The Council of Economic Advisers recently released a report that examines the cost of malicious cyber activity to the U.S. economy. The report cites many of the usual findings from the Verizon DBIR and Ponemon reports—nothing new to those of us who live and breathe cybersecurity. However, the report caught my eye because it offers some very insightful definitions that may help the infosec community. According to the report, there is still no common lexicon for categorizing malicious cyber activities. The report does not seek to solve that problem but the authors may have unintentionally assisted in moving us closer to a common lexicon. The report cites the NIST definition of a cybersecurity incident as a violation of an explicit or implied security policy. The report authors go on to distinguish the difference between successful attacks, specifically cyberattack and data breach:
As defined by the Director of National Intelligence, a cyberattack intends to create physical effects or to manipulate, disrupt, or delete data. In contrast, a data breach may not necessarily interfere with normal business operations but it involves unauthorized movement or disclosure of sensitive information to a party, usually outside the organization, that is not authorized to have or see the information, according to the Department of Homeland Security. (Italics are mine)
By combining two separate definitions from two sources, the Council has effectively made a very accurate distinction between two terms that are often improperly woven into one confusing, endlessly debatable mess. If that definition isn’t clear enough they include a perfect analogy:
Analogously to property rights terminology, a cyberattack destroys property or makes it unavailable for use, and a data breach amounts to property theft.
That is sweet! The entire report is worth reading, and it is especially recommended to students who are new to infosec as it offers clean, palatable descriptions of most of the types of attacks most common to organizations. The report is written for a senior-executive audience, so the descriptions are written in a way that a non-technical audience can understand them. This is precisely the language a security person should use when explaining cybersecurity events to a non-technical audience. Definitions such as “Backdoor,” “Zero-day,” and “Firmware compromise” are crisply explained. These definitions are worth some study if not outright memorization. Many times, we infosec folks get a bit too lost in the beauty of the full description of a weakness and its accompanying exploit when speaking to an audience that just needs the quick update. If you are an old timer in infosec, the report is worth reading for other reasons. For example, we often see the term “material” in many of the regulations to which we must adhere, yet this is one of those business terms that are not well understood by many non-business folks. The Council’s report not only explains the meaning of “material” but also shows the weakness of that term that allows many organizations wide wiggle room to avoid reporting many cybersecurity events. Other reasons to read the report include some of the general findings and the method used to arrive at those findings. There is also a well-detailed reference section with plenty of links that you may find yourself using when writing your own reports. We civilians often poke fun at government institutions, remarking at their inefficiencies and blunders. However, here is a nice example of how they can also get it right. You can read the full report here. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
