As I was writing an article for the first edition of Paged Out,
I had an interesting (albeit too short) conversation regarding
with Gynvael Coldwind.
Drawn by ReFiend, it
features two people in the foreground, wielding what look like guns.
This led to a discussion on the omnipresence of military jargon, and thus violence,
in the world of computer security. I told him that I'd publish a blog post
to articulate my thoughts on the topic properly, instead of the incoherent
rambling that I served him.
At every single security conference, there is someone with a direct quote from
The Art of War on their slide
deck, and there is a metric fuckton of assorted military-inspired bullshit
terms for almost everything: cyber
defensive cyber operations/proactive
I understand that it's tempting to compare computer security to war: it takes our daily toil and
raises the stakes; it makes us feel that victory is glorious, that this is a battle of
minds, that our work really matters and is important, and that we are united against a common enemy.
But when you think about it, it's absurd: war is something terrible that should be avoided at
almost any cost, a solution of last resort. The worst outcome of
computer-related drama or problems probably doesn't involve entire populations
dying, being tortured, millions of refugees, camps, … Odds are that you won't
save actual lives by deploying a firewall: don't call it a "cyber bulletproof vest deployment".
War justifies terrible behaviours: who cares about you being screamed at when
you're at war? Who cares about your family life when you're at war? What
do broken principles and despicable means matter when you're at war? …
All of which is a disastrous way to govern and organise a workplace.
Moreover, war maps poorly over computer security. What is a “penetration
combat-wise? How do you map “full disclosure” to war? What is a
"prisoner camp" or "carpet bombing" with a computer (apparently zdnet can)? Rigidly mapping
one onto the other can and will create huge distortions.
Of course, nobody says that computer security actually is war, but
as George Lakoff and Mark Johnson put it in Metaphors We Live By,
"Conceptual metaphors shape not just our communication, but also shape
the way we think and act." This leads to nonsensical bullshit posts like this one, entire laughably stupid books,
and to a despicable and hostile work climate.
When we think about it, we have far better metaphors:
- Computer security as gardening: defending against bugs, growing programs,
  harvesting money, …
- Computer security as building a house: everyone wants cosy stuff, yet you
still need a solid door, maybe a couple of windows as well, definitely solid
- Computer security as playing cards: there are adversaries, winning moves,
  gambles, influences, …
- Computer security as guarding a museum: priceless artefacts, sneaky attackers
  à la Arsène Lupin, …
The goal of computer security is to build safer systems, not to wage wars,
and it shouldn't be envisioned as such.
Of course, if you're working both in the military and in infosec, there are overlaps,
but I would argue that this is more about the military than it is about computer security.
As Roy Bahat said in 2016 in his article Business Is Not War. Let's Stop Talking Like It Is.:
Business, at its best, is creation — and war,
always, is destruction. They are opposites, and if we want industry to be a
positive force in our personal lives, environment, society, and future, we
should divorce our language about business from the tragic (if sometimes
necessary) conflicts that bring devastation. There are so many good businesses;
but it is hard to find a good war.