Friday, 20 June 2025

Every Graduate In Canada is an Immigrant in their Own Country

"an image showing the effects of high youth
unemployment in canada showing angry
 young people from many fields of work in
front of a wilting maple leaf"


 The gap between education and work in Canada continues to grow. Many people are aware of the challenges immigrants face when trying to break into the Canadian job market, but young people, even those born here, face many of the same hurdles including in-built prejudices by the people hiring them.

A colleague recently told me her son cannot find a cybersecurity job even after finishing his college program in it. I've talked about cybersecurity a fair bit on Dusty World and it's a mess. Academia wanted its pound of flesh and so rebranded computer science courses as cybersecurity specializations and further muddied the water, but cyber is a an applied skill set, like policing, nursing or teaching. You can sit in a cloud and theorize about it as much as you like, but the work of it happens in the real world every day and a Ph.D. in it isn't the same as doing it. Yet requirements for entry level cyber jobs have become absurd with expectations of post-graduate degrees which do little to prepare a young person for the work itself any more than a masters in law would help a police officer work on the streets. This young man did everything right, studying cyber in an applied manner in college to fill a need Canada claims it has, and yet he finds himself out in the cold.

Last night I was at a mining industry event. Someone on our panel suggested that we could resolve the skills shortage by upskilling people local to the mines in Northern Ontario. This has the added benefit of them more likely sticking around because they're already home. They also aren't caught out by life in the north as those in Southern Ontario often are. Someone in the audience pushed back with the story of their son who grew up in Northern Ontario doing all the right things. He answered the call for skills trades and became an apprentice electrician in hopes of working the local mines where money is good and he can stay close to home. His applications to all the mines in the area were summarily ignored. We often hear these skills-gap closing suggestions and they sound great when you're floating on a boat in Toronto harbour, but why isn't a kid in a high-demand skilled trade finding work in an industry that claims to be desperately short of young talent?

Youth unemployment (ages 18-24) remain at
over double what everyone else faces. It was
even worse during COVID.
Canadians are cliquey by nature, even when it comes to their own children. You hear constant bleating from industry about shortages in skilled trades, technology, yet we seem to go out of our way to find a reason not to hire young people.

In the past year I've worked with cybersecurity, manufacturing and mining organizations on engaging students with career possibilities. The promise is a high-demand, good paying job with future readiness baked in, yet when it comes to landing that job the people hiring seem to go out of their way to find reasons not to even acknowledge these applications let alone accept them.

I'd always assumed this was a failure of education, but the problem runs deeper than that. Perhaps it's Canada's colonial history. Do we have an ingrained belief that we don't have to develop talent or provide it with places to grow? Perhaps this is mixed up with our immigration policies as well. Why nurture local talent when you can cherry pick it from other countries? The next time I hear someone lamenting a 'brain drain' to another country I'll laugh. Trying to grow a career in Canada's stoney ground makes it less a brain drain and more of a brain catapult. Other countries aren't stealing our talent, we're rejecting it and they're taking what we throw away.

There is a lot of momentum in Canada right now to build an economy that can function internally without everything going through the US, as it so often has, but we're not going to build that economy unless we resolve our talent supply chain first. And we're not going to resolve that yawning school to work gap unless we not only build the programs to support it, but also change our minds and get out of this colonialist mindset.

Whether it's a gap between post-secondary institutions and employers or some deeper cultural mindset Canadians are prejudiced with, finding work in Canada remains far more difficult than it should be for young people, even if they follow all the advice and spend a lot of money training themselves in the high-demand careers everyone keeps telling them Canada so desperately needs.

The advertising is one thing, the reality another.


Monday, 9 June 2025

Reframing Digital Literacy: what it is and how to teach it

I did a research piece for Canadian School Libraries last winter that looked at how you might develop the complex, multi-disciplinary digital skills you find in cybersecurity in a relatively short period of time. When I first put it together I found myself spending a lot of the time at the front of the paper trying to define the digital skills we find ourselves lacking. I came to the conclusion that adopting high abstraction digital tools such as those you find in cyber, A.I. and other emerging technologies makes for an impossible leap when we don't have the basics in place.

How we've missed this in education is a good question. Anyone with a background in the field knows that there is no such thing as a 'digital native' and that this myth, which has caused so much damage as it prevents education from building meaningful digital pedagogy, kicked off what has become a multi-generational skills shortage that is doing real damage to both the economy and students' future prospects.

