Precise terminology is an essential building block for effective cybersecurity policies.
BSA recommends the following definitions for commonly used terms as policymakers craft new cyber laws.
Certification may be defined as “third-party attestation (i.e., issue of a statement) that specified requirements related to products, processes, systems or persons have been fulfilled.”
A civilian entity may be defined as “a government organization or government-sponsored organization that does not have primary responsibility for law enforcement, intelligence collection or analysis, defense, or the armed forces.”
Consistent with the Budapest Convention on Cybercrime, computer data can be defined as “any representation of facts, information or concepts in a form suitable for processing in a computer system, including a program suitable to cause a computer system to perform a function.”
Consistent with the Budapest Convention on Cybercrime, a computer system may be defined as “any device or a group of interconnected or related devices, one or more of which, pursuant to a program, performs automatic processing of data.”
Continuous monitoring may be defined as “the ongoing or near real-time process used to determine if the complete set of planned, required, and deployed security controls within an information system continue to be effective over time in light of changing information technology and threat development.”
A countermeasure may be defined as “an automated or manual action or actions to modify, redirect, or block information known or suspected to contain cybersecurity threat indicators that is stored on, processed by, or transiting an information system, for the purpose of protecting an information system from cybersecurity threats. A countermeasure is a defensive measure conducted on an information system:
- Owned or operated by the party to be protected;
- Operated on behalf of the party to be protected; or
- Operated by a private entity providing electronic communication services, remote computing services, or cybersecurity services to the party to be protected.”
As with critical infrastructure, the definition of critical information infrastructure may require modification based on the context and intent of its use. In general, critical information infrastructure can be defined as follows:
“Critical information infrastructure refers to information and communications technology systems that are themselves critical infrastructures or that are essential for the operation of critical infrastructures, such that their destruction, degradation, or unavailability would have a large-scale, debilitating impact on national security, public health, public safety, national economic security, or core government functions.”
Definitions for critical infrastructure may need to be broader or narrower, depending on the context in which the term is being used. Moreover, beyond a legal definition of the term, a national government should maintain risk-based processes for identifying specific critical infrastructure assets, services, and systems.
However, in general, critical infrastructure can be defined as follows:
“Critical infrastructure refers to those assets, services, and systems, whether physical or virtual, which, if destroyed, degraded, or rendered unavailable for an extended period, would have a large-scale, debilitating impact on national security, public health, public safety, national economic security, or core state or federal government functions. Specific critical infrastructures are identified based on analysis of criticality, interdependency, and risk.”
A cyber attack can be defined as “an action intended to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system.”
Consistent with the Budapest Convention on Cybercrime, cyber crime may be defined as follows:
“Criminal offenses against the confidentiality, integrity, and availability of data and systems or unauthorized access to systems, to include the following actions, when committed intentionally:
- Illegal access: the access to the whole or any part of a computer system without right.
- Illegal interception: the interception without right, made by technical means, of nonpublic transmissions of computer data to, from, or within a computer system, including electromagnetic emissions from a computer system carrying such computer data.
- Data interference: the damaging, deletion, deterioration, alteration, or suppression of or denial of access to computer data without right.
- System interference: the serious hindering without right of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering, or suppressing computer data.
- Misuse of devices: the production, sale, procurement for use, import, distribution or otherwise making available of (a) a device, including a computer program or computer code, designed or adapted primarily for the purpose of committing any of the offenses listed above, or (b) a computer password, access code, credential, or similar data by which the whole or any part of a computer system is capable of being accessed, with intent that it be used for the purpose of committing any of the offenses listed above.”
A cybersecurity incident may be defined as “a single, or series of, identified occurrence(s) of a system, service, or network indicating a possible breach of information security policy or failure of security controls, or a previously unknown situation that may be relevant to the security of the system, service, or network.”
Cybersecurity services may be defined as “products, goods, or services, that are primarily designed to detect, mitigate, or prevent cybersecurity threats.”
A cybersecurity threat may be defined as “any action that may result in unauthorized access to, exfiltration of, manipulation of, harm of, or impairment to the integrity, confidentiality, or availability of an information system or information that is stored on, processed by, or transiting an information system.”
A cybersecurity threat indicator may be defined as follows: “information that is necessary to describe or identify:
- Malicious reconnaissance, including anomalous patterns of communications that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat or security vulnerability;
- A method of defeating a security control or exploitation of a security vulnerability;
- A security vulnerability, including anomalous activity that appears to indicate the existence of a security vulnerability;
- A method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to unwittingly enable the defeat of a security control or exploitation of a security vulnerability;
- Malicious cyber command and control;
- The actual or potential harm caused by an incident, including a description of the information exfiltrated as a result of a particular cybersecurity threat;
- Any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law; or
- Any combination thereof.”
A defensive measure may be defined as “an action, device, procedure, signature, technique, or other measure applied to an information system or information that is stored on, processed by, or transiting an information system that detects, prevents, or mitigates a known or suspected cybersecurity threat or security vulnerability.”
Information security may be defined as follows: “the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction to provide:
- Integrity, which means guarding against improper information modification or destruction, and includes ensuring nonrepudiation and authenticity;
- Confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
- Availability, which means ensuring timely and reliable access to and use of information.”
An information system may be defined as “a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.”
A standard may be defined as “a document, established by international consensus, approved by a recognized body, and widely adopted that provides, for common and repeated use, rules, guidelines or characteristics for activities or their results, aimed at the achievement of the optimum degree of order in a given context. Standards are voluntary agreements, developed within an open process that gives all international stakeholders, including consumers, the opportunity to express their views and have those views considered. This contributes to their fairness and market relevance, and promotes confidence in their use.”
Risk can be defined as “an expression of the effect of uncertainty on cybersecurity objectives, as understood through the analysis of identified threats to a product or system, the known vulnerabilities of that product or system, and the potential consequences of the compromise of the product or system.”
A security control may be defined as “a management, operational, or technical control used to protect against unauthorized efforts to adversely affect the confidentiality, integrity, and availability of an information system or its information.”
A significant cybersecurity incident may be defined as “a cybersecurity incident resulting in:
- Unauthorized access to, denial of access to, or damage, deletion, alteration, or suppression of data that is essential to the operation of critical infrastructure; or
- The defeat of an operational control or technical control that is essential to the security or operation of critical infrastructure.”