Reframing Digital Literacy: what it is and how to teach it

I did a research piece for Canadian School Libraries last winter that looked at how you might develop the complex, multi-disciplinary digital skills you find in cybersecurity in a relatively short period of time. When I first put it together I found myself spending a lot of the time at the front of the paper trying to define the digital skills we find ourselves lacking. I came to the conclusion that adopting high abstraction digital tools such as those you find in cyber, A.I. and other emerging technologies makes for an impossible leap when we don't have the basics in place.

How we've missed this in education is a good question. Anyone with a background in the field knows that there is no such thing as a 'digital native' and that this myth, which has caused so much damage as it prevents education from building meaningful digital pedagogy, kicked off what has become a multi-generational skills shortage that is doing real damage to both the economy and students' future prospects.

Digital technology has worked its way into everything in 2025, so being unable to make productive use of it damages our ability to compete in a digitally connected world. That we continue to hum and haw about what digital fluency is and how to build it suggests that we're not going to resolve this problem any time soon in Canadian classrooms.

We've seen coding and computational thinking finally worm their way into education curriculums, but this is the tip of a much bigger iceberg when it comes to understanding what digital skills are and how we should approach them.

Originally created for this post on why education is seemingly unwilling to address a persistent digital skills shortage (from 2023).

I've been pushing the boundary of what constitutes digital skills ever since I first got knocked out of digital technology by the compsci grads who had claimed the keys to the kingdom. It took me decades to recover and come around to the approach I have now that nurtures my hacking mindset rather than dismissing it.

A few weeks ago I attended a STEM space technology event put on by a partner of ours in Mississauga. Moonshot was designed to introduce students to the interdisciplinary nature of STEM careers - something we go out of our way to avoid in our departmentalized schools. If you're building space technology as an electronics engineer your job doesn't end where the wires stop, it also involves collaborating with all the other teams to ensure the electronics are working in conjunction with mechanical, communications, logistics and many other systems. Why do schools insist on siloing subjects like they do?

That siloing is also hobbling digital literacy development. The current coding/computational thinking fixation is just the latest in a long line of compsci blinkered approaches to addressing digital technology literacy. What would it look like if we represented the true breadth of digital and taught that wider scope of understanding in our classrooms? We use this technology daily to do everything from operate our schools to deliver learning across all subjects, but then avoid teaching how it all works at all costs.

At the Moonshot event I was introduced to the CEO of MineConnect, an organization that represents and works to promote the mining industry in Ontario. Our chat at Moonshot led to introductions with Science North over their Mine Evolution game. I'm hoping to get a web based version of that running on UBC's Quantum Arcade - perhaps with a quantum add-on as quantum sensing is going to drastically improve s in how we mine in the next decade.

What does this have to do with digital literacy? The fact that you're asking this question shows how little most people understand about where digital technologies come from, and that understanding should be a part of their literacy, don't you think? If you look up 'digital supply chain' you don't get what we need to build digital technologies, instead you only information on how to 'go digital'. Even industry goes out of its way to ignore what digital technology is... except in rare mineral mining, hence my work with Mine Connect and Science North.

It's incredible to me that this late in our adoption of this technology that we still go out of our way not to teach what is needed to make digital happen. The current wholesale adoption of A.I. in education is a great example of this ignorance, as was the rush to the cloud. There is no cloud (it's someone else's computer) and A.I. isn't intelligent, but we'll grasp at digital straws with willful ignorance if we think it'll make our lives easier.

In the CSL research I created a pyramid that showed how I taught digital awareness from the ground up in my rural high school. The assumption is that 'kids nowadays' know all of this, but that simply isn't the case. If you want to disable a 'digital native' it's as easy as flipping a switch they don't usually use. If you want to send a room of them into a panic unplug the Wi-Fi router (assuming you know what that is and where to find it).

Start with the physical substrata and work your way up into the more abstract realms of digital technology; starting digital fluency at coding is like starting literacy at poetry. 

In grade 9 I got a lot of digitally engrossed students who thought they knew it all because adults who lack even basic digital familiarity have been telling them that for years. Revealing that this perceived expertise is merely familiarity with a couple of devices and specific software doesn't take long. In many cases these kids had owned a series of game consoles and phones and that's it. Familiarity with software is limited to games and social media. Very few knew what an operating system was let alone the firmware that kick start it; this is literally how all computers work yet almost no one seems to know it.

Last week I was in Ottawa doing an introduction to OSes on our cyber range. The grade 5s didn't know what an OS was, but by the end of our 90 minutes they certainly did. They also learned the boot process any digital device goes through from firmware start-up to OS loading to where most users think computers start - when the desktop appears. They also got to interact with Linux as well as Windows on their Chromebooks (we use a cloud based cyber range so you're not limited to the restrictive OS on your local device). None of the students knew what Linux was, but they use it everyday because their Chromebook ChromeOS is Linux based. By the end of our afternoon they were navigating the settings in multiple OSes and understood how you could interrupt boot sequences to gain control and interrupt processes.

That we hand students tools like these without any understanding of what they are or how they work is a great failure in modern education, especially as we are only accelerating our use of these machines in classrooms. Considering how widespread their use is now, digital skills have become an ignored foundational literacy.

***

How did I tackle this ever widening digital divide in my program? We started by making our lab DIY. My seniors and I built the first iteration out of e-waste and then kept improving it as we found resources. In 2015 I returned tens of thousands of dollars in board run desktops which then got converted into half a dozen chromebook carts for other classes to use. In that first year our DIY conversion saved the board over tens of thousands of dollars.

In 2016 I contacted AMD and asked if they'd provide CPUs for our next upgrade, and they did! Our board's SHSM program provided additional funding and for a fraction of the cost of a board run computer lab we had significantly better hardware and control over installing our own OSes and software, which allowed us to provide digital learning opportunities others couldn't reach.

