Title: On the pervasive presence of military language elements in computer security
Date: 2020-09-30 17:45

As I was writing an article for the first edition of [Paged Out]( https://pagedout.institute ),
I had an interesting (albeit too short) conversation regarding
its [cover](https://pagedout.institute/download/PagedOut_001_wallpaper_30.png)
with [Gynvael Coldwind]( https://gynvael.coldwind.pl/?id=50).
Drawn by [ReFiend]( https://www.deviantart.com/refiend ), it
features two people on the foreground, wielding what looks like guns.
This lead to a discussion on the omnipresence of military jargon, and thus violence,
in the world of computer security. I told him that I'll publish a blogpost 
to correctly articulate my thoughts on the topic, instead of the incoherent
rambling that I served him.

At every single security conference, there is someone with a direct quote of
the [Art of War](https://en.wikipedia.org/wiki/The_Art_of_War) on their slide
deck, and there is a metric ton of assorted military-inspired bullshit
terms for almost everything: [cyber
kill-chain](http://www.sans.org/reading-room/whitepapers/analyst/killing-advanced-threats-tracks-intelligent-approach-attack)/[cyber
missiles](https://www.langner.com/2010/12/the-short-path-from-cyber-missiles-to-dirty-digital-bombs/)/[cyber
pearl
harbor](https://www.techopedia.com/definition/29052/cyber-pearl-harbor)/[cyber
soldier](https://www.arcyber.army.mil/)/[cyber
strikes](https://www.langner.com/2010/12/the-short-path-from-cyber-missiles-to-dirty-digital-bombs/)/[cyber](https://www.wired.com/2010/03/schmidt-cyberwar/)
[war](https://www.theverge.com/2014/11/21/7259833/cyberwar-is-bullshit)/[cyber
weapons](https://www.bloomberg.com/news/articles/2011-07-20/cyber-weapons-the-new-arms-race)/[cyber](https://www.academic-conferences.org/conferences/iccws/)
[warfare](https://en.wikipedia.org/wiki/cyberwarfare)/[defensive counter
cyber](http://www.nsci-va.org/cyberreferencelib/2010-11-joint%20terminology%20for%20cyberspace%20operations.pdf)/[detonation
chamber capability](https://nvd.nist.gov/800-53/rev4/control/sc-44)/[digital
munitions](https://www.cyberriskopportunities.com/notpetya-the-exploit-that-would-lead-to-many-attacks-part-3/)/[military-grade
encryption](https://www.howtogeek.com/445096/what-does-military-grade-encryption-mean/)/[next-generation
defensive cyber operations](https://www.jstor.org/stable/26502756)/[proactive cyber defence](https://en.wikipedia.org/wiki/proactive_cyber_defence)/[cyber nuclear](https://www.nti.org/about/projects/addressing-cyber-nuclear-security-threats/)/
[cyber arms race](https://www.csmonitor.com/USA/Military/2011/0307/The-new-cyber-arms-race)/[cyber peacekeeping](https://arxiv.org/abs/1710.09616)/[cyber counter-intelligence matrix](https://www.jinfowar.com/tags/cyber-counterintelligence)/…

I understand that it's tempting to compare computer security to war: It takes our daily toil and
raises the stakes, makes us feel that victory is glorious; a battle of the
minds, that our work really matters and is important; and we are united against a common enemy.

But when you think about it, it's absurd: War is something terrible that should be avoided at
almost any cost, a *solution* of last resort. The worse outcome of
computer-related drama/problems probably doesn't imply entire populations
dying, being tortured, millions of refugees, camps, … Odds are that you won't
save actual lives by deploying a firewall: don't call it a "cyber bulletproof vest deployment".

War justifies terrible behaviours: who cares about you being screamed at when
you're *at war*? Who cares about your family life, your dinners plans, your hollidays, … when you're *at war*? What
are broken principles and despicable means, when you're *at war* ? …
which is a disastrous way to govern and organise a workspace.

Moreover, war maps poorly over computer security. What is a "[penetration
test](https://en.wikipedia.org/wiki/Penetration_test)"
combat-wise? How do you map "[full disclosure](
https://en.wikipedia.org/wiki/Full_disclosure_ )" to war? What is a
"prisoner's camp" or "[carpet bombing](
https://en.wikipedia.org/wiki/Carpet_bombing )" with a computer (apparently [zdnet]( https://www.zdnet.com/article/proof-of-concept-carpet-bombing-exploit-released-in-the-wild/ ) [can]( https://www.zdnet.com/article/carpet-bombing-ddos-attack-takes-down-south-african-isp-for-an-entire-day/ ) )? Rigidly mapping
one onto the other can and will create huge distortions.

Of course, nobody says that computer security stuff actually *is* war, but
as said in [Metaphors We Live By ](https://en.wikipedia.org/wiki/Metaphors_We_Live_By) by [George Lakoff](https://en.wikipedia.org/wiki/George_Lakoff) and [Mark
Johnson](https://en.wikipedia.org/wiki/Mark_Johnson_(professor)), "Conceptual metaphors shape not just our communication, but also shape
the way we think and act.". Leading to nonsensical bullshit posts like [this one](
https://twoscenarios.typepad.com/maneuver_marketing_commun/2005/05/military_metaph.html), [entire laughingly stupid books](https://www.forbes.com/sites/forbeslifestyle/2012/05/07/plea-for-a-cease-fire-in-business-as-warfare-advice/#f77cce37aa79),
and to despicable and hostile work climate.

An other perverse effect is that since military and violent imagery are traditionally, culturally and stereotypically associated with [toxic masculinity]( https://en.wikipedia.org/wiki/Toxic_masculinity),
this doesn't help with increasing the [dramatically low]( https://www.isc2.org/research/women-in-cybersecurity ) diversity in the computer security sector.

When we think about it, we have way better metaphors for computer security:

- gardening: defending against bugs, growing programs,
	 harvesting money, …
- building a house: everyone wants cosy stuff, yet you
	still need a solid door, maybe a couple of windows as well, definitely solid
	walls, …
- playing cards: there are adversaries, winning moves,
	gambles, influences, …
- guarding a museum: priceless artefacts, sneaky attackers
	à la Arsène Lupin, …
- …

The goal of computer security is to make safer systems, not about waging wars,
and thus shouldn't be envisioned as such. 

Of course, if you're working in the military and in infosec, there are overlaps,
but I would argue that this is more about military than it is about computer security.

As [Rob Bahat](https://www.linkedin.com/in/roybahat) said in 2016 in his [Business Is Not War. Let’s Stop Talking Like It Is.](https://shift.newco.co/2016/11/15/business-is-not-war-lets-stop-talking-like-it-is/) article:

> Business, at its best, is creation — and war,
always, is destruction. They are opposites, and if we want industry to be a
positive force in our personal lives, environment, society, and future, we
should divorce our language about business from the tragic (if sometimes
necessary) conflicts that bring devastation. There are so many good businesses;
but it is hard to find a good war.

