jmporup
Senior Writer

Scapegoating security researchers harms society

Opinion
May 23, 2018 | 7 min read
Legal, Security

Want your government to stop punishing the security community for its own lapses? Become a better teacher and advocate for what you do.


Clarke’s Third Law is a warning, not a recommendation.

“Any sufficiently-advanced technology is indistinguishable from magic,” the science fiction writer said, but the flip side to the wonder and delight we get from magical-seeming technology is fear and anxiety and loathing.

Ordinary folks want potions and spells. But when things go wrong, they burn witches.

Computers aren’t magic, and we are not mages. We must demystify the world we now live in. We must ease the growing social anxiety, and so defuse the ticking time bomb that threatens to hurt us all. In the long term, that means more and better STEM education, with minimum technical fluency requirements, for all students. In the short term, we need better translators — journalists and teachers, but also geeks to advise lawmakers and judges in private. Help govern well or be governed badly.

The herd impulse to scapegoat is ancient and universal, and it plays out over and over again in different contexts, languages, countries and cultures around the world. Few societies are wise enough to divert their anger to a goat, as the Old Testament Hebrews did. The human urge to purge is strong.

If we’re not careful, geeks are next. Everyone will suffer if that happens.

That may seem like an extraordinary statement, but bear with me. Do you wonder at the need to buy and wear T-shirts that read “wget is not a crime”? Does hearing the phrase “tech wizardry” in casual conversation irritate you? Does it frustrate you that non-technical friends don’t understand what you do for a living?

While some might take pleasure in the mystique of donning the mantle of the modern mage — a hoodie casting shadows across your face while typing incantations of power to make the mystical electronic gadgetry do thy bidding — the end result is increased anxiety and tension between information security professionals and those who fear us and our “powers.”

Society, language can’t keep up with increasing complexity

The problem is that, as Arthur C. Clarke observed, technology is increasing in complexity faster than society can adapt. Say what you will of Ray Kurzweil’s fanciful projections of a singularity, his observation that technology is becoming more complex at an exponential rate holds true — at least so far.

Humans had many generations to adjust to the advent of the sword, the stirrup, the long bow, the rifle. Each initial discovery caused disarray, but society had time — often centuries — to let each one play itself out before the next invention descended to wreak havoc on established norms and power balances.

That is not the case today, when the cycle of novelty to obsolescence can be measured in years, not lifetimes. What makes the problem worse is the lag time for language itself to adapt. Only the refinement of generations can provide sharp mental models of new technology and what each means for society and its individual members. Fast forward to today, and we find ourselves using old words for new things in ridiculous ways — “email” is nothing like “mail,” cyber “war” nothing like “war”, and mass “surveillance” nothing like meatspace spying.

Take the example of “mail,” a word we all understand. It means posting private paper-based correspondence that cannot be opened and read (in a plausibly-deniable manner) except with special skills — steaming, unrolling the letter with a special tool, etc. By design, mail defaults to private, and significant effort must be invested to invade that privacy.

Indeed, interception of people’s private messages is as old as the written word. The European powers made frequent use of their cabinets noirs to intercept the post of diplomats and political dissidents. The important point here is that only targeted surveillance is possible with regular mail.

But e-“mail” is, by original design, an insecure medium, one that is trivial to intercept, read, store, and analyze at scale. This makes possible a world of mass surveillance, but what does that even mean? Intercepting and analyzing everything? The mind boggles. Beyond the imagination of anything that’s gone before.

At every step, at every turn, anxious politicians, law enforcement and the public at large use the wrong words for new things, stress-test bad metaphors to understand what this new technology means for them, and in their struggle and failure to understand, vent that frustration on us, the geeks of the world.

Breaking down communication barriers

What we have here is, truly, a failure to communicate.

As I wrote back in March:

“Information security is an unintuitive discipline, in many ways backwards from how we think about security and power and threats in meatspace. Worse, the security community has developed its own slang over the years that deliberately excludes outsiders. All fields do this, of course, and if infosec were metalworking or plumbing or air traffic control, that would be fine and dandy. Ordinary people don’t have a pressing need to understand the inner workings of those fields.”

Breaking down those communication barriers and educating the general public, especially lawmakers and law enforcement, about how technology works is essential to ending the growing tension between technologists and frustrated, anxious, non-technical gun-toting law enforcers.

We must make information security as boring as accounting. Accounting is by no means an easy discipline to master, but everyone has a clear picture in their minds of what accountants do, how they do it, why they do it, and why accountants are important. There is nothing magical, mysterious, or even surprising about the existence of accountants or their trade.

Ending the mystique surrounding information security is essential not only for the profession, but for the greater good of society.

When the security community stands up for itself

There is hope. The war on scary hacker witches took an abrupt step backwards a couple weeks ago. The governor of Georgia vetoed SB 315, a proposed law that would have banned good-faith security research and legalized vigilante action by victims of cybercrime. The government of the Canadian province of Nova Scotia dropped charges against a teen who used a simple script to download public documents off a public web server — documents the government had accidentally published online.

Both cases, in Georgia and Nova Scotia, began with anxious, frustrated lawmakers lashing out at security researchers for pointing out government incompetence in properly securing a web server. In both cases, however, overwhelming pressure from industry forced the governments to back down and accept the fault was their own.

That’s encouraging news, but consider: The Georgia legislature voted for that bill in such overwhelming numbers that it could conceivably override the governor’s veto with two-thirds of both houses. The government of Nova Scotia refuses to apologize to the innocent teen, after sending 19 heavily armed police officers to break down his door and arrest him at gunpoint.

These kinds of situations, or even worse situations, must be avoided in the future. Would these two governments have acted in this way if they had the faintest idea how computers and the internet worked? I think we all know the answer to that question.

To understand how technology works leads to a just outcome. To fear and loathe technology you don’t understand leads to unjust outcomes.

We may celebrate this momentary good news, but unless we act now, things will get worse. Clarke’s Third Law is a warning, not a recommendation. Act accordingly. Burn your hoodie, end the mystique, help lawmakers and judges and society understand that information technology — and information security — is just math: ones and zeroes, nothing more.

Your life — and society as a whole — may well depend on it.


J.M. Porup got his start in security working as a Linux sysadmin in 2002. Since then he's covered national security and information security for a variety of publications, and now calls CSO Online home. He previously reported from Colombia for four years, where he wrote travel guidebooks to Latin America, and speaks Spanish fluently with a hilarious gringo-Colombian accent. He holds a Masters degree in Information and Cybersecurity (MICS) from UC Berkeley.
