The short-hand of terminology is essential. Used with best intentions, the coupling of a word to a complex idea allows those with shared knowledge to work efficiently. Ubiquitous in IT, our profession has become encased in a complex lexicon, accessible only to industry insiders. Though unavoidable, if unchecked, this creates the potential for misunderstanding and unmanaged risk. As a term which is frequently used but seldom examined, ‘cyber-vulnerabilities’ offers a prime example.
Swimming with our eyes closed
Pausing to consider this, our natural assumption is that any term as widely used as cyber-vulnerabilities must be intuitively understood. However, as illustrated by the writer David Foster-Wallace in his 2005 speech to college students in Ohio, life is full of important things we fail to recognise:
‘There are these two young fish swimming along and they happen to meet an older fish swimming the other way, who nods at them and says “Morning, boys. How’s the water?”
The two young fish swim on for a bit and then eventually one of them looks over at the other and goes, “what the hell is water?”’
Referring in this context to education, Foster-Wallace’s parable has equal value to technology. An invisible but all-encompassing force, technology has become, to most of us, what water is to fish; something we rely on but seldom consider.
The origins of cyber
If we are to reflect on cyber-vulnerabilities, we must therefore avoid taking its meaning on face value. Beginning by paring the term back to its constituent parts, we note that the origins of cyber can be traced to Norbert Weiner’s coining of cybernetics in his 1949 book Cybernetics: Control and Communication in the Animal and the Machine. A reuse of the Ancient Greek word kybernetes, meaning helmsman; cyber not only filled a gap in his study of control systems but also initiated a process of reimagination.
Initially embraced by the arts, prominent examples included Danish artist Susanne Ussing’s 1960’s exploration of man’s relationship with machines, and American writer William Gibson’s 1984 book Neuromancer which offered the first definition of cyberspace. Despite this detour, cyber was eventually re-appropriated by technologists. Ultimately becoming recognised as an adjective relating to the culture of computers, its true value has returned to be a prefix. Lending words a technical context, the term cyber-vulnerabilities with its connotations of exploitable weaknesses offers a textbook example.
Though the tethering of cyber to technology is now entrenched, a single definition of the term remains elusive. With dozens of alternatives offered, it is necessary for brevity to explore the arguments by dividing them into two definitional groups; system and network centric definitions and holistic definitions.
Endorsing the first, Joseph Nye, the US Assistance Secretary of Defence under President Clinton, defined cyber in his 2010 book Cyber Power, as a prefix standing for electronic and computer related activities. A standard approach, Nye’s view aligns with a large amount of contemporary academic and governmental literature. Given this breadth, one might assume that there is general agreement that cyber should be defined as being purely associated with systems, networks and digital information.
This assumption is, however, disputed by those with a more holistic view. For example, Dr Andrew Futter, an Associated Professor at the University of Leicester, suggests that cyber not only comprises software and hardware but also the people who engage with them. This interpretation is given depth by constructs of the cyber environment such as the UK Ministry of Defence’s (MOD) Layers of Cyberspace model. Detailed in the MOD’s Cyber Primer, this presents the ‘people layer’ as having equal importance to the ‘information and physical layers’.
Taken collectively, these arguments assert that, whilst cyber is an information environment, it is not purely virtual. Rather, as a manmade construct, cyber is defined as much by the cognitive world as it is by physical hardware or digital information. In considering this, we begin to challenge our pre-conceptions of cyber and the boundaries we associate with it.
Turning next to the second element, vulnerabilities; it is at its broadest level defined by the International Standards Organisation (ISO) as intrinsic properties of something resulting in susceptibility to a risk source. Refined in a digital context, the US National Institute for Science and Technology (NIST) defines it as being a flaw or weakness in systems security procedures, design, implementation, or internal controls.
Though originating from differing perspectives, both share a basic premise: a vulnerability is a weakness which, if exploited by a hostile actor, may cause loss or damage. The importance of understanding vulnerabilities is therefore clear; an organisation may have assets of value and a hostile actor may have the intent and capability to target them, but if vulnerabilities cannot be exploited, the hostile actor will fail.
Bringing the term’s constituent parts back together, the role of IT professionals charged with protecting digital systems should be simple; identify and remove all cyber-vulnerabilities. However, as those with experience will attest, this is easier said than done. To achieve it, one must isolate a system from the outside world and remove all physical connections, which, though effective, will also remove operational utility.
As abolishing vulnerabilities is not possible, defenders must identify and manage them. To achieve this information security, standards provide a guide to identifying exploitable vulnerabilities. Through directing the use of generic tools, they also allow approaches to vary depending on the system. Whilst suggesting a breadth of thinking, the reality is that virtually all frameworks are blinkered by the system and network centric definition of cyber.
From the depths to the shallows
To those with a holistic interpretation of cyber, the result of such blinkered activity is a failure to identify vulnerabilities. A concept that gives this assertion depth is ‘cyber littorals’. Re-appropriating an oceanographic term meaning the area of water near the shore, Paul Withers develops it to illustrate the point at which hardware and software meet the physical and cognitive world.
Linking this idea to the above definitions of cyber, we see that Withers acknowledges the value of embracing both schools of thought. Building on this, if we, as IT professions were to take the same path, we could, through his model, actively identify cyber-vulnerabilities in both the depths of the ‘blue oceans’ of networks and systems and the shallows of the ‘littoral zones’ of people, cognitive and physical spaces.
Offering a further step on the journey of reimagining cyber and its associated terminology, an acceptance of ‘cyber littorals’ as being an intrinsic part of cyber would ensure that blinkered thinking is removed. In turn, it would assist the IT profession to manage cyber-vulnerabilities in all their forms and, importantly, help us avoid encountering the risks we create by using terminology in too narrow a manner.
Swimming with our eyes open
Reflecting on this, the above discussion suggests that the IT profession would be advised to not accept our assumed knowledge of either cyber-vulnerabilities or the plethora of other terms we routinely employ. Rather, we should carve out the time to consider the words we use and, by doing so, ensure that our language is not restrictive or misunderstood. If achieved, we will, as a profession begin to remove an avoidable risk by changing our ‘water’ from something we blindly swim through to something we thoughtfully engaging with.