Canadian School Library Association's Treasure Mountain 8 Research Symposium

 ***

Cyber is complicated because it exists throughout digital technologies, yet very few people have any idea how any of it works.  Marshall McLuhan famously said, "the medium is the message" as way to recognize that how we transmit information changes the message itself.  

I made this graphic for my action research project with Canadian School Libraries. You can't understand the medium if you're oblivious to the message. I developed a multi-award winning program that produced some of the top digital skills in Canadian students. In thanks for that I'm told I should got back to teaching English if I return to the classroom, giving you an idea of how seriously Ontario is at meaningful cyber-education. 

The end is nigh

 I've been blogging extensively for the past fifteen years. In that time I've accumulated millions of views, had posts republished on professional, academic and news sites and honoured an early internet ideal of freely sharing my thinking with the hopes of engaging others and perhaps making things a bit better. Dusty World was also an essential part of my teaching practice; an opportunity to critically review what I'm doing and provide perspective in order to improve my practice. In the process it prompted conversations with colleagues and (I hope) moved the needle on how we teach and use technology in education.

You may have noticed some posts have vanished recently. I'm in the process of backing them all up off-line and bringing down the tent. Reader numbers have tumbled in our brave new world of paid-for content delivered by 'influencers' who post for eye balls rather than quality. A blog about pedagogy was never going to compete in that sordid attention market. (Human) reader numbers have fallen as a result.

In the meantime I'm seeing bot traffic, most likely from AI engines, hoovering up my content so big tech can reproduce my voice for everyone and anyone to do with as they see fit.  I'd been willing to weather this storm because I was still reaching real educators trying to improve their practice in a technological quagmire, but public education is in survival mode these days and those looking for a fairer future with edtech have surrendered to marketing.

What pushed me into action was reading Cory Doctorow's Enshittification. I'd urge you to buy it from your local independent book shop. If you get it from Amazon you'll regret it by chapter five. Having wrapped it up now, I know that things are bad (I knew that before), but I also know that things could improve, though these days I'm just hoping we avoid World War Three as many countries seem to have forgotten who they are.

If you've been reading Dusty World for awhile, thank you for your support. If you're one of the vanishing minority still working to create digitally literate graduates who have the tools to protect themselves in a vicious disinformation mediascape on digital devices increasingly limited by design for the benefit of billionaires, I'm a keen ally and can still be found online, though for how long I don't know.

The urge to become a ghost in the machine is strong.

A Canadian Cyber Militia for the 21st Century

 Background

Canada’s history and ultimately its emergence as a nation depended heavily on citizen led militias who were willing to take up arms to defend Canadian interests.[1]  In its early years Canada was under constant threat from foreign invasion, and it was through militias that key battles such as the Siege of Quebec in 1775 were won.

Figure 1 Citizen militias in action at the Siege of Quebec (1775)

Without the combined support of both French and English citizen militias in Quebec, the lower town barricades would have fallen to American invaders and Canada as we know it may never have been.[2] This is one of many moments where citizen militias, in this case those from formerly opposing colonies, joined forces and supported the regular military in protecting an emerging Canada.

Context

Due to the complexities of modern warfare, we leave physical military conflict to professional soldiers in the 21^st Century, but cyber conflict is an emergent problem that every Canadian faces so passing this responsibility to professionals has proven ineffective. From skirmishes with cyber criminals to all out attacks by professional foreign cyber militaries on missions to diminish Canada’s effectiveness as a society, modern cyber warfare is aimed squarely at a citizenry who has been made helpless by deference to central authority. This helplessness makes cyber-resiliency difficult to develop as we have atrophied our citizens' expectations of empowered personal engagement.

With criminal and foreign interests focused on disinformation aimed squarely at unprepared Canadian hearts, minds and wallets, an approach in keeping with our militia rich past is called for.

 Looking at the rapidly rising rate of cyber attacks (Figure 2) below, it quickly becomes obvious that existing centralized attempts at improving cyber-literacy have failed because with centralized authority comes the expectation that this is someone else’s problem. The borderless nature of cyberattacks ties our police services in knots.[3] Our failure to monitor or effectively respond to online crime suggests dependence on any central ‘pre-digital’ authority is problematic.

