Re: [Smart] When we say 'cyber'...

Olaf Kolkman <kolkman@isoc.org> Fri, 19 October 2018 11:59 UTC

From: Olaf Kolkman <kolkman@isoc.org>
To: Mark O <Mark.O=40ncsc.gov.uk@dmarc.ietf.org>
CC: "smart@irtf.org" <smart@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/smart/sBynnx-JtDeYBQKtDZmj2O_yVa0>

Hello all,

I am normally lurking on this list but I would personally stay somewhat at arm's length from ‘cyber defence’. There is a delta in understanding between how technologists, policy makers, and diplomats use and understand the term _cyber security_ and in my experience the delta may be bigger for the words _cyber defence_.



—Olaf Kolkman




On 4 Oct 2018, at 17:44, Mark O wrote:

> There's been some discussion on the list about what to call the main topic of our research. We settled on the name 'SMART' - Stopping Malware And Researching Threats - for the list because it covered a couple of our major aims and made for a handy acronym. But it's not the whole of our ambition.
>
>
>
> When we first mooted the possibility of a research group at the SAAG open meeting in Montreal, we referred to 'Cyber Defence'. That's [part of] what we do at the National Cyber Security Centre - we have an Active Cyber Defence<https://www.ncsc.gov.uk/active-cyber-defence> programme, aimed at improving the resistance of UK infrastructure to cyber attacks. So the word 'cyber' trips easily off our tongues. It's not just us - large parts of industry and academia refer to 'cyber security' and 'cyber attacks', as do the media. But we're also aware that 'cyber' means different things to different people, it's a buzzword, it's generic, and it can raise hackles in some. Earlier versions of the draft charter referred to 'cyber security', 'cyber defence', 'security operations', and the current version refers to the rather plain 'attack defence'. Hopefully without getting side-tracked - what speaks best to most people?
>
>
>
> Ultimately, we don't have a strong view on what phrase is used - the important point is that it's clear and obvious what type of threats we're trying to defend against (without being prescriptive). So it's probably more helpful to try and build a list of the kind of threats we're meaning.
>
>
>
> As a general theme, the threats we're considering:
>
>   *   have malicious intent - as opposed to accidental threats (e.g. hardware failure causing data loss);
>   *   involve active interference with data, users or the network - as opposed to passive wiretapping and offline attacks; and
>   *   result in harm.
>
>
>
> We probably will need to reference a taxonomy of threats, and we needn't reinvent the wheel here - that work has been done before. ENISA has produced one such threat taxonomy<https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/enisa-threat-landscape/etl2015/enisa-threat-taxonomy-a-tool-for-structuring-threat-information> which I've used to construct the list below. This is just a starting point - there will be some things I've missed off, and I certainly can't promise that we'll be able to address all of them:
>
>   *   Unsolicited e-mail - spam and infected e-mails; links to malicious websites
>   *   Identity theft - stealing credentials
>   *   Denial of service - DDoS, network and application layer, amplification attacks
>   *   Malware, worms, trojans, rootkits, injection attacks, viruses, exploits
>   *   Spyware, scareware, ransomware
>   *   Social engineering - phishing, spear-phishing
>   *   Fake certificates, MITM, signed malware
>   *   Manipulation of hardware and software
>   *   Manipulation of information - hijacking, routing table manipulation, DNS poisoning
>   *   Misuse of audit tools to discover security weaknesses
>   *   Unauthorised access, network intrusion
>   *   Unauthorised installation of software, web/browser-based attacks, drive-by downloads
>   *   Data breach
>   *   Remote execution, botnets
>   *   Advanced Persistent Threats
>
> Note that 'cyber' doesn't appear in the list once - and that's OK.
>
>
>
> Is that what everyone's expecting? This is still up for grabs and we'd like everyone to have the same, clear view of what we're trying to achieve.
>
>
>
> -- Mark