Artificial truth


The more you see, the less you believe.

On the pervasive presence of military language elements in computer security
Wed 30 September 2020

As I was writing an article for the first edition of Paged Out, I had an interesting (albeit too short) conversation regarding its cover with Gynvael Coldwind. Drawn by ReFiend, it features two people in the foreground, wielding what looks like guns. This led to a discussion on the omnipresence of military jargon, and thus violence, in the world of computer security. I told him that I'd publish a blog post to correctly articulate my thoughts on the topic, instead of the incoherent rambling that I served him.

At every single security conference, there is someone with a direct quote of the Art of War on their slide deck, and there is a metric fuckton of assorted military-inspired bullshit terms for almost everything: cyber kill-chain/cyber missiles/cyber pearl harbor/cyber soldier/cyber strikes/cyber war/cyber weapons/cyber warfare/defensive counter cyber/detonation chamber capability/digital munitions/military-grade encryption/next-generation defensive cyber operations/proactive cyber defence/cyber nuclear/cyber arms race/cyber peacekeeping/cyber counter-intelligence matrix/…

I understand that it's tempting to compare computer security to war: It takes our daily toil and raises the stakes, makes us feel that victory is glorious; a battle of the minds, that our work really matters and is important; and we are united against a common enemy.

But when you think about it, it's absurd: War is something terrible that should be avoided at almost any cost, a solution of last resort. The worst outcome of computer-related drama/problems probably doesn't imply entire populations dying, being tortured, millions of refugees, camps, … Odds are that you won't save actual lives by deploying a firewall: don't call it a "cyber bulletproof vest deployment".

War justifies terrible behaviours: who cares about you being screamed at when you're at war? Who cares about your family life, your dinner plans, your holidays, … when you're at war? What are broken principles and despicable means, when you're at war? … which is a disastrous way to govern and organise a workspace.

Moreover, war maps poorly over computer security. What is a "penetration test" combat-wise? How do you map "full disclosure" to war? What is a "prisoner's camp" or "carpet bombing" with a computer (apparently ZDNet can)? Rigidly mapping one onto the other can and will create huge distortions.

Of course, nobody says that computer security stuff actually is war, but as said in Metaphors We Live By by George Lakoff and Mark Johnson, "Conceptual metaphors shape not just our communication, but also shape the way we think and act." This leads to nonsensical bullshit posts like this one, entire laughably stupid books, and to a despicable and hostile work climate.

Another perverse effect is that since military and violent imagery are traditionally, culturally and stereotypically associated with toxic masculinity, this doesn't help with increasing the dramatically low diversity in the computer security sector.

When we think about it, we have way better metaphors for computer security:

  • gardening: defending against bugs, growing programs, harvesting money, …
  • building a house: everyone wants cosy stuff, yet you still need a solid door, maybe a couple of windows as well, definitely solid walls, …
  • playing cards: there are adversaries, winning moves, gambles, influences, …
  • guarding a museum: priceless artefacts, sneaky attackers à la Arsène Lupin, …

The goal of computer security is to make safer systems, not to wage wars, and thus it shouldn't be envisioned as such.

Of course, if you're working in the military and in infosec, there are overlaps, but I would argue that this is more about military than it is about computer security.

As Rob Bahat said in 2016 in his article "Business Is Not War. Let’s Stop Talking Like It Is.":

Business, at its best, is creation — and war, always, is destruction. They are opposites, and if we want industry to be a positive force in our personal lives, environment, society, and future, we should divorce our language about business from the tragic (if sometimes necessary) conflicts that bring devastation. There are so many good businesses; but it is hard to find a good war.