By 2018 we had a mix of AMD APUs that could handle the graphic modelling we were doing in our game-dev class. This meant they were also more than capable of running any other software we needed to build digital fluency from scratch. In the process my one teacher department went on to win multiple national awards across a staggering range of digital domains ranging from coding and electronics to IT & Networking, 3d modelling and cybersecurity. DIYing is essential if we're to build digital skills without those compsci coding blinkers on. Even worse is buying a ready-made 'edtech solution' which does it all for you and doesn't teach anyone (staff or students) how technology works. It also tends to trap you in a single brand rather than striving for agnostic digital comprehension.

Having a flexible digital learning environment that we built ourselves allowed us to create unique student projects. In grade 9 that means starting with Arduino micro-controllers. Not only did these open source electronics allow us to develop an understanding of the circuits that all digital technologies depend on, it also offered a tangible approach to programming where the lines of code would produce direct outputs like turning on lights or making music. By the end of the Arduino unit students were confident in building circuits and for many it was also their first opportunity to code in text as opposed to blocks.

As you can see by the gif, getting into Arduino in grade 9 means that by grade 10 students are building customized electronics solutions to everything from the PC temperature system you see to various robotics and digital art installations. One of my seniors worked out an Arduino based fuel management system for his pickup that he then sold to others. Understanding the electronics substrata that digital operates in is imperative for well rounded digital literacy.

From that basis in electronics and introductory coding we moved to information technology and networking - two subjects studiously ignored in schools even though every one of them depends on both to operate every day. We begin I.T. by walking students through PC parts in our recently delivered Computers For Schools desktops. After covering the safety requirements for tools and working with machines that can contain enough electricity to knock you out if you don't treat them with respect, we dug in.

The biggest point I make in PC building is about static management. As long as students respect the delicacy of the electronics (which they already understand thanks to Arduino), they quickly gain confidence and are never again tyrannized by this technology. After this unit no one calls a desktop PC a "CPU", because that's just one part of a much bigger device. Calling a desktop a CPU is like calling a car an engine.

We typically spend a week taking a part desktops and putting them back together. Getting them is no problem because no one wants desktops these days and CFS has piles of them they're aching to give to classrooms. When we wrap up the IT unit anyone who wants to take their computer home can - you'd be surprised how many students (and teachers) don't own a home computer. The best part? If it ever goes wrong they know how to fix it because the built it from the hardware up.

Once we got the hardware figured out we installed operating systems. This involves interrupting boot processes and learning how to navigate BIOSes and other types of firmware. Everyone gets to the point where they have Windows and Linux installed, but some students want to build an epic stack. This can involve adding extra hard drives and going through install processes on up to a dozen OSes. By the end of week two we've got OSes installed and students have explored many more than the one that came on their phone or game system (which are often Linux based). We've even had our share of Hackintoshes in the lab.

Our final step in the IT/Networking unit is to connect the desktops together on a local network and figure out IP addressing and all those other connectivity details most people have no concept of even though they use them daily. Building a network like this takes it out of theory and into tangible practice, as does the PC building. By the end of the week no one is calling connectivity 'WIFI' any more. Ethernet is ethernet and wireless is wireless and everyone knows how to configure and troubleshoot both. The motivation is that once we've got our network up and running on a domain where everyone can see each other we cue up a LAN party and everyone plays networked games on their DIY systems.

Our wide ranging and borderless approach to digital skills created interesting opportunities to mash up different technologies that are typically taught in siloed departments (if at all). In this case a student leveraged Arduino electronics, PC building and networking with robotics to build a whimsical LAN party robotrain.

We do eventually get to coding of course, but starting that far up the tech pyramid is absurd. High level coding languages (the only ones schools teach) are resource heavy because they spell out commands in easy to understand English (easier for humans = harder for machines). We did HTML and associated languages in grade 9 so the internet didn't baffle anyone anymore. In grade 10 it was Python simply because it's in such wide use. In the senior grades students choose their own coding focus, but not before I drag them through an introduction to low level 'machine language' programming so they have an appreciation for all the work those high level languages are doing for them. After you've had to do your own memory addressing, it changes you.

Leveraging this digital literacy, my seniors helped keep the tech in our building running smoothly. This not only saved money but also gave students invaluable public facing support experience. Perhaps the best example of this was our Chromebook graveyard. We would take in broken machines and then repair them with bits from others. After a couple of years of service most high schools in our board had lost over a quarter of their Chromebooks to abuse and accidents - we enjoyed a 90%+ active rate meaning more computers for more students at no extra cost.

The 'that's not your job' thinking that most boards operate under prevents this kind of innovation and cost savings. I always am left wondering to whose benefit.

The other benefit was that our digital fluency made us resilient. When COVID struck and everyone else folded up their classes and went home early, the digitally fluent students in my program didn't want to lose their semester's work and we went online, created our own Discord and landed it remotely. It took a bit of re-culturing because the students needed reminding that this isn't a gaming Discord - you're at school, but they quickly adapted and were sharing 3d models, Unity code snippets, circuit designs and network details back and forth to build complex demonstrations of their skills. In many cases they were doing it on the PCs they'd built when they were in grades 9 or 10 because many parents thinking digital technology is a toy.

So what's stopping us from graduating digitally fluent students with a wide range of skills who are ready to go into any field they choose because every one of them these days involves some kind of digital technology? I come from a time when home computers were brand new and no one had worked out how to 'do them' yet. In that primordial binary goo I hacked my own software and learned how to build my own hardware. My millwright apprenticeship turned to IT because of my familiarity with this new technology but I never came at it as a scientist might, but rather as a mechanic would. Hacking isn't bad, it's humans finding ways to approach digital technology as agents rather than consumers.

