As long as I’m being honest, I might as well get this one off my chest: Not only am I an unrepentant 80s metal-head, and one who’s convinced that music has only gone downhill since about 1988 (sorry, Rage Against the Machine fans), but of late, I’ve become convinced that much of what was written in the 80s was unnervingly prophetic. Take these lines from side one, track four of Iron Maiden’s Piece of Mind album, Die with Your Boots On, from 1983:
Yeah, another prophet of disaster
Who says this ship is lost
Another prophet of disaster
Leaving you to count the cost
Taunting us with visions
Afflicting us with fear
Predicting war for millions
In the hope that one appears
Why am I telling you this? Because it turns out that Adrian Smith, Bruce Dickinson, and Steve Harris accurately prophesied the current state of cybersecurity. Before you give me your best “Whatcha talking ’bout Willis” (another 1980s reference…IYKYK) face, hear me out on this. Veterans of Black Hat, RSA, B-Sides, and Billington are all too familiar with the drums of doom that accompany every gathering of cyber professionals. Remember how ICS (in)security was the trumpet of Armageddon? How about how ransomware is the harbinger of TEOTWAWKI? (That’s another IYKYK, BTW.) And let’s not leave out the coming quantum-pocalypse.
That’s not to say that these aren’t important – or even critical – issues that need to be solved. But it’s important to realize that they also represent an industry’s continuous search for relevance in a world where there are an ever-increasing number of crises (personal, local, national, and global) competing for customer mindspace. And that’s both fair and not especially unique to cyber. Predicting war, or doom, for millions, sells.
What’s not fair is when the industry (or government, or academia) deliberately blurs the lines to arrogate a problem space for which its solutions are unwarranted. Over the last few years we’ve seen this happen in cyber with respect to something called “disinformation.” I use the words “something called” deliberately because the definition of disinformation is so amorphous as to fail to rise to the level of a definition at all. In 1983, in the time it took to flip Piece of Mind from side one to side two, we’d have called disinformation “propaganda.” Or maybe a difference in perspective.
Back then, it would have been obvious that the antidote to the poison of propaganda is not high-tech censorship, a dictatorship of the algorithms, or the establishment of a taxpayer-funded arbiter of truth, but rather critical thinking based on a deep well of historical fact and personal experience, grounded in solid, lifelong learning and education. Moreover, it would have been understood that ignorance easily survives technological attempts at its eradication.
Yet, that’s exactly what a significant portion of the cybersecurity industry is peddling. It’s understandable, as efforts to that end are both (currently) popular and profitable. But they may not be effective, and more importantly they may have long-term effects on the national psyche that are, to put it mildly, carcinogenic.
There are so many real problems for the cybersecurity industry to solve, any and all of which will result in well-deserved value generation and valuation. We don’t need to, and ought not to, distract ourselves in a space where our solutions may be inappropriate, ineffective, and potentially harmful.
Build it right!