The word on Information Security

Word games

Listed below are two sentences. Read each sentence in turn, close your eyes, and imagine the scene described:
  1. An elderly gentleman waiting patiently.
  2. An old geezer slouching in the corner.
How different were your mental images?
Were they of the same individual?
Who would you want to meet?

It is well known that the words we use have a noticeable effect on how we think and behave. This is generally referred to as marketing, propaganda, or more formally as persuasive writing. Used consciously, these specific word choices aid in conveying the full meaning intended. Compare the following two sentences that describe the same event:

  • The zoo handler was mauled by the mountain lion.
  • The zoo handler was nibbled by the mountain lion.
Of course the next sentence reads “I raised this one since she was a kitten and she always showers me with her affectionate kisses.” Intentionally or not, our word choices add meaning to the information we are attempting to convey. Words have meaning beyond their simple definitions. They have their own histories and double meanings handed down through the ages, and we ignore them at our peril.

Let’s play a game.

“A strange game. The only winning move is not to play. How about a nice game of chess?”
- WarGames, 1983

The list below contains pairs of phrases, each offering two possible ways of describing the same action or event. Imagine each event in your mind and think about the different emotional response each phrase evokes. For each pair, determine whether your response would be different:

  • Attacker – Criminal
  • Web attack – Vandalism
  • Phishing – Fraud
  • Virus – Vandalism

Welcome to the current state of Information Security. In attempting to grapple with the unintended consequences of the mainstream adoption of a new disruptive technology – computers – we have created an industry-specific lexicon of terms to define what we all are tasked to do on a daily basis. Beyond the spouse factor, i.e. answering the dreaded “what did you do at work today, dear?” question:

“I responded to a spyware outbreak on the corporate LAN and developed a long-term risk mitigation strategy.”
Sounds much more impressive than:
“I dealt with a few low-budget commodity untrained workers (management) goofing off and told them not to do it again.”
This lexicon of terms allows our industry to communicate about the Internet and the current methods of dealing with the challenges we face. In building this lexicon, we have followed both methods of word invention: we have coined new terms such as “the Internet” and borrowed others such as virus, firewall, and defense in depth. It is my proposition that we have fallen for our own marketing. Let’s talk a bit about how it happened, what its effects have been, and where we can go from here.

Well, how did we get here?

Blame it on a college student named Morris and his program that became known as “the Morris worm.” The Morris worm of 1988 had a huge impact on the fledgling Internet and acted as a wake-up call for securing this great collection of adult-oriented graphical content. This sparked the formation of the Computer Emergency Response Team (CERT) by the Defense Advanced Research Projects Agency (DARPA) in 1988. DARPA was and is part of the US Department of Defense, and as such was greatly influenced by the military lexicon. Fortunately, CERT came into existence when people were comparing self-replicating code to biological viruses. The use of medical terminology and crisis response (triage) seemed a natural fit; this led to the ideas of containment, virus, inoculation, and quarantine joining our industry lexicon. Those that can, do, and then they write about it. It was only natural that our industry gained a split personality of battlefield response and biological foes. History has always belonged to the winners.

Using our battlefield response technique, the early industry pioneers launched Operation Sun Devil in May 1990 as the opening attack on the hacker army. Cities were invaded, children were captured at gunpoint, and lives were ruined. In the end this cyber-Vietnam changed nothing, because there was no vast enemy to conquer. Realizing you can’t invade Detroit, Michigan every time some 16-year-old learns to program, military-style response quickly became unpopular. Just ask Steve Jackson Games:

“More than three years later, a federal court awarded damages and attorneys' fees to the game company, ruling that the raid had been careless, illegal, and completely unjustified. Electronic civil-liberties advocates hailed the case as a landmark. It was the first step toward establishing that online speech IS speech, and entitled to Constitutional protection...”
- Electronic Freedom Foundation, http://www.eff.org/legal/cases/SJG/.

Sticks and stones may break my bones …

But the words we use define us. Our industry lexicon has been defined by the backgrounds of the security pioneers, and I believe we have fallen for our own propaganda. We have defined the issues we face in military and medical terms without being faced by a foreign army or contagion. There is no vast army of pimply-faced 16-year-old hackers charging our defenses, and no biological weapons of mass destruction hiding inside our web browsers. These terms are not only inaccurate and degrading in and of themselves; they also lead us to find military- or medical-style solutions to deal with these imaginary adversaries. Then we wonder why we seem to be losing … So what are we here for? Let’s start with Information Security.
Information - data: a collection of facts from which conclusions may be drawn; "statistical data."
Security - measures taken as a precaution against theft, espionage, sabotage, etc.
Or how about Risk Management?
Risk - exposure to a chance of loss or damage.
Management - the act of managing something.
So, avoiding all industry-specific terms, let’s look at what we are actually supposed to be doing. Our job is to:
  1. Protect stuff from bad things
  2. Continually work to make it easier to do step 1.

Honest, officer, the virus did it …

OK, now we are getting somewhere! Let’s look at step one again and dig a little deeper. So we are in the protection racket, and we attempt to stop bad things from happening. We also try to reduce the chance that bad things happen. What are these bad things? Is it even a what? Could it be a who, how, where, or when? Using our current lexicon we protect stuff from: attackers, hackers, crackers, spyware, malware, adware, viruses, worms, terrorists, pirates, warez operators, script kiddies, etc. Take the term “malware incident” for example:
Malware - programming or files that are developed for the purpose of doing harm. Thus, malware includes computer viruses, worms, and Trojan horses.
Incident - an undesired event which under slightly different circumstances could result in harm to people, damage to property, loss to process, or harm to the environment.
So we diligently develop response plans to deal with malware incidents or “outbreaks,” and for trend analysis we track malware as a category, possibly with subcategories of spyware, adware, virus, etc. Can you see how the military and medical basis of our lexicon has come back to haunt us? How valuable is our trend analysis? Can it be used to predict future events? Is all malware created equal? Should we define some global severity for malware incidents? What is an incident anyway? Is it a crime, an accident, or a random event? Again, our job is to protect.
Protect - shield from danger, injury, destruction, or damage.
So if our #1 goal is to protect stuff, then does the category “malware incident” work? Let’s replace the word “malware” with “guns” and look at a current headline:
Microsoft to protect users against malware with Windows OneCare.
Gets changed to:
Microsoft to protect users against guns with Windows OneCare.

Who’s on first

The obvious question becomes: shouldn’t we protect our users from the bad person holding the gun? The problem is that the use of the term malware removes the source of the incident - the individual(s) who caused it. Malware is a program, and a program is nothing more than instructions that a computer follows. It exists to serve the purpose of its creator. Is “virus” even the appropriate word? The prevailing scientific view is that a biological virus is a random product of evolution with no intent of its own (unless it is being used in a weapon of mass destruction). A computer virus has a creator who has a definite purpose. There is intent, and that intent matters. By combining all replicating-code incidents into a single category called “virus,” we lose the ability to measure the threat landscape. Our categories must be based on intent if we are to understand the current threat landscape.

When faced with a new technology, we assume that we need new tools, terminology, and techniques to deal with it. This has been our failure. Our terminology assumed that a new tool somehow changed human behavior, when in fact we are dealing with the same old greed, malice, envy, and violence. The answer is so simple and obvious that we missed it. Computers are just a tool that allows the same old human nature to be expressed more efficiently. So our job is to protect stuff from crime committed by criminals. To move forward as a profession, Information Security needs to define its terms on a firm foundation that captures human intent.