If we're going to tackle complex interdisciplinary digital technologies like artificial intelligence with anything other than willful ignorance, we need to start building an understanding of digital from the ground up so students and teachers can see beyond the box tech companies want to keep you in. If we're putting children on it, we should be showing them how it works so that they become more than what most of us are: consumers.

This is from a decade ago. FB has faded from relevance, but every 'tech' we use follows the same approach: your attention is the product being sold.

It might sound counter-intuitive, but cybersecurity offers a unique approach to tech that other subjects lack. Cyber is inherently about edge cases and encourages a 'meta' mindset when approaching digital environments. You're not a component inside the system, you've recognized its limitations and are working beyond it where being human is not only a benefit but essential. With all the 'AI doing it for you' going on these days does being human matter? Other approaches seem easier and wear 'academic credibility' better, but what is academic credibility but another system meant to contain your thinking? If we keep our current status quo we will, at best, produce another generation of passive consumers. We've tried that and it isn't going well. Time to hack this problem by putting students back in control of the technology we are using to control them. It's time to embrace your inner hacker.

Ontario Library Association Super Conference 2025

I feel great shame. I wrapped up this year's Ontario Library Association super conference a few weeks ago, but my Kawasaki needed me and I've been neck deep in engine heart surgery instead of reflecting on this fantastic conference. Mechanics that my life depends on is sufficiently engrossing.

This reaction is (in part) happening because I have begun the process of separating myself from the my decades long role in Ontario public education. I'm still committed to changing the system but it isn't, and it has processes in place to remove any foreign contaminants that try to change the status quo. I suspect my 'innovative' approach has led to some early constructive dismissal. In talking to other refugees from OntEd who tried to change it and found their return unwelcome, this is a systemic mechanism across all school boards. All that aside, here are my reflections from OLASC 2025...

 

This was my second go at the OLA Super Conference, I last went in 2023. This year, like the former one, was remarkably emotional. You can't help feeling that these are the front line people trying to hold civilization together even as it seems determined to tear itself apart. I'm left dizzied by the size of the fight against them.

Tech billionaire oligarchs are leveraging bottomless resources to direct a biblical flood of idiotic panic mongers who are happy to churn out disinformation that buys political victories. Once in power they have the tools to dismantle the critical thinking based education that we all used to aspire to.

Nothing is easier to incite than ignorant, misinformed, angry people. Our tech overlords have designed systems that encourage propaganda and reduce people to shallow, self-contradicting talking heads. I've been struggling to get pedagogically meaningful digital literacy into more classrooms throughout my career, but I'm beginning to realize that this is contrary to the direction society is going. Swimming upstream against this big money gets tiring in your mid-fifties.

Libraries standing against this political onslaught are having their resources systemically cut because libraries are precisely the institutions we designed to stop this sort of thing. How do you win such a one sided fight? I'm beginning to think that the democratic elections being gamed by this process can't produce governments capable of stopping it, and I'm getting all Asimov-Foundations about it. Perhaps it's time to save what we can for civilization until we start rebuilding again. And yes, these are my thoughts as I watched the Ontario Library Association standing against book bans and funding cuts.

Belief in the mission is one way to keep up the fight, but everyone seems worn thin by the effort. Keeping a strong front becomes difficult when your allies dwindle and everything you've built around literacy and critical information analysis is dismissed as meaningless. We live in interesting times. Being able to tie one on at the evening social with the brilliant women leading this fight was a highlight.

Carol Off's closing keynote was earth shaking. I wish they'd put it out so more people could hear it. Her retirement from As It Happens on CBC coincided with the rise in hate and division we've seen around us. Her talk cut to the quick describing the mechanics of this nastiness in vivid detail. It was a much needed rallying cry even as the barbarians hammer at the gates.

***

I'd signed up to present at the conference because I wanted to demonstrate (rather than just talk about) the importance of government, civil society and industry working together for our mutual cyber well-being. If you think that's not a priority, 2025 is only a few weeks old and dozens of Canadian school boards have already been crippled by cyber-attacks, most of which depend on clueless users to get in. The vast majority of our cyber woes are a human education problem, not a technical one.

While we were at the conference one of Ontario's bigger urban boards was off-line due to another cyberattack. This persistent problem isn't just affecting school boards. The automated nature of cyber attacks these days has clueless criminals with no technical skill buying 'cyber-crime as a service (CaaS) that lets them launch hundreds of cyber-attacks to see which one sticks. This is why you're seeing a rise in attacks on organizations that make no sense, like libraries. As a result, this year at OLASC and in addition to our talk, there were multiple well attended presentations focused on getting libraries and their patrons better cyber-defended. I wish Ontario school boards felt the same way, but they prefer to play victim rather than solve the problem.

In the spirit of cooperation I reached out to many cyber organizations, but the common response seems to be a shrug when you're sitting on a comfortable amount of funding, which isn't very mission driven of them. I did connect with Debra at Knowledgeflow who is nothing but mission driven and she worked tirelessly to help build our collaboration in a country designed against working together. This ended up being our pitch for the talk:

To demonstrate the width of our collaborative approach, Marie at the Canadian Centre for Cyber Security joined our motley crew along with Cheryl from Cyber Legends. This gave us a full complement of cyber expertise from federal government, civil society and private industry. I can only shake my head at the many other not for profits, industry and provincial organizations who weren't interested in participating because they'd rather just do their own thing poorly. Gaps caused by these little fiefdoms are why Canada is considered a prime target in global cyber-crime circles.

