“Cyber” is a lazy term that references anything connected to a computer, network, the Internet, or information technology writ large
Even when connected with “security” the term can be misleading. How does cyber security differ from information security and is the difference that significant that it deserves a separate idiom? While “cyber” may be a simplified term to use, its use does nothing to help define or explain the information environment, and this becomes a problem when nation states try to collaborate on the implications of all things – security, intelligence, warfare, espionage – associated with “cyber.”
On the international stage, there is no consensus on the use or definition of “cyber” particularly among the global cyber powers. Countries like China and Russia approach cyberspace holistically, taking into account not only the technology in the architecture, but also the actual data that traverses or is stored on it. Conversely, the United States has maintained the position that cyberspace focus on technology and the systems and networks that comprise it. Without a consensual definition in place, it is unsurprising that the global community via international fora such as the Shanghai Cooperation or the United Nations Group of Experts in the Field of Information and Telecommunications in the Context of International Security (GGE) to date has continually failed to reach an agreement trying to codify a nation state norms of behavior in cyberspace. Case and point: while many hoped the June 2017 GGE meeting would prove to be a watershed moment in getting the elusive international consensus on cyber norms, it ultimately proved a failure calling into question if common ground will ever be achieved.
As governments try to develop security strategies and national level doctrines to address digital domain threats, it is apparent that those that view cyberspace in the narrow perspective of technology may not be fully understanding the full scope of the threat. There is a substantial amount of attention given to malware, botnets, and the types of attacks that can occur in the digital domain. The potential destruction of information systems as observed in 2010 with Stuxnet or the 2012 wiper malware that targeted Saudi Aramco, among others, underscores the fear of the types of attacks that could be directed against critical infrastructures. Cyber attacks against these targets have been observed against power, dams, nuclear power plants, SWIFT global bank messaging system, and a steel mill.
While protecting critical infrastructure and bolstering the security mechanisms around them is important, the potential use of information as an influencing agent may be a more dynamic and immediate threat. The types of information operations that allegedly occurred during some countries’ presidential elections demonstrates the low-cost, wide-reaching type of non-lethal attack that can achieve strategic objectives. Influencing audiences and destabilizing election processes are just some potential objectives that can be achieved. In some instances, information campaigns have helped drive changes in regime as the “Color Revolutions” and the “Arab Spring” have demonstrated.
What history has taught us is that a strategic use of information (via traditional media outlets, as well as social media platforms) can have a significant effect on a target audience without having to destroy or manipulate information systems. Failing any manipulation of information systems or information resident on them, none of these activities would be considered as falling under the criteria of what constitutes a cyber “attack” (e.g., denying, degrading, disrupting, destroying, or manipulating information systems and/or the information resident on them).
Somewhere along the line, “cyber” has become an ill-suited catch-all that can be interpreted in many ways. And that’s where it falls short. Some view “cyber” as a domain in which advanced tools and exploits can be leveraged to purposefully impact systems and/or the information resident on them to achieve maximum physical effect. And while these attacks remain a key tactical and complementary component of a larger information warfare campaign (more so now than in the late 90s due to improved connectivity and advanced technology), they are merely one facet. The move to the adoption of “cyber” has diminished acknowledgement of information’s integral role as an influencing agent in soft-power conflict that can undermine political, economic, and social stability, and that is a mistake.
Those focusing on the digital perspective risk being caught behind the eight-ball, by not acknowledging the potential information has in inspiring turmoil, and even regime change.
And that requires moving from a position that only technical attacks that shut down networks, destroy information, impact systems, in cyberspace is the only great threat deserving nation state attention.
About the author
Emilio Iasiello has more than 12 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in peer-reviewed journals and blogs. Follow Emilio on Twitter