The concept of citizen led militias are fundamental to Canada’s history and identity. By enabling modern localized cyber training and response Canada would resolve previous failed attempts by placing the responsibility where it belongs: with citizens.  A localized cyber militia would also resolve several other challenges our country faces when it comes to developing our own cyber talent[4]. Failure to act or simply repeating previous approaches puts Canada at risk of ongoing deterioration from foreign digital attacks.

 

Figure 2 Statistics Canada. Table 35-10-0002-01  Police-reported cybercrime, number of incidents and rate per 100,000 population, Canada, provinces, territories, Census Metropolitan Areas and Canadian Forces Military Police https://www150.statcan.gc.ca/t1/tbl1/en/tv.action?pid=3510000201

Leveraging Canada’s History of Militias to Create a Modern Citizen Based Cyber Defence

With recent increases in support for the Canadian military due to changes in the geopolitical status quo[5], plans for the creation and support of a citizen led cyber militia would resolve an ongoing problem that centralization of responsibility has failed to address.

The vast majority (over 88%[6]) of data breaches in Canada ’s defences come as the result of user ignorance and error. Canada loses over five billion dollars a year to cyber-criminal and foreign digital interference[7]. One of the first duties of Canada’s Cyber Militia would be to peer educate citizens on the importance of disinformation and cyber security preparedness and make them aware of the challenges they face. This change is essential because reported cyber criminal activity has increased over 600% since 2014[8] while remaining one of the least reported crimes (estimates suggest over 90% go unreported). This data makes it clear that a centralized government approach is ineffective in developing the cyber resilience our citizens need.

Canada also suffers from a shortage of experienced cyber specialists[9]. Academic programs have proven ineffective in resolving this problem because, like policing, cybersecurity operations are an experiential/skills-based job rather than an academic one. The best way to produce these applied experts is through a trades-based apprenticeship and experiential training model that local cyber militias could provide. In doing so these units would also uncover regional talent and reduce Canada’s cyber-gaps by spreading cyber-opportunities evenly across the country instead of centralizing it in a few urban areas.

A Canadian cyber militia would work with and through industry, government and civil society spheres of influence by leveraging citizens locally and establishing individuals as responsible for Canada’s shared digital defence. Like a militia of old these groups would depend on grassroots support. In a field like cybersecurity which suffers from longstanding dominance by privileged groups,[10] supporting local militias that are protecting their home communities would create a Canadian shield the truly covers the country.

Canada spends billions to provide centralized cyber-awareness prevention programs[11] that are obviously ineffective against an onslaught of increasingly automated[12] and well funded foreign campaigns. One only need look at the data to see this. To make cyber and foreign disinformation awareness the responsibility of every Canadian we need to de-centralize ineffective programs and pivot to a local militia model that places cyber-readiness in the hands of grassroots groups at the local level. Federal services that do advanced research and active defence are not part of this change in focus, but the programs designed to spread cyber-awareness and access to the field that aren’t working are.

The Canadian Shield is also a weapon

The final piece of the puzzle is organizing and indirectly supporting the most advanced cyber militias to provide reconnaissance and arms-reach offensive cyber operations against foreign interlopers. A government response brings diplomatic strings and bureaucracy, but this arms length approach to offensive cyber operations has already been effectively employed by many other countries, including those doing the most egregious harm to Canada.

Other countries have approached this in different ways. Awash in resources, China[13] has more people working in offensive cyber operations in their military than Canada has in its entire Forces. Russia offers a more resource limited approach that is also very effective with arms-length former military and industry groups performing offensive cyber operations that are incredibly effective without getting tangled in government expectations.

Many cyber ‘powers’ utilize decentralized approaches to make agile, effective use of digital systems for intelligence gathering and foreign interference.[14] Canada has not only fallen behind in developing offensive cyber capabilities but also finds itself trying to defend against this astonishing array of approaches. Trying to play a game with no offence leaves you with at best a draw and most likely a loss. The development of cyber militias would quickly reverse that trend while rapidly enabling a full suite of options for both defensive and offensive operations.

Conclusion

Canada has a long history of self defence using local militias. In 2025 Canadian citizens find themselves alienated from a responsibility that should be placed squarely in their hands. In a world where automated, state sponsored cyber attacks are something everyone will face, leaving awareness and responsibility to people thousands of miles away is both ineffective and ultimately frustrating.