You might think that school boards are 'doing' cyber education locally, but the material I see (if there is any at all) is reductive, outdated, performative and not at all pedagogically valid in terms of teaching skills. Most of the cyber awareness stuff being trotted out locally looks to be made by people with no background or experience in cybersecurity. In many cases the cringy media they produce doesn't look like it was made by anyone with an instructional background either.

Cybersecurity education needs to be developed by qualified people and delivered with best pedagogical practices in mind if we're to get at the prickly subject of digital safety. A reasonable expectation would be that this outreach produces a demonstrable improvement in real world cyber-safety skills in both students and staff as evidenced by a substantial drop in the neverending reports we're getting about school boards being hacked. You can tell what we have isn't working by simply looking at the headlines.

Until we stop handing this off to "a guy in IT" or a relative of administration who is "good with computers", we're going to keep making these headlines.

Debra has this slide up in our presentation and suggested that these kinds of systemic failures aren't something that individuals can influence, but I disagree. If the vast majority (research suggests over 80%) of breaches are caused by someone clicking on something they shouldn't and letting criminals in past otherwise effective defences, then a skills based approach to cyber-education would also reduce these kinds of headlines!

Our talk can be found here: https://knowledgeflow.org/wp-content/uploads/2025/01/OLA-Conference-Cybersecurity-Isnt-a-Scary-Word.pdf and includes piles of material designed by cyber specialists. Whether you're working with post-secondary, K-12 or even with adults, you will find credible material designed to teach actual cyber skills rather than questionable performative marketing material that checks a box.

The talk went very well in front of a full house and many stayed afterwards to get contact information and talk about next steps. This kind of outreach is essential if we're to turn the tide. I wonder were all the other catalysts for cyber in Canada were that morning.

***

After our talk I popped over to a presentation on the role of AI in student research:

DIana and Kim took on a subject that alternately instills fear and provides hope for a better education system. The fact that we're turning to machines to create a better educational outcomes is (I would suggest) because the humans doing it have given up on that responsibility themselves - which speaks to my main concern with AI: if we let it replace us it will, and that won't be better.

 

Kim and Diana started with a look at how relationships with AI have changed over time through media, and then got into the nuts and bolts of critical uses in process driven learning. If every educator approached teaching with the same lens we wouldn't be worrying about AI's influence on an education system that has remained mired in a pre-information revolution mindset. The humour and honesty was much needed and helped clear away all the edtech marketing clutter which has become a roar in the last year.

The inconsistencies in the edtech AI sell are difficult to make sense of. No AI for students, but teachers can happily use it to replace even core human activities like reporting on student learning? This is going to end well.

If you think the solution is to ban AI you've missed the boat while also putting your students in real cyber-peril. The 'free' VPNs that students use to get around blacklisted sites on school board wifi are anything but free. The shady organizations (mainly criminal) that pay for this bandwidth get a chokehold on a user's data. Imagine school boards saying they aren't going to run buses any more but at the same time a stranger in a white van pulls up and offers them free rides. Schools do nothing to stop the white vans lining up at the front of the school day in and day out; same thing.

Students *are* using AI in their school work and I think they should if your assignments are still final product nonsense stuck in the idea that information is difficult to find (like it's 1985). If you're assessing process, AI is a powerful tool for enriching student thinking. If you're still handing out assignments that only describe the final product you're looking for that students can drop into an AI that will spit out an answer you think is real, then AI plagiarism is what you deserve. There was a moment in this year's Davos talks about it:

Go to 40:52 if the video doesn't automatically.

The worst thing we can do is ignore AI or think that board IT that can't stop breaches can stop AI from being used. This head in the sand thinking is exactly why we're in a multi-generational digital literacy crisis that is crippling democracies and making it impossible for young people to find work. Reaching for an emerging technology like AI that demands so much inter-disciplinary digital infrastructure to operate (none of which most people have a first clue about) is like reaching for a nuclear reactor when you're learning how to start a fire, but that's exactly what we're doing.

I made a point of attending talks on cyber attack recoveries to understand how mature public library policies are around dealing with them (rapidly improving because they had to is the answer). Of interest was a comment from the Toronto Public Library head of IT who mentioned that their outage resulted in a huge spike in users accessing their terminals when it finally came back on, underlining the important role public libraries play in helping many Canadians cross our widening digital divide.

There is still room to improve though, and even when an organization recognizes the need for a cyber skilled approach to breach management they seldom want to consider putting anything towards cyber in a preventative manner.

A heartwarming moment on day two was seeing Joseph Jeffries and Jennifer Casa-Todd recognizing the yawning digital skills gap in our education systems and tackling digital skills head on with the Canadian School Libraries. Seeing this happening across provincial lines gave me hope as this doesn't often occur in the true north siloed and regionally self-interested.

Though they had a first thing in the morning slot they brought together a room full of educators from coast to coast and got everyone thinking about the many skills that fall under the auspices of digital fluency. For a long time there was a reductive approach that believed that putting coding in the curriculum would solve all our digital woes, but this is like studying grammar and spelling closely and then assuming it will produce literate people. There is a reason why we call it digital literacy and not digital skill. The latest fad is computational thinking, but again this is reductive.  The skills needed to build a network, train an AI on big data, program an IoT sensor or resolve a breach are very distinct.

Like traditional literacies, digital literacies are interdisciplinary and complex. Some are more technical than others and some are more media adjacent, but they all have to be developed if we want to start producing digitally fluent graduates. The OSLA/CSL digital skills toolkit will be a good step in that direction, especially as we're all fixated on grabbing the latest magic fruit to fall from the digital tree.

No regrets about attending OLASC this year. It was heartbreaking and warming all at the same time. If we ever see the superconference quietly disappear, civilization is sure to be next.

