At many hacker conferences, you’re more likely to hear boasting about flashy new methods for “breaking” a niche technology than strategies for defending your data. You’ll also hear about the uninformed laziness of software developers, or the unpatchable stupidity of technology consumers. Amid pessimism bordering on nihilism, alcohol flows in abundance and sexual harassment becomes all too common.
We hackers have problems.
Thankfully, many people are working hard to address these and other issues in the information security community. While such challenges stem from a range of root causes, I’ve also wondered lately if the language we use when thinking about security has influenced some of these worrisome trends.
Have you ever considered how militaristic our jargon can be? Attackers threaten targets by breaking systems with weaponized exploits. We may joke about the idea of “cyberwar,” but we talk as if we’re in one. And with that mental model, it makes sense to focus on efforts such as preventing anyone from ever getting past your perimeter defenses.
But in practice, we know compromises will happen; strategies such as defense-in-depth or robust monitoring help mitigate risks even if someone finds a way into our systems. What if instead of trying to simply build “secure” apps, we aimed for resilient apps? What if we replaced our conception of security as a field for toughness and aggression with a model that can thrive even in the presence of vulnerability?
Personally, I favor Parisa Tabriz’s health care analogy. (No “cyber pathogen” jokes, please!) We all certainly want to avoid getting sick, but in medicine, catching a virus hardly constitutes a failure. Software systems often resemble biological organisms more than buildings or landscapes anyway.
Language matters. I’m not pretending a change of metaphor will solve all of the problems with infosec culture, but it can help reframe and retrain some of the thinking that drives those problems. Our descriptions also convey images to people outside our field; inclusive language helps support efforts to increase the diversity of our community, which in turn helps us build better fortifications… or should I say immunities?