Every Canadian who is online will face foreign disinformation and potential harm from state sponsored criminal cyber campaigns in the next year, yet most Canadians think it’s someone else’s job to be aware of them and stop them. The most astonishing aspect is that it’s Canadians themselves who open the door to many of these attacks. It’s time to put responsibility for cyber awareness and literacy where it belongs, locally with citizens.

By changing its focus from a wagging finger coming from Ottawa to a supporter of locally based cyber-awareness and future talent development, federal (and provincial) governments would reverse decades of damage caused by cyber illiteracy, empower Canadians to defend our country against foreign attacks that will only grow in the coming years, and ultimately place cyber awareness and skills development where they belong: in the communities that so desperately need it.

Figure 3  A Canadian Citizen Cyber Militia for the 21st Century.

 

---

[1]  Canada’s Militia and National Defence Acts, Royal United Services Institute of Nova Scotia, Jan 20, 2025. https://rausi.ca/images/edocman/newsletters/rusins/Dispatches_2025-02-21.pdf 

[2]  1775/76 – Battle for Quebec, Canada History Society, militaryhistory.ca. https://militaryhistory.ca/1775-76-battle-for-quebec/

[3] Combatting Cybercrime. Office of the Auditor General of Canada. https://www.oag-bvg.gc.ca/internet/English/att__e_44499.html

[4] One in Six Canadian Cybersecurity Roles Go Unfilled: New Report Explores Talent Shortage and Solutions. ICTC-CTIC. https://ictc-ctic.ca/news-events/one-in-six-canadian-cybersecurity-roles-go-unfilled-new-report-explores-talent-shortage-and-solutions

[5] Department of National Defence, Jun 9, 2025. Canada’s new government is rebuilding, rearming and reinvesting in the Canadian Armed Forces. https://www.canada.ca/en/department-national-defence/news/2025/06/canadas-new-government-is-rebuilding-rearming-and-reinvesting-in-the-canadian-armed-forces.html 

[6] UNDERSTAND THE MISTAKES THAT COMPROMISE YOUR COMPANY’S CYBERSECURITY. The Psychology of Human Error, Stanford University. https://f.hubspotusercontent20.net/hubfs/1670277/%5BCollateral%5D%20Tessian-Research-Reports/%5BTessian%20Research%5D%20Psychology%20of%20Human%20Error%202022.pdf

[7] Countering Foreign Interference, Public Safety Canada. https://www.publicsafety.gc.ca/cnt/ntnl-scrt/frgn-ntrfrnc/fi-en.aspx

[8] The Impact of Cybercrime on internet users in Canada, Statista. https://www.statista.com/topics/4574/cyber-crime-in-canada/

[9] One in Six Canadian Cybersecurity Roles Go Unfilled: New Report Explores Talent Shortage and Solutions. ICTC-CTIC. https://ictc-ctic.ca/news-events/one-in-six-canadian-cybersecurity-roles-go-unfilled-new-report-explores-talent-shortage-and-solutions

[10] How more diverse recruitment can help close the cybersecurity talent gap. WEF. May 3, 2023. https://www.weforum.org/stories/2023/05/how-diverse-cybersecurity-recruitment-can-help-close-talent-gap/

[11] Canada : The National Cybersecurity Agency’s Budget Has Nearly Doubled in Three Years. Incyber.org.  https://incyber.org/en/article/canada-national-cybersecurity-agencys-budget-nearly-doubled-three-years/

[12] Beyond Phishing: Exploring the Rise of AI-enabled Cybercrime. UC Berkeley. January 2025. https://cltc.berkeley.edu/2025/01/16/beyond-phishing-exploring-the-rise-of-ai-enabled-cybercrime/

[13] Military and Security Developments Involving the People’s Republic of China 2024. US Department of Defence. 2024. https://media.defense.gov/2024/Dec/18/2003615520/-1/-1/0/MILITARY-AND-SECURITY-DEVELOPMENTS-INVOLVING-THE-PEOPLES-REPUBLIC-OF-CHINA-2024.PDF

[14] How Big 4 Nations Cyber Capabilities Threaten The West. DarkReading, Feb 9, 2024. https://www.darkreading.com/vulnerabilities-threats/how-big-4-nations-cyber-capabilities-threaten-the-west

Reframing Digital Literacy: what it is and how to teach it

I did a research piece for Canadian School Libraries last winter that looked at how you might develop the complex, multi-disciplinary digital skills you find in cybersecurity in a relatively short period of time. When I first put it together I found myself spending a lot of the time at the front of the paper trying to define the digital skills we find ourselves lacking. I came to the conclusion that adopting high abstraction digital tools such as those you find in cyber, A.I. and other emerging technologies makes for an impossible leap when we don't have the basics in place.

