The lack of a universal definition of Cyber Security is a challenge. Is it so expansive and dynamic that it is hard to define?
The World Economic Forum highlighted that two out of the top ten global risks in 2015 are Cyber Attacks and Data Fraud or Theft. The priority to secure the nation from such risks is getting bigger. So, the question that arises is, what all do we need to protect and how much should we do?
In the face of these fast moving developments in the technology sector coupled with strong interconnections amongst people and systems via cyberspace, the strategies and procedures for National Security need to adapt continuously. An effective strategy is needed to minimise new gaps that appear due to advancements in cyberspace. To go about this, we first need to look at
- the various types of Assets that need to be protected and how they can be classified
- the various Threats and Attacks possible and how they can be classified
- what measures are needed to protect these assets, how to prevent and deter such attacks and appropriately respond to, if an attack occurs.
National Security at a very broad level covers providing security of all assets that includes critical infrastructures and the citizens, protecting the economy and various operations, ensuring safety and health to public, countering any internal or external attacks, etc. Threats can be of various kinds like war attacks, terrorist attacks, etc. Tallinn Manual defines Cyber Attack as a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.
In all these set of assets, Information and Communication Technology (ICT) forms one key part of assets which need protection. ICT includes all forms of information storing and processing computer systems (hardware/software), electrical and electronic equipment, telecommunication equipment, etc. In cyberspace, in addition to the ICT infrastructure, information that is stored or transmitted is of prime value. Confidential information must be protected from illegal access and manipulation, and all information should be available for access when needed to the person(s) authorised . The goal of Information Security is to ensure the preservation of confidentially, integrity and availability of information stored in any form – be it digital (like in a hard-disk or memory device) or print like books or any other form that is possible. The term Information Security is used more in the corporate side to refer to information in the cyberspace.
To begin with, we can say that Cyber Security applies to security of ICT assets and all information related assets in cyberspace. ISO defines it as the “preservation of confidentiality, integrity and availability of information in the Cyberspace”. The Indian National Cyber Security Policy 2013 defines Cyber Security as a measure “To build a secure and resilient cyberspace for citizens, businesses and Government. To protect information and information infrastructure in cyberspace, build capabilities to prevent and respond to cyber threats, reduce vulnerabilities and minimize damage from cyber incidents through a combination of institutional structures, people, processes, technology and cooperation.”
The paper by Rossouw von Solms and Johan van Niekerk titled From information security to cyber security makes this distinction between Information Security, ICT security and Cyber Security. It also widens the scope of cyber security to include assets like people who could be indirectly impacted due to acts which use ICT-based systems as one of the means to carry out them. The paper argues that all of Cyber Security is not necessarily a subset of Information Security. Instead, there are cyber security threats that don’t form part of the scope of Information Security. Examples highlighted are Cyber bullying, threat to non-information based home assets that are automated, Cyber Terrorism, illegal sharing of data, etc. The Venn diagram shown below gives a high-level picture using the concepts listed above.
So, given the wider scope, Cyber Security can be considered as measures adopted
- to protect the assets (including people), which are part of cyber domain or have links with the cyberspace, from threats of attacks
- to preserve confidentially of information, integrity and availability of networks and infrastructure and
- to build a resilient framework to prevent, deter any attacks and accordingly respond to them in any event.
In the next blog in this series, we will elaborate on the Venn diagram shown above to break-down the various assets and categorise them into different security types. We will also take a closer look at vulnerabilities, types of threats and causes for cyber attacks.
Sudeep Divakaran is a Research Scholar at Takshashila Institution