Cyber Resilience: the evolution of cybersecurity beyond the technical

Navigating a Generational Digital Skills Crisis

The World Economic Forum's Centre for Cybersecurity recently (Nov '24) released a white paper called Unpacking Cyber Resilience. The goal of this paper is to redefine digital information security (currently called 'cybersecurity') beyond the technical box it currently sits in.

Digital transformation has forced unprecedented change in all aspects of our lives, yet digital literacy has remained at best an afterthought in education even as education systems across the world embrace mandatory eLearning and place students in online learning environments from the earliest grades. Our failure to recognize digital fluency as a foundational skillset has resulted in generational global digital skills crisis demonstrating shocking digital habits that are the main cause of an epidemic of cybersecurity breaches. Hiding cyber in a technical bubble is probably both a reaction and the result of this mess.

WEF's opening remarks in the Unpacking Cyber Resilience white paper describe an expansion of cyber awareness using business language that many educators will use to say, 'that's not our job!' (i.e.: training students for workplace readiness), but this digital illiteracy also damages our democracies by destroying our trust in institutions, creating disinformation echo-chambers that erode public discourse and also preventing us from accessing trustworthy news sources. Surely some of that is the job of public education?

"The digital transformation continuously reshapes and evolves businesses and governments. The primary goals and objectives of organizations are often supported by business processes that are critically reliant on digital technology, commonly without any analogue  alternatives. While primary goals and objectives will differ between organizations, they will always  include the protection of critical service delivery, stakeholder confidence and the principle assets  that underpin value and position in the market. Achieving true cyber resilience is fundamentally a leadership issue, and is paramount to retaining shareholder value."

- Executive Summary, Unpacking Cyber Resilience

Those 'business processes' underlie all aspects of modern life, including those in education. School boards call their operational network domains 'corporate' because it's lifted from the same digital systems that support business and government. Educational operations aren't digitally distinct from those in the public and private sectors, they're the same technologies but with higher security needs because they collect the data of minors (and their families) on a massive scale. Putting employees and students onto these systems without teaching them fundamental digital literacy is akin to putting them in a car and hoping they'll drive it without having an accident.

WEF's efforts to reframe cybersecurity are important because there aren't many aspects of our lives left that are independent from networked information technology. This dependence is absolute because the analogue processes that proceeded digitization have been jettisoned with a promise of cost savings. We live in a world run on ICT where almost no one understands ICT.

Cybersecurity is a particularly difficult nut to crack because it is an interdisciplinary field of study that exists within a larger framework of digital expertise that very few people possess. Cyber also suffers from being the edge of digital where zero days and emerging technologies can have devastating impact. Instead of building stable systems that then change slowly over time, cyber stares into the edge case abyss where you not only need deep digital fluency but also a willingness to step into the unknown.

If we address digital skills at all in education it tends to be a rote coding plug-and-play edtech solution. This one and done approach fails to recognize the complexity of digital literacy.

The Evolution of Digital Information Security

The idea that 'cybersecurity' was the final conception of this rapidly evolving field demonstrates a lack of understanding both in how new it is and how quickly its scope is changing. For a long time the cool kids on the West Coast hated the term cyber and created a lot of political tension in a field that was barely conceptualized. You know you're in trouble when the people doing the thing can't even agree on what to call it. If you take a step back and look at how things have evolved over the past four decades you begin to see the broad strokes of digital information security:

For many even what to call cybersecurity was a sticking point. The good news is that if you don't like it now, it's already moving on. From WEF's Unpacking Cyber Resilience.

One of my favourite early graphics pushing back against the framing of cybersecurity as a purely technical field of study was this one:

Not because it's complete, but because it reframes cybersecurity in a multi-dimensional manner. Through my coaching of student teams in cybersecurity I've found that a mix of talents is much more effective than a group of identical 'head-in-the-machine' types deep diving the technical. That skillset in cybersecurity could be parallelled by a lawyer or surgeon who is doing the point work but is surrounded by specialists with varying skillsets that allow the technical resolution of problems to happen. Can you imagine someone saying that the only people in the medical professions are surgeons, or the only legal professionals are lawyers? These more mature disciplines have a wider understanding of what's necessary to do the work. Clinging to this lone haxor fixation has been one of the mechanisms used to keep cyber a male dominated profession for far too long.

You need team members with organization and communication skills or the technical discoveries get fumbled between detection and response. You also need researchers and admin who understand what everyone is doing so that they can provide resources where needed. Those skillsets are essential to a cybersecurity operation, even a predominantly technical one, but the world of digital information security has expanded far beyond even that scope.

I wrote about this a year ago in a Cybersecurity Secret Sauce post. At that point I was still arguing for better technical training in cyber, but that's the tip of a digital skills iceberg that leans on abilities often ignored in STEM education. The creativity and self-direction demanded by the edge-case nature of cybersecurity is more often found in the arts. My strongest cybersecurity teams included a mix of students from a variety of disciplines, and the very best were also wildly neuro-diverse. Reframing the field to cyber resilience opens the door to those alternative and much needed talents.

Considerations of inclusion are often framed as charitable, but in this case diversity was a genuine performance enhancer, especially once I could convince non-technical students that they had a place on a national championship bound cybersecurity team. STEM education does a great job of selecting out creative thinkers early on. Hopefully reframing to cyber resilience ends this gatekeeping.

Cyber Resilience Reframing Digital Information Security

Multidisciplinary collaboration is a force multiplier well beyond blue teams doing competitive defensive work in capture the flag exercises. I should add here that no one should avoid a hackathon or cyber-defence competition because they are afraid they don't have the hands-on technical skills to do the hacking for a couple of reasons:

CyberTitan Top Defenders in 2021 had
diverse and complementary skillsets.

1) The detective process for determining  damage from a cyberattack is remarkably intuitive and the best way to learn it is to watch someone who has developed this intuition display it.

