Internet news events are reported daily about computer abuse, hacking, data theft and malware, nationally and internationally. The concept of cybersecurity, as a term, appears bounced around by writers, scholars, politicians, and news media, short of carefully determining what it encompasses and how cybersecurity relates to the Internet. Around the world the term is used loosely as well and causing debates. The same can be said of ‘data security,’ it’s sibling. From an operational aspect of advising clients, a clear understanding is needed of what we are talking about. It is also important as notice letters are devised to send to the affected public in the event of a cyber incident regarding a data breach, cyber-attack, or cyber theft. When an entity is developing policies, it is important to define these clearly for the benefit of personnel training, administrative audits, cyber audits, compliance reviews, cloud contracts, data storage agreement, and even securing insurance coverage. Unfortunately, the terms have been used interchangeably and been misused. The term ‘cyber’ began to be loosely used after President Obama referred to the subject by using the term ‘cyber’ in seeking to appoint a ‘Cyber Adviser.’ What would have been more appropriate term was ‘data security,’ because the issue was about data and information protection of physical information. Ever since, the terms have been loosely used by academics, in and around state legislatures and as well among members of the U.S. Congress in their usual parlance. However, operationally, in practice dealing with clients and their issues, the terms should not be dealt loosely and should be termed appropriately. Not ironing out these terms and their applications will draw countries to not see eye-to-eye on how to cooperate on cyber events, when cyber events have a global impact as did the WannaCry malware.
This post seeks to clarify the terms to avoid further misuse and mischaracterization of the terms when they are referred to in business and in entity operations, policy implementations, and in legal discussions. As they are loosely used, they are given the meaning for protecting information from unauthorized access, and that had made some sense. The failure to distinguish allows for gaps in insurance coverage and misdiagnosed issues in audits and in personnel evaluations for their performance measures. The same can be said that by the failure to make the valid distinction, appropriate information technology performance is as well misdiagnosed. In governmental policy circles cybersecurity is the prevailing nomenclature, however, the federal legal provision that addresses cybersecurity is termed as the Federal Information Security Management Act (FISMA). Among information technology professionals and in select industries, such as in accounting, financial, and in the medical areas, the term referred to as is information insecurity. Yet that terminology requires clarification because an important consideration is the actual form of of the information.
As we consider the form of information and its means, we also need to realize the differences. The Internet and the digital age is here and the information that we derive from digital networks and process means can be termed data, digital documents, digital records, as opposed to physical information. Once that physical information is digitized, it becomes digital data. For purposes of addressing systems, networks, and platforms, cyber security is most appropriate. For purposes of addressing the element of communication, or what is being transferred, sent, stored, or received, data security is most appropriate. As files are maintained any entity’s concern is appropriately with its network integrity or network security. Because of the interface of servers being accessed amid multiple users accessing, transmitting, and sharing the data, the practical reference is cybersecurity as it addresses the integrity of the system managing the activities and functions of the digital features of the data. So, cybersecurity is the macro systemic interface activity of networks, Internet, Intranet, email trunks, remote access relays, and data channels involved in the transmission, storage, and maintenance. Hence, cyber security is about the system. The technical application of the term is cyber security involves the technologies, algorithms, software, networks, and devices to protect the amalgamation that comprises the computing system from intrusions and to conduct diagnostics of its security system.
Data security is the process of addressing unauthorized access. As data-security is applied, the issues discussed cover unauthorized disclosure and access, breach of confidentiality, and misappropriation. Such characterization gives rise to a focus on the management or administration of data that is transmitted through the system. This gives rise to the concepts of data hygiene, analytics, and data governance. The data lives in the system. Data security is about what is transmitted through the system. Another way to describe the distinction is that data security involves the interaction of humans, artificial intelligence (AI), encryption, technology management, and software processes for the digital realm, in securing and protecting data from breaches within the cyber system. Essentially, data security is the intended benefit of cyber security or of protecting the system, network or platform.
The Internet function blurs the distinction for many businesses and entities. This blurring has given rise to debates on how to address information security, protection of data, data governance, Internet governance, network protection, Internet of Things security, and Industrial Internet of Things security. The debates will continue even among governments, organizations, and private entities about responding to cybercrimes and addressing Internet governance, vis-à-vis billions of individuals resorting to the Internet for freedom, freedom of expression, pursuit of knowledge, conduct business, transferring and transmitting records, even executing financial transactions. The terms appear related and they are; but the practical approach to resolving how best to address the critical events faced daily with every cyber incident, requires a clearer distinction. Until we have a clear understanding, the lag between law being at step with cyber events will widen and the learning curve for employees, managers, corporate officers, and government officials and lawmakers will, as well, continue.