A coming cybersecurity schism?
Figure 1: Image: Ben Heine. "Schizophrenia is a special strategy that the patient invents in order to live with an unliveable situation" – R.D. Laing
Splits in technology
People talk about "The Internet" as if a singular routable network still exists. It does not. It was a nice idea, but it disappeared about ten years ago, replaced by the "Splinternet", divided into smaller interests. In effect, it could not sustain itself. If we ever achieved global connection, it was only briefly.
The idea of a universal, common service for the betterment of humanity is an attractive one. It holds within it the promise that we can avoid wars, and solve problems together.
We are coming to see computer security the same way, as a kind of commons that raises the wealth and happiness of everybody and promises comparable benefits.
Recognition of a universal right to digital security - including not just privacy as freedom from technical intrusion but self-determination, secure communication and control of our data - would seem like a natural progression for humanity at this point in history.
However, in reality there is almost always a tragedy of the commons, where uncertainty, greed and ontological insecurity lead to a concentration of capability and leave some group with no "security resources" at all. So-called "surveillance capitalism" is the face of a system that benefits from one group taking security away from another. It is an "insecurity industry".
The "Arab Spring" frightened power everywhere. Free trade without tax and customs borders, and without the control of world intellectual property, trade and economic organisations (WIPO, WTO and WEF) was too much for governments. The disintegration of "intellectual property" was terrifying, not for authors and creatives but for those publishers and "owners" by whom ideas are controlled.
So the Internet was split by nation state and corporate firewalls into silos which keep cultures and groups of customers separate, captive and controlled as chattel. Big social media, within walled gardens, was in fact a godsend and timely solution for authoritarian states.
The Internet was never a thing so much as an ideal. Many of those public interest ideals have been lost to misgoverning and corruption. The power of profit-seeking mega-corporations, mainly from the US, along with a growing realisation by people and governments concerning the negative side-effects of a connected world, have pushed it back. On the surface where ordinary people experience the Internet, the popular vision of globalisation through digital liberation and peer relations seems dead. It will remain dead, or at least unhealed in permanent split state, so long as "security" can be made an issue.
With respect to actual, real security, most of what happened in the past decade should be regarded as a mistake. I think we now realise that division into large social media blocs has fomented insecurity, polarisation and extremism much more than a heterogeneous, hands-off Internet ever would have. It made chatter less legible, and handed an audience to terrorists. It baked vanity and mental insecurity into our youth. Compared to personal websites, open news (NNTP) and email, Facebook and Twitter are a societal setback, with far more socially destructive power.
More generally, personal computing, as a secure and stable cultural norm, is undergoing a similar fracture. We've had 50 years of cheap, user-programmable gadgets, standards, common protocols, volunteer governing bodies, more or less interchangeable ideas of data and applications. It looks like that is under threat too. It's a change that reflects geopolitical tensions and power consolidation. This is a trend in civic cybersecurity that we think puts western liberal democracy at risk.
It's less fun to compute
Most industries enjoy a period of growth and diversity then settle into a more stable phase with a few dozen major players, a few thousand smaller firms under some basic safety and quality regulation and barriers to entry. Nonetheless, there remains opportunity for newcomers and constant innovation. Competition and diversity keep things healthy.
Computing is different. It is not an industry but a realm in which, through software, anything is possible and the story is never written. What counts as "ground truth" is no more than one particular vision of how things might be done.
As anthropologist David Graeber wrote about the power of the imagination:
The ultimate, hidden truth of the world is that it is something that we make, and could just as easily make differently.
Application products and devices reflect ever changing uses driven by culture and imagination, and the seeds of radical new directions can be sown, by a marginal lone outsider at very low cost and go viral within hours.
Further, to see an idea is to be able to copy it at once. Yet there are surprisingly few original ideas. Everything is a rehash of a rehash. A few fundamental concepts like "word processor", "messaging" or "spreadsheet/database" go around, being reinvented. Much of the pretty coloured cruft and jank offered by giant companies like Google and Microsoft was around, and better, in the 1970s when IBM did it the first time.