2) If you have half a dozen haxors all digging into a hacked system and attempting repairs at the same time you have chaos, so it's typical to have one operator in the system while others support them. Again, think of the operator as a surgeon with a team of supporting talents around them and you begin to see how even technical cyber needs diversity.

Even in technical cybersecurity team based/complimentary skillsets are the norm. Attempting to solve the global cybersecurity skills gap by minting as many hands on cyber-operators as you can misunderstands the needs of the field, especially with the onset of AI automating basic tasks.

Cyber resilience recognizes the diversity of expertise needed to create functional digital information security. Another example of this expansion is in international collaboration. You can't work across languages and cultures without being eye to eye on the technical aspects. The work I've done this fall around cyber diplomacy both in DC and the DR have shed light on this emerging field and the importance of us understanding the same terminology. You'd think this is how things are done but training is often rolled out by insular regional interests who (incredibly) often lack an understanding of the subject and don't give much thought to national let alone international collaboration. You can't work together defending against cyber attacks when you don't share common understandings. The work Global Affairs Canada has done in providing internationally recognized industry certifications for developing countries is a great example of this in action.

Hundreds of people from dozens of countries all working
together on cyber resiliency at the GFCE annual meeting
in Washington DC in September, 2024 (I'm on the left).

From talking to the newly minted director of cyber at GAC to presenting on emerging technology disruptions in cyber internationally, I'm more aware than ever of the challenges in creating global connections encouraging cyber resilience. Unless we align our terminology and technical awareness we cannot communicate and collaborate effectively. In our one sided world of digital defence where they only have to get it right once but we have to get it right every time, this is a recipe for disaster. Without collaboration and cooperation there is no way organizations can defend against the asymmetrical nature of cyber attacks, the largest of which have the funding of nation states behind them. 

Hope For The Future

Locally, I hope that reframing cybersecurity to cyber resilience means more leaders begin taking it more seriously, especially in education. But even cyber resilience remains problematic because it is hidden inside a larger digital literacy crisis that has grown to such a degree that many in education ignore it rather than recognize the cross curricular damage it is doing, not to mention the societal damage it is doing to our democracies.

Nationally, I hope that cyber resilience creates more diverse pathways into the field. I would love to see the absurdly privileged 'comp-sci degree' base expectations disappear (this is the equivalent of saying everyone who works in the field of law has to be a lawyer). Cyber resilience isn't for specialists, it's for everyone and I hope this reframing encourages more diverse skillsets to engage with it.

Internationally, cyber resilience is where emerging fields like cyber diplomacy and multi-country partnerships grow. If we want the benefits of digital transformation to be available to everyone while relaxing the grip of surveillance capitalists and ensuring our democracies are functional, critically looking at how we compartmentalize digital literacy and opening them up to reinterpretation is essential. Digital technology is only accelerating and clinging to old frameworks makes no sense.

NOTES

The idea that we can resolve a lack of cyber skills when they hide within a much larger digital illiteracy crisis has caused a lot of frustration in cyber training. Teaching information security awareness when users lack basic digital skills is akin to attempting to teach Shakespeare to people who can't read.

Rather than base your cyber stance on this impossible situation and watching training fail to stop the vast numbers of breaches digital ignorance causes, reframing cyber resilience through a human risk management lens reveals a more effective tactic. If people are the weakest link (and they are), don't expect their illiteracy to be an easy fix. Leveraging a wider human risk management approach lets you ensure safety regardless of how digitally clueless your users are.

LinkedIn Post

Security awareness and training is a method, not an outcome

"In 2024, the idea of human risk management shifted from concept to reality as frustrated CISOs looked for solutions beyond security awareness and training to make real change."

The EU isn't hanging around:  The Cyber Resilience Act

The Organization of American States' Caribbean Regional Cybersecurity Symposium DR 2024

*** Simposio de Ciberseguridad de la OEA

Cyber Pirates of the Caribbean.
Sorry, couldn't help myself.

In September I got an invite to sit on a panel at the GFCE's annual meeting. Then the Organization of American States got in touch and asked if I'd sit on their emerging tech panel at the regional pre-meeting. I guess that went well because they then asked if I'd be willing to cover for their quantum cyber specialist who couldn't make a Cybersecurity Symposium in the Dominican Republic at the end of the month. My approach to this sort of thing is to always say yes; that's how I found myself in Ghana last year.

Most Canadians think of Punta Cana and an all inclusive week on a resort when it comes to the Dominican Republic, but I was headed to Santo Domingo which can be a bit rough around the edges. It was an intense week of coming to understand the cybersecurity needs of a region facing the results of climate instability head on while also rapidly developing their digital economy.

Our panel was set to go on the first day, which was good - I like to get them done sooner. Co-panelist Heather happened to be coming in on a flight right behind mine so we met at the airport and shared a cab across the city to the hotel, which felt a bit like the first 20 minutes of Fury Road. Having not eaten since 5am, I sat in the empty hotel restaurant and ate a poor club sandwich that cost an eye watering $30USD while wondering what I was doing here. There is nothing like hunger and exhaustion to make you doubt yourself.

I finally got into the room and collapsed for a couple of hours and awoke feeling more like my usual, confident self; food and rest resolves most anxiety. I went for a wander around the hotel and found Heather on the pool deck watching the sun going down (dramatic sunsets in the DR). She works in AI research and we had a good chat about how it's being used in cybersecurity and both left with enough context to take on the panel in the morning.

Our moderator got switched right before the event but Donavon was agile, knowledgeable and did a great job chasing down themes as they came up rather than following a script. The conversation dove into AI but also left space for IoT and quantum in a cyber context.

