TAG Cyber Law Journal

July 2019
The field lacks a common terminology, and the ambiguity includes even core concepts.

By David Hechler
SOME SUBJECTS ARE WORTH RETURNING TO. We often focus on the importance of cooperation between the public and private sectors in order to achieve real security in cyberspace. But there’s another topic we’ve just begun to explore. And it’s worth sticking with because it hasn’t received the attention it deserves. It’s about the language of cybersecurity.
     We stumbled on this issue during an interview with Summer Fowler that we posted in April. Fowler is the Chief Security Officer of Argo AI, which is working to create software for autonomous vehicles. We knew that she’d been talking about the importance of “resilience” in this kind of work, and we asked her to explain what she meant.
     “Resilience means I can operate and achieve my objective before, during and after any sort of disruptive event,” she said. “That event could be a cyber event. It could be a failure in process. It could be a human error. Once the disruptive event is over, the organization or system can return to full operating capability.”
     This wasn’t a definition that Fowler invented herself. She has done research and has taught (and continues to teach) at Carnegie Mellon University. The term was developed, she explained, by a large group of people there. But the trouble is that it’s unfamiliar to many others.
     “Cybersecurity suffers from a terminology struggle,” Fowler went on. “We don’t all say the same words and mean the same thing. And that’s really something that’s holding us back. When you think about the financial world, you think about the concept of materiality. When you think about the legal world, there are terms that mean things. ‘Pro bono’ means something. ‘Precedent’ means something.”
     But “resilience” lacks a common definition that everyone in the world of cybersecurity agrees on, Fowler said. “So resilience as a concept can sometimes mean different things to different people. Every time I talk about it, I give a definition.”
     Is this a problem if the field lacks a common terminology? “Absolutely,” Fowler said. “Because if you want to move from a job to a profession, and to something that endures, you have to have that.”

What Is the Meaning of ‘Breach’?
While we were still in the process of absorbing this exchange, we were introduced to another crack in the field’s linguistic foundation.
     Our very next interview was with Kris Lovejoy, Global Cybersecurity Leader for EY. And she also had some important things to say about terms of art. In fact, she quickly drilled down into the very core. 
     What word is more fundamental in the cybersecurity lexicon than “breach”? And what question could be more straightforward than, “Has there been a breach?” But that’s Lovejoy’s least favorite question from lawyers. “Because often you don’t have the answer,” she said. “It’s not just that you don’t have an answer; you will never have an answer.”
     As she continued, she peeled back layers of explanations and layers of new questions. Often the evidence of a possible breach is circumstantial, and the kind of evidence you would need to confirm a breach simply isn’t there.
     Beyond that, different legal communities have different definitions. One interpretation Lovejoy has heard is, “A breach is where there is evidence that there has been some sort of unauthorized disclosure, modification or interruption of availability of protected information.” But other lawyers disagree. “No, that’s not it,” they say. “You don’t have to prove that there was access, modification or interruption. You just have to prove that there was some sort of illicit activity in the network or on the system that could have led to violation.”
     So how does Lovejoy advise the lawyers who ask her the question she hates? She counters with a question of her own: “How do you define breach?” She finds the uncertainty and ambiguity deeply troubling. Like Fowler, she felt this status quo was untenable. “We need terms we can agree on,” she said. “And taking it further, what is a ‘disclosable event’?
     “Most organizations will say, ‘That would be a material or potentially significant breach.’ Well, what does that mean?”
      Before she had a chance to overwhelm us with more questions, we asked Lovejoy who should answer them all. For a company, she suggested, this was a task for the Chief Risk Officer. But for the entire industry, it should be a collective effort. “You’re going to be talking about risk officers, the legal community and to some extent the NACD. You’re going to want corporate directors to be involved. They’ll have a good sense, from a board perspective, what they would consider to be materially significant, and what kind of breaches they would want to be disclosed.”
     We were still pondering these complaints, which seemed like comments from a philosophy class discussion rather than pleas from cyber stars in search of a common language, when we had another opportunity to explore this subject.
     In June we interviewed Eric Goldman, a professor at Santa Clara University School of Law, who has been a pioneer in teaching internet and privacy law. And we asked him if cybersecurity has a language problem. Goldman quickly agreed. And he chimed in with examples of his own.
     “The media called Cambridge Analytica a ‘data breach’ when it was clearly a ‘data leak,’” he noted. “More generally, there is little consensus about what the term ‘cybersecurity’ means or what kind of work is performed by ‘cybersecurity lawyers,’ which can range from product counseling to incident responses.”
     When he was finished, we asked about solutions. Who should take charge and clean up the problem? Maybe the American Bar Association? Or a conference of law schools?
     Goldman took the long view. “We had a lot of the same semantic ambiguity in internet law in the 1990s,” he remembered, “and most of that got resolved organically over the past two decades. I’m sure the same things will happen with cybersecurity nomenclature. I think we’ll muddle through this.”
     Muddling, eh? We certainly seem to be doing that. We wonder how many other muddlers are as troubled as Fowler and Lovejoy.