What is a cyber attack?

11:02 23 March in attack, Cyber security, Espionage

The phrase cyber attack gets used a lot, in a lot of different contexts. Any bad thing done over the internet is generally characterised by the media as a cyber attack. But does the phrase really mean anything?

This week South Korea was under cyber attack (see our last blog post). What had happened was that a number of South Korean companies had been targeted with malicious software which, at a predetermined time, deleted important bits of the infected computers operating system. On balance it seems fair to call this an ‘attack’. It was clearly intentionally malicious, but it was limited in it’s impact. There was no disruption to day to day to life of South Koreans, and outside of the small number of targeted companies, no real impact at all. Thats not to down play the significance of the incident, or the cost and disruption to the affected company, just that headlines proclaiming a cyber attack on South Korea are a bit over blown.

China is often accused of launching cyber attacks against the US. The purpose of this activity is espionage – there appears to be no intent to cause disruption (although of course  cyber espionage does cause disruption when it is discovered. The clean up can be time consuming and expensive). Activity like this seems less clearly to be an ‘attack’. Denial of service attacks are, pretty much by definition, an attack, although again limited in scope and impact.

This may seem like a minor point, but language is important. In the physical world we don’t talk generally of ‘physical attack’ and mean anything from a burglary through to spying. The broad use of the phrase cyber attack, and the undue significance attached to it, make decision making and risk management difficult. Defending against an ‘attack’ is hard – preventing espionage is more concrete. Espionage has a scope and a purpose. Attack is an emotive word, which suits headline writers, but risks to the information and systems of organisations are real, tangible things. Using appropriate, clear, language makes managing these risks that much easier.