Cyber espionage is not cyber attack

I agree with this perspective; language is important. Not every automated phishing email is a ‘BEC’, and scans of your website are not ‘DDoS’…:

There is something about the cyber domain that makes people lose perspective. The latest cyberspace incident is a perfect example.

According to the news, a foreign actor, most likely Russia, infected a much-used software program with malware that allowed it to access the accounts of those U.S. agencies that used the program. The goal seems to have been to collect (i.e., spy) on these organizations.

This cyberspace incident is a classic case of espionage through a system breach executed via a software supply-chain compromise by Russian actors. Many U.S. agencies were penetrated, without their knowledge, and the access to these systems reportedly was maintained for many months and may be ongoing today. If the Russians have this sort of cyber espionage tradecraft, you can be sure the Chinese have, or soon will have, it too.

However, the event was not, as widely characterized, a “cyberspace attack.” To call it such is to minimize the consequences of a real cyberspace attack, an event where actual functional denial occurs in cyberspace or one of the physical domains. It was not, if the news accounts are correct, an “armed attack” or even likely an example of “armed conflict.” No “arms” were used, unless Russia left behind code that would allow disruption or destruction of infected computers upon subsequent command. If the malware left behind can be used to allow malicious code to be delivered sometime in the future that destroys or degrades these U.S. computers, then this attack-preparation malware left behind might permit a future armed attack. Ransomware events are examples of actual cyberspace attack, since they deny functionality.


Original article