The Council of Economic Advisers recently released a report that examines the cost of malicious cyber activity to the U.S. economy. The report cites many of the usual findings from the Verizon DBIR and Ponemon reports. Nothing new to those of us who live and breathe cybersecurity. However, the report caught my eye because it offers some very insightful definitions that may help the infosec community.

According to the report, there is still no common lexicon for categorizing malicious cyber activities. The report does not seek to solve that problem, but the authors may have unintentionally assisted in moving us closer to a common lexicon.

The report cites the NIST definition of a cybersecurity incident as a violation of an explicit or implied security policy. The report authors go on to distinguish the difference between successful attacks, specifically cyberattack and data breach:

As defined by the Director of National Intelligence, a cyberattack intends to create physical effects or to manipulate, disrupt, or delete data.  In contrast, a data breach may not necessarily interfere with normal business operations but it involves unauthorized movement or disclosure of sensitive information to a party, usually outside the organization, that is not authorized to have or see the information, according to the Department of Homeland Security. (Italics are mine)

By combining two separate definitions from two sources, the Council has effectively made a very accurate distinction between two terms that are often improperly woven into one confusing, endlessly debatable mess. If that definition isn’t clear enough they include a perfect analogy:

Analogously to property rights terminology, a cyberattack destroys property or makes it unavailable for use, and a data breach amounts to property theft.

That is sweet!

The entire report is worth reading, and it is especially recommended to students who are new (Read more...)