Recently Barack Obama gave a speech on security, focusing on nuclear, biological, and infotech threats. It was a good, thoughtful speech, but I couldn’t help noticing how, in his discussion of the infotech threats, he promised to appoint a “National Cyber Advisor” to give the president advice about infotech threats. It’s now becoming standard Washington parlance to say “cyber” as a shorthand for what many of us would call “information security.” I won’t fault Obama for using the terminology spoken by the usual Washington experts. Still, it’s interesting to consider how Washington has developed its own terminology, and what that terminology reveals about the inside-the-beltway view of the information security problem.
The word “cyber” has interesting roots. It started with an old Greek word meaning (roughly) one who guides a boat, such as a pilot or rudder operator. Plato adapted this word to mean something like “governance”, on the basis that governing was like steering society. Already in ancient Greece, the term had taken on connotations of central government control.
Fast-forward to the twentieth century. Norbert Wiener foresaw the rise of sophisticated robots, and realized that a robot would need something like a brain to control its mechanisms, as your brain controls your body. Wiener predicted correctly that this kind of controller would be difficult to design and build, so he sought a word to describe the study of these “intelligent” controllers. Not finding a suitable word in English, he reached back to the old Greek word, which he transliterated into English as “cybernetics”. Notice the connection Wiener drew between governance and technological control.
Enter William Gibson. In his early novels about the electronic future, he wanted a term for the “space” where online interactions happen. Failing to find a suitable word, he coined one – cyberspace – by borrowing “cyber” from Wiener. Gibson’s 1984 novel Neuromancer popularized the term. Many of the Net’s early adopters were fans of Gibson’s work, so cyberspace became a standard name for the place you went when you were on the Net.
The odd thing about this usage is that the Internet lacks the kind of central control system that is the subject matter of cybernetics. Gibson knew this – his vision of the Net was decentralized and chaotic – be he liked the term anyway.
All I knew about the word “cyberspace” when I coined it, was that it seemed like an effective buzzword. It seemed evocative and essentially meaningless. It was suggestive of something, but had no real semantic meaning, even for me, as I saw it emerge on the page.
Indeed, the term proved just as evocative for others as it was for Gibson, and it stuck.
As the Net grew, it was widely seen as ungovernable – which many people liked. John Perry Barlow’s “Declaration of Independence of Cyberspace” famously declared that governments have no place in cyberspace. Barlow notwithstanding, government did show up in cyberspace, but it has never come close to the kind of cybernetic control Wiener envisioned.
Meanwhile, the government’s security experts settled on a term, “information security”, or “infosec” for short, to describe the problem of securing information and digital systems. The term is widely used outside of government (along with similar terms “computer security” and “network security”) – the course I teach at Princeton on this topic is called “information security”, and many companies have Chief Information Security Officers to manage their security exposure.
So how did this term “cybersecurity” get mindshare, when we already had a useful term for the same thing? I’m not sure – give me your theories in the comments – but I wouldn’t be surprised if it reflects a military influence on government thinking. As both military and civilian organizations became wedded to digital technology, the military started preparing to defend certain national interests in an online setting. Military thinking on this topic naturally followed the modes of thought used for conventional warfare. Military units conduct reconnaissance; they maneuver over terrain; they use weapons where necessary. This mindset wants to think of security as defending some kind of terrain – and the terrain can only be cyberspace. If you’re defending cyberspace, you must be doing something called cybersecurity. Over time, “cybersecurity” somehow became “cyber security” and then just “cyber”.
Listening to Washington discussions about “cyber”, we often hear strategies designed to exert control or put government in a role of controlling, or at least steering, the evolution of technology. In this community, at least, the meaning of “cyber” has come full circle, back to Wiener’s vision of technocratic control, and Plato’s vision of government steering the ship.
I don’t think agreement about the equivalence of the terms is universal. I’ve heard some people — including DHS officials — state that “information security” and “cybersecurity” don’t mean the same thing. The distinction they offer is that “cybersecurity” refers specifically to threats arising from, and attacks carried out using, electronic means. “Information security,” according to this view, refers to protecting information, no matter how it’s stored or how attacks are carried out.
The DHS’s National Infrastructure Protection Plan seems to follow this line by defining “cyber security” (whether to use a space, a hyphen, or make it one word might be the topic of a separate post) to mean:
“The prevention of damage to, unauthorized use of, or exploitation of, and, if
needed, the restoration of electronic information and communications systems and the information contained therein to ensure confidentiality, integrity, and availability. Includes protection and restoration, when needed, of information networks and wireline, wireless, satellite, public safety answering points, and 911 communications systems and control systems.”
