Boudica Security

Agitation and disruption

The political definition for fomenting restlessness and disaffection is often associated with old Communist theories of revolutionary political action.

Today it is a staple of Consumerism.

Quest for stability and simplicity

Given a clean, simple interface, reliable components and stable power, most technologies will work well if left undisturbed. Stories of servers running for 25 years without an update were common enough a decade ago.

Churn for profit

In this century, for technology to enjoy continued economic growth, demand is stimulated by constant stirring-up, destabilisation and change for change's sake. Now-familiar techniques like forced obsolescence by remote sabotage, network backdoors, logic bombs, and time- and location-based fault injection have given way to more sophisticated methods involving cryptographic "rights management", forced "updates", deliberate subtle incompatibilities and even false-flag attacks by an "insecurity industry" (modern protection rackets).

On a cognitive level, complex applications, markup and configuration languages, and other parts of security systems take a long time to learn and master. This is a feature, not a problem. It's called depth of capability. As proprietary systems are agitated by vendors (simply to disrupt and so gain sales), huge learning investments are squandered and more mistakes are made. At this pace, systems are rarely used beyond ten percent of their feature set.

Exercise: CISOs - rerun your IT budget calculations, adjusting for the fact that only 10% of the capability you purchase is ever used.

Those in the agitation game call this "creative destruction", a breathless credo of "move fast and break things". They are proud to produce "disruptive" technology. They also deploy propaganda to belittle cautious behaviour and paint engineers who value security as 'anti-progressive' Luddites who will be "left behind".

Not only does this make a nonsense of computer security even as a possibility, it has negative economic impacts, causing:

  • purposeless activity
  • epistemic laziness and cavalier attitude
  • make-work and deliberate inefficiency
  • loss of legibility ("nobody can keep up with it all")
  • vast amounts of e-waste and environmental harm
  • stressful work conditions
  • crazy-making, gas-lighting

Mitigation

The most important value change one can make is to begin seeing stability as a top security concern.

Agitation is fundamentally a psychological attack designed to affect "decision makers" by spreading fear, uncertainty and doubt, and undermining confidence in decision-making.

A second powerful security intervention is therefore to value staff more, placing human needs above systems. Give personnel space to study, think and build durable domain knowledge for their job.

Isolate personnel from sales reps and advertising. IT people are swamped with approaches offering quick fixes to daily activities which are not necessarily 'problems'. They are encouraged to deploy recklessly. Redirect personal development to genuine education and information seeking. Build pride in internal capabilities.

