The concept of “Cyber Security” is surely the attention grabber of the year. All security products and services enjoy a boost in their perceived importance, and in sales, merely by prepending the word “cyber” to their description. But how is cyber security different from just security?
It differs, but it is not an entirely different domain, at least not from the technology perspective.
Security protects against malicious attacks. An attack involves an attacker, an attack target, and an attack method, which exploits one or more vulnerabilities in the target. When speaking of cyber attacks, it is common to refer to a nation state attacking another, or to an organization attacking a state. Referring to unorganized individual hackers as executing “cyber attacks”, while a common trend, is a blunt misuse of the term “cyber” in its common meaning. And still, cyber security is not as dramatically different from traditional security as the term suggests.
Compared to “non-cyber” attacks, in the “cyber” case the attacker is usually far more resourceful, and the target is a system whose abuse has national implications, such as a large financial system, a nuclear power plant, a smart grid, and the like. A cyber attack involves a highly capable attacker targeting large-scale targets. This is how a “cyber attack” differs from just an attack. No national security implication, no “cyber”, please.
Counter-intuitively, the factor that does not differ significantly between cyber and non-cyber attacks is the technology involved, in terms of attack as well as defense. The attack methods are largely the same methods, and the vulnerabilities exploited are largely the same vulnerabilities, at least where the same standard systems are used. True, there are esoteric SCADA systems running proprietary software in power plants and other industrial facilities, and these certainly require a lot of attention. However, most components involved in cyber attack events are the same platforms we already know. A bank that counts as critical infrastructure mostly uses the same operating systems and web servers as any other firm. It does not run a completely home-grown operating system and web server just because it is a “cyber” target.
Cyber attackers are far more sophisticated than non-cyber ones. They are often state sponsored and presumably well organized. They are better funded, and may engage the best minds. But what is the practical implication of this? They have better research capabilities, and may have access to more zero-days. Stuxnet presumably set a record by exploiting 4 of them (some say 6) in a single piece of malware. Obviously, better funding and better minds imply more zero-days. I argue, however, that from the defense perspective, both the “cyber” defender and the traditional defender of any large corporation already assume that the attacker has access to some zero-day capability. No competent IT security manager dares to assume that all the malware his systems will ever confront consists of the known viruses his anti-virus software knows how to handle. Anti-virus tools are used to block the common 95%, but they are not a panacea. So, while the cyber defender has to defend against attacks involving 4 or 10 new, unknown attack vectors, the non-cyber defender is prepared to defend against one. Is this alone a qualitative difference between cyber and non-cyber defense? Probably just a quantitative one.
Cyber security is important because it involves higher-profile targets and more capable attackers. It thus requires more good security people doing their security work properly. In some situations it also involves additional skills pertaining to proprietary systems. Lastly, it requires dusting off holistic approaches and national security considerations, due to the sheer complexity of national security. Yet, at least from the technology perspective, it does not seem to qualify as an entirely new domain. It is the same security we know, just more of it.