What is a Threat?
Defining Term Seen as Helping to Safeguard Privacy

What is a threat?

The answer seems obvious, especially in the context of IT security and information risk. Yet is it, particularly when developing codes and standards, or when funding research and development initiatives with taxpayer money?
I hadn't thought much about the definition of the term "threat" until this past week, when EPIC - the Electronic Privacy Information Center - submitted comments on a proposed update of the Federal Cybersecurity Research and Development Strategic Plan, which, according to the Federal Register, addresses the continued criticality of R&D in ensuring the nation remains on track to develop innovative tools and capabilities to address cybersecurity threats.
Here's what EPIC, in its filing, says about defining threat:
- "The strategic plan makes numerous references to 'threats' without fully identifying what constitutes a threat. The strategic plan references the Fiscal Year 2010 Report to Congress on the Implementation of the Federal Information Security Management Act of 2002 as a resource for 'further data on the size and nature of threats,' yet even this document fails to adequately define and narrow the term 'threats.'"
Earlier this month, I wrote a story and a blog about draft guidance being developed by the National Institute of Standards and Technology that defines IT security terms (see NIST Revising Glossary of Infosec Terms and Quantifying the Growth of IT Security). How does the draft define "threat"?
NIST's 3 Definitions of Threat
NIST Interagency Report 7298 Revision 2 (Draft), Glossary of Key Information Security Terms, provides three definitions of the term "threat":
- Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image or reputation), organizational assets, individuals, other organizations or the nation through an information system via unauthorized access, destruction, disclosure, modification of information and/or denial of service.
- The potential source of an adverse event.
- Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets or individuals through an information system via unauthorized access, destruction, disclosure, modification of information and/or denial of service. Also, the potential for a threat-source to successfully exploit a particular information system vulnerability.
IR 7298 also furnishes definitions for threat analysis, threat assessment, threat event, threat monitoring, threat scenario, threat shifting and threat source, as well as advanced persistent threats, inside threat, insider threat, outside threat and outsider threat. Plus the term "threat" appears in dozens of other definitions in the glossary.
That's a lot of defining, and perhaps too many definitions to be useful when addressing threat in the cybersecurity landscape. It's a point EPIC makes:
- "Such an open-ended and broad use of the word 'threat' does not properly narrow the strategic plan's cybersecurity research objectives to relevant cybersecurity problems. EPIC objects to these particularly broad usages because they increase the risk of innocuous online activities being classified as 'threats' - thereby providing the pretext for the collection of user data. Therefore, [the government] needs to refine and clarify the definition of cyberthreat."
Being precise in defining "threat," or any other term for that matter, is crucial: a given term does not necessarily mean the same thing to different people, and people must be able to understand one another.
Take, for instance, the term "cybersecurity." As addressed in a blog posted earlier this spring - Can You Define Cybersecurity? - being misunderstood on cybersecurity could have devastating consequences. Improving understanding, through language or by actions, was behind U.S. Defense Secretary Leon Panetta's joint announcement with Chinese Defense Minister Gen. Liang Guanglie last May that both nations will cooperate on cybersecurity.
As Panetta says, it's extremely important to avoid misperceptions that could lead to a crisis.