Attacks/Breaches
11/23/2015
11:05 AM
John B. Dickson
Commentary

We Need A New Word For Cyber

It's time to find an alternative for 'cyber' (an adjective or noun) before the term, like 'google', becomes a verb.

One of the hits of Black Hat 2015 in Las Vegas was a T-shirt featuring a growling Sam Jackson from one of Pulp Fiction’s more memorable scenes. Pointing his oversized handgun downrange, Jackson’s character threatens, “Say Cyber One More Time…” There was at least one word at the end that added even more emphasis, but the message was clear. Some clever designer captured what many security folks at the conference quietly thought. The word “cyber” has become so overused it is nearly meaningless. The term “cyber” has risen to the level of “information superhighway” or “web 2.0” and is clearly a target for ridicule. At the same time, others, mostly .gov and .mil guys, still use it in a forceful and matter-of-fact way.

Coming off the annual Cybersecurity Month in October and having the opportunity to recently speak at CyberMaryland, I’m all “cyber’ed” out. At least I’m painfully aware when it’s used in casual conversation, and I even wince when I use the term “cybersecurity” to describe what I do to the vast unwashed masses. What’s becoming increasingly obvious is that we need a new word for cyber. I want to actively debate this and find an alternative before “cyber” (an adjective, or noun) becomes a verb, as Google is to “googling” something. I never want to hear that a client was “cyber’ed” by a nation state threat, or that someone “cyberfied” their network to make it more resilient to attack. That bleak prospect is so gravely serious that we need to put tongue firmly in cheek and start talking….

As Alcoholics Anonymous and other recovery groups state, admitting you have a problem is the first step towards recovery. Yes, we have a problem. I’ve known this for some time. This fact was driven home to me earlier in the year when a non-security guy stated emphatically, “John, you know it’s not just about cyber, right? It’s about cyber, big data, and cloud?” My initial response was to suggest he add mobile and DevOps, then he would have every buzzword in IT covered. But after my first, and possibly snarkier, response trailed off, I thought serious discourse about the use of the word “cyber” was needed.

By background, I’ve been a security guy for nearly 20 years. That’s how I self-identify, and that’s how people know me. Like Johnny Appleseed, I dispense solicited advice at cocktail parties, family reunions, and at my daughter’s soccer game. I answer questions that range from smartphone security, to when to update one’s Windows box, to how best to select hard-to-crack passwords. So I’m on the frontline, like all of us who read Dark Reading. It’s in our best interest to have a better term before someone finds a worse term to describe our industry and what we do. To that end, I would humbly submit the following observations and suggestions for further discussion.

Let .gov and .mil guys keep “cyber” 
They are comfortable with the term, they use it in conversation without wincing, and would likely be a willing adoptive parent. There is the practical matter that there are so many instances where the term is baked into government code, into signage, into doctrine that a simple name change would cost taxpayers billions. In the military, the term “cyber” has been adopted to mean all things that don’t blow up bad guys. Fighter pilots, infantry officers, and naval officers may not understand what it is, but they do know it might prevent them from getting shot at. One request, though. Stop using the term cyber warfighter ... As an ex-Air Force Information Warfare Center alumnus, I’ve never been quite comfortable with the term. Those same folks who have actually been shot at might not be able to stomach the term, and you might get your nose punched by a Navy SEAL in a bar talking about how you DDoS’ed someone.

Don’t reuse stale terms!
If cyber does a poor job describing what we do, certainly older, well-trodden names are no better. Information security, or InfoSec for short, is seemingly hopelessly stuck in the ’90s. It might have worked then, when the scope was purely about the security of information, but not now. Related terms, like information protection and network security, are similarly dated and also too narrow in scope.

The least worst current option – cybersecurity
An acceptable compromise, and one that seems to strike a happy medium, is the term many use to date, “cybersecurity.” Don’t worry about whether it’s one word, two, or hyphenated; it has the word “cyber” in it for the Feds, and “security” in it for most of the commercial types. You can say cybersecurity in a mixed audience and not get groans or a rolling of the eyes by the more grizzled security veterans. As a stopgap measure, cybersecurity works.

In a perfect world – just security
Here’s where I’ve arrived. I call it “security”; no need to further describe or elaborate. I self-identify as a “security guy.” I help clients with security services and product. Given the constant stream of front-page stories, I find security (read cybersecurity) being so mainstream that I don’t have to clarify, or distinguish myself from our physical security brethren. No guns, gates, or guards for me, and no, I’m not a mall cop. So I’m a security professional, providing security services that keep clients out of the news.

No matter what we end up calling it, we need to make sure that those who live and breathe security are the ones who dictate the term that is used. The art of what we do as IT security professionals has evolved into a sophisticated and critical part of everyday culture, not just business. We need to own what we do and come up with a term we can be proud to associate with our work; not one that makes us cringe every time we hear it.

John Dickson is an internationally recognized security leader, entrepreneur, and Principal at Denim Group Ltd. He has nearly 20 years of hands-on experience in intrusion detection, network security, and application security in the commercial, public, and military sectors.
Comments
beldern,
User Rank: Apprentice
12/6/2015 | 1:35:21 PM
Re: New word for Cyber
Logical Security would be another term to separate us from the physical realm.
JVS3,
User Rank: Apprentice
11/30/2015 | 11:04:00 PM
New Word for Cyber
Personally, cyber doesn't bother me that much. It is what it is. That said, "Void" seems a rather appropriate term if not a bit dated in the sci-fi world anyway. Thank you Dan Simmons for the highly original and classic reference. The internet and cyber space has become so analogous to everything not physical and immediately tactile that void seems a legitimate term to me. It would certainly represent the future of all things cyber and the lack of any ability to control where it goes and how it is used. I already reference it this way myself.
Joe Stanganelli,
User Rank: Ninja
11/28/2015 | 11:54:43 PM
Re: The perennial struggle
Well, we did go from calling it "cybersex" and "cybering" to "sexting."  I guess something similar is possible for cybersecurity, too!
jdickson782,
User Rank: Author
11/28/2015 | 12:03:06 PM
Re: The perennial struggle
Haven't accepted it yet! ;-)  I did hear from some of my DoD friends that there are now many who groan when they hear the term "cyber" even in DoD conversations, so perhaps the term will fall out of favor with most. Stay tuned.

 
Joe Stanganelli,
User Rank: Ninja
11/27/2015 | 11:42:25 PM
The perennial struggle
I remember my best friend and I having a discussion like this 20 years ago.

People talked about this in the '90s, and they haven't stopped.  Maybe we should just accept it already.
PaulV238,
User Rank: Apprentice
11/25/2015 | 8:38:29 AM
New word for Cyber
What about technical security? Separates us from the physical guys, but is still broad enough to encompass IOT, mobile, network, PC . . .