There is a longstanding commonplace amongst us, the community of cyber security experts, that the key to good cyber security tomorrow is to teach our children more and better science, technology, engineering and mathematics today. We have a common sense that we can STEM the tidal waves of the cyber security crisis. We are of the belief that if children can only be taught how to cut computer code then they will become good cyber citizens and cyber will be made safe. We lament with incredulity the idiocy of an approach that might teach our children how to use technology; how to behave in the cyber domain.
We express this view frequently and fervently at the many cyber security conferences we repeatedly attend. It is one of several that we particularly cherish. Another is that the controlling minds of the great institutions of our society and our economy are not taking the cyber security crisis seriously enough and so they must face the prospect of punishment if they persevere in their delinquency. Another is that users are somewhat stupid and, even if they are not actually an active insider threat, they are reckless and irresponsible in their desire to pervert our systems to their own uses. Another is that they, the users, the business, the children, must be educated out of their dangerous ignorance. Another is that there is a lack of a code of conduct for cyber, that cyber lacks normative behavioural standards.
These are the same conferences at which we have been gathering for over a decade. We have spent countless hours nurturing these commonplaces amongst ourselves; to ourselves. Countless hours exhorting our own community to ‘beware’ and to ‘think very seriously about difficult problems’. Countless hours scaring ourselves with the magnitude and severity of the ever impending cyber apocalypse. Countless hours rehearsing slightly differing descriptions of the same problems; to ourselves. Countless hours showing each other how smart we are by showing off how easy it is for us, the experts, to break the systems we have designed. The systems we are responsible for securing.
These commonplaces are replete with contradictions and riddled with tensions. They have been repeated ad nauseam with little or no regard to either the presence or the quality of available evidence. Our conferences have become episodes where we experts gather to console ourselves. They have long ceased to be crucibles of creative, structured, productive Socratic investigation. We must now subject our cherished commonplaces to the destructive and creative rigour that our status as experts demands of us. We must now start communicating, meaningfully, with those who are not us.
Cyber is a way of describing a system of profound complexity within which humans and machines interact and interoperate in new and transformative ways. Whatever good cyber security looks like, it is not reducible to technology and we cannot widget our way to human and societal safety in this new domain. As a community we will always default to a reliance on science, technology, engineering and mathematics. We think that because computers are machines then computing is simply a bigger machine. We are wrong. Computing is a human system. Computing is a social system. Computing has become the property of society. It is far too important to be left in the hands of technocrats. It belongs to them, not us. It’s time to let the butterflies go.
Colin Williams, CyberTalk Editor