This reference aid draws on CTIIC’s experience promoting interagency situational awareness and information sharing during previous significant cyber events—including cyber threats to elections. It provides a guide to cyber threat terms and related terminology issues likely to arise when describing cyber activity. The document includes a range of cyber-specific terms that may be required to accurately convey intelligence on a cyber threat event and terms that have been established by relevant authorities regarding technical infrastructure for conducting elections.
CTIIC will adhere to this terminology guide in future documents related to cyber threats to US elections and recommends use by others in the interest of consistency and clear communication.
Please note that this reference aid is not intended to address terminology related to political or other noncyber aspects of influence or interference involving elections, nor is it intended to be a comprehensive guide to cyber threat terminology.
Describing What’s Happened: Common Terms
The following terms are central to accurately describing cyber threat activity but are often used differently. CTIIC recommends their use be accompanied by definitions and any necessary context for nontechnical readers.
Indicates that a cyber actor has attempted to degrade, destroy, disrupt, manipulate, or otherwise detrimentally affect the operation of a system or network. However, manipulation or deletion of data solely for the purpose of hiding one’s tracks is not considered an attack. Some reports use “attack” and “exploit” synonymously, drawing in part on the cryptanalysis sense of “attack”—the use of a technical approach to defeat a security measure. The dual usage can cause confusion, especially for nontechnical readers, if the context does not fully explain the type of malicious cyber activity that occurred.
Indicates that a victim system has installed malware, connected to a malicious Internet Protocol address, or provided a cyber actor unauthorized access to collect data or execute commands.
Indicates that a malicious actor has conducted additional activities on a compromised system, such as collecting data, deploying more malware, or establishing persistent access. Some documents—within both the IC and the private sector—use exploited and compromised synonymously. In practice, however, cyber actors may compromise more accounts and systems than they exploit, in part because of the availability of tools to automate the process of compromising vulnerable systems. Distinguishing whether and how an actor has made use of a compromised system—whenever available intelligence allows—aids in understanding the impact and implications of the malicious cyber activity.
Scanning a system involves attempting to identify the security vulnerabilities the system may have by sending it specific network traffic and observing its responses. The definition is reasonably specific but can cause confusion—and potentially undue alarm—if it is assumed to include follow-on attempts to exploit any vulnerabilities discovered. Scanning is extremely common on the Internet but may have only a modest success rate, and cyber actors therefore scan far more systems than they actually affect.
A cyber actor’s targeting of a particular victim can refer to any aspect of the actor’s attempts to select a system to conduct operations against, learn about, find vulnerabilities, gain access, or conduct other malicious activities. The term also connotes an attempt at conducting malicious cyber activity, without indicating the degree of success an actor achieved. We recommend greater specificity and clarification of the specific usage whenever available intelligence allows.
The prevention of cyber action by credibly demonstrating the ability and willingness to deny benefits or impose costs to convince the adversary that restraint will result in better outcomes than will confrontation.
A set of processes and measures to detect, monitor, protect, analyze, and defend against network infiltrations. See Cyber Security.
Activities initiated by the threat actor that temporarily negatively alter or prevent the operation of the victim’s network.
The manipulation, disruption, denial, degradation, or destruction of computers, information or communications systems, networks, physical or virtual infrastructure controlled by computers or information systems, or information resident thereon.
The intentional clandestine acquisition of information from targeted networks without altering the information or affecting users’ access.
The use of cyber operations to shape the perceptions or behavior of targeted audiences while maintaining plausible deniability.
An umbrella term to describe cyber attack, cyber espionage, cyber influence, or cyber defense, and intrusions or activities with unknown intent.
A global domain within the information environment consisting of the interdependent networks of information technology infrastructures and resident data, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.
The protection of information systems against unauthorized access to or modification of information contained therein, and against the denial of service to authorized users, including those measures necessary to detect, document, and counter such threats. Also known as network security. See Cyber Defense.
Cyber operations or noncyber actions (intentional or accidental) that compromise the confidentiality, integrity, reliability, or availability of digital devices, systems, networks, or data.
Cyber Threat Intelligence
The collection, processing, analysis, and dissemination of information from all sources of intelligence on foreign actors’ cyber programs, intentions, capabilities, research and development, tactics, operational activities and indicators, and their impact or potential effects on US national security interests. Cyber threat intelligence also includes information on cyber threat actor information systems, infrastructure, and data; and network characterization or insight into the components, structures, use, and vulnerabilities of foreign cyber program information systems.