How we've missed this in education is a good question. Anyone with a background in the field knows that there is no such thing as a 'digital native' and that this myth, which has caused so much damage as it prevents education from building meaningful digital pedagogy, kicked off what has become a multi-generational skills shortage that is doing real damage to both the economy and students' future prospects.

Digital technology has worked its way into everything in 2025, so being unable to make productive use of it damages our ability to compete in a digitally connected world. That we continue to hum and haw about what digital fluency is and how to build it suggests that we're not going to resolve this problem any time soon in Canadian classrooms.

We've seen coding and computational thinking finally worm their way into education curriculums, but this is the tip of a much bigger iceberg when it comes to understanding what digital skills are and how we should approach them.

Originally created for this post on why education is seemingly unwilling to address a persistent digital skills shortage (from 2023).

I've been pushing the boundary of what constitutes digital skills ever since I first got knocked out of digital technology by the compsci grads who had claimed the keys to the kingdom. It took me decades to recover and come around to the approach I have now that nurtures my hacking mindset rather than dismissing it.

A few weeks ago I attended a STEM space technology event put on by a partner of ours in Mississauga. Moonshot was designed to introduce students to the interdisciplinary nature of STEM careers - something we go out of our way to avoid in our departmentalized schools. If you're building space technology as an electronics engineer your job doesn't end where the wires stop, it also involves collaborating with all the other teams to ensure the electronics are working in conjunction with mechanical, communications, logistics and many other systems. Why do schools insist on siloing subjects like they do?

That siloing is also hobbling digital literacy development. The current coding/computational thinking fixation is just the latest in a long line of compsci blinkered approaches to addressing digital technology literacy. What would it look like if we represented the true breadth of digital and taught that wider scope of understanding in our classrooms? We use this technology daily to do everything from operate our schools to deliver learning across all subjects, but then avoid teaching how it all works at all costs.

At the Moonshot event I was introduced to the CEO of MineConnect, an organization that represents and works to promote the mining industry in Ontario. Our chat at Moonshot led to introductions with Science North over their Mine Evolution game. I'm hoping to get a web based version of that running on UBC's Quantum Arcade - perhaps with a quantum add-on as quantum sensing is going to drastically improve s in how we mine in the next decade.

What does this have to do with digital literacy? The fact that you're asking this question shows how little most people understand about where digital technologies come from, and that understanding should be a part of their literacy, don't you think? If you look up 'digital supply chain' you don't get what we need to build digital technologies, instead you only information on how to 'go digital'. Even industry goes out of its way to ignore what digital technology is... except in rare mineral mining, hence my work with Mine Connect and Science North.

It's incredible to me that this late in our adoption of this technology that we still go out of our way not to teach what is needed to make digital happen. The current wholesale adoption of A.I. in education is a great example of this ignorance, as was the rush to the cloud. There is no cloud (it's someone else's computer) and A.I. isn't intelligent, but we'll grasp at digital straws with willful ignorance if we think it'll make our lives easier.

In the CSL research I created a pyramid that showed how I taught digital awareness from the ground up in my rural high school. The assumption is that 'kids nowadays' know all of this, but that simply isn't the case. If you want to disable a 'digital native' it's as easy as flipping a switch they don't usually use. If you want to send a room of them into a panic unplug the Wi-Fi router (assuming you know what that is and where to find it).

Start with the physical substrata and work your way up into the more abstract realms of digital technology; starting digital fluency at coding is like starting literacy at poetry. 

In grade 9 I got a lot of digitally engrossed students who thought they knew it all because adults who lack even basic digital familiarity have been telling them that for years. Revealing that this perceived expertise is merely familiarity with a couple of devices and specific software doesn't take long. In many cases these kids had owned a series of game consoles and phones and that's it. Familiarity with software is limited to games and social media. Very few knew what an operating system was let alone the firmware that kick start it; this is literally how all computers work yet almost no one seems to know it.