Digital technology has worked its way into everything in 2025, so being unable to make productive use of it damages our ability to compete in a digitally connected world. That we continue to hum and haw about what digital fluency is and how to build it suggests that we're not going to resolve this problem any time soon in Canadian classrooms.

We've seen coding and computational thinking finally worm their way into education curriculums, but this is the tip of a much bigger iceberg when it comes to understanding what digital skills are and how we should approach them.

Originally created for this post on why education is seemingly unwilling to address a persistent digital skills shortage (from 2023).

I've been pushing the boundary of what constitutes digital skills ever since I first got knocked out of digital technology by the compsci grads who had claimed the keys to the kingdom. It took me decades to recover and come around to the approach I have now that nurtures my hacking mindset rather than dismissing it.

A few weeks ago I attended a STEM space technology event put on by a partner of ours in Mississauga. Moonshot was designed to introduce students to the interdisciplinary nature of STEM careers - something we go out of our way to avoid in our departmentalized schools. If you're building space technology as an electronics engineer your job doesn't end where the wires stop, it also involves collaborating with all the other teams to ensure the electronics are working in conjunction with mechanical, communications, logistics and many other systems. Why do schools insist on siloing subjects like they do?

That siloing is also hobbling digital literacy development. The current coding/computational thinking fixation is just the latest in a long line of compsci blinkered approaches to addressing digital technology literacy. What would it look like if we represented the true breadth of digital and taught that wider scope of understanding in our classrooms? We use this technology daily to do everything from operate our schools to deliver learning across all subjects, but then avoid teaching how it all works at all costs.

At the Moonshot event I was introduced to the CEO of MineConnect, an organization that represents and works to promote the mining industry in Ontario. Our chat at Moonshot led to introductions with Science North over their Mine Evolution game. I'm hoping to get a web based version of that running on UBC's Quantum Arcade - perhaps with a quantum add-on as quantum sensing is going to drastically improve s in how we mine in the next decade.

What does this have to do with digital literacy? The fact that you're asking this question shows how little most people understand about where digital technologies come from, and that understanding should be a part of their literacy, don't you think? If you look up 'digital supply chain' you don't get what we need to build digital technologies, instead you only information on how to 'go digital'. Even industry goes out of its way to ignore what digital technology is... except in rare mineral mining, hence my work with Mine Connect and Science North.

It's incredible to me that this late in our adoption of this technology that we still go out of our way not to teach what is needed to make digital happen. The current wholesale adoption of A.I. in education is a great example of this ignorance, as was the rush to the cloud. There is no cloud (it's someone else's computer) and A.I. isn't intelligent, but we'll grasp at digital straws with willful ignorance if we think it'll make our lives easier.

In the CSL research I created a pyramid that showed how I taught digital awareness from the ground up in my rural high school. The assumption is that 'kids nowadays' know all of this, but that simply isn't the case. If you want to disable a 'digital native' it's as easy as flipping a switch they don't usually use. If you want to send a room of them into a panic unplug the Wi-Fi router (assuming you know what that is and where to find it).

Start with the physical substrata and work your way up into the more abstract realms of digital technology; starting digital fluency at coding is like starting literacy at poetry. 

In grade 9 I got a lot of digitally engrossed students who thought they knew it all because adults who lack even basic digital familiarity have been telling them that for years. Revealing that this perceived expertise is merely familiarity with a couple of devices and specific software doesn't take long. In many cases these kids had owned a series of game consoles and phones and that's it. Familiarity with software is limited to games and social media. Very few knew what an operating system was let alone the firmware that kick start it; this is literally how all computers work yet almost no one seems to know it.

Last week I was in Ottawa doing an introduction to OSes on our cyber range. The grade 5s didn't know what an OS was, but by the end of our 90 minutes they certainly did. They also learned the boot process any digital device goes through from firmware start-up to OS loading to where most users think computers start - when the desktop appears. They also got to interact with Linux as well as Windows on their Chromebooks (we use a cloud based cyber range so you're not limited to the restrictive OS on your local device). None of the students knew what Linux was, but they use it everyday because their Chromebook ChromeOS is Linux based. By the end of our afternoon they were navigating the settings in multiple OSes and understood how you could interrupt boot sequences to gain control and interrupt processes.

That we hand students tools like these without any understanding of what they are or how they work is a great failure in modern education, especially as we are only accelerating our use of these machines in classrooms. Considering how widespread their use is now, digital skills have become an ignored foundational literacy.

