The term “weapons of mass destruction” first appeared in a 1937 London Times commentary by the Archbishop of Canterbury, William Lang. The term was used in direct reference to a series of aerial attacks on the town of Guernica during the Spanish Civil War: “who can think without horror of what another wide-spread war would mean, waged as it would be with all the new weapons of mass destruction.” Less than 10 years later, the varying interpretations of WMD were replaced by a single image: the atomic bomb. And in the following decades, as nation-states and non-state actors dabbled in the development, production, and even deployment of highly destructive biological, chemical, and radiological weapons, all were unhelpfully classified as ”WMDs”—a term that was at the same time too broad to carry descriptive weight, and too narrow in imagination for the post-Hiroshima world. By the 1990s, when I served as the Legal Adviser for the Nonproliferation Center at CIA and then as Executive Director for a blue-ribbon commission on WMD, it was clear that policymakers and the global public were ill-equipped to fully conceptualize the threat landscape and develop targeted policies. A primary problem was the decades-long practice of incorrectly conflating too many destructive weapon systems as “WMD,” as if it referred to only one thing. The weapons lumped together as WMDs have some common attributes, including the capacity for large-scale casualties. But they are different in important ways that make them susceptible to different approaches for risk reduction.
This is all to say, we need to stop talking about “cybersecurity” as if it, too, were one thing.
Using this broad term confuses the public. When Americans hear “cybersecurity,” they don’t know if it’s referring to the hassle of receiving a credit card every few months because of a breach or the potentially catastrophic impact of an attack on networks controlling military weapons. Or they might simply tune out altogether because they think it’s all about computer networks that they don’t understand.
As with WMD, the failure to disaggregate cybersecurity also frustrates the development of effective policies and capabilities for managing the various risks. An attack on an industrial control system is very different from the theft of intellectual property. There are some common elements; both exploit vulnerabilities in networked systems, but the means used, the challenges faced by the adversary, the motivation, and, importantly, the consequences are different. Recognizing these differences is essential to effectively managing the risk.
As an exercise, think through the numerous questions associated with targets that malicious actors could go after using cyber means. Are they targeting data or industrial control systems? Within data, attacks may be focused on personal information, business information, network configuration information, national security information, medical information, or building blueprints among other targets. Bad actors can target data at rest or data in transit. Are they stealing information, denying access to it, or altering the information? The objective may be espionage, financial gain, disruption, destruction, competitive advantage, or advocacy. That is just one possible rabbit-hole of cyber distinctions, and yet somehow all are to be publicly discussed and addressed broadly as “cybersecurity issues,” making no differentiation as to what actors, institutions, and sectors are involved in different sorts of attacks and what specific actions are needed to address the risks each poses.
Cybersecurity encompasses a range of threats, vulnerabilities, consequences, and countermeasures that are far more varied in type and consequence than were encompassed in “WMD.” Breaking it down to more meaningful categories will, therefore, be much harder. Moreover, there may not be a single way of disaggregating cyber-related issues and risks. But there is an urgent need to work on bringing greater clarity and specificity to the way we talk and think about them.
“Cybersecurity” and talk of “metrics for measuring cybersecurity” underestimates the important distinctions implied in these multiple categories. That said, the only idea worse than continuing to talk about cybersecurity generally would be to employ a multitude of uncoordinated and unconstructive frameworks. What is needed is a concerted drive to achieve consensus around a standard, but flexible taxonomy. Developing such a taxonomy can significantly advance awareness, strategy, and action, not to mention a more purposeful and skilled workforce involved in cyber-related issues.
Whenever possible, we should replace cybersecurity with more descriptive terminology. For example, Americans understand that bad actors are stealing their personal information from businesses to cause financial harm. If our discussions focused on that clear statement of the risk, rather than talking about cybersecurity, would consumers be more empowered to demand that businesses protect their information? If the differences in approaches for different types of risks were better understood by policymakers, would they be less inclined to push for another bad idea: the creation of a new Department of Cybersecurity? Would they be more likely to realize that a breach notification law, while important, will not address threats to critical infrastructure?
Identifying how and when we distinguish different types of cyber-related risks will improve communication efforts (to the general public, the media, policy makers, etc.) and, by extension, outcomes and impact of U.S. ‘cybersecurity’ efforts. In time, the coalescence around a taxonomy would help the U.S., as well as our allies and partners, shape the foundation for a more secure and more resilient ecosystem.
A few months back, a reporter at a high-profile German media outlet noted that while she would like to cover more cybersecurity stories, her editors were hesitant to focus on such stories because there did not seem to be a public appetite for them. The term cybersecurity is bloated and overused and, in the process, has made cyber-related issues seem distant and inaccessible. However, more so now than ever, the threats posed by cyber and the steps needed to detect, prevent, and mitigate the effectiveness of ongoing attacks require a wider appreciation of issues in this space.
We should stop talking about cybersecurity, not because “cyber issues” are over-hyped, but because the challenges and constantly evolving threat landscape involving cyber are so complex, and we cannot afford to continue operating under an already overextended definition. Though facially a matter of semantics, the way we talk and think about cyber issues has very real consequences. Ignoring that reality is a really bad idea.
(Photo credit: NSWC Crane Corporate Communications)