Flipping the cybersecurity narrative


Figure 1: "It's called a changeover. The movie goes on, and nobody in the audience has any idea." – Chuck Palahniuk

How we think about things, how we use language and build mental models, has a huge impact on our success and happiness.

Once I had a job taking the stones out of cherries for a big fruit punch. The chef said, "You're thinking about it wrong. You're trying to take the fruit off the stone." He was right. I was picking at the flesh. As soon as I flipped the mental model, and started taking the stones out of the cherries, it went ten times faster!

In cybersecurity we talk a lot about "adding security". As if security was a tangible asset. That's ass-backwards. We're stuck in an old groove, using old language. We need to start talking about reducing insecurity.

I recently listened to a guest lecture for Ross Anderson and Sam Ainsworth's Security Engineering course, where ex-CTO of our National Cybersecurity Centre Ian Levy made a singular, deep remark. It is an idea I've held dear for decades and was, to be honest, very surprised to hear that come from the lips of an associate of GCHQ. It is that:

Fear is no basis for security.

At this point my ears perked up and I instantly warmed to the speaker. As Levy enthusiastically and patiently worked a suspicious and silent audience, he spoke on mainly technical topics with a confident air of total disbelief.

For readers who don't know this, it must be said, that anyone who works in cybersecurity soon falls into one of two camps; either a dissociated state of anodyne denial - with a kind of accepting, hypnotised, starry-eyed Disneyland glaze; or - a permanent state of humorous disbelief at how utterly, mind-blowingly fucked-up and broken everything in the digital world actually is.

After winning his Nobel Prize for climate work on Kyoto, my father-in-law hung it in the downstairs toilet - "for all the bloody good it would do". Like all scientists nowadays, he has that humorous twinkle, something that lies beyond cynicism. It comes to people who've been gaslighted by chirpy, avoidant idiots for decades.

As a cybersecurity person I have the same disposition.

We all know the truth and mustn't scare the natives.

It's that… there's probably nothing much we can do. Not against such entrenched ignorance of politicians, and such astonishing greed of those who would burn the world and their grandchildren's future to make a profit today. Not against such widespread denial and propaganda telling people to "ignore the eggheads and experts, and look at the shiny things".

Like the late Ross Anderson himself, Levy is one of those survivors who somehow clung to a shred of good humour. In the talk he starts to name what is on everyone's tongue, but dare not be said too loudly. That to obtain security we will have to take on BigTech/industry. His secret super-weapon in his crimefighting cape is shame. However, the "point and laugh" strategy he exalts is rightly scrutinised come question time.

Certainly these "techno/lol/ogies" are comical, pitiful and an embarrassment to computer science, indeed to all human endeavour. I personally believe that Microsoft set back computing by 2 decades at least.

But the questioner is right, what power does shame have over those who are shameless? Giant private equity firms and rarefied billionaires who live in abject contempt of society, freedom and democracy are not swayed. And any commercial leverage in a dysfunctional market, like an enshittified advertising market linked only to stock growth, is useless.

When the great software engineers and real visionaries like Ian Sommerville, Sir Tim Berners-Lee, and Linus Torvalds have all said in one way or another "Hell! What's the point now? This thing is escaping us", what is one to do but plan for radical alternatives?

Having said his piece, within a year Levy was shipped off to GCHQ's parent company Amazon, after a period of gardening leave. Well done for what you did, and said with the remit you had. Losing Ross this year has also been a gut punch.

Those of us who still want Civic Cybersecurity, who put the safety, privacy and dignity of British citizens above the profits of international (mainly US and Chinese) companies and the temporary convenience of underfunded law enforcement, are stuck with challenging problems:

  • How do we ensure good quality hardware and software that is under the control of its users?
  • How do we ensure that technology remains aligned with freedom and liberal democracy?

We recently got stuck with one more that adds huge tension to the equation:

  • How do we align technology with the environment and climate emergency when "AI" consumes the energy and water resources of a large developed nation, and we cannot sustain the production and disposal of billions of mobile handsets and IoT devices that go into landfills along with toxic heavy and rare metals?

Perhaps, as I am writing this on the 80th anniversary of D-Day, from which our Prime Minister absented himself - presumably to interview for an upcoming tech job in California - these feel like pressing issues. That so many millions died fighting for an idea of life, only to see it thrown to the crows in the name of profit, is upsetting.

By now it has escaped nobody that, for all its good and promise, digital technology is synonymous with destructive social upheaval. Crashed financial markets, hacked hospitals, stolen elections and genocides ignited by disinformation… Closer to home our derelict high-streets with empty shops and boarded-up bank branches whirr with CCTV cameras on every pole in lieu of police.

Our children, robbed of their attention, in suicidal crisis, attend schools that foist Google Chromebooks on them, and dysfunctional apps on parents, because they lack the teachers and staff to run effectively. Cancer patients are dying on waiting lists because despite the surgeons, equipment and drugs being available "the system" is hacked. Blaming "The Russians" for that seems like a poor excuse at this point.