Last week I was in Ottawa doing an introduction to OSes on our cyber range. The grade 5s didn't know what an OS was, but by the end of our 90 minutes they certainly did. They also learned the boot process any digital device goes through from firmware start-up to OS loading to where most users think computers start - when the desktop appears. They also got to interact with Linux as well as Windows on their Chromebooks (we use a cloud based cyber range so you're not limited to the restrictive OS on your local device). None of the students knew what Linux was, but they use it everyday because their Chromebook ChromeOS is Linux based. By the end of our afternoon they were navigating the settings in multiple OSes and understood how you could interrupt boot sequences to gain control and interrupt processes.

That we hand students tools like these without any understanding of what they are or how they work is a great failure in modern education, especially as we are only accelerating our use of these machines in classrooms. Considering how widespread their use is now, digital skills have become an ignored foundational literacy.

***

How did I tackle this ever widening digital divide in my program? We started by making our lab DIY. My seniors and I built the first iteration out of e-waste and then kept improving it as we found resources. In 2015 I returned tens of thousands of dollars in board run desktops which then got converted into half a dozen chromebook carts for other classes to use. In that first year our DIY conversion saved the board over tens of thousands of dollars.

In 2016 I contacted AMD and asked if they'd provide CPUs for our next upgrade, and they did! Our board's SHSM program provided additional funding and for a fraction of the cost of a board run computer lab we had significantly better hardware and control over installing our own OSes and software, which allowed us to provide digital learning opportunities others couldn't reach.

By 2018 we had a mix of AMD APUs that could handle the graphic modelling we were doing in our game-dev class. This meant they were also more than capable of running any other software we needed to build digital fluency from scratch. In the process my one teacher department went on to win multiple national awards across a staggering range of digital domains ranging from coding and electronics to IT & Networking, 3d modelling and cybersecurity. DIYing is essential if we're to build digital skills without those compsci coding blinkers on. Even worse is buying a ready-made 'edtech solution' which does it all for you and doesn't teach anyone (staff or students) how technology works. It also tends to trap you in a single brand rather than striving for agnostic digital comprehension.

Having a flexible digital learning environment that we built ourselves allowed us to create unique student projects. In grade 9 that means starting with Arduino micro-controllers. Not only did these open source electronics allow us to develop an understanding of the circuits that all digital technologies depend on, it also offered a tangible approach to programming where the lines of code would produce direct outputs like turning on lights or making music. By the end of the Arduino unit students were confident in building circuits and for many it was also their first opportunity to code in text as opposed to blocks.

As you can see by the gif, getting into Arduino in grade 9 means that by grade 10 students are building customized electronics solutions to everything from the PC temperature system you see to various robotics and digital art installations. One of my seniors worked out an Arduino based fuel management system for his pickup that he then sold to others. Understanding the electronics substrata that digital operates in is imperative for well rounded digital literacy.

From that basis in electronics and introductory coding we moved to information technology and networking - two subjects studiously ignored in schools even though every one of them depends on both to operate every day. We begin I.T. by walking students through PC parts in our recently delivered Computers For Schools desktops. After covering the safety requirements for tools and working with machines that can contain enough electricity to knock you out if you don't treat them with respect, we dug in.

The biggest point I make in PC building is about static management. As long as students respect the delicacy of the electronics (which they already understand thanks to Arduino), they quickly gain confidence and are never again tyrannized by this technology. After this unit no one calls a desktop PC a "CPU", because that's just one part of a much bigger device. Calling a desktop a CPU is like calling a car an engine.

We typically spend a week taking a part desktops and putting them back together. Getting them is no problem because no one wants desktops these days and CFS has piles of them they're aching to give to classrooms. When we wrap up the IT unit anyone who wants to take their computer home can - you'd be surprised how many students (and teachers) don't own a home computer. The best part? If it ever goes wrong they know how to fix it because the built it from the hardware up.

Once we got the hardware figured out we installed operating systems. This involves interrupting boot processes and learning how to navigate BIOSes and other types of firmware. Everyone gets to the point where they have Windows and Linux installed, but some students want to build an epic stack. This can involve adding extra hard drives and going through install processes on up to a dozen OSes. By the end of week two we've got OSes installed and students have explored many more than the one that came on their phone or game system (which are often Linux based). We've even had our share of Hackintoshes in the lab.