There are some perennial battles, such as between cryptographers and cryptanalysts, but these are really tar-pits of toil rather than frontiers of "progress". They are one person digging a hole while another fills it in.
All this is a big problem for corporations who want to retain stable domination, and so digital technology is rife with skulduggery and jiggery-pokery. Lawfare, the predatory misuse of patents, copyright and other laws to stifle competition, is the norm. Brutal employment conditions, non-compete contracts and insecure "at will" labour fuel an industry that freeloads upon a vast underclass of Free and Open Source developers, hobbyists and smaller companies who are eaten alive by bigger fish. Tech is ugly, in a truly Dickensian way, and our governments have done the square root of jack to regulate it since political dinosaurs like Thatcher and Reagan stalked the Earth.
Network and accumulative effects, during twenty years of laissez faire government absenteeism, have consolidated power into just three or four companies. This leads to an enormous and ever widening gap between a profitable "consumer side" and the rest of computing. In trying to pull up the ladder and deny upstarts the same opportunity they enjoyed, established companies are scorching the earth.
Security implications
Security is built on trust and mutuality. One narrative about how the digital world became so insecure focuses on growth. Perhaps a better explanation is simply the breakdown of trust and fragmentation into mutually hostile camps, fuelled by power-seeking greed and vanity. The Internet has provided another canvas on which to paint human division.
In a nutshell, insecurity has become profitable. What Edward Snowden also called the "Insecurity Industry" is explained neither by malice alone nor by incompetence alone: both exist side by side in a world where it is often more profitable to leave something broken than to fix it.
What I fear we are now seeing is a fault line between informed, professional computer users with access to knowledge and secure computer software - a breed educated in the 1970s who are slowly dying out - and a separate low-grade "consumer" group for whom digital mastery, security, privacy and autonomy have been completely surrendered.
The latter have no expectation of security or correctness. They've grown up in a world where the high ideals of computing that my generation held, ideals that launched the Voyager probes into deep space using 1970s technology, are gone.
They will be used as farm animals, as products by companies like Apple, Google and Microsoft. For them, warm feelings, conformance and assurances of safety and correctness, albeit false but comforting, are the only real offering, and there will be apparently "no alternatives".
These victims are becoming ever-less aware of how their cybersecurity is being taken from them, as data theft, manipulation, lock-in, price fixing, lost opportunity and so on. If security were a currency, we're amidst the greatest invisible transfer of wealth to the powerful in human history.
Despite some forces in Europe working toward greater interoperability and consumer empowerment, US tech giants are doubling down on locking-in customers, stripping them of rights, privacy, and mobility. Europe itself is also struggling with far-right political undercurrents breeding insane surveillance ideas like "Chat Control".
The issue at the centre of it all is "security". And as always we must ask:
"Whose security?"
Most of what you'll hear in the media is contradictory. By some accounts we are already in a full-blown cyber war. Governments are scrambling desperately to shore up systems, recruit cybersecurity people and announce how Britain will become the "safest place to be online". Yet simultaneously governments and corporations work tirelessly to make computers less secure, because monitoring and selling your data is their goal. Governments shy away from prosecuting international cybercriminals who sell them products to spy on journalists and protesters, all while squandering tens of millions on petty state retaliation against whistle-blowers. An unholy Faustian pact is at work that makes a mockery of civic computer security.
Nonetheless, they make a big song and dance about cybersecurity, and all the things that you must do to shoulder the burden. Workplaces offload their insecurity as intrusive 'bossware' to spy on workers in their homes, or as "blame and train" programmes to mandate vacuous naughty-step remedies to their own weaknesses. This is security for the rulers and owners, not for the people. As such, there is no buy-in to cyber-security by ordinary folk, except as a vague gnawing fear and anxiety.
Rational and technical factors have little to do with this now. The "technology industry" hasn't had much to do with computer scientists, engineers, intelligence or technology people in about 20 years. It feeds off our knowledge and advances, but is run entirely by marketing people and political lobbyists.
