Cyber security as a profession seems uniquely prone to acronyms and obscure jargon.
Even the name 'cyber security' has replaced what we used to more prosaically call information or IT security. This obsession with jargon leads to poor levels of reporting in the non-specialist press, hype in marketing campaigns and, at its worst, misplaced strategies from governments.
In a keynote speech at the 2009 New York Television Film Festival, Ron Moore, writer for Star Trek and creator of the re-imagined Battlestar Galactica, described the secret formula for writing Star Trek: The Next Generation scripts: writers just inserted the word 'tech' into the scripts and let others fill in the blanks with scientific-sounding words later. A typical script would read thus:
La Forge: "Captain, the tech is overteching."
Picard: "Well, route the auxiliary tech to the tech, Mr La Forge."
La Forge: "No, Captain. Captain, I've tried to tech the tech, and it won't work."
Picard: "Well, then we're doomed."
At which point Data would suggest they reverse the flow of the other tech through the deflector dish, and save the day. I am a big fan of ST:TNG. I am less of a fan of the security industry's habit of 'teching the tech'.
How often have you read a sentence such as this: “A sophisticated APT using customised HTTP and weaponised malware poses a significant threat to the IP of the targeted organisations”?
That sentence is as meaningless as the Star Trek script, and yet those terms can all be found frequently on security websites, press releases and subsequently in the mainstream press. Even expanding the acronyms doesn't help with clarity.
What is an advanced persistent threat, and what is meant by tactics, techniques and procedures? Is there non-weaponised malware? Even 'malware' is meaningless to the average reader.
Clear language would help everyone immensely: “Clever, careful persistent hackers can, using a variety of tools and techniques, pose a significant threat to the corporate information of targeted organisations”. Using plain English is not hard, and moves cyber security from the realm of mysticism to the real.
Language also matters: we security professionals strive to get people to understand and do security better. We throw our hands up in collective despair when we read of the latest security failure resulting from common errors. We lament when management boards don't own cyber risk and allocate appropriate resources to solutions. Yet part of this problem stems from our collective use of jargon.
An APT is a vague and elusive problem, but hackers are real. Espionage is an understandable motive. Targeted emails and malicious software are concepts that need no specialist knowledge to understand, and about which countermeasures can be discussed and evaluated.
Proper understanding of cyber issues suffers from this flawed narrative. Too much is made in the media of nebulous concepts of cyber attack and cyber war, while politicians, who do not understand the issues but have to discuss them publicly, fall back on the same language. It's a vicious circle.
Even technical people struggle to translate security speak into English. How is an IT manager supposed to know what the threat of cyber attack means to their organisation, never mind justify spending money on the problem?
I'm not claiming that effective cyber security is an easy task. The modern business operates in a complex environment and needs to be able to make risk-based decisions. However, cyber security is underpinned by concepts that are well understood.
Computing is a scientific discipline. The underpinnings of the modern internet, and of the hardware and software that contribute to it, are principles and standards that are often decades old.
Even very technical security topics (encryption, forensic analysis, reverse engineering, obscure vulnerabilities) are concepts that anyone with an IT background will understand. Threat actors and consequent risks need no specialised knowledge.
Cyber security is neither magic nor theoretical physics. We do not need to deliberately obscure our methods, and should not assume that our readers are specialists, indoctrinated in the language and acronyms of the genre.
Clear language would not only help those trying to defend networks and systems, it would enhance the quality of public debate in a topic that is only going to grow in importance. It is time for the cyber security industry to embrace clarity, and say what it means.
Rob Pritchard is the director of Abstract Blue Consulting