The term cyber has gradually increased in significance in recent years, alongside information security, and beyond specialist circles. It has become acceptable, and even if the sensationalism of the term has worn off a little, it is used readily and widely. However, it still has a dramatic, almost mythical connotation.

It often comes as a prefix, attaching itself to established terms to lend them a certain gravity and impact: cyber attack, cyber crime, cyber espionage, cyber security, cyber warfare, etc. It has become a universally applicable term of security discourse.

The origins of a word

Delving into the etymology of the word cyber, the first word we come across is cybernetics, the control sciences _of _cybernetics, thus the Greek kybernetes, helmsman, together with his kybernetike (techne), the helmsman’s art, and finally the primary word kybernan, to steer.

In the book What Philologists Love – 27 Word Histories by Klaus Bartels, you will find the following explanation:

This “Greek” kybernetes was an interloper in Greek, with no related words, and we do not know from which “barbarian” land it washed up on the Greek coast.

So this description might suggest why we should really think carefully about the cyber issue – it is precisely this menacing uncertainty, this doubtful, unforeseeable quality that can abruptly make its presence felt from out of nowhere that causes us concern. Just like the Greeks felt about the sudden appearance of the kybernetes.

And in more recent literature, references to the word cyber can be found. In 1982, the American science fiction author William Gibson wrote the short story Burning Chrome. The hacker’s software described in the story is called Cyber Space Seven.

In an interview with the New York Times a few years later, Gibson revealed that in fact the word had no meaning. But he liked it all the same, if only for the sound of the word.

Cyber for businesses

The fact that the term cyber is so widely used makes it all the more important from a corporate point of view to limit it to a specific perspective in order to ensure that the areas of activity are better delineated in context and appropriately defined.

This should extend to cyber security assuming the quasi status of a significant facet of information security and information security management. This reflects the fact that cyber security incorporates everything that the company may wish to protect against premeditated attacks, threats, vulnerabilities and their consequences.

Despite the polyvalent usage of the term, cyber security should be aligned with every other aspect of a company’s information security. Naturally, that includes management disciplines such as governance and risk management.

In contrast with traditional, more static information security, the leitmotif of cyber security stems from its pronounced dynamism, which has a highly situational focus and is, according to the threat level, permanently adaptable in order to address subjects as they arise. This characteristic entails a continual process of improvement that ensures all defined requirements can be fulfilled. These result not just from company-specific security objectives, but also evolve naturally from the development of good practices, legal framework conditions and regulatory rules of play.

Shift in security models

The action sphere of traditional information security is expanded to encompass all cyberspace as we know it. This includes all the technologies associated with the internet and other networks (including the Darknet) and takes into account extended communication paths, processes, applications, data streams and information. From this, one can draw the following conclusions.

Starting with the major business areas of a company, one can incorporate various perspectives of cyber security that can contribute to a greater understanding of reality in terms of the significance of effective risks and threats:

• Cyber security issues should be considered beyond individual points of view (e.g. of information security). Otherwise, this may lead to misjudgment and further inappropriate activities and measures.
• Cyber security is not a purely technical issue, rather, it is a question of company strategy, management and processes.
• Cyber security requires efficient, rational processes, because pseudo-complexity and inertia can significantly counteract the aim of agile security disposition.

The development of a tailor-made cyber security strategy, then, comes from taking a bird’s-eye view beyond the company’s industry-standard framework, in order that security innovations and emerging threats and trends from other channels (e.g. Dark Net) are registered and tracked minutely.

Furthermore, national and international advances, strategies and tactics from the fields of business, politics and other organizations or industry groupings can provide a valuable basis for orientation. These include:

• ISB – Cyber-risks NCS
• ISB – SN002: National strategy for Switzerland’s protection against cyber risks
• EU/ENISA – EU Cyber Security Strategy
• ENISA – An evaluation framework for Cyber Security Strategies
• ENISA – National Cyber Security Strategies: An Implementation Guide

Orientation and further development of cyber security measures and projects in terms of a commonsense comparison.

Regulatory positions

In the guideline Corporate governance principles for banks issued by the Basel Committee on Banking Supervision in July 2015, the theme of cyber security and cyber risks is mentioned for the first time.

(…) cyber risks have captured the attention of regulators and bank executives alike after large-scale and coordinated denial of service attacks on banks and high profile criminal hacking (…)

it is interesting that mention is made of cyber risks in the Annual Report of the Swiss National Bank SNB. In other words, cyber attacks are being documented as concrete risks in the financial system for the first time, specifically in the context of the Financial Stability Board:

The FSB promotes international financial stability; it does so by coordinating national financial authorities and international standard-setting bodies as they work towards development of strong regulatory, supervisory and other financial sector policies. It also represents the link between sector-specific standard-setting bodies and the G20.

In Switzerland, FINMA (Financial Market Supervisory Authority) is naturally also concerned with aligning the Swiss basis with international standards, such as the Basel Committee.

That means FINMA, too, is concerned with Summarizing Corporate Governance of Banks (internal control system risk management). Here, they have combined different provisions – previously distributed in various circulars – in one circular and adapted the provisions in the light of findings arising from the financial market crisis and updated international standards.

This results in stricter regulations for corporate governance, internal control systems and risk management, as well as the first use of the term cyber to cover management of IT and cyber risks. This principle of IT and cyber crime is taken up in the 2008/21 Circular: Operational Risks – Banks.

If the new Principle 4, which concerns the cyber security requirements of FINMA, is considered, one sees that the previously mentioned dimensions are almost congruent with current standards of cyber security (NIST Cybersecurity Framework).