***

How did I tackle this ever widening digital divide in my program? We started by making our lab DIY. My seniors and I built the first iteration out of e-waste and then kept improving it as we found resources. In 2015 I returned tens of thousands of dollars in board run desktops which then got converted into half a dozen chromebook carts for other classes to use. In that first year our DIY conversion saved the board over tens of thousands of dollars.

In 2016 I contacted AMD and asked if they'd provide CPUs for our next upgrade, and they did! Our board's SHSM program provided additional funding and for a fraction of the cost of a board run computer lab we had significantly better hardware and control over installing our own OSes and software, which allowed us to provide digital learning opportunities others couldn't reach.

By 2018 we had a mix of AMD APUs that could handle the graphic modelling we were doing in our game-dev class. This meant they were also more than capable of running any other software we needed to build digital fluency from scratch. In the process my one teacher department went on to win multiple national awards across a staggering range of digital domains ranging from coding and electronics to IT & Networking, 3d modelling and cybersecurity. DIYing is essential if we're to build digital skills without those compsci coding blinkers on. Even worse is buying a ready-made 'edtech solution' which does it all for you and doesn't teach anyone (staff or students) how technology works. It also tends to trap you in a single brand rather than striving for agnostic digital comprehension.

Having a flexible digital learning environment that we built ourselves allowed us to create unique student projects. In grade 9 that means starting with Arduino micro-controllers. Not only did these open source electronics allow us to develop an understanding of the circuits that all digital technologies depend on, it also offered a tangible approach to programming where the lines of code would produce direct outputs like turning on lights or making music. By the end of the Arduino unit students were confident in building circuits and for many it was also their first opportunity to code in text as opposed to blocks.

As you can see by the gif, getting into Arduino in grade 9 means that by grade 10 students are building customized electronics solutions to everything from the PC temperature system you see to various robotics and digital art installations. One of my seniors worked out an Arduino based fuel management system for his pickup that he then sold to others. Understanding the electronics substrata that digital operates in is imperative for well rounded digital literacy.

From that basis in electronics and introductory coding we moved to information technology and networking - two subjects studiously ignored in schools even though every one of them depends on both to operate every day. We begin I.T. by walking students through PC parts in our recently delivered Computers For Schools desktops. After covering the safety requirements for tools and working with machines that can contain enough electricity to knock you out if you don't treat them with respect, we dug in.

The biggest point I make in PC building is about static management. As long as students respect the delicacy of the electronics (which they already understand thanks to Arduino), they quickly gain confidence and are never again tyrannized by this technology. After this unit no one calls a desktop PC a "CPU", because that's just one part of a much bigger device. Calling a desktop a CPU is like calling a car an engine.

We typically spend a week taking a part desktops and putting them back together. Getting them is no problem because no one wants desktops these days and CFS has piles of them they're aching to give to classrooms. When we wrap up the IT unit anyone who wants to take their computer home can - you'd be surprised how many students (and teachers) don't own a home computer. The best part? If it ever goes wrong they know how to fix it because the built it from the hardware up.

Once we got the hardware figured out we installed operating systems. This involves interrupting boot processes and learning how to navigate BIOSes and other types of firmware. Everyone gets to the point where they have Windows and Linux installed, but some students want to build an epic stack. This can involve adding extra hard drives and going through install processes on up to a dozen OSes. By the end of week two we've got OSes installed and students have explored many more than the one that came on their phone or game system (which are often Linux based). We've even had our share of Hackintoshes in the lab.

Our final step in the IT/Networking unit is to connect the desktops together on a local network and figure out IP addressing and all those other connectivity details most people have no concept of even though they use them daily. Building a network like this takes it out of theory and into tangible practice, as does the PC building. By the end of the week no one is calling connectivity 'WIFI' any more. Ethernet is ethernet and wireless is wireless and everyone knows how to configure and troubleshoot both. The motivation is that once we've got our network up and running on a domain where everyone can see each other we cue up a LAN party and everyone plays networked games on their DIY systems.

Our wide ranging and borderless approach to digital skills created interesting opportunities to mash up different technologies that are typically taught in siloed departments (if at all). In this case a student leveraged Arduino electronics, PC building and networking with robotics to build a whimsical LAN party robotrain.

We do eventually get to coding of course, but starting that far up the tech pyramid is absurd. High level coding languages (the only ones schools teach) are resource heavy because they spell out commands in easy to understand English (easier for humans = harder for machines). We did HTML and associated languages in grade 9 so the internet didn't baffle anyone anymore. In grade 10 it was Python simply because it's in such wide use. In the senior grades students choose their own coding focus, but not before I drag them through an introduction to low level 'machine language' programming so they have an appreciation for all the work those high level languages are doing for them. After you've had to do your own memory addressing, it changes you.

