What Is A 'Cyberattack'?: Definitions For IT Security Terms According To ACSC

The word "cyberattack" is used quite regularly as an umbrella term for any kind of attempt by hackers to gain access to IT systems, infrastructure and equipment with malicious intent. You probably use it yourself when describing security breaches and malware attacks, but is that the correct term to use? We refer to the Australian Cyber Security Centre (ACSC) Threat Report 2015 for guidance.

This month, ACSC released its first unclassified Threat Report, which provides details on what's going on in Australia's IT security landscape. There weren't many surprises. IT security incidents affecting Australian businesses and government organisations went up in 2014. New forms of attacks are surfacing and everybody needs to exercise caution when it comes to protecting their technology assets. These are things we have heard before.

What was interesting were the definitions for IT security terms that ACSC scattered throughout the report to provide clarity to readers. Here's its definition for "cyberattack":

What is a cyber attack? A cyber attack is a deliberate act through cyber space to manipulate, destruct, deny, degrade or destroy computers or networks, or the information residing in them, with the effect, in cyber space or the physical world, of seriously compromising national security, stability or prosperity.

So the proviso for calling a hacking attempt a "cyberattack" is whether it "seriously compromises national security, stability or prosperity".

According to ACSC, "Australia has not yet been subjected to any activities that could be considered a cyber attack. A destructive cyber attack against Australian networks or critical infrastructure - that would seriously compromise national security, stability or prosperity - is unlikely outside a period of significant heightened tension or escalation to conflict with another country".

Under ACSC's definition, the 11,073 cyber security incidents reported by Australian businesses and government agencies cannot be classified as "cyberattacks". I, myself, have been guilty of using "cyberattack" to describe incidents where businesses experience a security breach. Many individuals, organisations and other media outlets have done the same. I liken the misuse of "cyberattack" to what has happened with the term "big data". It's a misnomer, but because it's so commonly used it has become part of the global IT lexicon.

ACSC also breaks down some key terms that are often used in the IT security space:

  • Cyber adversary: An individual, organisation or nation state that conducts cyber espionage, crime or attack.
  • Cybercrime: Criminal acts involving the use of computers or other ICT, or targeted against computers or other ICT.
  • Cyber espionage: Offensive activity designed to covertly collect information from a user's computer network for intelligence purposes.
  • Cyber security incident: Any activity that may threaten the security of a system or its information. A "compromise" is an incident where the security of a system or its information was successfully harmed.
  • Cyber intrusion: Can also be called "unauthorised access" or "hacking". This happens when someone gains access to a computer or device without the owner's permission.

Do you agree with ACSC's definitions of the listed security terms? Do you have your own definitions that you think are more accurate? Let us know in the comments.


Comments

    I want to commend ACSC on putting forward a reasoned definition of the term "Cyberattack".

    The term "attack" and the connotation it brings of physical violence justifying a "strikeback" response, is very over-used in the computer security field. Katherine Carpenter and I were honored to speak at the inaugural ACSC conference in Canberra on April 22, where we raised this issue of terminology and the heated rhetoric about what ACSC is terming here "cyber intrusions" and system "compromise."

    In our ACSC talk (http://staff.washington.edu/dittrich/talks/DittrichCarpenter_ACSC2015.pdf) we referenced another talk I gave at the AusCERT 2005 conference (https://www.honeynet.org/node/1048) that eventually became a compilation and analysis of a broad range of terms associated with what the industry likes to call "active defense" (but is better described by the "active response continuum" to reflect the fact that this is not a situation in which black/white binary conditions exist, but rather a continuum.) This list of terms -- which will of course be updated to include ACSC's terms above -- can be found at https://staff.washington.edu/dittrich/arc/book/definitions.html.

    Again, thanks ACSC for taking a rational and constructive stance that I hope more journalists (and those in the computer security field) will also reflect upon. We need to respond, but in a manner that is appropriate, measured, and is both ethically and legally defensible. Using illogical, irrational, and emotionally charged rhetoric and analogies to "attacks" and physical violence, is in our opinion going to end up causing more harm than good.