Cyber security standards

You can now find established standards that form a good basis for development of cyber security strategies:

• ISO/IEC 27032:2012 Information technology – Security techniques – Guidelines for cybersecurity
• National Institute of Standards and Technology – NIST Cyber Security Framework
• NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations
• NIST – Controls Database
• CIS – Center for Internet Security (a.k.a. SANS TOP 20) – Critical Security Controls for Effective Cyber Defense
• SANS TOP 20 Poster
• BSI Federal Office for Information Security
• BSI-CS_006 Basic Measures for Cybersecurity
• BSI-CS_013 Cybersecurity Exposure

The essence of cyber security

Cyber security takes more than just an uncritical compliance with regulations, standards and good practices. We have seen that the traditional, preventative perimeter security is no longer reliable enough. Today’s threats tend not to come from perimeter intrusions per se, as the regular, established point of view would have it.

With advanced persistent threats (APT), for example, it becomes clear that the defensive line has already been successfully breached at one or other of the sites of traditional information security and that hackers are able to lurk undetected behind enemy lines, perhaps without causing direct, visible damage at first.

The danger of attackers lurking for extended periods behind these apparent lines of protection is now more real than ever. This requires a paradigm shift among security experts and company management – a shift to security modeling.

In essence, it’s about aligning cyber security objectives with the anticipation of future, potential cyber risks and emerging threats with the objective of optimally preparing and positioning the company to offer the best defense against present and future developments.

The early discovery of targeted attacks through detection of anomalies (and by no means just technical anomalies) and rapid assessment of potential impact – that is, the optimal situational awareness of security in real time – are essential. And this is precisely the essence of cyber security.

This includes, in particular:

• Analysis of future cyber risks and threats, particularly from the perspective of changing technological, political and economical landscapes, to better forecast, anticipate and appropriately prepare for future dangers.
• Analysis of innovative anomaly-detection methods, by bringing together available network information, system logs and other data streams with new pattern mining approaches. High performance and scalability (big data) for comprehensive application – in conjunction and cooperation with others – beyond the company’s limits are vital.
• Design of module-based infrastructure models, which include diverse vertical levels from the present IT to perspectives of data streams, protected objects and service provision up to inter-organizational dependencies.
• Innovative strategies against attack scenarios (possible simulations), in order to forecast the impact of attacks on networked infrastructures and the effectiveness of counter-measures at various levels and from various starting positions.
• Unite to form interest groups, to bring together and combine cyber-related findings of each individual company and organization. This means the coordination of isolated anomaly-detection efforts and enabling and enhancing information exchange and mutual assistance between organizations and companies.

Conclusion

There is no simple Archimedean point of cyber security, only countless parameters, protection objectives, risks, threats and attack scenarios. The view of the whole is more than the sum of its parts. And the dangers also arise out of effects and tendencies the causalities and correlations of which we currently have little understanding.

Even the most refined cyber security strategy does not allow us to recognize, register, measure and detect everything. But that’s not to say that we should not engage intensively with cyber security. On the contrary – we find ourselves in a tricky center position. We know some things, we can get more in-depth information on others, and with a bit of imagination we can realistically recognize and register threat scenarios. From this perspective, cyber security is the concrete attempt to do our best for security.

About the Author

Flavio Gerbino has been in information security since the late 1990s. His main areas of expertise in cybersecurity are the organizational and conceptual security of a company.

Links

• http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
• http://www.bis.org/bcbs/publ/d328.pdf
• http://www.fsb.org
• http://www.jetzt.de/wortschatztruhe/wort-ohne-bedeutung-539102
• http://www.nist.gov/cyberframework/cybersecurity-framework-archived-documents.cfm
• http://www.nzz.ch/nzzas/cyber-attacke-gegen-ruestungskonzern-ruag-russische-hacker-enttarnen-geheime-schweizer-elitetruppe-ld.18562
• http://www.snb.ch/de/mmr/reference/annrep_2015_komplett/source/annrep_2015_komplett.de.pdf
• https://books.google.ch/books?isbn=0060539828
• https://ec.europa.eu/digital-single-market/en/cybersecurity
• https://web.nvd.nist.gov/view/800-53/Rev4/home
• https://www.allianz-fuer-cybersicherheit.de/ACS/DE/_/downloads/BSI-CS_006.pdf?__blob=publicationFile&v=2
• https://www.allianz-fuer-cybersicherheit.de/ACS/DE/_/downloads/BSICS_013.pdf?__blob=publicationFile&v=2
• https://www.bsi.bund.de/DE/Themen/Cyber-Sicherheit/cyber-sicherheit_node.html
• https://www.cisecurity.org/critical-controls/
• https://www.enisa.europa.eu/publications/an-evaluation-framework-for-cyber-security-strategies
• https://www.enisa.europa.eu/publications/national-cyber-security-strategies-an-implementation-guide
• https://www.finma.ch/de/~/media/finma/dokumente/dokumentencenter/anhoerungen/laufende-anhoerungen/rs-corpgovbanken/eb_rs_corpgovbanken_20160301_de.pdf?la=de
• https://www.isb.admin.ch/isb/de/home/ikt-vorgaben/strategien-teilstrategien/sn002-nationale_strategie_schutz_schweiz_cyber-risiken_ncs.html
• https://www.isb.admin.ch/isb/de/home/themen/cyber_risiken_ncs.html
• https://www.iso.org/obp/ui/#iso:std:iso-iec:27032:ed-1:v1:en
• https://www.sans.org/media/critical-security-controls/critical-controls-poster-2016.pdf