Today, I would like to call your attention to a new paper from Microsoft Corporate Vice President for Trustworthy Computing Scott Charney called “Rethinking the Cyber Threat – A Framework and Path Forward.”

In my own opinion, this is a very important paper for industry and government, because the deconstruction helps define a common language and set of terms to enable discussions – and – can help us plan and make progress on the categories independently from one another.  For example, internationally, countries may be able to move forward rather quickly (in agreement) on the area of cyber crime, while more extended conversations take place to define norms on areas like cyber espionage.

There are three areas from the paper that I think represent key progress in terms of enabling us to separate issues that are too often conflated:

  1. Six distinct factors that make understanding and quantifying cyber threats a real challenge: many actors; many motives; indistinguishable attacks; shared and integrated infrastructure; unpredictable consequences; and potentially disastrous impact.
  2. The attribution problem and why it is key to classifying and taking appropriate action.
  3. Separating cyber threat into four related but independent categories around which government and industry can make progress:
    • Conventional Cybercrime: Where computers and people are targeted for traditional criminal purposes such as fraud and identity theft, or where computers are used as tools to commit traditional offenses like the distribution of child pornography.  Traditional law enforcement mechanisms can help, and already are helping, to address this issue.
    • Military Espionage: It happens and it is not cyber crime.
    • Economic Espionage: Economic espionage is distinct from both crime and military espionage, and, culturally, different countries may hold very different opinions about the appropriate response.
    • Cyber Warfare: Cyber warfare is a particularly difficult area, because the Internet is a shared domain and it’s difficult to separate military and civilian targets.

Note that all four categories depend strongly on developing better attribution, since without it we cannot even identify the appropriate category and bring in the right parties.  Another area emphasized in the paper is the need to figure out where action can be taken even when attribution is not 100%.  For example, if you detect someone attempting to change grades at the local high school, you may be able to categorize the incident with a high degree of probability without knowing the attacker’s identity.

Download and read:  Rethinking the Cyber Threat – A Framework and Path Forward.

Scott’s blog post on the “On the Issues” blog: The Cyber Threat - Deconstructing the Problem to Promote Comprehensive Dialogue and Action

I’d love to hear your thoughts on this paper and discuss it with you, either here on the blog or on Twitter @securityjones.

Best regards ~ Jeff