Is Cyber Security A Form of Violence?

This weekend I had an interesting conversation with my friend Suzanne Kryder. She’s a mindfulness expert and co-founder of a radio show called “Peace Talks.” She was giving me some feedback on my Shmoocon presentation and she said, “I’m really noticing the violence inherent in computer malware.” Her comment stopped me cold, because as a proponent of non-violence, I never actually made such a direct, clear connection in my mind. As we continued the discussion, I realized how strongly the subject was resonating with me. As someone with a past history of being emotionally tone deaf, I now expend great effort in cultivating respect and compassion when interacting with the user community and my fellow IT professionals. It isn’t always easy for me and I fail about 50% of the time, but the short interaction I had with Suzanne gave me a fresh outlook on my profession.

I started to consider how the security industry might be reshaped if we approached it as peace advocates instead of cops. If in defending our enterprises and governments, we didn’t also seek to disempower others. I realized that the current trend is very similar to a Cyber Cold War with malware and DoS attacks being used instead of bombs, with governments installing virtual walls as opposed to brick ones around their citizenry. Last year, when I was offered a position with a company that did work for the DoD, I sought the advice of a friend, a former member of the military who had become a counselor and supporter of non-violent communication methods. He was a West Point graduate and had been in the Pentagon when it was hit on 9/11. I was concerned that by taking the job, I might inadvertently be contributing to the escalation of violence.  I’ll never forget what he told me, that the mindset in that realm is to cause harm to an enemy. He asked me if I could live with that. Ultimately, I turned down the job, because I thought the line would become too fuzzy for me. Now, after a weekend of watching security conference presentations about breaking and defending systems, I’m considering how much of what I do in my professional life is still inadvertently aggressive.

In closing, I’d like to emphasize that this isn’t a criticism of those who have selflessly dedicated themselves to serving in the armed forces or law enforcement. In fact, I have both in my family and I have nothing but respect for those who have chosen that difficult path. It’s more of a contemplation on how I can personally make my professional words and actions consistent with the moral fabric of my life. I believe this is the only way I can avoid the despair and discouragement, aka burnout, I perceive in many of my colleagues in the security field.

 

Mrs. Y
Mrs. Y is a recovering Unix engineer working in network security. Also the host of Healthy Paranoia and official nerd hunter. She likes long walks in hubsites, traveling to security conferences and spending time in the Bat Cave. Sincerely believes that every problem can be solved with a "for" loop. When not blogging or podcasting, can be found using up her 15 minutes in the Twittersphere or Google+ as @MrsYisWhy.
Mrs. Y
Mrs. Y
  • http://twitter.com/DmitriKalintsev Dmitri Kalintsev

    Any form of defence, save, perhaps, peaceful conversion of an enemy into an ally (friendly assimilation), is ultimately a form of violence.

    Essentially, job of security is to say “No” to an attacker’s “I want”. And in saying “No”, it doesn’t help to understand *why* “No”, so attacker’s “mindfulness” is not improved.

    Hope this makes sense.

    • http://twitter.com/MrsYisWhy Mrs. Y.

      I disagree. To protect oneself or an organization from harm is not violence. Check out Marshall Rosenberg’s books on the Non-Violent Communication Method. There’s a difference between assertive and aggressive interaction. Peaceful does *not* mean passive and there are plenty of Buddhist monks in Burma who would agree.

      • http://twitter.com/DmitriKalintsev Dmitri Kalintsev

        To elaborate a bit, I am not proposing non-protection. I am just saying that often some form of violence is the right course of action, like those monks beating the living lights out of those who attack their stronghold. :)

        It is, in my view, calling duck a duck and being comfortable with it.

  • Dan Verwolf

    Great post. 

    As a fellow advocate for non-aggression, I’ve also contemplated my own role in administering IT networks and systems.  I agree with your consideration of approaching the industry as advocates for peace rather than as cops, often punishing and cracking down on even peaceful users. In protecting our organizations and our users, we need to be sure that we don’t unintentionally become the aggressor.

  • Fernando Montenegro

    Very nice post with a great deal of personal insight, thank you.

    I take objection to security folks – at least in the enterprise sphere – as ‘cops’. While there’s always those who wish we could ‘retaliate’, ‘strike back’, etc… the majority of folks just want to have their infrastructure work reliably, efficiently and securely. To me, this is much more of a ‘leave me alone and don’t bother me’ mentality than “aggression”.

    I think there are security roles that are more aggressive – specifically military/DoD/… as you well point out – but to me the aggression/violence comes from those who attack us, not the other way around.

    Respectfully,
    Fernando