Our final step in the IT/Networking unit is to connect the desktops together on a local network and figure out IP addressing and all those other connectivity details most people have no concept of even though they use them daily. Building a network like this takes it out of theory and into tangible practice, as does the PC building. By the end of the week no one is calling connectivity 'WIFI' any more. Ethernet is ethernet and wireless is wireless and everyone knows how to configure and troubleshoot both. The motivation is that once we've got our network up and running on a domain where everyone can see each other we cue up a LAN party and everyone plays networked games on their DIY systems.

Our wide ranging and borderless approach to digital skills created interesting opportunities to mash up different technologies that are typically taught in siloed departments (if at all). In this case a student leveraged Arduino electronics, PC building and networking with robotics to build a whimsical LAN party robotrain.

We do eventually get to coding of course, but starting that far up the tech pyramid is absurd. High level coding languages (the only ones schools teach) are resource heavy because they spell out commands in easy to understand English (easier for humans = harder for machines). We did HTML and associated languages in grade 9 so the internet didn't baffle anyone anymore. In grade 10 it was Python simply because it's in such wide use. In the senior grades students choose their own coding focus, but not before I drag them through an introduction to low level 'machine language' programming so they have an appreciation for all the work those high level languages are doing for them. After you've had to do your own memory addressing, it changes you.

Leveraging this digital literacy, my seniors helped keep the tech in our building running smoothly. This not only saved money but also gave students invaluable public facing support experience. Perhaps the best example of this was our Chromebook graveyard. We would take in broken machines and then repair them with bits from others. After a couple of years of service most high schools in our board had lost over a quarter of their Chromebooks to abuse and accidents - we enjoyed a 90%+ active rate meaning more computers for more students at no extra cost.

The 'that's not your job' thinking that most boards operate under prevents this kind of innovation and cost savings. I always am left wondering to whose benefit.

The other benefit was that our digital fluency made us resilient. When COVID struck and everyone else folded up their classes and went home early, the digitally fluent students in my program didn't want to lose their semester's work and we went online, created our own Discord and landed it remotely. It took a bit of re-culturing because the students needed reminding that this isn't a gaming Discord - you're at school, but they quickly adapted and were sharing 3d models, Unity code snippets, circuit designs and network details back and forth to build complex demonstrations of their skills. In many cases they were doing it on the PCs they'd built when they were in grades 9 or 10 because many parents thinking digital technology is a toy.

So what's stopping us from graduating digitally fluent students with a wide range of skills who are ready to go into any field they choose because every one of them these days involves some kind of digital technology? I come from a time when home computers were brand new and no one had worked out how to 'do them' yet. In that primordial binary goo I hacked my own software and learned how to build my own hardware. My millwright apprenticeship turned to IT because of my familiarity with this new technology but I never came at it as a scientist might, but rather as a mechanic would. Hacking isn't bad, it's humans finding ways to approach digital technology as agents rather than consumers.

If we're going to tackle complex interdisciplinary digital technologies like artificial intelligence with anything other than willful ignorance, we need to start building an understanding of digital from the ground up so students and teachers can see beyond the box tech companies want to keep you in. If we're putting children on it, we should be showing them how it works so that they become more than what most of us are: consumers.

This is from a decade ago. FB has faded from relevance, but every 'tech' we use follows the same approach: your attention is the product being sold.

It might sound counter-intuitive, but cybersecurity offers a unique approach to tech that other subjects lack. Cyber is inherently about edge cases and encourages a 'meta' mindset when approaching digital environments. You're not a component inside the system, you've recognized its limitations and are working beyond it where being human is not only a benefit but essential. With all the 'AI doing it for you' going on these days does being human matter? Other approaches seem easier and wear 'academic credibility' better, but what is academic credibility but another system meant to contain your thinking? If we keep our current status quo we will, at best, produce another generation of passive consumers. We've tried that and it isn't going well. Time to hack this problem by putting students back in control of the technology we are using to control them. It's time to embrace your inner hacker.

The Organization of American States' Caribbean Regional Cybersecurity Symposium DR 2024

*** Simposio de Ciberseguridad de la OEA

Cyber Pirates of the Caribbean.
Sorry, couldn't help myself.

