Combatting drama and barriers in the infosec community

At its onset, the infosec community was very inclusive and welcoming…when others were not. Over the years, we’ve forgotten where we came from and why. Self-appointed gatekeepers and leaders who decide who belongs in the community (or not) have caused a negative perception of us that drives people away. This is how we can learn not to be our own worst enemy.

The original online communities were developed by those that did not fit in, those that did not belong and those escaping bullying, oppression, racism and social pressure.

The late James Spradley and David McCurdy, in their seminal book, Conformity and Conflict: Readings in Cultural Anthropology, noted that practitioners of non-mainstream religions such as Wicca increasingly used online communities to congregate and associate, well before the internet was popular. Online communities such as Bulletin Board Systems (BBSs) and chat systems such as Diversi-Dial (Ddial for short) catered to outsiders, the unpopular and outcasts. The LGBTQ (especially Trans) community also flocked to online communities, as did many others.

A refuge and escape

For years, these places became a refuge for people escaping bullying at school and at home, racism, sexism, xenophobia, gay-bashing, trans-bashing, uncaring families, or a lack of general social acceptance.

Online communities sprang up that reflected the creativity and technological prowess of their members. The demo scenes were one outlet, as was the Hacking/Phreaking community. The latter evolved into the nascent Information Security community, and many of the older security luminaries got their start in online communities that accepted them when no one else would because they were different.

With the stratospheric evolution of technology over the past 25 years, and the corresponding increase in cybersecurity, we’ve forgotten where we came from. We were the community that accepted others based on skill, knowledge and a desire to learn. We tolerated others and gave them a voice when no one else would. We provided refuge to those facing bullying. We developed communities that still stand to this day, such as The Cellar, where I’ve had an account for 28 years across its various incarnations.

It wasn’t all rosy

There were flame wars. People hated each other just as much in real life as they did online. There were fights. There were threats. It could get just as nasty then as it does now. In some ways it was much worse due to the smaller community size.

The Patriot Movement and a number of other right-wing movements also grew extensively online in parallel during this period. Stormfront had a BBS you could connect to using a modem. The John Birch Society, amongst others, took advantage of BBS systems and networks to spread New World Order conspiracy theories years before Alex Jones re-used and re-packaged them.

Many years before Barack Obama and Donald Trump extensively used social media to help get themselves elected President of the United States, conspiracy theorists and the Patriot movement were using BBSs and mailing lists to organize.

Long before ISIS was radicalizing people across the world online using social media, conspiracy theorists, Neo-Nazis and alternative political movements were organizing and recruiting from these networks and developing the techniques that others re-used.

Encryption and privacy were the norm in the early 1990s for many of these groups. Anonymous email got started during this time. These were not days of innocence by any measure.

What are the effects?

These online communities evolved to become social media as we know it today. Instead of becoming welcoming to newbies, they’ve become exclusionary. They are used to build barriers and judge others. We’ve evolved to become the same bullies we escaped, and some have appointed themselves de facto gatekeepers. We’ve recreated the world we wanted to avoid in the world we built. We’ve been ignorant of our history and are repeating it.

While many of us have grown up, started families and live relatively normal lives, there are a number of others who have not. They are propagating the messages of intolerance, dehumanizing commentary and minimizing anyone not like them. They are especially not welcoming toward newbies. While I understand there are those that want to protect “their” community, and act out of the best intentions, they are misguided.

The effect that this has on the information security field is that we have self-appointed gatekeepers who are keeping out the same people who would have been accepted in the past. We are sending a message to the rest of the world that we are exclusionary, and that others are below us. We are scaring and losing customers because of them. We have taken the intellectual curiosity, tolerance and inclusivity that marked our community years ago and replaced it with a set of goalposts that move depending on the person.

While we always have had a component of radical politics and extremism, as that’s always been part of the communities, we never let them dominate the way they do now. The message now is that if you’re considered different, you’re a target and deserve the dehumanizing attacks and minimization that you get.

What this does to our community is that it drives a wedge further between us and the people we need to reach to improve security and privacy. While there is a movement to democratize technology and enable and empower everyone, some of these gatekeepers actively seek to keep others out, and constantly make up new reasons to do so. Some of them have been caught conspiring in private groups to do so against women and minorities.

This hurts all of us. This is the perception that people have of Information Security. While we may be doing great work, our customers see this behavior. Many of the students and people interested in switching careers to cybersecurity also see this, and it gives a negative impression. People choose to not work in this field because of this drama, especially women and minorities. We have to work very hard to combat this.

How do we fight this?

The gatekeepers are well-organized, discuss their tactics continually and plan for all possible scenarios. They take this very seriously. The recent disclosure via Twitter of one of their private Facebook groups shows that.

Do not try to fight and engage these people. That’s what they want. They want further ammunition to use against you to continue their narrative and make it about themselves. They want the attention, drama and memes. Don’t give them any of that. Go your own way.

Nothing is stopping you from scheduling your own con or event. That’s the first item to note. You can plan or schedule your own events and webinars. It doesn’t have to be DefCon. Take the “punk rock” approach and do it yourself.

When ransomware became an existential threat to healthcare organizations three years ago, and the approach from the vendor community was to buy their products to prevent it, despite overwhelming evidence that they were not working as sold, we held our own event. Representatives from several healthcare payor and provider organizations and I put together a 70-person event in two weeks. We were able to accomplish more to address this issue with this event than any other conference and used it to build relationships that still persist despite job and location changes.

You can include who you want. You don’t have to attend their events or be part of their community. You can plan your own. Build your own communities and be inclusive like our predecessors did. Reach out and educate. You’ll be better off for doing so, and more prepared personally and professionally.

Life is too short for drama, hatred and self-appointed arbiters/leaders. We need to demonstrate our core values that this community was originally founded on. Our family, friends and customers deserve better. We deserve and can do better ourselves.

Copyright © 2019 IDG Communications, Inc.