Leveraging this digital literacy, my seniors helped keep the tech in our building running smoothly. This not only saved money but also gave students invaluable public facing support experience. Perhaps the best example of this was our Chromebook graveyard. We would take in broken machines and then repair them with bits from others. After a couple of years of service most high schools in our board had lost over a quarter of their Chromebooks to abuse and accidents - we enjoyed a 90%+ active rate meaning more computers for more students at no extra cost.

The 'that's not your job' thinking that most boards operate under prevents this kind of innovation and cost savings. I always am left wondering to whose benefit.

The other benefit was that our digital fluency made us resilient. When COVID struck and everyone else folded up their classes and went home early, the digitally fluent students in my program didn't want to lose their semester's work and we went online, created our own Discord and landed it remotely. It took a bit of re-culturing because the students needed reminding that this isn't a gaming Discord - you're at school, but they quickly adapted and were sharing 3d models, Unity code snippets, circuit designs and network details back and forth to build complex demonstrations of their skills. In many cases they were doing it on the PCs they'd built when they were in grades 9 or 10 because many parents thinking digital technology is a toy.

So what's stopping us from graduating digitally fluent students with a wide range of skills who are ready to go into any field they choose because every one of them these days involves some kind of digital technology? I come from a time when home computers were brand new and no one had worked out how to 'do them' yet. In that primordial binary goo I hacked my own software and learned how to build my own hardware. My millwright apprenticeship turned to IT because of my familiarity with this new technology but I never came at it as a scientist might, but rather as a mechanic would. Hacking isn't bad, it's humans finding ways to approach digital technology as agents rather than consumers.

If we're going to tackle complex interdisciplinary digital technologies like artificial intelligence with anything other than willful ignorance, we need to start building an understanding of digital from the ground up so students and teachers can see beyond the box tech companies want to keep you in. If we're putting children on it, we should be showing them how it works so that they become more than what most of us are: consumers.


This is from a decade ago. FB has faded from relevance, but every 'tech' we use follows the same approach: your attention is the product being sold.

It might sound counter-intuitive, but cybersecurity offers a unique approach to tech that other subjects lack. Cyber is inherently about edge cases and encourages a 'meta' mindset when approaching digital environments. You're not a component inside the system, you've recognized its limitations and are working beyond it where being human is not only a benefit but essential. With all the 'AI doing it for you' going on these days does being human matter? Other approaches seem easier and wear 'academic credibility' better, but what is academic credibility but another system meant to contain your thinking? If we keep our current status quo we will, at best, produce another generation of passive consumers. We've tried that and it isn't going well. Time to hack this problem by putting students back in control of the technology we are using to control them. It's time to embrace your inner hacker.



Wednesday, 19 February 2025

Ontario Library Association Super Conference 2025

I feel great shame. I wrapped up this year's Ontario Library Association super conference a few weeks ago, but my Kawasaki needed me and I've been neck deep in engine heart surgery instead of reflecting on this fantastic conference. Mechanics that my life depends on is sufficiently engrossing.

This reaction is (in part) happening because I have begun the process of separating myself from the my decades long role in Ontario public education. I'm still committed to changing the system but it isn't, and it has processes in place to remove any foreign contaminants that try to change the status quo. I suspect my 'innovative' approach has led to some early constructive dismissal. In talking to other refugees from OntEd who tried to change it and found their return unwelcome, this is a systemic mechanism across all school boards. All that aside, here are my reflections from OLASC 2025...

 
This was my second go at the OLA Super Conference, I last went in 2023. This year, like the former one, was remarkably emotional. You can't help feeling that these are the front line people trying to hold civilization together even as it seems determined to tear itself apart. I'm left dizzied by the size of the fight against them.

Tech billionaire oligarchs are leveraging bottomless resources to direct a biblical flood of idiotic panic mongers who are happy to churn out disinformation that buys political victories. Once in power they have the tools to dismantle the critical thinking based education that we all used to aspire to.

Nothing is easier to incite than ignorant, misinformed, angry people. Our tech overlords have designed systems that encourage propaganda and reduce people to shallow, self-contradicting talking heads. I've been struggling to get pedagogically meaningful digital literacy into more classrooms throughout my career, but I'm beginning to realize that this is contrary to the direction society is going. Swimming upstream against this big money gets tiring in your mid-fifties.