The proximity of characters like Rishi Sunak and Nick Clegg to US tech power should be a clear enough sign that things are funky in the business. Under the Sunak government the UK's Secretary of State for Science, Innovation and Technology was Michelle Donelan, whose qualification for the job was a career in marketing with Marie Claire magazine. Donelan attended and represented the UK at the AI Safety Summit, an international conference held at Bletchley Park in November 2023, supposedly to discuss the safety and regulation of artificial intelligence. It is a subject of such concern that many of the world's leading scientists consider it a threat comparable with climate change.
Understanding civic cybersecurity
At The Cybershow we are determined to convey important messages about civic cybersecurity and what computing in the public interest really means. It is about much more than securing systems from intruders and helping more people to survive workplace anti-phishing purges. A few people at GCHQ, or the national power grids take civic computer security very seriously. They understand resilience, hybrid threats, insider threats, and the broken politics working against actual, long-term digital security. But they have a different, limited remit, which is essentially military.
Our problem, as experts and proponents in the civilian space, is that nobody cares much about technical realities of security, so long as people keep buying gadgets and posting on social media. "Consumer Tech" is now mostly a make-believe world of wishful thinking and leveraging users' addiction. "AI" now sells convenience and abdication of agency, creativity, imagination, human relations and responsibility. When grave security gaffes are revealed, they are rebranded as "features" or as "necessary".
Although there is a cultural backlash brewing, perhaps in part caused by the economic and cultural effects of "AI", we've still got an industry that preys on the worst aspects of human greed and laziness. It's backed by trillions of dollars of marketing power to paint loneliness, anxiety and mental illness not merely as "normal" but as "essential for our modern life". The outcomes are declining educational attainment and real productivity, depression, broken relationships, derelict high streets, and a mental health crisis.
Therefore we have a schism emerging between the lofty, broad democratic societal aims of technology and its rather mediocre reality of cheap exploitation. For example, the final wording of the UK Online Safety Act, a misshapen legacy of the outgoing Tories which addresses only symptoms and avoids all of the real problems behind technological misery, is a paradigmatic break with reality. It literally thumbs its nose at science.
Changing incentives
We recently saw another huge uptick in data breaches. Experts in security and anti-fraud now clearly share the view that data containment is too difficult a task under conditions of surveillance capitalism. To survive in this economy, where all the incentives align against infosec, we need to radically change our culture.
That means going up against fossilised technological rituals, religions and ideologies. For example, "Know Your Customer" (KYC) requirements are a regulatory abomination that ballooned after the 9/11 attacks in 2001, under the US Patriot Act, and imposed a vast bureaucratic burden on the whole world. The reality is that the banks themselves, and politicians, are up to their necks in money laundering.
There is a false official narrative that these laws help track drug-lords, oligarchs and international criminals. In reality those people have all the tricks in the book at their disposal to hide their tracks. KYC is for-profit financial surveillance for small businesses and ordinary folks, and a way of shifting risk.
Like many data and cookie regulations it is an example of how broad regulation without cultural buy-in, joined-up plan, research or education is insufficient to solve today's complex digital problems. Despite large fines, shelves of regulation, auditing and compliance, even jail time for executives, data breaches are accelerating.
Some ridiculously dangerous ideas like Microsoft Recall, and cloud "AI" services are only going to amplify our problems. Nobody is keeping corporations in check at the level of challenging their reckless engineering and naive ideas.
For organisations like NCSC, it is like being a butler or house-maid, constantly walking behind sweeping up the crumbs and mess of those who consider themselves above elementary manners. We are in a greenhouse, giving rocks and slingshots to children, along with a stern warning about "being careful and good behaviour".
Remember that cybersecurity, as practised today in a misaligned world, is not a tide that raises all ships. It is a zero-sum trade in which one party's security is another's insecurity. To give security back to people, we have to take some away from corporations and governments. That is an eternal balance we have forgotten since Aristotle, Rousseau and Hobbes.
