icm2:re (I Changed My Mind Reviewing Everything) is an ongoing web column by Brunella Longo

This column deals with some aspects of the change management processes experienced in almost any industry impacted by the digital revolution: how to select, create, gather, manage, interpret and share data and information, either because of internal and usually incremental scope - such as learning, educational and re-engineering processes - or because of external forces, like mergers and acquisitions, restructuring goals, new regulations or disruptive technologies.

The title - I Changed My Mind Reviewing Everything - is a tribute to authors and scientists from different disciplinary fields who have illuminated my understanding of intentional change and decision making processes during the last thirty years, explaining how we think - or how we think about the way we think. The logo is a bit of a divertissement, from the Latin divertere, which means to turn in separate ways.



Gangsters in your pocket

About change in the information security sector

How to cite this article?
Longo, Brunella (2021). Gangsters in your pocket. About change in the information security sector. icm2re [I Changed my Mind Reviewing Everything ISSN 2059-688X (Print)], 10.11 (November). http://www.icm2re.com/2021-11.html


London, 29 October 2021 - While I was writing the previous article, I wanted to check, as I usually do, bibliographic information to see whether the fundamentals had recently been linked to new areas of research I know nothing about. What sad evidence of hijacking emerged from the website of a leading academic source, a publisher of reference materials: under the entry "bibliometrics" it showed three articles with titles not at all pertinent, referring instead to an internal dispute within that area of research between traditional and alternative views.

This is nothing really new, except for the global societal impact of the problem. Corrupted, misplaced or missing records have always existed within card catalogues, paper files, academics' drawers and then databases and electronic archives but, before the internet brought such tools into everybody's daily lives, those were mainly administrative errors.

How many teachers, libraries or publishers understand that this state of affairs can have huge consequences in the age of social media, instant communications and distance learning? Do universities have strategies for the information security threats to teaching and learning activities?

I would not be surprised to learn there are polarised views on the issue. Results? Nothing really substantively innovative has happened in the realm of computer network infrastructure since the devising of the ISO/OSI reference model of communications and the TCP/IP (Internet) protocols, both naively conceived and designed in the 1970s, when human factors, geopolitical implications and management aspects were simply not perceived as relevant to information security at all.

Having written so many bitter articles and notes on cybersecurity over several years, I thought I would end icm2re with a lighthearted look at this matter. But I could not find a tune, a joke, an episode I would really like to smile about. People become tired of reading and listening, year after year, to statistics and warnings, arguments and marketing claims that keep on repeating the same messages to audiences scared at first, then left speechless and helpless and keen to avoid the issue, and eventually, most of the time, indifferent. It seems a gigantic failure of knowledge management.

The experts keep on choosing the same narratives, referring to past and present milestones that do not address the problem: what glorious times those Bletchley Park years, when British intelligence broke the German Enigma cipher and built Colossus against the Lorenz teleprinter traffic; and shouldn't we all support the Cyber Essentials Scheme nowadays? Of course, of course.

In 1950 the United States began to use computers for military purposes, such as war games and simulations, and Claude Shannon published his proposal for programming a computer to play chess. Those endeavours contributed to the development of a specialist body of knowledge. They crafted techniques for software programming and debugging, shaping the mindset and practices of the entire sector for years to come.

Perhaps the attitude I still see within the industry dates back to those origins: treating any information security issue in reactive, military terms, concluding that prevention is never enough and that legislation - if and whenever it comes into place - will not suffice to win the war but will just delay the next move of the bad guys.

What about R&D? What about making different types of computers? Or inventing different protocols of communications? Look at the history of the automobile: innovations did not stop at horses!

The domain of cybersecurity is still a childish world in black and white, one that struggles to understand and deal with human factors except by advocating digital forensics, a field that very often turns out too weak to serve any cause; nor does it get to grips with actual information behaviours. I believe it should stop glamourising the idea that boys will always be boys, that information security needs to be managed as a game, that it can count on the good guys being faster at scam psychology than the bad guys, and so on.

Still a world of male dominance, the information security professional communities very often proudly act as a brigade to defend onanists and thieves with unarguable and totally non-pertinent excuses of neurodiversity or other mental and physical conditions, Asperger's or epilepsy, rather than accept responsibility for computer misuse. To start rethinking the way in which IT people work and create those software artefacts would require a U-turn in IT management, in training and education, in R&D and HR: courageous investments, outright turn-off strategies, rewriting entire libraries of software routines, discarding decades of programming, thinking big. Who would like to make such hard choices?

Female computer scientists and software engineers very rarely take divergent stances, although they do exist. When they do, they show the entire community how immature the science behind computers is: a discipline formally born in the early 1960s alongside science fiction, games and notes about intergalactic networks, and still unable to overcome the literary nature of its roots.

There is nothing wrong at all with ascribing the core essence of computer science and cybersecurity to creativity and art: without it, we would not have computers, the internet, the web. But perhaps information security needs to be led with a more scientific and managerial approach, to grow up with an unambiguous technical and legal scope. To serve a better world, not just to entertain and sell faster.

The discipline has given evidence too many times of disregarding risks, errors and malpractices as a way of keeping itself in a sort of kindergarten in which only HAL 9000, the paranoid computer created by Arthur C. Clarke in the Space Odyssey series, would opt for self-reflection - and in any case that would be dysfunctional! That is the view of the computer scientist as an eternal Peter Pan.

Furthermore, in spite of early attempts to put legislative defences against privacy intrusions in place (dating back to the 1970s), software development professionals have never taken data protection seriously, personal data breaches being too intriguing and too relevant for so many.

In this respect, since the early 1980s, the training and certification programmes launched by Microsoft, Apple and other large high tech companies have done a great service to the public, trying to professionalise hobbyists and amateurs. But the world of computing is still too young and not up to the challenge of information security. It does not generally like criticism, history, policies and governance approaches or legal specifications and it is, in turn, prone to propaganda, disinformation, the game of cyberwars, the lure of mangling evidence of computer misuse, and the paranoid obsessions of nerd and geek culture.

Civil liberties and end user groups have had their cases and reasons heard and, at least in the Western democracies, they have very rarely lost the right to be heard, even loudly. In 2002 even "virtual" child pornography (in which no actual children are abused or filmed - which, in a world of deep fakes, is irrelevant, because it is not what is true and what is fantasy but what is perceived and believed that matters) passed the test of the US Supreme Court, meaning that the production and distribution of paedophile pornography is in any case protected by the First Amendment of the US Constitution. That was something I strongly felt the need to oppose, because life is not only a matter of principles - and vice versa, matters of principle cannot be successfully addressed only as logical argument, in which life is disregarded. I not only lost that argument, I was pilloried by colleagues for putting it forward, and there are still voices that, twenty years on, do not stop ridiculing me as a way to ostracise me and depict me as the village idiot. What can be done?

Scientists, journalists and free thinkers pointing at computer professionals acting as cyber criminals, or favouring in some way the proliferation of cybercrime, have never been very popular. Take, for instance, the astronomer and "computer contrarian" Clifford Stoll who, in the 1980s, published a memorable book on how to investigate and defeat a hacker or, in recent years, the AI researchers Margaret Mitchell and Timnit Gebru, dismissed by Google, or the Facebook whistleblower Frances Haugen: individuals with a higher level of sensitivity, uncommon ethical views and a sense of responsibility for the information they handle are still not very popular in IT.

Fighting cybercrime from the perspective of a large IT department is still a matter of star wars into and through the layers of the networks, the firewalls, the intercepted communications. There is nothing dreadfully wrong with that. But why doesn't anybody call for big data and AI applications to fight modern slavery networks, a social plague that relies on identity theft, money laundering and criminals' infiltration into professional communities of solicitors and financial advisers through computer networks?

Where are the open source algorithms needed to prevent pollution or environmental incidents? Where are the software developers hacking "à la Robin Hood" in defence of civil and human rights in China or other countries that suppress freedom of expression? Why do we not hear of systems that could detect phishing coming from "orphan" domains (i.e. domains left behind by closed banks, insurance companies or government departments that no longer exist, while people keep on thinking they are genuine and current)?
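One way such an "orphan domain" check could work, as an added example that is not part of the original column: keep a register of organisations known to have closed (their brand, the domains they used, the closure date), compare a sender's domain against it, and treat a domain that was registered *after* its organisation closed as re-registered by someone else. The register, the WHOIS-style creation dates and the function names below are constructed for this illustration; a real deployment would take creation dates from an RDAP/WHOIS lookup and use the Public Suffix List instead of the two-label shortcut.

```python
"""Heuristics for flagging mail from 'orphan' domains: domains that belonged to
a bank, insurer or department that has since closed, and that may have lapsed
and been re-registered by a third party.

Example code added for illustration. DEFUNCT_ORGS and WHOIS_CREATED are
constructed sample data, not real records.
"""
from datetime import date
from email.utils import parseaddr

# Constructed register of organisations that no longer exist.
DEFUNCT_ORGS = {
    "Northbridge Savings": {"domains": {"northbridge-savings.example"},
                            "closed": date(2016, 3, 31)},
    "Coastal Mutual": {"domains": {"coastalmutual.example", "coastal-mutual.example"},
                       "closed": date(2019, 9, 1)},
}

# Constructed WHOIS-style creation dates (stand-in for an RDAP/WHOIS query).
WHOIS_CREATED = {
    "northbridge-savings.example": date(2021, 6, 14),  # registered after closure
    "coastalmutual.example": date(2004, 2, 2),         # the org's own registration
    "c0astalmutual.example": date(2021, 10, 5),        # lookalike, never the org's
}

# Undo common digit-for-letter swaps and drop separators before comparing names.
_NORMALISE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": "", "_": ""})


def collapse(name: str) -> str:
    """'C0astal-Mutual' -> 'coastalmutual', so brand and lookalike compare equal."""
    return name.lower().replace(" ", "").translate(_NORMALISE)


def registrable_domain(host: str) -> str:
    """Reduce 'mail.foo.example' to 'foo.example' (two-label assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def classify_sender(from_header: str) -> tuple[str, str]:
    """Return (verdict, reason) for an RFC 5322 From: header value."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ("unparseable", "no address found in From header")
    domain = registrable_domain(addr.rsplit("@", 1)[1])
    created = WHOIS_CREATED.get(domain)

    # 1. The domain really was the closed organisation's: was it re-registered?
    for org, info in DEFUNCT_ORGS.items():
        if domain in info["domains"]:
            if created is not None and created > info["closed"]:
                return ("orphan-reregistered",
                        f"{domain} belonged to {org} (closed {info['closed']}) "
                        f"but was registered on {created}")
            return ("defunct-org-domain",
                    f"{domain} belongs to {org}, which closed on {info['closed']}")

    # 2. Not the org's domain, but trading on a defunct brand in the display
    #    name or in a lookalike domain label.
    label = domain.split(".")[0]
    for org in DEFUNCT_ORGS:
        if collapse(org) == collapse(label) or org.lower() in display.lower():
            return ("lookalike-of-defunct-brand",
                    f"{from_header!r} uses the name of {org}, which no longer exists")

    return ("unknown", f"{domain} not in the defunct-organisation register")


if __name__ == "__main__":
    # Constructed sample headers.
    for hdr in (
        "Northbridge Savings <alerts@mail.northbridge-savings.example>",
        "Coastal Mutual <info@coastalmutual.example>",
        "Coastal Mutual Support <help@c0astalmutual.example>",
        "Alice <alice@example.org>",
    ):
        print(classify_sender(hdr))
```

The two verdicts that matter operationally are `orphan-reregistered` (the domain outlived the organisation and changed hands) and `lookalike-of-defunct-brand` (a brand nobody is left to defend is being reused); `defunct-org-domain` is still worth a warning, since no legitimate mail should arrive from an organisation that has closed.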

What needs to be done to develop R&D on cybercrime and its teaching? Some mechanisms exist to incentivise public and private R&D in this direction: redistribution of copyright revenues, digital taxes, governance of corporate human relations. It is not a Space Odyssey; it starts with keeping both feet on the ground.

If you are a proud IT person, computer professional or software developer I wish you to think big.