Libraries standing against this political onslaught are having their resources systemically cut because libraries are precisely the institutions we designed to stop this sort of thing. How do you win such a one sided fight? I'm beginning to think that the democratic elections being gamed by this process can't produce governments capable of stopping it, and I'm getting all Asimov-Foundations about it. Perhaps it's time to save what we can for civilization until we start rebuilding again. And yes, these are my thoughts as I watched the Ontario Library Association standing against book bans and funding cuts.

Belief in the mission is one way to keep up the fight, but everyone seems worn thin by the effort. Keeping a strong front becomes difficult when your allies dwindle and everything you've built around literacy and critical information analysis is dismissed as meaningless. We live in interesting times. Being able to tie one on at the evening social with the brilliant women leading this fight was a highlight.

Carol Off's closing keynote was earth shaking. I wish they'd put it out so more people could hear it. Her retirement from As It Happens on CBC coincided with the rise in hate and division we've seen around us. Her talk cut to the quick describing the mechanics of this nastiness in vivid detail. It was a much needed rallying cry even as the barbarians hammer at the gates.


***

I'd signed up to present at the conference because I wanted to demonstrate (rather than just talk about) the importance of government, civil society and industry working together for our mutual cyber well-being. If you think that's not a priority, 2025 is only a few weeks old and dozens of Canadian school boards have already been crippled by cyber-attacks, most of which depend on clueless users to get in. The vast majority of our cyber woes are a human education problem, not a technical one.

While we were at the conference one of Ontario's bigger urban boards was off-line due to another cyberattack. This persistent problem isn't just affecting school boards. The automated nature of cyber attacks these days has clueless criminals with no technical skill buying 'cyber-crime as a service (CaaS) that lets them launch hundreds of cyber-attacks to see which one sticks. This is why you're seeing a rise in attacks on organizations that make no sense, like libraries. As a result, this year at OLASC and in addition to our talk, there were multiple well attended presentations focused on getting libraries and their patrons better cyber-defended. I wish Ontario school boards felt the same way, but they prefer to play victim rather than solve the problem.

In the spirit of cooperation I reached out to many cyber organizations, but the common response seems to be a shrug when you're sitting on a comfortable amount of funding, which isn't very mission driven of them. I did connect with Debra at Knowledgeflow who is nothing but mission driven and she worked tirelessly to help build our collaboration in a country designed against working together. This ended up being our pitch for the talk:


To demonstrate the width of our collaborative approach, Marie at the Canadian Centre for Cyber Security joined our motley crew along with Cheryl from Cyber Legends. This gave us a full complement of cyber expertise from federal government, civil society and private industry. I can only shake my head at the many other not for profits, industry and provincial organizations who weren't interested in participating because they'd rather just do their own thing poorly. Gaps caused by these little fiefdoms are why Canada is considered a prime target in global cyber-crime circles.

You might think that school boards are 'doing' cyber education locally, but the material I see (if there is any at all) is reductive, outdated, performative and not at all pedagogically valid in terms of teaching skills. Most of the cyber awareness stuff being trotted out locally looks to be made by people with no background or experience in cybersecurity. In many cases the cringy media they produce doesn't look like it was made by anyone with an instructional background either.

Cybersecurity education needs to be developed by qualified people and delivered with best pedagogical practices in mind if we're to get at the prickly subject of digital safety. A reasonable expectation would be that this outreach produces a demonstrable improvement in real world cyber-safety skills in both students and staff as evidenced by a substantial drop in the neverending reports we're getting about school boards being hacked. You can tell what we have isn't working by simply looking at the headlines.

Until we stop handing this off to "a guy in IT" or a relative of administration who is "good with computers", we're going to keep making these headlines.

Debra has this slide up in our presentation and suggested that these kinds of systemic failures aren't something that individuals can influence, but I disagree. If the vast majority (research suggests over 80%) of breaches are caused by someone clicking on something they shouldn't and letting criminals in past otherwise effective defences, then a skills based approach to cyber-education would also reduce these kinds of headlines!

Our talk can be found here: https://knowledgeflow.org/wp-content/uploads/2025/01/OLA-Conference-Cybersecurity-Isnt-a-Scary-Word.pdf and includes piles of material designed by cyber specialists. Whether you're working with post-secondary, K-12 or even with adults, you will find credible material designed to teach actual cyber skills rather than questionable performative marketing material that checks a box.

The talk went very well in front of a full house and many stayed afterwards to get contact information and talk about next steps. This kind of outreach is essential if we're to turn the tide. I wonder were all the other catalysts for cyber in Canada were that morning.