Because of the mushrooming value of data, many laws now lead to more insecurity for ordinary people whilst having almost no impact on money laundering, terrorism or child predators - the Four Horsemen of the Infopocalypse.
Even if we had a "corporate death penalty" that shut down companies forever when they harm society, it would not fix much. Resurrection is too easy. We'd soon get fly-by-night vampire tech companies with an average lifespan of 18 months, run by recycling the same entitled VC-backed ownership class through revolving doors of political appointments, captured regulators and other reservoirs of corruption.
Escaping the tar-pits of corporate tech
Yet there are alternative, workable models. These cybersecurity models, which give security to you the end customer, are a threat to the status quo and the money makers. That's why you are discouraged from even knowing about them.
For example, did you know you can:
- Build your own social networks for family, neighbours, a company or smaller social groups using distributed technology? Now you don't need to share granny's minor ailments with Mark Zuckerberg! If, that is, you are able to distinguish communication from marketing.
- Buy phones that have neither Google nor Apple operating systems? They do what you want. Don't want to be spied on? Turn it off - forever! You can secure them not to touch any of the treacherous BigTech ecosystems.
- Build your own computers from components so they are free from hidden hardware that threatens your security?
- Use and share data via free applications that are actually way better than Microsoft Word or Google Docs? In Europe the law even requires that you can exercise that choice!
- Pay cash for digital services? For example, a company called Mullvad are very happy to give an anonymous VPN account in exchange for an envelope of cash sent by post.
- Easily have as high a standard of computer security as is used in the government and the military? The Qubes operating system can fully compartmentalise your digital life and give you hierarchical, ephemeral security models far superior to anything Apple or Google offer to consumers.
- Build your own private self-hosted social media, email and personal cloud with a few clicks these days?
This is how security should look when it is security for customers. Yes, you need a bare minimum of technical skills and some extra work to operate these services. In return you get technological autonomy, like a real grown-up. There's no "signing up" to things. But also, on the flip side, no "help" and no password recovery. If you lose it, bad luck… but you're wearing big boys' and girls' pants now, in charge of your own digital life.
Getting off products like Microsoft Windows, now simply an awful piece of spyware, and getting away from services like Google is an important priority for everyone who is conscious about personal information security. Helping other people to assert digital independence is also something you can achieve, because everyone who seeks digital emancipation and security becomes a golden example to others that it's possible. Alternatives, independence and empowerment are possible.
Why we get stuck
There is an old, popular, and wrong explanation of why people find it hard to escape digital serfdom. We are supposed to believe that the "average person is too stupid". Wherever digital technology exists there is "victim blaming" just below the surface. It has been baked into our culture since BOFH (the Bastard Operator From Hell), PEBKAC (problem exists between keyboard and chair) and other cultural artefacts born around the "Eternal September".
Sadly, people use insecure services because of habit. We might download an app from a dodgy catering company just to order a drink at a bar. People install an NHS app, while listening to the morning BBC news saying how the whole infrastructure has been hacked by the Russians, instead of just calling their doctor on the phone number they've used for 20 years.
Habit and thoughtless conformity are much more powerful obstacles to positive change than any amount of opportunity or education. Psychologically, we see that in everything from dieting and quitting smoking, to taking the bike instead of the car.
It's the little things that get us. Today it's not moustached dictators with columns of tanks that threaten our way of life! Being too lazy to walk to the counter, or too timid to insist on paying cash are the little human weaknesses that add up to the giant crushing defeat of free society.
There is a kind of hypnotised enchantment with technology that bypasses our rational, thoughtful minds. And there is a lack of widespread education such that people can recognise and politely refuse premature, unreliable and dangerous technologies pushed at them.
Behind the push is an intense momentum at the executive, managerial and policy level to drive technologies in the name of theoretical "efficiency": technology that nobody actually wants, nobody trusts and society cannot support in the long term. Who is behind that? The people and companies that sell half-baked digital systems, of course.
