Cyberwar. Cyber-weapons. Cyber super-power. Cyber-attacks…
The entire cyber jargon is tainted in camo colors, making it look like a bloody battlefield. As with many other things, this too is to be blamed on popular films and TV shows from that horrible decade, the 80’s, which created such a powerful image of the military hacker – playing with national level networks and nearly causing a nuclear war between the US and the USSR – that it remains with us to this day (funnily enough, the military cyber capabilities of the time were way below what was depicted in popular media). And today, it is clear that military forces worldwide have embraced the digital battlefield and most nations now possess some very potent cyber weapons. But, as true as this may be, the fact that the military lingo has completely engulfed the cybersecurity lingo is detrimental to the very success of cybersecurity efforts in non-military organizations.
Because language creates perception and reality. When decision-makers are presented with estimations about their organization’s (which could be a retailer, pharma or education institute) capability to defend (a military word) itself against attackers (another) and their weapons (oops), they automatically rewind the film in their heads to that 80’s film and think “Cyberwar”. This is wrong on so many levels, and can have serious negative implications on this executive’s decision-making process.
First – while there are military actors in cyberspace, the overwhelming majority of harmful activities are conducted by criminals and hacktivists. Thinking about a military adversary (yet another military term) is almost always looking at the worst-case scenario, and as such, usually leads to paralysis – how can we defend against the Chinese/Russians/Americans?
Second – the majority of tools (not weapons) are not military grade, but are developed and sold by commercial entities operating in the grey area between legitimate software (and even InfoSec) companies and cybercrime. These tools are not Stuxnet-grade secret weapons that no one knows about or can protect themselves against – they are usually re-used malware which, for the most part, has been known for years.
Third – looking at this problem from a military perspective distracts us from seeing what it really is – a business problem. Instead of calling the “bad guys” adversaries, let’s call them fraudsters or criminals (even the word “hackers” is too glorifying in my mind, as most people that deal with cybercrime have little to do with actual hacking or programming). The “weapons” they are using? Tools. Their goals – not to conquer or dominate, but to steal and disrupt. And our “defensive” jargon should be changed as well. Firewalls, perimeter security, sensors, traps, etc. – let’s call them what they really are – business risk reduction measures, no different than buying insurance, installing a fire alarm or hedging currencies.
It is my belief that only once decision-makers, assisted by their technical counterparts (CISOs and their teams), start using business jargon instead of military jargon will they be able to make informed decisions considering the business impact of cybersecurity (or lack thereof). This will in turn force the technical folk to speak in business lingo – to present metrics, quantified data and KPIs – and will improve the cooperation between these two very different functions within the organization.
So please leave the military lingo at home, or even better – in 80’s-style movies, and use the business lingo at your workplace. If you don’t wear uniforms to work, don’t sleep in a tent and don’t carry a rifle, you will be better off like this.