A few weeks ago, I sat down next to a friend who happened to be in the middle of a conversation between a lawyer, a hacker, and a philosopher and I was just in time for the “I hate the word ‘cyber’. FamousHacker#2138123 and I are trying to get people to stop using it.”
Sigh. At this stage the anti-“cyber” routine is really starting to sound a little bit high pitched – and I even *come from* a hacker community. But, it reminded me both that I owed Liquid Matrix an introductory post and that even though there is a place and role for the word, much of the hacker/security community, who excel at seeing the gaps in the atoms of the molecules of the trees in the forest, might not have noticed or even be interested in it.
Then I realized that, perhaps, that – the things hackers find boring – might be a great start to explain what “cyber security” as a discipline, in my experience, is coming to entail.
Let’s start by making a list of things that could be considered *both* boring and perhaps outside of a technical or security-specific skill set:
- Marketing & Sales
- Policy Development
- Deferring to Non-Expert Authority
Although that’s not a complete list, I think it’s a pretty good representation and is sufficient for my purposes. Moving on, let’s try identifying the people who typically use the word “cyber”:
- The Government
- The news
- Uncool outsider lawyers
- Regulators and Regulatory Auditors
- Standards bodies
- Everyone but “us” (or “you”, depending on your opinion of yours truly.)
- Money, investment, and resource management
This might be a completely subjective list, but again I think you get the idea. I would even go so far as to suggest that the algorithm for using the word “cyber” is basically “the further away you get from technology, the more likely you are to use it.”
Ok, so, if we matrix these two lists together, it’s clear that the list of things we find boring matches pretty well with the things people who use the word “cyber” do. In fact, I think we can safely say that “the kind of people who say ‘cyber security’ do the crap that people who understand technology don’t want to – or cannot – do.”
The next obvious question is, so what? We’re hackers/security professionals – why do we care? The answer, in my opinion, depends on whether you want the world to get safer or if you’re just content to break/fix things independent of whether you’re making any lasting change.
This is because if we want to make strategic improvements or any other lasting change, simply finding and demonstrating Android vulnerability number 11383121329 or doubling the speed of real time threat indicator sharing just doesn’t matter by itself. The larger environment has to be hospitable to progress: Aware of the issues, able to receive and translate information, mature enough to pivot toward sustainable change.
Otherwise, no matter how many times you own someone or explain how deplorable their security is, your contribution just isn’t going to matter to anyone except you.
So, if you’re the type of person who is really frustrated with the state of the world and wants the overall quality of security to go up across the board (particularly for the critical infrastructure that keeps us safe and civilized), then those people who aren’t like you doing those things you find boring – the ones saying “cyber security” – are critical to you. They determine the environment you are trying to affect and, when they say “cyber security”, they are doing their best to make your more technical efforts matter.
Without “cyber security” the other more technical disciplines – “information security”, “data security”, “computer security”, “pen testing”, “IDS monitoring”, “reversing”, whatever – lack the context required to make them most productively meaningful.
On the other hand, if you’re really just happy twiddling bits and bytes and demonstrating Android vulnerability number 2323498234, then “cyber security” might not actually be relevant to you. That doesn’t mean it’s a useless word, or a useless set of activities, just that it’s a component higher in the stack of security than you’ve scoped yourself into.
So care or care not, but the stack layer at which “cyber security” happens is, in my opinion, the single most important layer of them all. Comprised of those skills and activities which create the environment in which other, more technical and specific “security” disciplines operate, and helping to glue those disciplines together into a contextual vector, nothing we do matters very far past tomorrow without it.
I’ll be following this post up, over time, with more thoughts on “cyber security” layer activities: what they mean, how they affect us, how they’re succeeding or failing, and how we can help or hinder them.
Follow me on Twitter if you want to hear me mouth off more often: @sintixerr.