That, in itself, is a colossal cybersecurity problem! It's just not one that involves cryptography or traditional hacking. These are Layer 8 (the user) and Layer 9 (politics) cybersecurity problems. They exist in our culture as giddy, breathless attitudes of incautious zealotry, often alongside a contempt for the "experts and eggheads" who urge more thoughtful progress.
Victim Blaming
In the UK, when things go wrong we parade the victims on TV. Rip Off Britain is where sobbing mums robbed of their life savings break down in interviews and say "I can't believe how stupid I am". It's victim porn. It frightens people.
The message speaks only of evil fraudsters and victims. Never is the technology itself, its providers and the reckless everyday practices and policies we've become accustomed to actually questioned. We do not hear:
- Why did you send your passport in the post to a so-called "employer"? Did you not know that the Home Office have said themselves that a passport is not to be used as a casual identity document?
- Why did you enter every detail of your life into a form, loyalty card or device for legally dubious "food discounts" or a competition to win cosmetics?
- Why did you not insist on paying cash or walk out the store instead of being bullied into using your bank card some place you felt uncomfortable about it?
"Lazy technology" allows citizens to bully and exploit one another. That's a stage of casual insecurity that exists long before it accumulates into something fraudsters, blackmailers and ransomers can use for graver harms. It weakens our:
- self control and boundaries
- situational awareness
- operational and habitual security
Messages that the media feels comfortable giving to victims tepidly align with the interests of "the industry". It keeps them subdued, docile and deferential to technology which is made to appear authoritative, scary, other-worldly, uncontrollable, and "inevitable".
Angela Rippon and Gloria Hunniford never quite build up the courage to say:
"Why not just throw your phone in the bin love? It's obviously destroying your life and you're failing to manage it. Maybe 'smart' technology isn't for everyone. Stop signing up for rubbish you don't need every five minutes. There's more to life than peer pressure to be a mug."
Because they would consider that victim blaming rather than what it actually is: empowerment. Ask the many people who eagerly and successfully switched their lifestyle to a "dumbphone" last year.
Maybe on these programmes we also need to hear:
- Have you asked your MP what they're doing about civic cybersecurity?
- Does your MP, who claims "crime is an issue", realise that online fraud is three times as prevalent and costly as street crime and housebreaking?
- Have you tried telling the school headmaster that if your kid comes home agitated, anxious and shaking with fear about homework on the Google Chromebook you "rented" her, you'll throw it in the shredder?
- Have you heard of the NCSC and the idea that national security is also your security from living under technological fear?
- Do you realise there are alternative technologies that do not abuse you and steal your data and therefore put you at risk? Here's a list of them…
Another sticking point is that people go into denial and avoidance when facing the reality of technology's faults and dangers. Because we transfer the idea of "authority" onto technology we don't feel "qualified" to make critical observations, and we dismiss our own disagreement as "crazy".
You are not crazy! Our research at Cybershow has identified how people feel their instinct or "spidery feelings" about technology are powerful, and something they want not to ignore but often do. People widely say they feel "gaslighted" by media and government messages around technology they have a deep instinctive mistrust of. They feel bullied and tricked into risky behaviour.
We say:
- It won't happen to me.
- The technology must be safe because many people use it.
- It must be safe because it's backed by a big company.
- I don't really have a choice; Technology-X is "essential to participate in society now" (total rubbish: there is always a slightly less convenient alternative).
Risk bias, safety in numbers, appeals to authority, learned-helplessness and defeatism are all classic symptoms security researchers now recognise and understand as intrinsic to the problem.
So we all continue with risky behaviour, to give data to reckless, dishonest and technically incompetent companies who deserve no trust. People allow themselves to be harassed by a utility company into accepting a "smart meter" that leaks sensitive behavioural data to commercial third party telemetry and analytic companies. They let themselves be cajoled into allowing their workplace to install spyware on their personal devices.
Companies use devious bullying tactics that skirt or clearly break the law, make false representations, foment fear of "missing out", being marginalised or threatened with being charged more.
