The concept of praise and blame – or moral responsibility more generally – is a central concept in ethics that features many responses. Of note in evaluating various approaches to the problem is the concept of human fallibility in the face of ethical decision-making. For Aristotle, humanity is intrinsically flawed due to the experience of emotion and feeling, resulting in a “weakness of the will” (akrasia) – thus an individual may very well know or even (on some level) want to do the “right thing”, but emotion and inherent weakness (a built in “tragic flaw” or “hamarita”) results in a blameworthy action (or lack of action).
Writing several hundred years later, Immanuel Kant posited a “duty-centric” ethical framework (rather than a “virtue-focused” approach) that identified recognition and fulfillment of responsibilities (duties) as the critical aspect of moral behavior. However, Kant’s approach is dependent upon reason as a mechanism to accurately identify and then act in pure accordance with the dictates of an individual’s duties – a faculty that human beings, imperfect as we are, cannot possibly meet in every instance. Yet a pure or “divine” will lacks moral meaning behind decisions because they cannot help but act in accordance with duty – while human beings have a choice. Because of this inherent flaw (lack of perfect moral, or practical, reason), human beings will – either through ignorance, poor reasoning, or influence of “natural desires” (like Aristotle’s “pathos”) – fail to act in accordance with duty consistently.
The above highlights a recurrent theme in ethics and moral philosophy from its earliest origins to the present: that human beings are not perfect, even when moral or ethical obligations are seemingly clear. Thoughts, passions, emotions, or simple ignorance interject and prevent an individual from doing “what is right” or knowing “what is good” in all cases. More pernicious still are those instances where events (and duties) collide: such as when friendship or family ties are overcome by higher responsibilities, and how such conflicts should be resolved. Perhaps this is the reason Mill and others tried to reduce such decision-making to a moral calculus: identifying and quantifying “utility” and judging actions based on maximization of this quality. In this sense, one may not have necessarily have “done wrong” – one may simply be “bad at math”. In any case, the issue of “why do otherwise good/decent people do bad things” is a topic that has perplexed many for thousands of years, and remains fundamentally unresolved – and in all honesty, is likely unsolvable.
Which leads us now to the information security community. Recently, Motherboard published an explosive article detailing a toxic, “private” Facebook group where many prominent information security persons (as far as I can tell, all male) made a number of sexist, hurtful, and simply immature statements with respect to peers (based on released screenshots and other items, all female). You might think I’m about to make a pivot from this event to some defense of these individuals based on inherent human failings – on that, you will be disappointed as I find the actions (given their brazenness, consistency, and apparent lack of any remorse or awareness) to be “beyond the pale” of a mere “mistake” or temporary moral failing. These individuals making such hurtful, abusive statements knowingly acted in a way that is indefensible and reprehensible, and so they should be judged.
There might be something to be said for the topic which I am discarding in the previous paragraph, but right now I feel it is distracting and misses a far more important point that needs addressing: how those who are (or try to be) basically “good” people react in such situations, and what can be done to counter or otherwise “push back” against blameworthy or reprehensible behavior. For as much as I am pessimistic on humanity in general, personal experience and anecdotal evidence strongly suggest the people actively being abusive represent a minority of the information security population – but these individuals are enabled and tolerated by a majority which, while not actively partaking in such lamentable behavior, stand by and let it pass unacknowledged and unchallenged. If we want to assume human beings at least attempt to be reasonably ‘good’ in most cases, how and why do so many individuals, who presumably do not wish to harm others, stand aside and let such behavior pass without consequence? In this instance, I feel quite strongly that we are witnessing the very “weakness of the will” discussed above: that even in the face of reprehensible, indefensible behavior, fundamental weakness in executing on moral precepts intrudes and results in passivity. The burning question then is how does any collection of people deal with this unfortunate set of circumstances, and improve outcomes such that the vocal, abusive minority either fundamentally changes their ways, or finds themselves no longer welcome.
Before exploring this further, we must first look to what counts as the dominant response in the wake of such behavior when exposed. The predominant reaction for many within the information security “community”[1] is emotivism. Essentially, after an event or revelation that people (and especially not nice people) do morally blameworthy things, hordes descend upon social media and other avenues to make a statement that basically is distilled to the following: “Boo, <insert reprehensible behavior here>!” While this “feels good” and I will agree with the sentiment in most cases, this is effectually as useful as the ever-present “thoughts and prayers” response to tragedy. While “self-identifying” as for/against an issue may have some value (although honestly, if you have to vocally and publicly say you don’t like racism or sexism, maybe you should question your actions that make this stance non-obvious to observers?), it fundamentally does nothing to resolve the problem.
