Many public discussions on information security tend to identify or claim the existence of an “information security community”. On its face, this seems a rather innocuous term that merely designates a collective of individuals dedicated toward relatively similar goals or ends – yet when delving a bit deeper, the term brings with it a host of additional considerations that make the flippant referrals to such a construct seem either misguided or profoundly misunderstood.
Before proceeding, first principles require us to understand just what a “community” means. Going back to Aristotle, the concept of “community” at its most basic roughly means a collection of parts having functions or interests in common. But more profoundly and meaningfully for collection of persons, communities are driven by common goals:
“Since we see that every city-state is a sort of community and that every community is established for the sake of some good (for everyone does everything for the sake of what they believe to be good), it is clear that every community aims at some good, and the community which has the most authority of all and includes all the others aims highest, that is, at the good with the most authority. This is what is called the city-state or political community.“ (Aristotle, Politics, I.1.1252a1–7)
While even the most die-hard proponents of an information security community would shirk from claiming to be a “city-state” or true “political community”, the concept of driving for some common, communal “good” would seem quite reasonable and expected to even lay claim to the term “community”. Thus, on basic principles, we confront a conception of an “information security community” notionally defined by (or directed toward) some common, collective good that gives the collective a sense of identity and purpose. The question at this stage, then, is what common, motivating “good” might exist to support and engender a potential community?
The obvious first place to look would be in the general idea of “security” itself – preserving entities from harm inflicted by malicious third parties. Yet this concept itself is full of assumptions and hidden meanings that begin to cause difficulty. First and foremost, the idea of what entities (or agents, or persons) are entitled to protection and security is immediately problematic: does this mean all “innocent” users of networks (itself a fairly loaded term), or just customers of a given entity, or members of a specific state body?
On a commercial level, organizations may make vaulted claims about wanting to protect “all innocents”, yet at the end of the day preserve most actionable, detailed information and capabilities enabling defense for paying customers. From a classically liberal, market economy perspective, this both makes sense and seems defensible – yet by its very nature would balkanize any sense of community to competing vendor ecosystems where members are entitled to the support and efforts of their champions, but denied similar efforts from others. In an individualistic, atomistic rights-based framework this is not only problematic but in some senses desirable, yet fails to reach the communal sense of shared goals across industry that a community would presumably seek. Ultimately, the vendor-focused construct is certainly a (semi) sustainable state of affairs, but hardly qualifies as a “community” in the sense of all parties striving toward a general goal (or possible telos) in common given the divisiveness and blatant separation between entities.
Moving a step beyond customers of specific companies, we enter the realm of state-based allegiances and necessities. While the security community has seemingly done an admirable job in presenting analysis of threats irrespective of source – from Symantec providing authoritative analysis of Stuxnet to Kaspersky Lab diving deep into Russian-linked espionage – private sector and broader commercial entities cannot operate in a political vacuum. Thus, the US government banning Kaspersky products in federal networks while major US technology companies open “transparency offices” (including source code reviews) in seemingly hostile (but lucrative) environments. As much as some (or even many) individuals within the field of information security would like to lay claim to the field representing something akin to medicine in terms of dedication to patient (or customer) care and a commitment to “do no harm”, actions “on the ground” indicate a distinct and growing nationalism sundering any sense of universality within this sphere.
From this, we’ve arrived at a situation where many of the end goals – the telos – of information security are not so much universal principles of defense and detection, but rather parochial efforts to benefit one’s customers or fellow citizens (or at least, to benefit those entities primarily and all other bodies benefiting as positive externalities of effort). Such a situation hardly seems to be the foundation of a community, but rather represents a base-level similarity in mission and effort that one would ascribe to mercenaries.
Yet in pursuing this exploration of community in line with classical (but still influencing) politics, perhaps we miss alternatives as expressed in ethics. Toward this end, I would bring up not only the (conservative) Aristotelian virtue of tradition (or perhaps more accurately, traditions yielding social virtues), but also the more contemporary phrasing of such a concept by Alasdair MacIntyre in his seminal work, After Virtue. Here, the concept of communitarian values is set against the classical liberal set of freedoms and rights to emphasize that true, vital, and enduring communities are only engendered and sustained through shared narratives (or visions) of “the good”. As such, true communities can only be created and maintained through a shared, universal commitment to certain values underpinning or justifying everyday actions – even if such actions (in classic Aristotelian fashion) frequently “miss the mark”.