I came away from the GFCE event in DC earlier in the month cognisant of the need to keep technical detail out of these kinds of high level talks, especially if you're talking to most of the people in the room through a translator. The technical side of cyber isn't necessarily what you need to focus on because it doesn't really change how most people interact with it. An easier to grasp example might be to ask if you need to have a strong understanding of the metallurgy involved in casting your car's engine in order for you to drive it. This isn't to say you need to simplify the the point of absurdity, but getting into the technical weeds tends to be an academic back-patting exercise rather than being helpful to the audience.

On this panel (as I've done in all of them), I don't pretend I'm something I'm not. I'm a teacher, an I.T. technician and a cyber operations instructor and often refer to anecdotal cyber teaching situations to land a point. People seem to appreciate this approach because presenting material as a teacher is something everyone can relate to, and there is enough intellectual intimidation in cyber as it is. There is also enough marketing misinformation that a clear eyed, education focused approach resonates.

Our talk mainly focused on artificial intelligence but quantum did get some airtime, though many questions (as at the GFCE) orbited the complexities of trying to teach cybersecurity. As mentioned at the Serious Play Conference in August, teaching a subject that few people have the basic digital media literacy to even contextualize is a challenge. The fear that arises from this ignorance is real and makes teaching cyber especially difficult.

I'm always conscious of the Canadian perspective I bring to an international event like this. Canada seldom participates at the international cybersecurity events I've attended. We fund a lot of them (including this one), but finding Canadians willing to make the trip and talk the talk seems difficult. I was the only Canadian on any of the panels at this one too, though I'm hoping to change that. If international cooperation is about relationships, having Canadians talking at events like these is essential.

When asked about IoT threats I brought up two Canadian instances that resonated with the room (I was asked about them repeatedly across the week). One was my visit to the Canadian Institute for Cybersecurity in Fredericton last spring which included a look at their IoT lab. The curiosity this generated has me wondering if an OAS event in Fredericton at UNB wouldn't go amiss. Does Canada ever host these things?

The second Canadian cyber challenge was the rash of car thefts Canada is experiencing. It's tempting to define this under traditional criminal activity but these are new vehicles with 'state of the art' electronics that are being hacked, making this an IoT cyber problem. When you know enough about cybersecurity you start to think differently about how it's integrated into your day to day life. My cunning solution is to drive manual vehicles that are 'pre-smart'. They're unhackable and also undrivable for most thieves. If you don't expect technology to do everything for you, you're not beholden to its weaknesses.

With our panel in the rearview, I made it a point of understanding the context through which Caribbean and Latin American states are tackling cybersecurity. Our very nice hotel provided bottled water because you're not supposed to drink what comes out of the taps. It's astonishing to me that people without available drinking water are going after digital transformation and the cybersecurity that enables it, but if you want to participate in the 21st Century economy that's the price of admission. Perhaps digitization will solve the water problem too.

One of the first speakers at this event did a deep dive into misinformation and how it is generated using the latest in deepfake technology. Extremists are using this tech in propaganda campaigns. The corrosive effect this has on our shared media is interesting. I had a number of chats with Daniel throughout the conference and discovered that his motivating interest is in the nature of online communities and how they work in terms of social norms and expectations. This kind of decentralized, narrow (as opposed to broad) band media transmission is becoming the new norm, yet no one seems to be teaching how it is influencing society in media theory classes. It's something I want to go after in terms of updating digital media education in Canada.

The theme of the symposium was, DisruptX:Redefining the future of cybersecurity in Latin America and the Caribbean", so many of the talks revolved around the impact A.I. is having in cybersecurity. As in most places, it's a force leveller. People writing phishing emails now write with perfect grammar and spelling, and don't use form letters anymore because AI can generate targeted, articulate messages specifically for individuals. This enabling of cyber criminals by automated systems targets our ongoing cyber-illiteracy because that's the easiest target, but that's just the tip of the iceberg. Automated malware as a service can be purchased by anyone who can turn on a computer. The days of technically talented hackers are far behind us as AI serves to elevate anyone looking to create havoc online.

To further complicate the landscape, you've got state actors (including world superpowers) performing offensive cyber operations against governments, businesses and even individuals. At this cost-no-object end of the spectrum you've got cyber militaries operating on budgets in the billions possibly taking aim at your company or government.  If you're a developing economy with minimal digital infrastructure, how do you possibly keep it secure against that? The short answer is you don't, sometimes you just get pwned.

OK, so what do I do, you ask? You've got a couple of options when it comes to protecting your internet facing systems (in this case critical systems that make society work and provide things like electricity):

1) Put money up front building the most secure network you can, but this requires talented people who are in short supply (the cyberskills shortage isn't just happening in Canada). It also means paying up front for something that hasn't happened yet, and can't be guaranteed secure no matter what you throw at it. The case for preemptive cyber capacity building remains a struggle and not just in the Caribbean, it's a problem in Canada too.

2) The other option is to design full backup systems so you can recover when the inevitable happens, but this too requires technical talent, forethought and a willingness to invest in the future - all aspects of cyber that humans everywhere struggle with.

Like the GFCE event in Washington, a lot of time was spent thinking about governance and policy. These frameworks are vital, especially if we want to push back against human nature that isn't likely to invest in anything precautionary. A purely passive/defensive mindset doesn't work in cyber any more than it would in sports. The nature of this one sided game means that some of these limited resources also need to be reserved for active cyber operations, both offensive and defensive. 

I hope there is room in policy and governance to ensure that there are resources left over to support this kind of agility. This 'just-in-time' work often happens in companies and government agencies rather than in university research labs and needs to be more accessible to the people on the ground doing the work. So much of the research funding in Canada is tied to post-secondary institutions and is inaccessible to anyone else. This is an area where developing cyber systems have an advantage.  Agile action research in cyber by practitioners rather than solely by academics is essential if we're to retain the ability to deal with emerging threats.

