Interview extracts from the first volume of an oral history of cybersecurity practitioners.
This is a book about work. By definition, it is about struggle … and discord … and misery, as well as accomplishment, resolution, and joy. The fact that it focuses on cybersecurity, or involves technology at all, is almost beside the point. It is an attempt to capture, in their own words, the backgrounds, motivations, outlooks, and experiences of those who operate across the spectrum of cyberspace.
In the context of this work, when I speak of “cyberspace,” I’m talking, effectively, about the aspect of securing the Internet and the things that travel on and through it. The Internet, originally designed to be a resilient means of communication in the face of destruction and disruption, has evolved over a short period of time, into an essential communication platform, an unconventional environment, and in military parlance, a “domain.” Like the domains of land, sea, and air, the Internet is also a medium for conflict. Significant conflict exists between those who follow the rules and those who break them, between those who use the resources of the environment for meaningful purposes, and those who seek to destroy, and between those who enhance existing abilities and come up with new ways to produce value, and those who would steal that value for themselves and undo all that hard work, often simply for the sake of proving their ability to do so.
Operating in this environment is a group of people performing a host of different tasks, in a Sisyphean effort to hold back the tide of theft, degradation, and destruction. Few will admit to the retrograde action that it is; nearly all will tell you that there is nothing they would rather do. Don’t tell their bosses, but they would do it for free. Just as you find in every story in Working, by Studs Terkel – the inspiration from which this book is drawn – you hear their sense of passion and pride reflected in the work they do. Everyone has their gripes, but everyone shows up because the work is a part of who they are.
Those who work in cybersecurity are not dissimilar to the generations that preceded them, in the sense that they consider the work they do important, and that it is important they do their very best every day. The results of that work may very well be intangible—at the end of the day the brick mason can look at the wall that he’s built, the security operations center analyst not so much—but the impact it has in any discrete organization, or the economy at large, is the same. Our parents and grandparents were builders; we’re trying to protect the things they built.
Who I chose to talk to for this text was largely driven by my personal network, though there was no small amount of anguish over who made it into this first volume. Brian Concannon, who you’ll meet towards the end of the book, works a few feet away from Kris Merritt, who has no less interesting a background and career. I know several people in CTO roles, including one with whom I worked hand-in-hand for years, and with whom great success was achieved. Yet he is notably absent, while a former colleague whom I have not worked with in almost 15 years is included. If things go to plan, you’ll hear from these people and many more in subsequent volumes.
I undertook this project because there is no shortage of books that talk about technical security issues, or how the bad guys operate and how to combat them, or sleep-inducing tomes trying to shoehorn cold-war theory into cyberspace reality. What there isn’t a whole lot of is a record of those doing the actual work. This is an attempt to tell their stories, so that you might understand what drives those who are trying to help ensure our rush to incorporate technology into all aspects of our lives doesn’t lead to destruction or dystopia. To paraphrase one of the subjects in Working, most people working in cybersecurity are answering a calling, not doing a “job.” Jobs are too small for the spirits of our subjects.
Finally, a word on definitions. I will use the word “cybersecurity” as shorthand for computer security, information security, communications security, etc., simply because it is the more widely used term both in and outside the field. I will also use “hacker” to mean both those who participate in malicious activity, as well as in the more historically correct sense. Context should help you determine which I mean. For these, and other terms of art , I am confident that the value in making this world more accessible to those outside of it, outweighs the risks associated with not being overly pedantic.