Setting that distinction aside, my guess is that cybersecurity gained prominence after 9/11 because the associated spatial metaphor of cyberspace provided a ready (but not necessarily useful) means of distinguishing a set of risks that have something in common, i.e., they arise from computer- and network-based attacks. “Cyber” is now part of a checklist that businesses use to think about risk, and as you note, it’s part of the military’s categorization of threats and defenses (e.g., the Air Force’s “Air/Space/Cyber” slogan). So “cybersecurity” helps divide the world up into easily grasped components. “Information security” doesn’t work the same way.
My feeling is that we can blame/thank the media for the use of cyber in this fashion. It makes for snappier headlines and sound bites. Much the same way the term “hacker” was subverted by the press to mean “attacker,” cyber was employed as shorthand for “computer” or “information” and the term stuck.
dmc,
“infosec” was already a well-established shorthand for “information security”. Compared to “infosec”, “cybersecurity” is still a mouthful.
Let’s see…”information security”…”cybersecurity”…which rolls off the tongue better?
It’s simple a matter of economy of expression. Information = 4 syllables, Cyber = 2 syllables. If you think they mean the same thing (which people obviously do think), you use the easier one.
How and why people came to think of them as equivalent is clearly a complex story. But given that they do, it’s not surprising that they choose to use “cyber”.
Cyberspace; space for Cyber. If you have all those tubes with Cyberspace inside, wouldn’t it be an easy jump to conclude that whatever travels or are filling those clogged up tubes are called Cyber. Since we all know it’s not trucks.
Sorry, no, the Doctor Who villains were the ‘Cybermen”. The “Cybernauts” made an appearance in a couple of episodes of “The Avengers”.
Other usages (pretty sure these were pre-Gibson): CDC had a mainframe computer they called the “Cyber”. And one of the recurring villains in the “Doctor Who” TV series were the “Cybernauts”.
Its interesting how words evolve
Anonymous @ July 25th, 2008 at 4:28 pm,
Could you elaborate on that a bit?
Whenever I hear the word cyber, I assume the speaker doesn’t know very much about computers.
Sometimes I’m wrong (people speaking on behalf of National Science Foundation use the word “cyber” and understand what it means) — but I’ve found that, in general, assuming the speaker is clueless a good framework from which to start.
Maybe you just misunderstood Barack Obama and he was talking about “cider”.
Seriously, every day I see what happened to the Internet at US national labs and it makes me sick. It goes so far that DOE mandates which software researchers may use. Talk about micro-management.
I wouldn’t look for a deeper meaning.
Most likely an ignorant person didn’t really know what it meant, but it sounded cool and it began to take on a life of its own. (Perhaps confused it with cipher or some such.)
I was also amused at first read, having only ever seen the term “cyber” on its own as shorthand for “cybersex”.
It seems a little like having a “Relationship Manager”. It makes perfect sense to upper management, but to those of use living in a completely different world it sits somewhere between bizarre and amusing.
Don’t recall ever seeing the term cyber- in any US military context. Maybe it is from law enforcement (cybercrime)?
see what one good book can do to a word? BTW, perusing the OED entries for cyber* is very interesting.
Nice theory. Both funny and plausible, therefore slightly scary.
Funnily enough here (i.e. a german speaking enviroment) i think “cyber” is often/sometimes read as “not real” with a wink. That is: knowbody really thinks about what “cyber” means, but (cs/geek) jokes that treat the word that way work. Comes over the “virtual”-something connotation I think. Or over “illusional”. Or bad jokes about cybersex.
So my first association to “cyber advisor” would be (via “virtual advisor”) to “not real advisor” (and then to “unreal advisor” and terry pratchett’s unseen university). Similar with cybersecurity. it would become “illusional security”.
Is this meaning also present in the english-speaking world?
Oh, and wasn’t there the game “cyberjudas”, from the golden era of the word “cyber”? It had cyber advisors who tried to sabotage the president. 🙂
When I encounter the word “cyber” where it is not modifiying another noun or verb, it is shorthand not for “cybersecurity” but for “cybersex”; as in erotic online chat. For example, “I stayed up last night cybering with this hottie I met through Craigslist.”