ISO/IEC TS 27100 — Information technology — Security techniques — Cybersecurity — Overview and concepts [DRAFT]
The standard will provide an overview of cybersecurity, describing relevant concepts.
Scope of the standard
The standard will enable the concepts of cybersecurity to be shared and discussed.
It will compare and contrast cybersecurity with [the ISO27k version of] information security.
It will apply within an organization, in relationships between organizations and more broadly across society.
It will be particularly relevant to management.
“Cybersecurity has emerged as a critical topic globally. While it has similarities to information security, it is different. It is neither well understood nor defined nor standardized with different interpretations and disparate regulations, increasing costs and burdens for industry and society. The standard will guide stakeholders to help alleviate these burdens and create coherence.”
Content of the standard
The standards project started in 2018. It is due to be published at the end of 2021.
It is at 2nd Working Draft stage.
To my critical eye, the current WD sets off to a bad start with the introduction:
- “Cybersecurity has emerged as a critical topic globally.” No, ‘cyber’ is a buzzword. Cynics say that cyber = budget. I’ve no problem with budget but cyber isn’t a helpful term. Worse than that, as commonly used to mean something vaguely relating to ‘IT, Internet and/or network security’, it is a retrograde step.
- “While it appears to be similar to information security and many of the information security controls, methods, and techniques can be applied to manage cybersecurity risks, cybersecurity is distinct and different from information security.” So, it is ‘distinct and different’? I just can’t wait to read about those distinctions and differences ...
- “Governments, regulators, businesses, media, and consumers across the world are now aware of cybersecurity as a risk to them and to society.” Cybersecurity is a risk! What a bizarre abuse of terminology! This sentence is pure smoke. Stuff and nonsense!
- “While cybersecurity has become a well-known topic, it is not well-defined or well understood.” I completely disagree that it is ‘well-known’: that is the crux of the mess that much of the world, and now SC27 as well, has got itself into. There are plenty of people spouting off about it but very few are making sense. Also, that sentence is self-contradictory. How can something that is ‘well-known’ not be ‘well-defined’ or ‘well understood’? In what sense is it ‘known’ without definition and comprehension?
The WD includes cyber-related definitions mostly from ISO/IEC DIS 27102, but for some reason introduces a new definition of cybersecurity as “safeguarding of society, people, organization and nations from digital risks”. Unfortunately, “digital risks” are currently undefined ... and in any case that explicit definition is only confused by further explanations/re-definitions of cybersecurity (occasionally ‘cyber security’) such as:
- “an application of information security cyberspace within the context of entities in physical space and people in social space.”
- “the activities of maintaining stability, continuity, property and safety of entities from risks inherent to the pervasive digitization which involves risk sources and increases the consequences.”
- “Core concept of cybersecurity can be characterized by the followings: (a) Incidents are triggered by intentional acts, or, attacks on digital devices, systems, machines, facilities or services; (b) The attacks abuse [sic] the Internet or other networks; (c) Incidents have severe impacts on the society, people, organizations and nations.”
- Something vaguely relating to the ‘consequences’ of various incidents (i.e. incidents having impacts ... which they all do, otherwise they are just events or situations). However, it proceeds to muddy the waters by stating that, for some reason, cybersecurity incidents don’t affect confidentiality, integrity or availability of information, a very curious interpretation that goes directly against the rest of ISO27k. The quoted examples are distinctly unhelpful, for instance claiming that a DDoS attack on critical infrastructure is not an information security incident but a cybersecurity incident “because of its significant impact”, implying that the extent of impact is a factor.
- “A cybersecurity framework can be described as program designed by an organization to maintain the cyber security of the entire organization’s assets to an established level of confidentiality, integrity and availability.”
Frankly, I’m still none the wiser. ‘Pervasive digitization’ indeed! Oh I despair! If there is any genuine meaning under there, it has been lost in translation, then hidden in a dense fog.
“Cyber-physical” is used in the text but is also undefined. Other cyber definitions are mostly self-referential and unhelpful.
The WD repeatedly refers to “the cyberspace” and at least once “a cyberspace”. It appears to mean the Internet, so why not say so? Instead, it completely confuses matters with nonsense such as this: “Cyberspace is digital mapping of physical space and social space.” So now it’s something to do with digital mapping? Later, “cyberspace is digital intersection of physical space and social space”. ‘Digital intersection’?!! A blob diagram showing ‘real space’, ‘information space’ and ‘cyberspace’ blobs isn’t much help, even with the accompanying explanation e.g. “The information space is the space where information is available”, implying that there is an unnamed ‘space’ (whatever that means) where information is not available - a void perhaps, or a black hole?
I appreciate that it is tough to describe concepts but the current draft standard’s lack of clarity, inconsistencies and plain nonsense suggest that the concepts it is trying to express are not understood.
Summing up, in this one document we have several interpretations of ‘cybersecurity’, none of which actually makes sense or helps explain matters. So much for a standard that set out to provide an overview and describe relevant concepts!
I spot a naked emperor here. As I see things, the root of the problem is that there are two parallel cyber worlds:
- Critical national infrastructure: within the realm of government and defence, a significant concern is to protect the nation’s water, power, comms, financial systems, food supplies etc. from substantial attacks by foreign powers, terrorists or whatever through the Internet. Scary stuff! Those nations that are actively developing offensive capabilities in this area have a vested interest in other nations not developing their defensive capabilities ... hence I suspect some may be deliberately spreading confusion and frustrating attempts to bring clarity to this area among potential targets (through this international standard, for instance). It’s a delaying tactic.
- Plain old IT security, network security in particular: protecting digital data in general against deliberate attacks. This is the everyday world, nothing special - a subset of information security in fact. Move along please, nothing to see here.
Following the SC27 meeting in April 2019, WD2 includes editor notes that “digital risk” is undefined and “cyberspace” is an antiquated term. I’ll be looking on in amusement as the team seeks to clarify the meanings ... while also trying to distinguish this from just another information security or network security standard. Focusing on critical national infrastructure would take this and the other ISO27k cybersecurity standards to a different plane.