***

After our talk I popped over to a presentation on the role of AI in student research:


DIana and Kim took on a subject that alternately instills fear and provides hope for a better education system. The fact that we're turning to machines to create a better educational outcomes is (I would suggest) because the humans doing it have given up on that responsibility themselves - which speaks to my main concern with AI: if we let it replace us it will, and that won't be better.
 

Kim and Diana started with a look at how relationships with AI have changed over time through media, and then got into the nuts and bolts of critical uses in process driven learning. If every educator approached teaching with the same lens we wouldn't be worrying about AI's influence on an education system that has remained mired in a pre-information revolution mindset. The humour and honesty was much needed and helped clear away all the edtech marketing clutter which has become a roar in the last year.

The inconsistencies in the edtech AI sell are difficult to make sense of. No AI for students, but teachers can happily use it to replace even core human activities like reporting on student learning? This is going to end well.

If you think the solution is to ban AI you've missed the boat while also putting your students in real cyber-peril. The 'free' VPNs that students use to get around blacklisted sites on school board wifi are anything but free. The shady organizations (mainly criminal) that pay for this bandwidth get a chokehold on a user's data. Imagine school boards saying they aren't going to run buses any more but at the same time a stranger in a white van pulls up and offers them free rides. Schools do nothing to stop the white vans lining up at the front of the school day in and day out; same thing.

Students *are* using AI in their school work and I think they should if your assignments are still final product nonsense stuck in the idea that information is difficult to find (like it's 1985). If you're assessing process, AI is a powerful tool for enriching student thinking. If you're still handing out assignments that only describe the final product you're looking for that students can drop into an AI that will spit out an answer you think is real, then AI plagiarism is what you deserve. There was a moment in this year's Davos talks about it:

Go to 40:52 if the video doesn't automatically.

The worst thing we can do is ignore AI or think that board IT that can't stop breaches can stop AI from being used. This head in the sand thinking is exactly why we're in a multi-generational digital literacy crisis that is crippling democracies and making it impossible for young people to find work. Reaching for an emerging technology like AI that demands so much inter-disciplinary digital infrastructure to operate (none of which most people have a first clue about) is like reaching for a nuclear reactor when you're learning how to start a fire, but that's exactly what we're doing.



I made a point of attending talks on cyber attack recoveries to understand how mature public library policies are around dealing with them (rapidly improving because they had to is the answer). Of interest was a comment from the Toronto Public Library head of IT who mentioned that their outage resulted in a huge spike in users accessing their terminals when it finally came back on, underlining the important role public libraries play in helping many Canadians cross our widening digital divide.

There is still room to improve though, and even when an organization recognizes the need for a cyber skilled approach to breach management they seldom want to consider putting anything towards cyber in a preventative manner.


A heartwarming moment on day two was seeing Joseph Jeffries and Jennifer Casa-Todd recognizing the yawning digital skills gap in our education systems and tackling digital skills head on with the Canadian School Libraries. Seeing this happening across provincial lines gave me hope as this doesn't often occur in the true north siloed and regionally self-interested.


Though they had a first thing in the morning slot they brought together a room full of educators from coast to coast and got everyone thinking about the many skills that fall under the auspices of digital fluency. For a long time there was a reductive approach that believed that putting coding in the curriculum would solve all our digital woes, but this is like studying grammar and spelling closely and then assuming it will produce literate people. There is a reason why we call it digital literacy and not digital skill. The latest fad is computational thinking, but again this is reductive.  The skills needed to build a network, train an AI on big data, program an IoT sensor or resolve a breach are very distinct.

Like traditional literacies, digital literacies are interdisciplinary and complex. Some are more technical than others and some are more media adjacent, but they all have to be developed if we want to start producing digitally fluent graduates. The OSLA/CSL digital skills toolkit will be a good step in that direction, especially as we're all fixated on grabbing the latest magic fruit to fall from the digital tree.

No regrets about attending OLASC this year. It was heartbreaking and warming all at the same time. If we ever see the superconference quietly disappear, civilization is sure to be next.












Wednesday, 27 November 2024

Cyber Resilience: the evolution of cybersecurity beyond the technical



Navigating a Generational Digital Skills Crisis


The World Economic Forum's Centre for Cybersecurity recently (Nov '24) released a white paper called Unpacking Cyber Resilience. The goal of this paper is to redefine digital information security (currently called 'cybersecurity') beyond the technical box it currently sits in.