In light of previous examples, various ways of delineating communities break apart as no universal agreement can be gained concerning elements such as “who we defend” and “what state do we serve” (or “what state do we not unnecessarily piss off”). Thus, trying to define an information security “community” along these lines either fails outright, or produces a litany of sub-communities each aligned to their particular interests, purposes, or telos.
However, instead of this fragmented vision of a security community, perhaps some center ground remains around which we, as security practitioners, can rally irrespective of what organizations we work for or what passport we own. To achieve this, we must recognize something akin to MacIntyre’s observation of modern, classically liberal society essentially encompassing “a collection of strangers, each pursuing his or her own interests under minimal constraints” beyond those bright lines defined by criminal law. While this viewpoint of extreme, individual autonomy (whether at the individual or potentially the organization level) may bring many benefits in terms of absolute (albeit ‘cold’) freedom, it does so at the expense of connection and community.
Essentially, pursuit of individual values and agendas subverts the understanding or creation of a more holistic community encompassing many others. From a pure goals-oriented approach – where agendas and deliverables are controlled by profit-driven entities – such an approach is inescapable. Yet in how such goals are achieved, individual practitioners hold the capability to forge a sense of wider community through adoption of and adherence to common values embedded within a shared, collective narrative.
In this, potentially limited but also perhaps more powerful perspective, a true community is forged not through the specific ends achieved through action, but in the principles motivating and guiding how such actions take place. Adopting this narrative-based approach while accepting the limitations placed on action end-states by the realities of commerce and politics allows us to carve out space for defining a community by virtue of how such actions are carried out by members of that community even if the goal of such actions may invalidate certain conceptions of the collective.
Thus, the adoption of common sets of standards for behavior, discourse, and treatment based upon or supported by an underlying, justifying narrative becomes the key driving factor in creating a community. In some senses, we see this within the information security perspective with increasing adoption of organization and event codes of conduct, establishing firm baselines of what behaviors and methods of discourse are acceptable – and which go beyond the bounds of the tolerable. Individuals and their specific organizational allegiances can pursue different goals or end-states within the bounds of the framework offered, but the methodology behind that pursuit adapts to common, communal interests – even if the narrative beneath is nothing more complex than “don’t be an asshole to others”.
So in trying to forge a sense of “community” within the information security, perhaps less attention should be paid to implausible conceptions of shared goals and objectives (“do no evil” or “protect all entities equally” – laudable ideas that quickly melt before the contradictions of real life) to a seemingly lesser, but attainable, common bond in communal standards of behavior and discourse. Instead of getting bogged down and caught in conflicts between mutually-exclusive goals and “what master do you serve” issues, individuals within a common profession can forge bonds in how they interact and what standards and norms govern such behavior.
In this lesser-but-possible conception of how a community can be formed even if a true “communitarian” framework remains untenable, we as prospective members still have significant work to do. Examples of how a “community” can (and maybe should be) formed from a profession where members have differing goals or ends could include: adopting common academic policies of citation and reference to acknowledge the work of others (and enabling others to do so by communicating in durable, referrable fashion rather than just via a presentation); embracing standards of conduct and communication to foster debate and discourse while avoiding attacks and ad hominem; organizing activity and interaction to be accepting and welcoming to potential outsiders rather than focused on only already-present “insiders”.
This may strike some as perhaps too basic and grounded to ground an aspirational sense of “community” – yet such standards of how we interact and behave remain reachable, actionable items. Some may wish for a utopian sense of a profession united toward achieving a common end or telos – but such conceptions place us in a sphere where the perfect (that communitarian paradise where all entities strive for the same fundamental good) becomes the enemy of the good (a collection of individuals that embrace a common set of conduct and values irrespective of their desired ends). Looking for attainable goals and achievable “wins” seems more productive – and maybe will, over time, place the community as defined by norms of behavior in position to seek greater, deeper integration over time.