Red Means Stop, Cyber Means Nothing
Overuse of the term has become a word hazard.
Emerging technology, state actors such as Russia and China, and nonstate actors including ISIS, are often quoted as some of the greatest threats to computer and network security. But before the United States can engage with these threats effectively, the war against words must take place.
One place to start is by eliminating the word “cyber” as a descriptor. The term has been used and overused, manipulated and exploited so many times and in so many places, it has become meaningless. What individuals or organizations mean or want when they use it is impossible to say. It’s time to scrap the word altogether and instead specify technical concepts at a more granular level.
Imprecise definitions early in the development of the Internet were likely one of the major causes of terminology misuse. Subsequent Internet Engineering Task Force (IETF) glossaries and many other attempts at capturing the etymology of the term cyber focus on the glamorous quality of the word, which causes these reference guides to discount the technical aspects of its meaning.
No one knows what cyber means because it is no longer a precise term. Only when technologists, policy and decision makers, leaders and warfighters use words that have specific definitions can they begin to discuss real solutions to technical problems.
It is always possible to replace cyber with more accurate words. For example, a cyber lab is usually a classroom filled with computers, so it should be a computer lab. Tesla’s new cyber truck runs on electricity, so it is an electric truck. The concept of cyber warfare is the idea of a war waged over computer networks, so it is computer network warfare.
The same is true about cybersecurity, which describes efforts to secure and defend networked devices. Actually, the accurate term is computer network security.
And, words are more complex than their dictionary definitions. For example, depending on the context, cybersecurity can mean information or physical security of network devices. This confusion is counterproductive to any practical security solution.
Another example is the concept of cyberspace, which is so comprehensive and abstract that it is impossible to know the topic without further explanation. Most agree cyberspace consists of the physical, logical and cognitive. Within each of these are even more categories. The physical aspect of cybersecurity could refer to computers, servers and networking devices such as routers and cabling, while the logical and cognitive aspects may involve data packet behavior on networks and user personas. Without further clarification, it is impossible to know which aspects are the topic of discussion.
People who defend using the term argue official publications, such as formal government and policy documents, often define cyber within the material. However, the organizations use the word so liberally, it is almost impossible to discuss the contents without using such terms. As a result, readers first must understand the given definition to interpret the body of the text.
Derivatives of cyber have been used in reputable publications that offer imprecise definitions. In 1993, the IETF defined “cyberspace” in Request for Comments (RFC) 1392 by citing William Gibson’s novel Neuromancer, which is not a technical definition suited for scientific operational use.
Many definitions use the term cyber in the definition itself, compounding confusion about the meaning of terms. For example, Joint Publication 3-12 defines cyberspace operations as “the employment of cyberspace capabilities where the primary purpose is to achieve objectives in or through cyberspace.”
While it is reasonable to say an overarching term that includes all three aspects of cyberspace is necessary, any such overarching concept should rarely be the default term. Overuse of blanket terms such as cyber or cyberspace only facilitates ambiguity and confusion unless explained in more detail. Those who talk about the concept of cyberspace are more likely to be too disconnected from the problem to offer a solution.
To implement a real solution to a technical problem requires people with technical expertise to identify threats and vulnerabilities and implement practical ways to defend from or eliminate them. The answer to every technical question is not a cyber solution: It is a software or a hardware solution. Perhaps a patch or a system update is needed. The solution depends on the problem, and the word cyber does not capture the nature of these problems.
This emerging field requires technologists as well as leaders who understand the nature of a threat. Before they can do that, they must be able to describe it. For example, when the June 2015 Law of War Manual uses the term cyber, it specifies the activities that fall within each context. It describes malicious cyber activities as “defacement of websites, network intrusions, the theft of private information, or the disruption of the provision of internet services.” This is a good practice. The solutions to any of these actions are specific, and the solution to one would not work for the others.
There are at least three ways to conduct war on technical terminology. First, funding for government, military, business or academic programs should not rely solely on word usage in job titles or the names of military units. Leaders of all trades must genuinely understand the activities and objectives at all levels within an organization. Realistically, this type of change could take an entire generation to achieve.
Second, as leaders across all industries become more technically proficient, higher echelons of the government should use buzz terms such as cyber with more discretion. These terms trickle down to all levels of government, military, business and academia, who blindly adopt them for everyday use, which impedes progress toward solutions to technical problems.
Third, individuals must recognize knowledge gaps in their own technical competence and seek technical expertise. As a result, they will be able to speak smartly about technical issues and implement practical solutions to problems at every level.
Disclaimer: The views expressed here are those of the author and do not reflect the official position or policy of the National Intelligence University, Department of Defense or its components, or the U.S. government.
M.D. Miller is a faculty member at National Intelligence University and is GIAC Penetration Tester (GPEN) certified.