Why We Need to Be Much More Careful About How We Use the Word Cyberattack


Part of the long, slow slog toward better online security is trying to make incremental changes to how people interact with technology when it comes to logging in to accounts, or reading their email, or downloading attachments, or visiting websites. But a recent announcement by the Associated Press serves as a reminder that some important behavioral changes don’t even involve touching technology.

In case you don’t follow copy-editing Twitter closely, the Associated Press Stylebook has changed its entry for the term cyberattack. (Slate uses AP Style with some modifications.) It now advises that the word should only be used for events that result in “significant and widespread destruction.” I understand why this may seem like pretty trivial progress towards securing the internet. But it’s an important step for helping us understand how we reach that goal, who should be responsible for helping us get there, and, even, what it means to talk about a secure internet.

Full disclosure: I talked with people from the AP about the changes while they were in the process of writing the new Stylebook entry. But here’s why I think that was time well spent—better spent, even, than trying to teach someone how to recognize a likely phishing email or set up two-factor authentication.

When we call something a cyberattack, we are almost always relying on the cyber half of the word to justify the label, rather than the attack. Colloquially, any security-related incident can apparently rise to the level of an “attack” when there are computers involved in some fashion. And that, in turn, means that none of us really has any idea what the term refers to and no way to meaningfully compare or contextualize the data gathered about these incidents.

It’s easy to fall into the habit of calling everything a cyberattack, from a successful phishing email to a rash of ransomware cases to the thousands of unknown computers trying to initiate connections to a company’s servers on any given day. But most of the time, none of these rise to the level of causing serious, widespread harm. Even most data breaches and stolen records don’t reach that level. Even (confusingly) many denial-of-service incidents don’t warrant the attack moniker we attach to them almost automatically. Attack suggests something beyond petty robbery—even on a large scale. It conjures (or, at any rate, it should conjure) bigger, more life-threatening fears: someone taking out the electric grid, or rigging an election, or compromising airplanes or cars or medical devices.

Take, for instance, two fairly typical headlines from earlier this year about cyber security incidents in the United Kingdom: “UK Businesses Were Hit 230,000 Times Each by Cyber-Attacks in 2016, Says Internet Service Provider” (from CNBC) and “Two Cyber Attacks a Day Hit Britain” (from the Daily Mail). By one estimate, every single business in the U.K. was the victim of more than 600 cyberattacks each day last year. The other says that the whole country sees a total of two such “attacks” every day. Even the latter estimate seems sort of high in comparison with the number of kinetic attacks we typically imagine being directed at a nation.

If we can’t agree on what constitutes a cyberattack, or how many a country (or business) is facing, then we have no way of determining whether they’re becoming more or less frequent, more or less serious, more or less costly.

Moreover, if we call everything a cyberattack, then we lose the ability to effectively call out the really significant, damaging, harmful incidents—the ones worthy of the moniker—and end up resorting to a truly ridiculous vocabulary (see: cyber-apocalypse, cyber war, cyber-9/11, cyber-armageddon, cyber Pearl Harbor). And in overblowing the significance of the more minor incidents with the attack label, we also steadily nudge the responsibility for addressing cybersecurity concerns more squarely in the direction of the military, which, after all, deals with most other types of attacks on the country.

So being more judicious in our usage of the term cyberattack could have fairly far-reaching implications for how we think about computer security incidents and who we put in charge of dealing with them. It’s not an easy task—we don’t really have any other commonly accepted language for describing denial-of-service attacks, for instance, regardless of their scale or damage—but it’s a worthwhile one, if only to start us down the road of trying to be more precise and careful about how we describe, classify, and ultimately understand the security threats we face online.

Disentangling cyber crime and cyber espionage from cyberattacks is certainly not an exact science, and even the AP’s new guidance doesn’t provide an entirely clear-cut distinction between what does or does not constitute a cyberattack. (After all, different people will likely have different interpretations of what counts as “significant and widespread destruction.” Does it have to be physical destruction? Or do large-scale economic losses count—and, if so, just how large do they have to be?) But linking our labels of security incidents to their outcomes and consequences, rather than just the computer-related means by which they’re perpetrated, is, nevertheless, a step in the right direction.

And it’s particularly encouraging to see a journalism organization taking the lead on this effort, since headline writers are some of the very worst offenders when it comes to touting cyberattacks (second only, perhaps, to politicians). After all, everyone would rather read an article about a cyberattack (or 230,000 of them!) than a cybersecurity incident or account compromise or computer intrusion or attempted network connection. But if those other things sound less interesting and important, well, that’s sort of the point. Not every cybersecurity story is a big deal. Not every breach of security is a full-fledged attack. Not every defensive effort should be owned by the military.

Figuring out where to draw those lines is—like most cybersecurity work—complicated, slow, and sometimes tedious. But it begins with recognizing events for what they are and calling them by their proper names.