Language is arguably the most powerful creation of the human species, the most successful mechanism to encode and transmit information across geographical, cultural and temporal boundaries. Humankind's ability to create and use a system of symbols has been the subject of study, commentary and vivid debate for centuries by the most influential thinkers of our history, from Socrates, Plato and Aristotle to Bertrand Russell, Ludwig Wittgenstein and Noam Chomsky by way of Hobbes, Locke and Rousseau.
The resiliency, ambiguity and evolutionary nature of natural language is in fact so formidable that its understanding remains one of the elusive goals of strong artificial intelligence. Humans have resorted to the creation and use of programming languages to "communicate" with computers, and of other formal languages to communicate with each other in an accurate and non-ambiguous manner. The so-called "hard sciences" rely on formal languages (particularly those used by mathematical logic) to generate, encode and transmit scientific knowledge.
Linguistics, the scientific study of natural language, has progressed rapidly ever since Ferdinand de Saussure laid its foundations in the early 1900s. In the late twentieth century linguistics and computer science started to cross paths with the work of Noam Chomsky and Sydney Lamb.
Information security professionals, and more generally technologists, have a rather peculiar use of language in their trade, with all the traits of a dialect, the geekiness of a constructed language such as Elvish, Klingon or Esperanto, and the attempt at secrecy through obfuscation of a language game.
The particular idiosyncrasies of techno-babble were originally captured in the Jargon File, which itself did not resist the exponential growth of technology and, almost by definition, is constantly outdated in today's socially-networked, cloudified, interwebs 2.0 ecosystem. It is particularly telling that the three definitions for the word jargon in the Merriam-Webster dictionary can be used interchangeably to describe the language used for communication among information security professionals.
Casual analysis of the language we use to communicate with our peers and others may elicit some thoughts on how to improve our profession and the overall security discipline.
For example, let's consider how, when we face the need to explain relatively simple information security concepts, we often resort to analogies from other disciplines or scenarios. Thus we equate port scanning and vulnerability scanning to the physical inspection of door locks and windows, network packet inspection to human sensory behavior (i.e. sniffing), and attackers and defenders are directly linked to fashion trends of the clothing industry (i.e. people that wear single-colored hats).
Some time ago, while chatting with my peers over a circular table (i.e. in a round-robin arrangement), I suggested that our constant use of analogies is an indication of the immaturity of our discipline, or of our inability to create a system of symbols sufficiently expressive yet precise and accurate enough to encode and transmit information security knowledge in an unambiguous manner without the need for analogies.
Luckily, none of them pointed me to Douglas Hofstadter's eulogy of analogy as a foundation of cognition. Today, having read his essay, I must confess that I have a different appreciation of the contribution of analogies to our perception and knowledge of such an obtuse field.
Yet I still believe that an information security analogy is a dish best served cold: one that must be selected carefully to convey an intended meaning very precisely, rather than to foster the uncontrolled propagation of Fear, Uncertainty and Doubt or to bias the audience towards an intended emotion.
Our selection of terms from other disciplines is also worthy of contemplation. Information security vocabulary has drawn extensively from military doctrine and the warfare glossary. Firewall, bastion host, armor, citadel, fortress, cyber-warrior and enemy are just a few of the terms commonly used by many security professionals, and inflated war rhetoric is often found in our industry's marketing collateral and public speeches. Incidentally, a quick search for "War on CyberTerrorism" came back with over 23,900 hits, but "War on CyberWar" yielded a single result.
One of my favorite war-related terms is weaponized.
I've always failed to understand the intended meaning of the term. It is used discretionally to inspire fear of artifacts that could be purposely used to cause harm; thus a reliable program designed, developed and tested to exercise a software bug is a weaponized exploit, as opposed to innocuous tools such as fdisk, rm or echo. I can't help it! I invariably smirk when I hear the word weaponized and reflect that I seem to like weaponized cereal grain, and to be tremendously happy about the availability of a weaponized fungus which, among other things, can be used to produce a kind of weaponized cheese that fits very well with weaponized grapes.
Besides the warfare vocabulary, we've also borrowed several terms from natural sciences such as biology (virus, epidemic, mutation, strain) and physics (entropy, decay rate) and, of course, from science-fiction literature, the entertainment industry and pop culture. Our language is further peppered with an innumerable set of constantly evolving acronyms and neologisms: made-up words that do not convey any meaning to the uninitiated.
Lastly, the necessary linkage of information security with the business world is usually sought through terminology drawn from the social sciences, mainly economics and the legal system.
In sum, the long diatribe in this post was simply aimed at ending with a plausible claim:
By carefully studying the choice of words and language commonly used by information security professionals one may infer some degree of maturity of our discipline.
A secondary and perhaps more useful comment:
Careful selection of the words, analogies and external references in our discourse can have a more positive impact on the perception of our work and can help the development of our trade.
What do you think? How do you talk about information security? What is your favorite information security analogy?