In the last three years, we have seen an increasing amount of public discussion about cybersecurity, part of which has involved an ongoing debate about what counts as expertise, credibility and legitimacy in cybersecurity. Last week, Trevor Butterworth of Forbes.com entered the fray. He lamented that “few mainstream journalists covering this beat are armed with sufficient technological insight.” Among those technologically illiterate journalists he includes the Washington Post’s David Ignatius, who recently wrote a piece critical of public policy discourse about cyberwar. For Butterworth, Ignatius’ piece, and the attention that it has received, is evidence that “in some (tech free) quarters, skepticism is still the default position.”
“The geeks cringed” at Ignatius and others like him, he said, because “the answer to whether the system was doing the right thing lay in understanding the technology” and that “The only way to know if government is screwing up is to know enough tech to know whether the bureaucrats know enough tech.” He ended his piece by quoting Forrester’s John Kindervag, who said, “too many people get a voice before they’ve earned the right to have a voice.” For Butterworth and Kindervag, earning the right to have a voice means that “reporters need to be more tech savvy,” a requirement that would presumably apply to policymakers and the public as well.
I completely agree with Butterworth that more “tech savvy” journalists, policymakers, and members of the public would be of great benefit to ongoing efforts to assess and respond to cybersecurity threats. However, though necessary and beneficial, the requisite knowledge of “the technology” is likely not achievable before important decisions must be made, and in any case, it is not in itself sufficient to result in clarity, consensus, and good decision making. Nor is it required to provide legitimate critique of contemporary cybersecurity discourse.
“The Technology”
First, there is no such thing as “the technology.” There are multiple technologies and associated practices involved in cybersecurity, from networking and programming to the design and operation of various types of critical infrastructure facilities, and much more in between. No one person or group knows all “the technology” and associated practices involved in cybersecurity. Which ones are more and less important to know? How much technical knowledge is enough technical knowledge? Jeffrey Carr, for example, though clearly knowledgeable about “the technology,” and though he has written an excellent overview of cyberwar, does not describe himself as a “tech guy” and has warned us away from relying too heavily on technical means of analyzing cyber-threats. Has he “earned the right to have a voice?”
Technical Knowledge is Insufficient
Second, even technical knowledge does not necessarily lead to clarity or consensus when it comes to assessing cyber-threats. Skepticism has not just been raised in “tech free quarters”; even technical experts can disagree in their interpretations of particular incidents and in their assessments of the overall threat of cyberwar. There are ongoing disagreements among experts about attribution, targeting, and intent of Stuxnet. Carr has been criticalof Stuxnet hype and has not seen the smoking gun pointing to Israel that others have seen. Similarly, Ralph Langner and Symantec [PDF] have publicly disagreed on various aspects of Stuxnet.
Third, when it comes to cyber-threats more generally, individuals with technical expertise such as Bruce Schneier, Marcus Ranum, Rob Rosenberger,George Smith, and others have been either skeptical or even downright dismissive. Maybe we could dismiss their claims by calling into question whether these individuals truly have the right technical expertise. But that would only support my point about “the technology.”
Fourth, many claims about cyber-threats do not contain and likely will not contain a lot in the way technical details as so much of the discussion is shrouded in secrecy. Even if we all had more technical knowledge, it is not entirely clear how useful it would be in evaluating the kinds of claims we so often hear from cyberwar proponents. You cannot assess information that you do not have, no matter what your level of technical literacy.
Communication Failure
Again, I agree with Butterworth that in an ideal world, journalists, politicians, and the public would all be more technically literate and, therefore, more able to assess the technical claims being made in public policy debates related to technology, science, and medicine. But that is not the world in which we live.
Nonetheless, we need to have the best possible public discussion given the circumstances. The belief by technical experts and bureaucrats that it is either too difficult or too dangerous to talk about technical details in public is just as much a roadblock to fruitful public policy discourse as technical illiteracy on the part of journalists, policymakers, and the public. Such attitudes are indicative of communication failure on the part of experts and bureaucrats–i.e. if they cannot or will not speak in an open and effective manner, then that is a failure on their part.
So, maybe in addition to journalists and politicians becoming better versed in the technical details of cybersecurity, technical experts should work on improving their understanding international and domestic politics, institutional and organizational cultures and interests, the dynamics of public opinion, and much more. Most importantly, maybe the technical experts should work on learning better how to communicate effectively with a lay audience. If it really is the case that the technical experts are failing to convince their lay audience, then maybe it’s time to move beyond just blaming the audience.
To conclude, while one suspects that the views expressed by Butterworth and Kindervag are all too common among technical experts of various types–i.e. that “the geeks” are the ones who should decide who has “earned the right to have a voice”–one does not often hear such views expressed so overtly. While we should encourage technological literacy among journalists, policymakers, and the public, such arrogant, anti-democratic, technocratic views should be roundly rejected. No one type of knowledge or way of knowing will provide the silver bullet.
No one person or group of people will have all the knowledge necessary to “know if government is screwing up.” Rather, multiple people with multiple skill sets and areas of expertise, all looking at the same problems from their various perspectives, will give us an idea about the wisdom of government decision making on cybersecurity (or any policy, for that matter). Policy decisions, even ones about highly technical matters, cannot be left to the technicians alone.