More to the point, such statements infantilize a difficult issue through emotional outrage, which is easy to project against clear perpetrators of abuse, violence, or other reprehensible behavior – but less clear (and more difficult) as a mechanism for affecting change or establishing norms within an environment. Basically, the statement indicates that the individual delivering it does not like such behavior – which is fine – but does nothing to indicate why that behavior is unacceptable, what one should do about it in practice, and for the scope of this discussion, how do we evaluate those that fail to meet a potential standard of morally praiseworthy behavior.
This leads to the final point and why I have been particularly dismissive of such efforts as of late: emotive statements give the appearance of action through public spectacle (Tweeting at your n number of followers your views or allegiance) while actually doing nothing of consequence. I say this with an assumption in mind: that in 2019, we can all universally agree that statements or actions which are racist, sexist, discriminatory, or abusive are unacceptable and unambiguously wrong. Therefore, simply “voicing displeasure” merely reinforces what is an already-existent norm – far different from saying “racism is bad” in the 1950s USA or similar circumstances where such a statement challenged prevailing norms and represented a meaningful action on its own. Individuals still make these statements, but do so privately (or at least somewhat so) because it is already known that such language and the views implied by it are unacceptable to the wider public.
Circling back to the theoretical digression at the start of this ranting, this statement-without-action complex in response to events provides a cheap and painless facsimile of “taking a stand” or “making a statement” – all the while merely embracing an already-existent social norm and expending no more effort than required to input text into a keyboard or smart device. More concerning still, this illusion of action also provides a convenient escape from the problem of weakness or failure to act in the face of reprehensible statements (or more importantly, behavior). Essentially, individuals can tell a comforting story that “of course I am against <insert morally repugnant behavior here> – I have made this position unambiguous on social media!” – without examining or questioning how (or even if) they have adjusted their actions to support or advance this position. We are left with a type of moral “junk food”: individuals fill themselves up on feelings of self-righteousness based upon their publicly-expressed indignation, while not exploring what actions they could (or should) concretely take to concretely advance the desired goal, or how a disconnect exists between publicly known norms (racism and sexism are unacceptable) and individual behaviors.
What worries me in these circumstances is that an individual may feel that they are an “ally” or otherwise supporting a laudable cause, without taking a pause to ask themselves: Just what would I do in circumstances where I found such behavior, either in action or just implied? How would I react when involved in such circumstances? Would it make a difference if the people involved were colleagues? Friends? Family? These are hard questions – and go to the questions of pathos and an incomplete understanding (or false identification) of duties mentioned above – yet the false confidence imbued by a simple Tweet or Facebook post of “solidarity” gives many the false sense of accomplishment and – more worrisome – completion. And to some extent we can see this playing out within the information security profession as individuals stood by, silent, while colleagues, friends, or just “known personas” made such statements (and potentially engaged in behavior aligning with such statements) while doing nothing – even if they as individuals embrace current public norms.
With these concerns in mind, what a truly concerned and morally aware person must do is determine – in advance of a crisis, to the extent possible – just where their values lie, how they will support them, and what actions they could (or should) take in response. For example, using the recent Motherboard story as a concrete case study, how should one react when observing such reprehensible behavior? Directly admonish the person making such statements? Inform victims of the abuse for their awareness? Inform that person’s employer or others as to that individual’s true character? Some combination of all three? Unfortunately, such circumstances will almost always result in situationally-dependent, varying answers – but to avoid weakness in the face of adversity, exploring these scenarios in advance is not merely beneficial but likely necessary. A false sense of confidence built from a series of public (but practically empty) statements will in all likelihood merely set oneself up for failure in a moment where values and (seemingly) conflicting duties are tested. For example, if someone I would consider a friend suddenly (privately) exhibits reprehensible, unacceptable views, what would you do in that situation? Many of us would rightly be conflicted just how to proceed (especially if there is a social or professional power differential within the relationship) – but recognizing that such conflicts may come up and how to potentially deal with them strengthens one’s will and improves the likelihood of acting in accordance with one’s values when such a test manifests itself.