In September I got an invite to sit on a panel at the GFCE's annual meeting. Then the Organization of American States got in touch and asked if I'd sit on their emerging tech panel at the regional pre-meeting. I guess that went well because they then asked if I'd be willing to cover for their quantum cyber specialist who couldn't make a Cybersecurity Symposium in the Dominican Republic at the end of the month. My approach to this sort of thing is to always say yes; that's how I found myself in Ghana last year.

Most Canadians think of Punta Cana and an all inclusive week on a resort when it comes to the Dominican Republic, but I was headed to Santo Domingo which can be a bit rough around the edges. It was an intense week of coming to understand the cybersecurity needs of a region facing the results of climate instability head on while also rapidly developing their digital economy.

Our panel was set to go on the first day, which was good - I like to get them done sooner. Co-panelist Heather happened to be coming in on a flight right behind mine so we met at the airport and shared a cab across the city to the hotel, which felt a bit like the first 20 minutes of Fury Road. Having not eaten since 5am, I sat in the empty hotel restaurant and ate a poor club sandwich that cost an eye watering $30USD while wondering what I was doing here. There is nothing like hunger and exhaustion to make you doubt yourself.

I finally got into the room and collapsed for a couple of hours and awoke feeling more like my usual, confident self; food and rest resolves most anxiety. I went for a wander around the hotel and found Heather on the pool deck watching the sun going down (dramatic sunsets in the DR). She works in AI research and we had a good chat about how it's being used in cybersecurity and both left with enough context to take on the panel in the morning.

Our moderator got switched right before the event but Donavon was agile, knowledgeable and did a great job chasing down themes as they came up rather than following a script. The conversation dove into AI but also left space for IoT and quantum in a cyber context.

I came away from the GFCE event in DC earlier in the month cognisant of the need to keep technical detail out of these kinds of high level talks, especially if you're talking to most of the people in the room through a translator. The technical side of cyber isn't necessarily what you need to focus on because it doesn't really change how most people interact with it. An easier to grasp example might be to ask if you need to have a strong understanding of the metallurgy involved in casting your car's engine in order for you to drive it. This isn't to say you need to simplify the the point of absurdity, but getting into the technical weeds tends to be an academic back-patting exercise rather than being helpful to the audience.

On this panel (as I've done in all of them), I don't pretend I'm something I'm not. I'm a teacher, an I.T. technician and a cyber operations instructor and often refer to anecdotal cyber teaching situations to land a point. People seem to appreciate this approach because presenting material as a teacher is something everyone can relate to, and there is enough intellectual intimidation in cyber as it is. There is also enough marketing misinformation that a clear eyed, education focused approach resonates.

Our talk mainly focused on artificial intelligence but quantum did get some airtime, though many questions (as at the GFCE) orbited the complexities of trying to teach cybersecurity. As mentioned at the Serious Play Conference in August, teaching a subject that few people have the basic digital media literacy to even contextualize is a challenge. The fear that arises from this ignorance is real and makes teaching cyber especially difficult.

I'm always conscious of the Canadian perspective I bring to an international event like this. Canada seldom participates at the international cybersecurity events I've attended. We fund a lot of them (including this one), but finding Canadians willing to make the trip and talk the talk seems difficult. I was the only Canadian on any of the panels at this one too, though I'm hoping to change that. If international cooperation is about relationships, having Canadians talking at events like these is essential.

When asked about IoT threats I brought up two Canadian instances that resonated with the room (I was asked about them repeatedly across the week). One was my visit to the Canadian Institute for Cybersecurity in Fredericton last spring which included a look at their IoT lab. The curiosity this generated has me wondering if an OAS event in Fredericton at UNB wouldn't go amiss. Does Canada ever host these things?

The second Canadian cyber challenge was the rash of car thefts Canada is experiencing. It's tempting to define this under traditional criminal activity but these are new vehicles with 'state of the art' electronics that are being hacked, making this an IoT cyber problem. When you know enough about cybersecurity you start to think differently about how it's integrated into your day to day life. My cunning solution is to drive manual vehicles that are 'pre-smart'. They're unhackable and also undrivable for most thieves. If you don't expect technology to do everything for you, you're not beholden to its weaknesses.

