Julie E. Mehan - Cyberwar, Cyberterror, Cybercrime and Cyberactivism

Cyberwar, Cyberterror, Cybercrime and Cyberactivism

An in-depth guide to the role of security standards in the cybersecurity environment

DR JULIE E. MEHAN, PHD, CISSP, ISSPCS

Every possible effort has been made to ensure that the information contained in this book is accurate at the time of going to press, and the publisher and the author cannot accept responsibility for any errors or omissions, however caused. Any opinions expressed in this book are those of the author, not the publisher. Websites identified are for reference only, not endorsement, and any website visits are at the readers own risk. No responsibility for loss or damage occasioned to any person acting, or refraining from action, as a result of the material in this publication can be accepted by the publisher or the author.

Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form, or by any means, with the prior permission in writing of the publisher or, in the case of reprographic reproduction, in accordance with the terms of licenses issued by the Copyright Licensing Agency. Enquiries concerning reproduction outside those terms should be sent to the publisher at the following address:

IT Governance Publishing

IT Governance Limited

Unit 3, Clive Court

Bartholomews Walk

Cambridgeshire Business Park

Ely, Cambridgeshire

CB7 4EA

United Kingdom

www.itgovernance.co.uk

Julie Mehan, 2008, 2014

The author has asserted the rights of the author under the Copyright, Designs and Patents Act, 1988, to be identified as the author of this work.

First published in the United Kingdom in 2008 by IT Governance Publishing.

ISBN 978-1-905356-48-5

Second edition published in 2014

ISBN: 978-1-84928-573-5

This book was originally written in an attempt to understand todays cybersecurity environment and how the application of existing international standards and best practices can be used to assist in the protection of information and information systems. Since its original issue in 2008, much has changed in the discussion of cyberwar, cyberterror and cybercrime. A significant amount of discussion has centered on the very definition of cyberwar and cast a spotlight on the dangers of hyperbole in the use of the term. Many credible security experts warn that apocalyptic metaphors, such as digital Pearl Harbor, divert attention from the real risks to information and information systems and from the mind-set necessary to identify and implement proactive information security. Understanding the real nature of the diverse threats becomes particularly important if we continue to address all inter-state cyber attacks as acts of war. Determining the appropriate legal response to an attack in the Internet environment becomes incredibly complex if the organizations or nations cannot determine whether they are dealing with state-sponsored attacks, foreign cyberespionage, domestic cyberterrorists, cybercriminals, or some form of cyberactivism.

This 2nd edition attempts to address the changed environment and provides an updated body of knowledge essential to acquire, develop, and sustain a secure information environment. We could not address this changed environment without including cyberactivism and information exfiltration in this revision. Nor could this latest edition be of value without addressing the challenges of protecting personal privacy and corporate intellectual property and the issues associated with an ever expanding information technology supply chain.

Each chapter concludes with a list of related references, as well as recommendations for additional reading. This book is intended to provide a foundation for developing further education and training curricula and products, as well as being useful to information security practitioners, system administrators, managers, standards developers, evaluators, testers, and those just wishing to be knowledgeable about the establishment and sustainment of a secure information environment.

The wild growth of the Internet continues to be one of the most remarkable phenomena in human history. It is much more than just a medium for communication it is the core of a global information infrastructure, which is influencing our culture at the same time as it insinuates itself into our daily lives. There are predictions that this phenomenon is changing everything from standards of literacy and monetary transactions, to the practice of medicine. Today, we add the unprecedented growth of social media and information exfiltration to the challenges associated with the expansion of the Internet.

Almost every new development has opposing aspects forcing a balance between positive and negative. For example, the automobile has provided us with new means of effectively and quickly covering distance and moving goods. It has also created pollution, caused innumerable deaths through accident and misuse, and has fostered a dependency on limited fossil fuel.

The rapid development of the Internet, information accessibility, and social media is also not without its benefits and costs. The Internet has become a universal trade space for economic transactions, government decisions, and social interaction. At the same time, the Internet comprises a largely unstructured terrain with challenges associated with legal limitations and rules. The result has been a digital wild, wild West with the Internet providing a fertile feeding ground for cyberwarriors, cyberterrorists, and cybercriminals and increasingly, those who steal information for reasons ranging from social activism and espionage to monetary profit. The varying types of cyber threats have become so persistent, the incidents so widespread, that organizations and their leaders have essentially become increasingly desensitized to the many oracles claiming cyberwar for each and every incident involving the Internet. Just do a simple search on cyber Pearl Harbor, cyber Armageddon, or cyber 9/11, and you will see just how overused and potentially misapplied - the term cyberwar has become.

Several cybersecurity experts, such as Bruce Schneier, have indicated that there is an inherent danger in the overuse of the cyberwar rhetoric. The result of everything being named as cyberwar potentially feeds a sense of futility and focuses the discussion away from the real danger: the constant and consistent threat to our intellectual property, our financial integrity, the security of our national and global power grids, and the persistent leakage of critical information from our government and commercial sectors.

Given that we might agree on the need to create some form of order in this cyber environment, the key question now is how? The establishment of internationally-accepted laws and regulations is one solution. The other is the proactive implementation of cybersecurity standards and best practices that allow for regularity and fairness in managing the broad issue of Internet security and structure without adversely affecting the cyber environments open architecture. The idea is to embrace the new information technology as a powerful positive agent for change without ignoring the dangers created by the deterministic nature of change.

I undertook the task of authoring this book to provide cybersecurity practitioners, managers, engineers, as well as educators, trainers, and others with a companion to guide them through the challenge of using national and international standards to address cybersecurity issues in an environment that is threatened by elements of cyberwarfare, cyberterrorism, cybercrime, cyberactivism, and cyberespionage/exfiltration.