A few weeks ago, I sat down next to a friend who happened to be in the middle of a conversation between a lawyer, a hacker, and philosopher and I was just in time for the “I hate the word ‘cyber’. FamousHacker#2138123 and I are trying to get people to stop using it.”
Sigh. At this stage the anti-“cyber” routine is really starting to sound a little bit high pitched – and I even *come from* a hacker community. But, it reminded me both that I owed Liquid Matrix an introductory post and that even though there is a place and role for the word, much of the hacker/security community, who excel at seeing the gaps in the atoms of the molecules of the trees in the forrest, might not have noticed or even be interested in it.
Then I realized that, perhaps, that – the things hackers find boring – might be a great start to explain what “cyber security” as a discipline, in my experience, is coming to entail.
Let’s start by making a list of things that could be considered *both* boring and perhaps outside of a technical or security-specific skill set:
- Marketing & Sales
- Policy Development
- Deferring to Non-Expert Authority
Although that’s not a complete list, I think it’s a pretty good representation and is sufficient for my purposes. Moving on, let’s try identifying the people who typically use the word “cyber”:
- The Government
- The news
- Uncool outsider lawyers
- Regulators and Regulatory Auditors
- Standards bodies
- Everyone but “us” (or “you”, depending on your opinion of yours truly.)
- Money, investment, and resource management
This might be a completely subjective list, but again I think you get the idea. I would even go so far as to suggest that the algorithm for using the word “cyber” is basically “the further away you get from technology, the more likely you are to use it.”
Ok, so, if we matrix these two lists together, it’s clear that the list of things we find boring matches pretty well with the things people who use the word “cyber” do. In fact, I think we can safely say that “the kind of people who say ‘cyber security’ do the crap that people who understand technology don’t want to – or cannot – do.”
The next obvious questions is, so what? We’re hackers/security professionals – why do we care? The answer, in my opinion, depends on whether you want the world to get safer or if you’re just content to break/fix things independent of whether you’re making any lasting change.
This is because if we want to make strategic improvements or any other lasting change, simply finding and demonstrating Android vulnerability number 11383121329 or doubling the speed of real time threat indicator sharing just doesn’t matter by itself. The larger environment has to be hospitable to progress: Aware of the issues, able to receive and translate information, mature enough to pivot toward sustainable change.
Otherwise, no matter how many times you own someone or explain how deplorable their security is, your contribution just isn’t going to matter to anyone except you.
So, if you’re the type of person who is really frustrated with the state of the world and wants the overall quality of security to go up across the board (particularly for the critical infrastructure that keeps us safe and civilized), then those people who aren’t like you doing those things you find boring – the ones saying “cyber security” – are critical to you. They determine the environment you are trying to affect and, when they say “cyber security”, they are doing their best to make your more technical efforts matter.
Without “cyber security” the other more technical disciplines – “information security”, “data security”, “computer security”, “pen testing”, “IDS monitoring”, “reversing”, whatever – lack the context required to make them most productively meaningful.
On the other hand, if you’re really just happy twiddling bits and bytes and demonstrating Android vulnerability number 2323498234, then “cyber security” might not actually be relevant to you. That doesn’t mean it’s a useless word, or a useless set of activities, just that it’s a component higher in the stack of security than you’ve scoped yourself into.
So care or care not, but the stack layer at which “cyber security” happens is, in my opinion, the single most important layer of them all. Comprised of those skills and activities which create the environment in which other, more technical and specific “security” disciplines operate in, and helping to glue those disciplines together into a contextual vector, nothing we do matters very far past tomorrow without it.
I’ll be following this post up, over time, with more thoughts on “cyber security” layer activities: what they mean, how they affect us, how they’re succeeding or failing, and how we can help or hinder them.
Follow me on twitter if you want to hear me mouth off more often: @sintixerr.