Digital transformation has forced unprecedented change in all aspects of our lives, yet digital literacy has remained at best an afterthought in education even as education systems across the world embrace mandatory eLearning and place students in online learning environments from the earliest grades. Our failure to recognize digital fluency as a foundational skillset has resulted in generational global digital skills crisis demonstrating shocking digital habits that are the main cause of an epidemic of cybersecurity breaches. Hiding cyber in a technical bubble is probably both a reaction and the result of this mess.

WEF's opening remarks in the Unpacking Cyber Resilience white paper describe an expansion of cyber awareness using business language that many educators will use to say, 'that's not our job!' (i.e.: training students for workplace readiness), but this digital illiteracy also damages our democracies by destroying our trust in institutions, creating disinformation echo-chambers that erode public discourse and also preventing us from accessing trustworthy news sources. Surely some of that is the job of public education?

"The digital transformation continuously reshapes and evolves businesses and governments. The primary goals and objectives of organizations are often supported by business processes that are critically reliant on digital technology, commonly without any analogue  alternativesWhile primary goals and objectives will differ between organizations, they will always  include the protection of critical service delivery, stakeholder confidence and the principle assets  that underpin value and position in the market. Achieving true cyber resilience is fundamentally a leadership issue, and is paramount to retaining shareholder value."

- Executive Summary, Unpacking Cyber Resilience

Those 'business processes' underlie all aspects of modern life, including those in education. School boards call their operational network domains 'corporate' because it's lifted from the same digital systems that support business and government. Educational operations aren't digitally distinct from those in the public and private sectors, they're the same technologies but with higher security needs because they collect the data of minors (and their families) on a massive scale. Putting employees and students onto these systems without teaching them fundamental digital literacy is akin to putting them in a car and hoping they'll drive it without having an accident.

WEF's efforts to reframe cybersecurity are important because there aren't many aspects of our lives left that are independent from networked information technology. This dependence is absolute because the analogue processes that proceeded digitization have been jettisoned with a promise of cost savings. We live in a world run on ICT where almost no one understands ICT.

Cybersecurity is a particularly difficult nut to crack because it is an interdisciplinary field of study that exists within a larger framework of digital expertise that very few people possess. Cyber also suffers from being the edge of digital where zero days and emerging technologies can have devastating impact. Instead of building stable systems that then change slowly over time, cyber stares into the edge case abyss where you not only need deep digital fluency but also a willingness to step into the unknown.

If we address digital skills at all in education it tends to be a rote coding plug-and-play edtech solution. This one and done approach fails to recognize the complexity of digital literacy.


The Evolution of Digital Information Security


The idea that 'cybersecurity' was the final conception of this rapidly evolving field demonstrates a lack of understanding both in how new it is and how quickly its scope is changing. For a long time the cool kids on the West Coast hated the term cyber and created a lot of political tension in a field that was barely conceptualized. You know you're in trouble when the people doing the thing can't even agree on what to call it. If you take a step back and look at how things have evolved over the past four decades you begin to see the broad strokes of digital information security:

For many even what to call cybersecurity was a sticking point. The good news is that if you don't like it now, it's already moving on. From WEF's Unpacking Cyber Resilience.

One of my favourite early graphics pushing back against the framing of cybersecurity as a purely technical field of study was this one:


Not because it's complete, but because it reframes cybersecurity in a multi-dimensional manner. Through my coaching of student teams in cybersecurity I've found that a mix of talents is much more effective than a group of identical 'head-in-the-machine' types deep diving the technical. That skillset in cybersecurity could be parallelled by a lawyer or surgeon who is doing the point work but is surrounded by specialists with varying skillsets that allow the technical resolution of problems to happen. Can you imagine someone saying that the only people in the medical professions are surgeons, or the only legal professionals are lawyers? These more mature disciplines have a wider understanding of what's necessary to do the work. Clinging to this lone haxor fixation has been one of the mechanisms used to keep cyber a male dominated profession for far too long.

You need team members with organization and communication skills or the technical discoveries get fumbled between detection and response. You also need researchers and admin who understand what everyone is doing so that they can provide resources where needed. Those skillsets are essential to a cybersecurity operation, even a predominantly technical one, but the world of digital information security has expanded far beyond even that scope.

I wrote about this a year ago in a Cybersecurity Secret Sauce post. At that point I was still arguing for better technical training in cyber, but that's the tip of a digital skills iceberg that leans on abilities often ignored in STEM education. The creativity and self-direction demanded by the edge-case nature of cybersecurity is more often found in the arts. My strongest cybersecurity teams included a mix of students from a variety of disciplines, and the very best were also wildly neuro-diverse. Reframing the field to cyber resilience opens the door to those alternative and much needed talents.

