The recent Office of Personnel Management cyber breach was not only a case of stolen federal employee and contractor data. It may also have been one of mistaken identity.
While the breach did take place in cyberspace and was certainly a crime, it did not constitute a cyberattack, Director of National Intelligence James Clapper testified last month. The incident was simply a case of stolen data, which does not fulfill the “working definition” of a cyberattack, he said.
The breach also doesn’t fulfill the Defense Department’s definition of a cyberattack, which describes a hostile act via cyberspace, with the intention to disrupt or destroy a system, asset or function.
However, the OPM breach does fulfill the National Institute of Standards and Technology’s definition of a cyberattack. According to NIST, a cyberattack is “an attack, via cyberspace, targeting an enterprise’s use of cyberspace” for a whole host of reasons including “stealing controlled information.”
To add another layer, a leading academic study on international cyber law, the Tallinn Manual on the International Law Applicable to Cyber Warfare, includes yet another interpretation of the word. A cyberattack is “a cyber operation … reasonably expected to cause injury or death to persons or damage or destruction to objects,” according to the manual.
As cyberincidents continue to grow in velocity, the widespread misunderstanding and overall ambiguity surrounding their classification have become increasingly apparent. While mixing up cyber terminology may seem harmless, doing so could have real-world consequences.
For example, if an action falls under the category of “attack,” the United Nations Charter grants the wronged entity the right of self-defense. Similarly, NATO members have agreed to defend one another in the case of a cyberattack.
“If they’re in the law, they have the weight of the law behind that definition,” said Gregory Wilshusen, the director of information security issues at the Government Accountability Office, in an interview with Nextgov. “Now, whether that’s a commonly used definition of course is something else.”
Cyberwarfare involves armed conflict conducted, at least in part, through cyberspace, according to DOD’s definition. It would include military operations being used to stop the opposing entity from effectively using cyberspace systems.
“Cyberwar is the most abused, almost as much as the term ‘war,’ which is used to describe everything from armed conflict to social campaigns against sugar and Santa Claus,” said Peter Singer, New America strategist and senior fellow, and author of the book, “Cybersecurity and Cyberwar: What Everyone Needs to Know.”
Ninety percent of the time people use the word cyberwar, they actually mean cybercrime, said Squadron Leader Emma Lovett, an expert on armed conflict with the Royal Australian Air Force currently on exchange at the Pentagon, during September’s Nextgov Prime conference.
Last year, as Sony Pictures was hacked and everyone from The New York Times to the FBI used the word cyberattack to describe the incident, President Barack Obama took a different approach, calling it “cybervandalism.” Lovett described her reaction to his choice of terminology as a “happy dance moment.”
Sometimes, the term used to describe a cyberincident was initially correct, but should be changed based on new information, GAO’s Wilshusen said.
For example, an incident could initially be classified as a cybercrime, but then should be changed to cyberfraud or cyberespionage or cyberterrorism, based on new information.
“If you start using espionage, you’re making a judgment on what the motivation of the attacker or the hacker is,” he said.
Wilshusen suggested one simple strategy for getting an initial understanding of a cyber term: Remove the word “cyber” and look at the definition of the underlying word.