This confusion around the nature of cybersecurity (is it an apprenticeable skillset or an academic pursuit?) is another one of those evolving understandings still somewhat out of focus as we continue to define what cybersecurity is. It was nice to see one of my favourite cyber graphics come up in one of the RICET education talks reminding everyone that cyber is a complex, multi-modal field of study ranging from apprenticelike hard technical roles through management and logistics to academically intensive legal and human facing work in subjects ranging from policy and HR to education.

Like any other field of study, cybersecurity is full of nuance. We're just not there yet because we're still figuring out what it is.

*** Extracurriculars

Fascinating conversations and an opportunity to network without a schedule or talking points. These 'extracurricular' evening events are often the most informative!

The conference had a couple of extracurricular events where I often hear the most enlightening things. A delegation from the South Pacific was attending this event under the idea that they they are facing many of the same challenges that the Caribbean states are. Tim from the Cook Islands and I had many great talks about the sudden change they are going through. About two weeks before the conference Elon flipped a switch and suddenly everyone on the islands could afford high speed internet for the first time through Starlink. The rest of us have been in the digital pot as the heat has been slowly turned up over the past two decades and don't realize it's boiling. Can you imagine going from 90's dial up to 2024's AI/social media/fake-news cyber-nightmare in one week? Tim's managing the IT there. Someone should be writing a book about this time travelling digital experiment.

The fortress in colonial Santo Domingo at sunset. The DR's relationship with its past, like Canada's, is complicated and unfinished.

On the final evening we got taken out to the colonial tourist area for a look around Fortaleza Ozama. Being me, I found watching the chaos of the evening commute around the castle distracting. Like the social the night before, this was an opportunity to chat with people working in cyber from many different perspectives. I'd run into Franklin from Suriname who I'd met in Ghana last year and we picked up right where we'd left off. Suriname is about to go through some dramatic changes.

When you find yourself having a drink with the head of Mastercard's security division and the entourage from Columbian cyber, you wonder how you got here. Tim from Cook Islands' wife messaged him asking what he was up to expecting another conference update. His response was, 'I'm drinking rum at a castle at sunset!" Indeed.

The tour included a projection onto the fortress of the DR's history. It reminded me of the projection show they were doing on the Houses of Parliament in Ottawa a few years ago and raised some interesting questions about how digital is insinuating itself into island life.

The seemingly incongruous VR experience at the fortress was complimented by animated digital projections throughout, to the point where it was easy to forget you were in a centuries old fortress, which is the point of being there, isn't it?  A few times in the conference the corrosive effect of AI on regional culture was noted (AI's fixation on large datasets tends to stamp out anything but the biggest producers of data). I suspect digitization (itself a byproduct of globalization) has a generally corrosive effect on people's ability to be where they are. We spend an awful lot of our time taking photos to share online instead of being where we are (like the ones in this post? -ed).

*** RICET

The final day switched gears and became RICET, the Regional Initiative for Cybersecurity Education and Training, put on by the OAS and Florida International University. This focus on education and training is essential if we're to establish sustainable and effective cybersecurity. It's also a vital part of both figuring out what cyber is and framing it so the public better understands it.

I've said it before and I'll say it again, the vast majority of cyber incidents are the result of human failure. No matter how you want to frame it, our current cyber woes arise from a multi-generational failure to develop effective digital media literacy of which cybersecurity is perhaps the most interdisciplinary and complex because it's all about the edge cases. You can't hack something you don't fundamentally understand. You can't defend against those hacks without it either.

We've been fixated on coding as a solution to the digital skills crisis, but digital media literacy is about much more than coding. In cyber you need flexible, stochastic approaches with familiarity across a much wider range of digital technology. I've met too many compsci specialists who are sidelined by simple technical issues to believe that this is the epitome of digital literacy. I also heard the dreaded term 'digital native' during some of these talks, but I'm not going to get into that nonsense again here. 

RICET panels talked about the usual worries around the lack of talent, though like everyone else they spent much of the time on bandaid solutions like adult retraining instead of looking at strategic fixes like implementing nationwide cyber skills talent discovery and development in public schools that would not only address the user negligence problem, but would also resolve our cyber-professional shortage.

We'll never resolve this global digital skilling failure with stop gap solutions. We need both short term and long term strategies, but like the funding for seemingly obvious things like network security and data backups, getting anyone to finance the future is a struggle.

Watching these earnest cyber developers working on shoestring budgets trying to make this work while Canadians literally watch drinkable water go down the toilet has me wondering why we face so many of the same challenges they do. On my way back home I messaged a colleague in cyber education and lamented the fact that cyber expertise in Canada seems to be more about marketing than it does cybersecurity. I summarized the problem with genuine cyber-education in simple terms: there's no money in it.  That observation extends to cyber in general. One of the reasons for the high burnout rate is asking the few people who know what they're doing to do it without the necessary resources.

I enjoyed learning about the regional challenges being faced in the Caribbean, but what always surprises me about these glimpses into international cybersecurity is just how similar the problems we all face are. In a discipline where the bad guys only have to get it right once but the defenders have to get it right every time, the only hope for cybersecurity professionals is to develop connections, build international cyber-diplomacy and work together. Circling the wagons and sharing intelligence, tools and best practices is the only advantage we have against the cyber pirates (see what I did there?) that surround us.  This event was a prime example of that kind of networking. I hope to be a part of future ones and not the only Canadian talking.

Winging out of Santo Domingo at sunrise on Delta's A320 Airbus. What a beautiful country. Wish I'd had the opportunity to see more of it...

The Bermuda Triangle on a sunny Friday morning in October.