17 August 2017

Australia to try taming unruly cyber words

By Stilgherrian

"Language matters. We know that in the offline world, and online is no different," says Alastair MacGibbon, Special Adviser to the Prime Minister on Cyber Security.

"Until such time as we are better able to define and explain why we use certain words, the broader public can't be involved in a debate that is really necessary for all of society to be part of," MacGibbon told ZDNet on Friday.

MacGibbon had just finished hosting a two-hour roundtable at the Department of Prime Minister and Cabinet (PM&C) to discuss an early draft of a document titled Words Matter: Australia's Cyber Security Lexicon -- although that title will probably change.

The intention, according to MacGibbon, is "to help define, as best we can, what these words mean, so that we can all be on a common page as we discuss cybersecurity issues". It has the "express purpose of engaging the broader public in what is probably going to be the greatest existential threat that we face as an economy".

One such set of words -- one of the phrases the draft document labelled "contentious cybersecurity terms", which were discussed at length in the roundtable -- is "cyber attack".

"That means certain things to government, and it means certain things in the mind of the public, but we need to make sure it means the same thing as each of us hears those words," MacGibbon said.

As the document itself notes:

'Cyber attack' is commonly used to describe generic malicious activity that is intended to cause harm to a computer network or system. But there are still significant variances in thresholds for the use of the term. 'Cyber attack' is used to describe a spectrum of events ranging from the innocuous (in the tens of thousands) through to singular destructive incidents. The use of a single term to describe such a broad spectrum of activity and impact has devalued the term and connotations associated with 'attack' have also led to an inflated sense of threat.

It has also led to confusion. One example is the government messaging during the 2016 Census debacle. Within the span of a few minutes, the denial of service attack both was and wasn't a "hack", and was and wasn't an "attack", depending on who was speaking.

The roundtable was held under a modified Chatham House Rule, with around 25 participants from key federal government departments, law enforcement and cybersecurity agencies, private industry, and academia. Your writer also participated.

As well as "cyber attack", the contentious terms listed in the draft were "cyber terrorism", "cyber warfare" and "cyberwar", "cyber weapons", and "active cyber defence".

The terms "cyber terrorism" and "cyber war" were seen as particularly difficult.

"'Cyber terrorism' implies terrorists have the ability to conduct sophisticated cyber operations that invoke terror in a population -- such as the destruction of dams or power stations," the draft read. "Although terrorists have never demonstrated that capability, the [term] 'cyber terrorism' is still frequently used to describe terrorist groups' use of the internet as a business tool for recruitment or propaganda, or low-level operations that in themselves do not instil any sense of terror."

"The term 'terrorists' use of the internet/social media' is almost always more accurate and appropriate than cyber terrorism."

The term "cyber terrorism" can be especially problematic in international contexts, because some nations' legal systems do classify the use of social media by dissidents as "terrorism".

"'Cyber warfare' and 'Cyberwar' are terms often used to sensationalise cyber activity between states, generally espionage, that does not equate to conventional definitions of warfare," the draft read.

"Avoid associating cyber incidents with warfare unless they equate to high-level tensions or conflict between states."

The draft also included seven "illustrative examples", which were short vignettes highlighting ways to improve cyber language.

One, for example, stressed the importance of clarifying any exaggerated or ambiguous consequences:

Statement: The cyber attack was highly damaging.
Better statement: The theft of sensitive information was a highly damaging act of cyber espionage.

The roundtable was the first step towards producing a final document. A new draft is expected in a matter of weeks, with a final version expected to be released well before the end of the year.

PM&C is also planning to develop "a range of social media products" based on the lexicon.

The roundtable didn't solve every issue, however.

The writer of the draft had strong views on the use of "cyber" as a prefix or adjective:

"The terminology used to describe security incidents and capabilities involving IT or the internet frequently employs 'cyber' as either a prefix or adjective. While both forms are often used interchangeably, the cyber prefix should be used when it creates a new concept with unique meaning (e.g. 'cyberspace') and the adjectival form should be used when limiting or framing a noun (e.g. 'cyber crime'). A space should be used when 'cyber' is used as an adjective (e.g. 'cyber policy') but not when used as a prefix (e.g. 'cyberspace')."

They also had strong views on the use of "cyber" as a noun or verb.

"'Cyber' should be used exclusively as a prefix or an adjective and does not have meaning as a standalone concept. 'Cyber' is often incorrectly used as a noun without a root term. For example: 'Cyber is a growing issue for both government and the private sector.' This form of usage encourages unclear thinking by encouraging the user to fill-in the blank with their preconceived notions. 'Cyber' should not be used as a verb."

One participant noted that "people seemed to be crying out for some sort of guidance in that space". However, your writer, as well as some other participants, felt that the world had already moved on.

One stylistic point was clear, though, best expressed by one participant.

"Hyphens are dead to us."

Disclosure: Stilgherrian travelled to Canberra as a guest of IBRS.