My mother is not scared of the Russians. She lives in fear of her electricity company breaking in to her home to install a "mandatory smart meter". They can't do that mum, I tell her. But like all older people she is besieged with "grey disinformation" - the vile corporate psyops spew designed to mislead, undermine and disorient the population. This is a small taste of what is to come as the wheels fall off a technological society jerry-built by incompetents and pushed by digital thugs.

We all know that CCTV cameras, Microsoft Teams, and Amazon delivery vans are no substitute for a society - something I hope the incoming Labour government will take note of, but I hold out scant hope for the corrupt political classes.

There is a real sense in which National Security, which is the sum total of the security interests of all citizen stakeholders, includes a defence against technologies that are harmful. And against those who would wield technologies as weapons against the population however subtle and "borderline legal" their actions are. We have a lot of catching up to do with understanding these kinds of harm.

At present our myopic notion of "cybersecurity" is mainly limited to a horizon of threats which reside within technologies which are otherwise assumed to be benign and beneficial. It neglects any account of side effects or combinations of technology that - even if "secure" - even with the "best of intentions" - lead to significant societal and individual harms.

But we are stuck with patronising messaging and stupid ideas about computer security. They haven't changed since the last century and they do everyone no good. Hoodie-wearing, balaclava-clad figures sit in front of green Matrix symbols of the shadowy "Bad Actor", and yet:

  • for tens of thousands of women in the UK their hacker is most likely a jealous spouse who they live with. 137 women across the world are killed every day by a partner. Similarly, kids are most likely to be victimised by their "best" schoolfriends.
  • People spend a fortune on virus checkers, security packs, privacy products like those from Apple, but billions of data records including intimate medical records, therapy notes, years of location and browsing data are routinely leaked by big companies with whom people foolishly entrust their data.
  • The biggest vendor of operating systems, Microsoft, literally turned their latest product into a giant, always-on remote access Trojan for spying on all its users' activities and feeding that to "AI".
  • Scaremongering politicians use real concerns about crimes against children to draw up ill-conceived, unworkable, egregious and, frankly, Fascist mass surveillance bills, while in reality social media companies predate on children and we see spates of suicides, addiction and abuse caused by technology children should not even be allowed to have.

In free nations, strategic limitation and control of technologies is always as hands-off as can be, excepting nuclear, biological and chemical threats. But "AI" caused sufficient concern to convene some of the world's computer scientists along with industrialists like Musk and Altman at Bletchley Park last summer. No doubt the aim of that "AI Safety Summit", for Sunak, was to see Britain keep a slice of the AI profit pie, rather than to genuinely lead the world in moral technological examination.

The presence of Nick Clegg, a former British politician now president of global affairs at Meta, or Elon Musk standing beside Ursula von der Leyen, president of the European Commission, raised not a single eyebrow. The proximity of industrial billionaires to elected officials is just one face of now endemic regulatory capture and corruption around technology.

Had we known in 2010 what the effects of mass, proprietary social media would be, how surveillance capitalism and attention economies would destroy the mental health of our youth, would we have convened a similar check-point at Bletchley Park? Would it have made any difference?

What if we had been able to ask "What will be the increase in insecurity caused by this?" Because today, insecurity is all around us. You can see it in the faces of people. You can hear it in their voices. Health insecurity. Job insecurity. Financial insecurity. Food insecurity. Energy insecurity…

As generative image and language models (so-called "AI") combine with social media, the insecurity/harms are going to grow rapidly. AI will not deliver on its "productivity" promises, other than as an excuse to further downsize and outsource employees in developed nations, all while ratcheting up workloads for those still with any appetite for dark moral labour. But it likely will deliver on our concerns of destabilisation, breeding ever more insecurity. In other words, its insecurity-cost will outweigh all its purported economic benefits.

So far, where this has been left to politicians (as it should be) around subjects like social media and AI, there's an overwhelming stench of failure. That's not a structural failure of government, it's a competence gap amongst those that presently put themselves forward as leaders. We have a society run by pallid impostors. It's become a joke in technology circles that in any large company those given the top jobs will have no background or qualification in science or technology whatsoever.

This raises the question of what really is the function of scientists, engineers, intelligence agencies, and bridges like NCSC in this era? It always looks very conflicted to me. Why were NCSC, who under Levy were sailing under the flag of scientific reason and evidence based decision making, unable to help our government avoid an Online Safety Bill that effectively said - "Fuck science!"

Ultimately we need countermeasures to the process I call "trickle down insecurity". We create technology that forces insecurity down on the people as a side-effect of accumulating wealth and power upwards. Insecurity, in all its manifest interpretations, is the negative externality that industry and government (knowingly or unwittingly) places on society. We've reached the opposite of Hobbes' and Rousseau's "social contract".

Any mature understanding of Civil Cybersecurity must acknowledge this.

Perhaps if we flip the language around cybersecurity we can do more. Instead of talking about "increasing security", which feeds an industry that achieves very little, we need to talk about reducing insecurity. For that we must start closer to home.


Date: 6 June 2024

Author: Dr. Andy Farnell

Created: 2024-06-09 Sun 21:56