Considerations of inclusion are often framed as charitable, but in this case diversity was a genuine performance enhancer, especially once I could convince non-technical students that they had a place on a national championship bound cybersecurity team. STEM education does a great job of selecting out creative thinkers early on. Hopefully reframing to cyber resilience ends this gatekeeping.


Cyber Resilience Reframing Digital Information Security


Multidisciplinary collaboration is a force multiplier well beyond blue teams doing competitive defensive work in capture the flag exercises. I should add here that no one should avoid a hackathon or cyber-defence competition because they are afraid they don't have the hands-on technical skills to do the hacking for a couple of reasons:

CyberTitan Top Defenders in 2021 had
diverse 
and complementary skillsets.
1) The detective process for determining  damage from a cyberattack is remarkably intuitive and the best way to learn it is to watch someone who has developed this intuition display it.

2) If you have half a dozen haxors all digging into a hacked system and attempting repairs at the same time you have chaos, so it's typical to have one operator in the system while others support them. Again, think of the operator as a surgeon with a team of supporting talents around them and you begin to see how even technical cyber needs diversity.

Even in technical cybersecurity team based/complimentary skillsets are the norm. Attempting to solve the global cybersecurity skills gap by minting as many hands on cyber-operators as you can misunderstands the needs of the field, especially with the onset of AI automating basic tasks.

Cyber resilience recognizes the diversity of expertise needed to create functional digital information security. Another example of this expansion is in international collaboration. You can't work across languages and cultures without being eye to eye on the technical aspects. The work I've done this fall around cyber diplomacy both in DC and the DR have shed light on this emerging field and the importance of us understanding the same terminology. You'd think this is how things are done but training is often rolled out by insular regional interests who (incredibly) often lack an understanding of the subject and don't give much thought to national let alone international collaboration. You can't work together defending against cyber attacks when you don't share common understandings. The work Global Affairs Canada has done in providing internationally recognized industry certifications for developing countries is a great example of this in action.

Hundreds of people from dozens of countries all working
together on cyber resiliency at the GFCE annual meeting
in Washington DC in September, 2024 (I'm on the left).
From talking to the newly minted director of cyber at GAC to presenting on emerging technology disruptions in cyber internationally, I'm more aware than ever of the challenges in creating global connections encouraging cyber resilience. Unless we align our terminology and technical awareness we cannot communicate and collaborate effectively. In our one sided world of digital defence where they only have to get it right once but we have to get it right every time, this is a recipe for disaster. Without collaboration and cooperation there is no way organizations can defend against the asymmetrical nature of cyber attacks, the largest of which have the funding of nation states behind them. 


Hope For The Future


Locally, I hope that reframing cybersecurity to cyber resilience means more leaders begin taking it more seriously, especially in education. But even cyber resilience remains problematic because it is hidden inside a larger digital literacy crisis that has grown to such a degree that many in education ignore it rather than recognize the cross curricular damage it is doing, not to mention the societal damage it is doing to our democracies.

Nationally, I hope that cyber resilience creates more diverse pathways into the field. I would love to see the absurdly privileged 'comp-sci degree' base expectations disappear (this is the equivalent of saying everyone who works in the field of law has to be a lawyer). Cyber resilience isn't for specialists, it's for everyone and I hope this reframing encourages more diverse skillsets to engage with it.

Internationally, cyber resilience is where emerging fields like cyber diplomacy and multi-country partnerships grow. If we want the benefits of digital transformation to be available to everyone while relaxing the grip of surveillance capitalists and ensuring our democracies are functional, critically looking at how we compartmentalize digital literacy and opening them up to reinterpretation is essential. Digital technology is only accelerating and clinging to old frameworks makes no sense.




NOTES

The idea that we can resolve a lack of cyber skills when they hide within a much larger digital illiteracy crisis has caused a lot of frustration in cyber training. Teaching information security awareness when users lack basic digital skills is akin to attempting to teach Shakespeare to people who can't read.

Rather than base your cyber stance on this impossible situation and watching training fail to stop the vast numbers of breaches digital ignorance causes, reframing cyber resilience through a human risk management lens reveals a more effective tactic. If people are the weakest link (and they are), don't expect their illiteracy to be an easy fix. Leveraging a wider human risk management approach lets you ensure safety regardless of how digitally clueless your users are.


"In 2024, the idea of human risk management shifted from concept to reality as frustrated CISOs looked for solutions beyond security awareness and training to make real change."


The EU isn't hanging around:  The Cyber Resilience Act