms that already exist in those circles. This is extremely useful for military and policy people, since it allows them to sound authoritative on topics about which they know little* (we need to preserve cyberdeterrence) and since such terms make pushing for bigger budgets for their work easier (we have a cyber gap!).

Unfortunately, the "cyber" armed conflict metaphor and the scare tactics that go with it are part and parcel of the term, since it was largely popularized by people in government who wanted to increase their own influence by pushing the idea of "cyber" as a "fifth domain" of conflict (alongside air, sea, land, and space). Since ignorance is widespread, the first group who could convincingly articulate a policy paradigm for nation state competition and conflict on the internet was going to do well for themselves.

So, the situation where a policy maker has to be talked down from advocating physical retaliation for a hack is sadly ironic, since the whole purpose of "cyber" and its over-use was to stoke fear and raise the profile of "cyber" as a paradigm of conflict, alongside traditional, "kinetic" forms of conflict, without actually having to develop any new theories of conflict (Jomini and Clausewitz in space! Jomini and Clausewitz in cyber! I am a military policy intellectual!).

The cyberreality is that 99% of cyber is espionage, and the other 1% is sabotage (think Stuxnet, or Flame). The word "cyber" is really just a product of a budget fight between the intelligence community and the armed forces. Re-framing "cyber" as a conflict issue, rather than an intelligence issue, became increasingly vital for the military bureaucracies as the internet became more central to, well, pretty much everything that humans do.

All of these terms have their own social lineages, however. Terms like "breach" or "compromise" tend to be used in the private sector, because information security people in the private sector are strictly defensive and care exclusively about protecting their own networks and users. The term "hack" came out of the model train club at MIT, and generally refers to getting a system to perform an action that was not intended by the system's author(s). So, hack is a practitioner's term, since unlike "cyber" (which refers to where the action is happening) or "breach" (which refers to what just happened to you), "hack" actually says something about how one goes about compromising systems. Hackers misuse rules (usually software) that were written by others, in order to subvert the intent of these rules, while technically complying with them. This is the essence of hacking.

*Note: There are obviously some very knowledgeable and talented software engineers and hackers in government, but these are typically not the same people who are running around talking about "cyber" with metaphors they lazily borrowed from IR policy.


#5

Ethan this is really helpful, thank you. It also tracks with what I've been hearing elsewhere.

I'd like to speak to as many people as I can about this topic -- in industry, law & government.

Any recommendations?

Raphael


#6

I don't have any contacts, unfortunately, but if you ping the Harvard Berkman Klein Center for Internet & Society, there are policy & tech people there who think and write about these sorts of things for a living. They're more focused on "civil society" than IR or military strategic policy stuff, but it's a great starting point. They probably also have good contacts.

Quick tangent: The private sector has warmed up to the term "cyberattack" for their own, self-interested reasons. If your company is "hacked," then this makes you sound incompetent at your job (and potentially liable for negligence). The connotation is a pimply teenager breaking into a huge corporation.

On the other hand, if your company is the victim of a "cyberattack," then this suggests that the attacker was a nation state (even if the attacker remains unknown). Who can blame you for falling victim to a cyber army? We don't expect companies to defend themselves against airstrikes, so why should we expect them to secure themselves against cyber attacks?

So, it gets the company off the hook and plays better for them in the press.


#7

FYI, this discussion did eventually result in a story. The outcome may not please everyone, but I hope it's a step in the right direction.