Can You Define Cybersecurity? Answering That Question Isn't So Easy
Sounds simple, yes? But, it isn't.
A just-issued paper from the European Network and Information Security Agency states that a harmonized definition of cybersecurity is clearly lacking, and that could make international cooperation in cyber defense a major challenge:
"The understanding of cybersecurity and other key terms varies considerably from country to country. This influences the different approaches to cybersecurity strategy among countries. The lack of common understandings and approaches between countries may hamper international cooperation, the need of which is acknowledged by all countries."
The paper is part of an ENISA initiative to develop a Good Practice Guide on how to develop, implement and maintain a national cybersecurity strategy, which would create a lingua franca among IT security practitioners throughout Europe and around the globe.
Efforts such as those proposed by ENISA are important. To be effective, cybersecurity must be an international endeavor, and for that to happen, IT security terminology must not be lost in translation.
Being misunderstood on cybersecurity could have devastating consequences. Improving understanding, whether through language or by actions, is behind U.S. Defense Secretary Leon Panetta's joint announcement with Chinese Defense Minister Gen. Liang Guanglie earlier in the week that the two nations will cooperate on cybersecurity. If politics makes strange bedfellows, so does cyber diplomacy. Many American leaders contend China is behind breaches of American government and business IT systems, pilfering military and trade secrets and intellectual property, a contention Guanglie dismisses.
Explaining the new cybersecurity cooperation, Panetta told reporters:
"It's extremely important that we work together to develop ways to avoid any miscalculation or misperception that could lead to crisis in this area."
Just as language evolves, so do cyberthreats and the systems they target, a point made by the authors of the ENISA paper. Any document defining how best to approach IT security must evolve because of the constant development and evolution of cyberspace and cybersecurity issues:
"The strategy will have to be a living document."
And, as the ENISA experts point out, evolving IT security strategy shouldn't be limited to emerging threats and new risks. Organizations evolve, too, so a cybersecurity strategy should address changes in how organizations improve and enhance the use of technologies.
That's true in any language.