"What choice do we have?" people say, because we have been conditioned into learned-helplessness around technology. People do not feel empowered to legitimately question it, or to demand technology that works for them and respects their rights.
They believe that they need a smartphone app to access their bank and healthcare, despite 70 years of evidence that simpler, alternative systems work just fine. And as leading researchers in security economics found, despite all technological advances fraud remains more or less a constant in all societies: it is a function of social conditions and is barely touched by "more security".
The idea that even basics like food and heating must depend on absolute vulnerability to digital control is being aggressively thrust upon the population. This is a source of insecurity that is coming from within.
Militarily and politically, our greater enemies, whether they are in China, North Korea, Iran or Russia, are delighted that we build a fragile, precarious digital nation in the name of private profit and unscientific half-bakery that satisfies an idiotically narrow interpretation of "efficiency".
And yet we know this is not led by the people as a "market". Who do you suppose is really behind this fake "demand" when a third of young people now say they desperately want to get rid of their phone and just start living life again? How do we square this with a majority of older people (the 18% of the population over 65) saying they want to spend cash on the high street, talk to a real person and not be constantly gaslighted by tech that makes them nervous every time a phone rings or an email arrives?
After every cybercrime, every embarrassing "leak", the same stuck record starts playing… "Security is our top priority. Your privacy is very important to us." We are supposed to believe this tripe and settle for a "voucher" and "victim information leaflet".
Cybersecurity people are burning out. The educators and TV presenters are exasperated. We know that telling you to pick a better password is a band-aid on a gunshot wound. We know that two-factor authentication, while great on paper, will probably make you more dependent and less resilient. We know that biometrics may actually put you at more risk and that "zero trust" is unworkable in a real society outside some corporate ideal.
The real problems are structural and cultural. We have grown to have an expectation of technological overload and poor digital security because that was good for business. Business is not going to fix it, because that absolutely is not in the interests of business. The sooner we all internalise that, and move on to a fresh paradigm, the better.
Schism
"… the individual delegates all transactions between himself and the other to a system (within his being) which is not 'him'… the world is experienced as unreal, and all that belongs to this system is felt to be false, futile and meaningless." - R.D. Laing
Our culture is now about to split into two camps; the normative and the secure. Instead of "the haves and have-nots", there will be "the will, and the will-nots". Those who will compromise and those who will not compromise security. Those who choose security over convenience. Those who choose security against the nagging "advice" of corporations and governments to adopt a weaker position favourable to "markets".
It may be a small cadre to start with, but in time it will grow. Like all such splits and fractures, it is necessary to process the intolerable contradictions right at the heart of our digital society. It will start by becoming ever more acceptable to say: "We reject Microsoft, Google and other BigTech services because we value security."
Counter-intuitively perhaps, governments must not prop-up this fragmentation. There must be no "psychiatric intervention", for if governments legitimise BigTech, and collude with it to further weaken security, then the basis of computer security will collapse. It will become a preserve of a few with "secret" knowledge and rare skills. A black-market in "illegal security" will become the fastest growing sector of a new tech industry. Ordinary peoples' expectation of security will implode, and along with it much of the benefits of a technological society that is compatible with democracy.
Something has to give
Customer support people are at their wits end (which is why they're being replaced by AI voices that have no feelings, soul or conscience). Many companies have simply given up on supporting their insecure wares, and when the Digital Markets Act comes into effect they will just walk away rather than adapt and incur the expense of taking responsibility for civic cybersecurity.
The police, where they even investigate these things, are exasperated. They are understaffed, underfunded and conflicted. They tell victims to "report it to the company", hoping the problem will just disappear and knowing the victims will never get redress. What are the police to realistically do with "cyber-bullying" when the parents and schools wash their hands of responsibility?
Schools don't know what to do. Most teachers now support a ban on smartphones for under-16s, but are stuck with school laptops that use insecure US commercial software and don't have the internal IT skills to move pupils to safer, more appropriate GNU/Linux operating systems.