So what should one actually do if the now seemingly-requisite social media post of “boo/yay” is insufficient and potentially harmful for making an actual, tangible difference in affairs? Aside from partaking an exploration of just what your values are and where they hold force by thinking through just what such scenarios mean and their implications in practice, extend the simple statement of “I dislike this activity” to actions that measurably push back against it. Along these lines, if you truly feel it is important to make the information security profession a welcoming and inclusive field for people of all backgrounds and persuasions, consider the following:
- Make yourself available for mentoring, discussion, and exploration of information security topics, whether specific technical issues or less-tangible career items such as how to interview or a primer on information security cultural norms and practices.
- Open yourself up to reviewing resumes, conference or paper proposals, and similar items from people looking to get into this field, and make a conscious effort to do so not just for people who look and think just like you, but for those that can inject new life and perspectives into this field.
- Highlight the work and efforts of others when you have a public platform, whether through a vocal call-out in a presentation or a citation in a paper. Try to make sure you go beyond your small circle of friends and colleagues to give credit to or explore the ideas of others working in this field.
- Strongly consider including junior colleagues from different backgrounds or perspectives as co-authors or co-presenters on topics to raise their profile and expand the breadth of the information security profession.
- Meaningfully contribute to the design of organizational and event codes of conduct, and work to promulgate them actively through vocal and actionable support rather than simply “checking the box” of accepting such strictures as a condition of employment or conference attendance.
- For recognizing and dealing with situations at events such as conferences, look into and study resources covering bystander intervention. Instead of being helpless or shocked when facing abuse – or even worse, being oblivious to less-direct types of harassment and abuse – learn what to look for and develop strategies to intervene in advance. Determine how you can defuse a situation and protect those who are under attack.
For any of the above, feel free to reach out to me at any time (jslowikATpylosDOTco) and I’m happy to help.
More importantly, if we can all commit to such actions – which I would argue is representative of basic human decency toward our fellow persons – no individual really needs to expend extraordinary effort or resources to ensure the information security profession (and the way people of all backgrounds within it are treated) improves. Rather, through a continued commitment to the above and similar sorts of actions, we establish a new norm for behavior where individuals are not lauded for helping others, but expected to as part of membership in this profession. If successful, one could argue that information security could justifiably call itself a “community” with shared values and practices, instead of just shouting such in public despite lack of meaning underneath the statement. Based on this shared commitment, “naming and shaming” and public proclamations of empty platitudes become irrelevant as persons will be expected to perform in the above fashion to be a part of the profession cum community. Furthermore, given widespread “buy in” to such principles and active interventions, sufficient support (again striving towards the creation of an actual community) exists where normal human fallibility in the face of hard decisions is mitigated through a sort of “defense in depth” – as others can and will be expected to step “into the breach” to support their fellows in such circumstances.
Overall, we must strive to be better – and that begins by a critical examination of just what we, as members, want from the profession we engage in and how we can concretely contribute to that change. Broadcasting vague messages of support simply does not suffice to achieve the goal of creating a meaningful community and enforcing its norms. Such statements sound nice, but are effectively empty and lead to a false sense of having accomplished something. Instead, each of us needs to commit to incremental, steady change and support for fellow members of the information security profession. If this is successful and we truly build out a supportive framework for all members, then (and only then) can we call information security a “community” – and not merely a collection of individuals all simply working in the same field.
Note: I cited two (three, if you want to count my brief mention of Mill) Dead White Guys in the preface to this piece. Unfortunately, based on written records and what we know, they are the originators for much of this thought and its basis. Having said that, there are excellent women who have significantly pushed the boundaries of these topics over the years, who I would strongly recommend reading if you want to go into detail on the fundamental philosophical issues at play. They are:
- Christine Korsgaard – The Sources of Normativity and Creating the Kingdom of Ends
- Marcia Baron – Kantian Ethics Almost without Apology
- Nomy Arpaly – Unprincipled Virtue
- Onora O’Neill – Bounds of Justice
[1] I put “community” in quotes because I now firmly think that there is no such thing as an “information security community” given current circumstances. Taking the definitions of “community” as a group of people living in the same place or having a particular characteristic in common; or having a feeling of fellowship due to holding interests, goals, or values in common, neither applies to the information security profession right now. We are far too diverse in outlook, mindset, and worldview to really be a community – and I think the sooner the profession disabuses itself of this idea, the better off we will be. Alternatively, striving toward a genuine set of standards, norms, and supporting practices means we can actually turn a profession into a community – but we are not there yet.