To C2 or Not to C2, That is the Question

The information security industry confirmed this week it remains locked in a decades-long standoff over whether to abbreviate “command and control” as C2 or C&C, with sources describing an opinion survey as “the most important thing happening in cybersecurity” and “definitely worth the effort.”

C2, the abbreviation used by NIST, CISA, MITRE, and the entire United States military, faces stiff competition from vendors clinging to C&C, the abbreviation used by several marketing departments and a Westwood Studios game from 1995.

MITRE, which embedded C2 directly into official technique names such as “Exfiltration Over C2 Channel,” declined to acknowledge the controversy, noting that an organization does not debate a term it has already carved into a taxonomy the whole industry maps its detections to. The NIST glossary was reached for comment and, as a glossary, simply contained an entry for C2 and no entry for C&C, which observers described as “cold” and “kind of a power move.”

The Department of Defense, which coined C2 as doctrine and then spent fifty years attempting supplemental letters until it produced C4ISR, reportedly finds the civilian dispute adorable.

However, the carnival barkers and sellers of C&C remain committed. “The ampersand conveys the kind of gravitas that makes thought leadership about self-promotion,” said a vice president of content marketing at a leading endpoint security firm, gesturing at a glossary page optimized for search traffic and a podcast by two friends citing an unfinished dissertation. “Also we published four hundred blog posts with C&C in the URL and nobody here knows how to set up redirects.”

One major vendor has adopted a compromise position declaring C2, C&C, and the fully spelled-out term interchangeable, a diplomatic maneuver historians recognize as the final stage before unconditional surrender.

Expert vulnerability researchers citing Google Ngrams noted that C&C has roots that stretch back to the 1800s, suggesting Victorian threat actors maintained their own sophisticated botnet infrastructure. Closer inspection revealed the hits referred to dry goods firms, cash-and-carry arrangements, and other commercial ampersands, confirming the corpus will happily testify to anything if you call the underlying documents “sophisticated”.

Experts recommend writing “command and control (C2)” on first mention and C2 thereafter, citing the convergence of a federal glossary, federal advisory formatting, and the industry’s own taxonomy. Writers who prefer C&C are encouraged to continue, secure in the knowledge that they are backed by the full authority of a real-time strategy franchise and several websites that want to sell you an EDR agent.

At press time, the industry had moved on to arguing about whether it is spelled cybersecurity or cyber security, or cyber, a debate expected to consume the remainder of the market opening window.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.