The idea that we have a choice and have a right to control over our own technological devices and digital lives is constantly under threat of being taken from people. Because that's profitable. Dependency and protection rackets (which is not the same as security) are new products for the "insecurity industry" to sell. They operate under the broken window fallacy of creative destruction.
Even suggesting people take more radical charge of their digital affairs by not providing data, and avoiding unsafe digital services gets a lot of negative reaction. Resistance comes from those who themselves profit from insecurity, or are psychologically invested in a Utopian ideology of a "corporate-run digital world".
Worryingly, Western nations that are rejecting liberal democracy and leaning toward authoritarianism are betting the farm on a public-private pact for cybernetic governance in which inequality, social immobility, privilege, and nudging suppression of dissent, can be programmed in. When Microsoft and Google provision your children's schooling and healthcare you might want to be more cautious about what you say online about Bill Gates' relationship with Jeffrey Epstein.
Not only is a "personal data driven technological society" optional, we may soon find ourselves in a world in which limiting it is the only way to avoid a societal implosion and catastrophic collapse.
How to dig deeper
If anyone is genuinely curious about why we're in a cybersecurity crisis, why the highly dysfunctional status quo exists, and about the roles played by post-9/11 politics, KYC, the power of the banking system, data brokering and surveillance capitalism, I recommend you read up on Security Engineering and Security Economics. Ross Anderson's books and the video series he did with Sam Ainsworth are a good first port of call.
Since Ross passed away much too soon this year, I've been hammering on at other technically minded people to re-read his works.
Figure 2: Ross Anderson (1956-2024), an "inspirational and doughty fighter" who understood how people are tricked by dishonest security talk.
Popular books by authors like Shoshana Zuboff, Tristan Harris and Jaron Lanier are fine to while away a train journey. But, like my own offering Digital Vegan, they don't give you in-depth explanations, solutions, or technical understanding to work with. I now see that with these kinds of books we risk alarming and alienating people rather than pointing out the many solutions and alternatives to our present surveillance-capitalist hell.
Gaining a deeper understanding of "why cybersecurity matters" is important. There are far too many "experts" working at the political level without solid technical foundations. There are far too many cowards who say only what is safe for their careers.
At present cybersecurity is a sham. Auditing and regulation are not going to solve what are deep structural and cultural problems. It's mainly theatre to create the illusion of balancing conflicted spheres of interest which are invisible to the public and stacked against them. We must work to make these interests visible and understandable.
The whole gig is presently about shifting risk and responsibility on to victims through "trickle down insecurity" and the terrifying problem that power wants insecurity - your insecurity, as its own competence wanes.
This includes many things like:
- surveillance laws written with contempt for side effects and technical reality.
- presumption of negligence when customers' bank cards are fraudulently used.
- cyber insurance that gives disincentives to firms for doing security well.
- smartphone apps for healthcare that knowingly run on insecure operating systems and exclude patient privacy choices.
- poor or misleading science used to push technologies that favour profit or power above civic security.
- dumb laws (which for example justified claims against UK postmasters) that "computers are always correct".
- schools that mandate proprietary devices that violate children's privacy and safety.
- supermarkets that exclude shoppers who do not carry smartphones with invasive tracking software installed.
There is seemingly no end to examples where power in the name of technology tramples all over ordinary people and their rights to a quiet, peaceful, private and self-determined life.
The insecurity industry hides itself by creating distracting narratives about shadowy figures. "Hackers" wearing hoodies and balaclavas in front of green Matrix screens are the iconography that gives Joe Public a digestible morsel to chow down on. It's something to feel angry against. Yet the real villain is an industry that takes your security away from you in order to sell it back as a branded product that allays fears.
Meanwhile grey-area organised crime and huge abusive companies get a hall pass - in the name of "your security". It is the struggle between these interests - these different and incompatible models of security - where the real cybersecurity battle is taking place. It's not just the daily "hackers-versus-defenders" story told in the popular press.