Opinion: Disinformation, Attacks on Society, and Our Responsibility as Infosec Professionals

Image credit: Hans Splinter - https://www.flickr.com/photos/archeon/

Let’s see if we can poke the hornets’ nest and stimulate some discussion. The views I express in this post are purely my own.

Information Security – Its Role in Stability and Prosperity

As information security professionals, topics like trust, resilience, and safety throughout the digital economy and society are a big part of what we work towards – not just the tactical and technical cybersecurity of our clients and employers.

A big part of this involves doing our part to leverage our competence, experience, and contacts to help assure that important, technologically relevant parts of the global social, political, and economic fabric remain functional in ways that we can influence – for example, e-voting, e-commerce, trustworthiness of online media, digital literacy of our fellow citizens, and many, many more.

Building Norms, Processes, Institutions

CyAN and many of my fellow members already support initiatives that work towards positive change – for example, Cybermindz and its focus on mental health among cybersecurity professionals, STISA’s work to combat online image-based sexual abuse, and the Global Encryption Coalition’s advocacy of encryption technology adoption and usage. We’ve lent our voice to the effort to defeat the EU’s ill-conceived (and currently, thankfully defeated) “Chat Control” regulatory proposal and to the campaign against the UK’s attempt to undermine end-to-end encryption, we vocally encourage diversity in the cybersecurity workforce, and we work towards security capacity building by contributing to events such as MaTeCC in Morocco and CYBERSEC in Poland, and through our mentorship program.

A Brave New (and Scary) World

Unfortunately, this is not enough. As we work to empower new generations of security, trust, and resilience professionals, to constructively influence policy, and to create and strengthen mechanisms that protect us all, the threat landscape is constantly expanding.

The past 10-15 years have seen a shockingly dramatic acceleration of fraud and scams, cyberattacks, and what Osavul refers to as “FIMI”, or Foreign Information Manipulation and Interference. We face a constantly evolving set of adversaries and challenges. These have included a significant expansion of mis- and disinformation that has influenced elections, espionage, sabotage of critical infrastructure (Russian anchors and Baltic subsea cables, anyone?), and other threats to our prosperity and democracy.

Who’s Behind This?

Those responsible include nihilistic vandals, hacktivists (an overrated threat in my opinion), state actors, and conventional, financially motivated criminal actors. Obviously, these often overlap.

Regardless of where you fall on the political spectrum, malicious state actors that play zero-sum games (notably, Russian disinformation efforts), and a growing number of extremist populist political groups, seek to undermine the multilateral world order. They threaten our rights, stability, and prosperity as democratic citizens, whether through attacks on institutions like the European Union and NATO that support and underpin collective cyber-resilience, or through the undermining of norms, rules, and capabilities that help secure our society. A good example is the US Trump administration’s recent disbanding of its Cyber Safety Review Board while campaigns like Salt Typhoon against US telecoms infrastructure are still in full swing, and its ongoing dismantling of AI safety rules.

What Can We Do?

There already exists a mature and extensive ecosystem of information security vendors, coordination groups, government agencies, and other entities dedicated to protecting themselves and the rest of us. That said, many democratic governments, while possessed of some exceptionally dedicated and talented information security and policy specialists and high quality politicians, have often struggled to keep up in their willingness to bluntly confront threats to stability – whether from outside forces, or from actors within our societies themselves, whatever their motivation. In short, we play by the rules, the bad guys don’t; when we take off the gloves, the bad guys cry about it.

As individual citizens, there are limits to our ability to combat these forces. While we ourselves can’t go after cyber-threat actors or disinformation campaigns, we can vote, inform our friends, colleagues, neighbors, and business stakeholders, and write to our politicians, to name a few things. Those of us who are exceptionally bloody-minded and have some spare time on our hands can try to waste scammers’ time, a technique pioneered by the classic and very funny website 419eater.

As information security professionals and companies, we have a few more options. Our daily work gives us access to information and analysis that consumers of mainstream news sources may not know about or understand, while it is the bread and butter of what we do for a living. Active contribution to cyber exercises, podcasts, information campaigns, ISACs, and other collective defence initiatives lets us leverage our expertise for the common good.

Mentorship, and reaching out to schools, local communities, journalists, and others who can benefit from our experience, are all good ways to “share the wealth” and help strengthen our compatriots’ ability to become aware of, understand, and counteract destabilizing influences on our politics and economies. Companies can additionally sponsor initiatives that do the above – it is a great marketing opportunity to be seen as contributing to cyber-stability. All of these are good tools to help mitigate the impact both of destabilization campaigns and of the cyberattacks, fraud, and scams that are often perpetrated by the same groups attacking our politics and economies.

Follow the Money

There is one more tool that we all have access to, which I feel is the most important of all – financial interest. Michael V. Hayden, former director of the US National Security Agency and author of The Assault on Intelligence, makes the argument that it is extremely difficult to create societal divisions, but comparatively easy to exploit them. But even that exploitation, for example through disinformation campaigns that strengthen extremist groups, cannot take place without money.

Unfortunately, many such resources come from corporate and wealthy donors to the very political groups that act as vehicles for destabilization. Support can also take the form of social media platforms that allow extremist content to flourish unchecked, firms that do business with rogue states and their agents, even employers who implement and encourage harmful policies and messages.

It’s a free market; as consumers and customers, we have the power to determine where our money goes. It’s up to every person and company to decide for themselves what a reasonable and realistic level of “activism” is – for me, a very easy technique has been to decide what firms’ attitudes I don’t like, and to stop using them. For enterprises, a consideration could be the potential reputational impact of being seen to do business with a vendor or partner acting irresponsibly, or the risk from relying on a supplier involved in political or economic instability or controversy.

Personally, I choose as a consumer to stop giving money and information, whenever possible, to entities that support, implicitly or explicitly, aggression and destabilization. This includes retailers who continue to do business with Russian companies. It also includes tech firms who allow disinformation and propaganda to flourish via their platforms, who cave to the demands of authoritarian, hostile governments, or who even donate to political groups that espouse those countries’ views.

As an information security consultant, I encourage my clients and colleagues to do the same, and to drop software and services that put their own companies at risk of things like data leakage, or even unauthorized access to their sensitive assets, due to a service or software provider being co-opted by a dangerous government or supplier.

In short, it’s a dangerous world, but we are not powerless. Above and beyond our voice as citizens, the nature of our expertise and capabilities as informed and connected professionals in the disciplines of information security, trust, safety, and resilience gives us a wide range of tools to help protect our fellow human beings and the societies we live in from information-borne threats. We don’t have to, nor should we, accept the undermining of our democratic freedoms and economic opportunity by a world full of cynical bad actors.