Why 'cyber'?
- Gary Hinson
- 2 days ago
Over in the hyperglossary community this week, we've been chatting about 'cyber' as in cybersecurity etc. The old guard who were already deeply immersed in the field prior to Y2K are distinctly cynical about cyber-everything.
Been there, done that, using the teeshirts for rags.
Deep-dive coming [takes a big breath ...]
When a BBC article explored the origin of the term a decade ago, 'cyber' essentially meant 'the internet' ... although, as I recall back then, 'the web' was more common. Gradually, cyber has come to refer more specifically to internet attacks, in particular active attacks perpetrated via the Internet (all lower case), implying that defending corporate digitals against external threats is our main - perhaps even our only - focus.
During the current hubbub about Mythos, I've spotted just one or two cyber-commentators challenging the widely-held presumption that all [AI-enabled] internet hackers have extraordinarily powerful capabilities, enabling them to compromise any vulnerable system in an instant, on a whim.
Doubtless, some do ... but most don't. We've lost a sense of proportion.
We see cyber-tropes play out time-after-time in popular films, where some lone figure (heavily tattooed and pierced, of course, dressed in black, a gruff and sinister hermit, a rebellious teen like a cartoon version of a punk rocker from the 1980s) frantically types away on a keyboard in a darkened room, surrounded by a wall of greenscreens, breaking into their target, determinedly defeating all the security controls, brute-forcing passwords just moments before the inevitable countdown timer expires ... and then as 'bad stuff happens' we instantly flip back to a more conventional screen-friendly plot.
A slight variation involves the baddies unleashing a 'virus' (actually a worm), portrayed as a foreboding flow of ones and zeroes streaming rapidly through 'cyberspace' (whatever that means!) ... but again once 'bad stuff happens', the storyline flips quickly back to the familiar non-cyber world. Cue explosion, car-chase, gun fight with infinite bullets and spurting arteries.
Therefore, 'cyber' - quite obviously - must be all about preventing that ^
The target of such attacks is always very specific - the focus being some sizeable (non-SME) corporation with a back-story, not just 'some random organisation that just happens to be running a vulnerable version of Windows' or whatever.
The attackers and defenders are generally black-and-white - either 100% evil or 100% angelic, the age-old cops-n-robbers. No shades of grey here except perhaps the potential double-agent to inject a little intrigue.
Strangely, social engineering and coercion don't feature as prominently in the usual cyber-story lines, nor active responses to intrusion attempts, nor insider+outsider attacks, nor the whole gamut of everyday errors and omissions such as misconfigurations, system failures and broken controls, nor floods, fires, power cuts and blown fuses, nor any realistic portrayal of incident response, nor honeynets ... although honeytraps are a convenient way for the alluring leading actress to be seen naked, boosting ratings.
Ransomware and theft of intellectual property including trade secrets (as opposed to SECRETs) are notably absent. Generative AI and quantum have yet to feature in anything I've seen on screen so far, whereas mercuric Terminator or Transformer-style indestructible robots have become old hat.
Exploitation of information other than digital data is uncommon and incidental - in fact all of these are quite rare in the popular portrayals, by comparison to the tropes. I don't personally recall ever seeing a realistic long-term supply chain attack, for instance, nor OT, IoT or cloud compromise, nor the involvement of spooks compromising various cyber-controls to retain long-term access and secretly do whatever the hell they want to do, seemingly immune to every rule or law.
Hacking the firmware on a supplier's multifunction office printer as a staging post for a downstream compromise years later? No chance!
On screen, overbearing managers and supportive colleagues are largely absent or indistinct throughout. We are spared the daily tedium of policies and procedures, generating security metrics and reporting, plus the interminable meetings. However, the rising tide of anxiety and chaos increases the pace and tension towards the inevitable climactic release.
Overwhelmed security pros may become increasingly desperate and approach exhaustion but they never actually reach the point of collapse and walk away, resign or worse. Mental ill-health? Yeah, nah - too confronting and triggering, perhaps, for the big screen.
Researching, specifying, designing, testing and implementing controls? Nope, none of that either, far too boring. So evidently that's not 'cyber' either.
Naturally, failed access attempts are almost completely disregarded except perhaps as a device to pile on the stress as the dreaded countdown timer (red LED, always red LED but evidently erratic and terrible at keeping time) plummets towards zero. The baddies would never just give up when the going gets tough, moving on to some other poor unfortunate, oh no.
...
OK, OK, enough already. Three-two-one and ... we're back in the room.
The Cybersecurity Hyperglossary is realigning 'cyber' And All That with everyday life for information security specialists - the army of dedicated professionals quietly slaving away behind the screens (big and small) to stop 'bad stuff happening'.