With our panel in the rearview, I made it a point of understanding the context through which Caribbean and Latin American states are tackling cybersecurity. Our very nice hotel provided bottled water because you're not supposed to drink what comes out of the taps. It's astonishing to me that people without available drinking water are going after digital transformation and the cybersecurity that enables it, but if you want to participate in the 21st Century economy that's the price of admission. Perhaps digitization will solve the water problem too.

One of the first speakers at this event did a deep dive into misinformation and how it is generated using the latest in deepfake technology. Extremists are using this tech in propaganda campaigns. The corrosive effect this has on our shared media is interesting. I had a number of chats with Daniel throughout the conference and discovered that his motivating interest is in the nature of online communities and how they work in terms of social norms and expectations. This kind of decentralized, narrow (as opposed to broad) band media transmission is becoming the new norm, yet no one seems to be teaching how it is influencing society in media theory classes. It's something I want to go after in terms of updating digital media education in Canada.

The theme of the symposium was, DisruptX:Redefining the future of cybersecurity in Latin America and the Caribbean", so many of the talks revolved around the impact A.I. is having in cybersecurity. As in most places, it's a force leveller. People writing phishing emails now write with perfect grammar and spelling, and don't use form letters anymore because AI can generate targeted, articulate messages specifically for individuals. This enabling of cyber criminals by automated systems targets our ongoing cyber-illiteracy because that's the easiest target, but that's just the tip of the iceberg. Automated malware as a service can be purchased by anyone who can turn on a computer. The days of technically talented hackers are far behind us as AI serves to elevate anyone looking to create havoc online.

To further complicate the landscape, you've got state actors (including world superpowers) performing offensive cyber operations against governments, businesses and even individuals. At this cost-no-object end of the spectrum you've got cyber militaries operating on budgets in the billions possibly taking aim at your company or government.  If you're a developing economy with minimal digital infrastructure, how do you possibly keep it secure against that? The short answer is you don't, sometimes you just get pwned.

OK, so what do I do, you ask? You've got a couple of options when it comes to protecting your internet facing systems (in this case critical systems that make society work and provide things like electricity):

1) Put money up front building the most secure network you can, but this requires talented people who are in short supply (the cyberskills shortage isn't just happening in Canada). It also means paying up front for something that hasn't happened yet, and can't be guaranteed secure no matter what you throw at it. The case for preemptive cyber capacity building remains a struggle and not just in the Caribbean, it's a problem in Canada too.

2) The other option is to design full backup systems so you can recover when the inevitable happens, but this too requires technical talent, forethought and a willingness to invest in the future - all aspects of cyber that humans everywhere struggle with.

Like the GFCE event in Washington, a lot of time was spent thinking about governance and policy. These frameworks are vital, especially if we want to push back against human nature that isn't likely to invest in anything precautionary. A purely passive/defensive mindset doesn't work in cyber any more than it would in sports. The nature of this one sided game means that some of these limited resources also need to be reserved for active cyber operations, both offensive and defensive. 

I hope there is room in policy and governance to ensure that there are resources left over to support this kind of agility. This 'just-in-time' work often happens in companies and government agencies rather than in university research labs and needs to be more accessible to the people on the ground doing the work. So much of the research funding in Canada is tied to post-secondary institutions and is inaccessible to anyone else. This is an area where developing cyber systems have an advantage.  Agile action research in cyber by practitioners rather than solely by academics is essential if we're to retain the ability to deal with emerging threats.

This confusion around the nature of cybersecurity (is it an apprenticeable skillset or an academic pursuit?) is another one of those evolving understandings still somewhat out of focus as we continue to define what cybersecurity is. It was nice to see one of my favourite cyber graphics come up in one of the RICET education talks reminding everyone that cyber is a complex, multi-modal field of study ranging from apprenticelike hard technical roles through management and logistics to academically intensive legal and human facing work in subjects ranging from policy and HR to education.

Like any other field of study, cybersecurity is full of nuance. We're just not there yet because we're still figuring out what it is.

*** Extracurriculars

Fascinating conversations and an opportunity to network without a schedule or talking points. These 'extracurricular' evening events are often the most informative!

The conference had a couple of extracurricular events where I often hear the most enlightening things. A delegation from the South Pacific was attending this event under the idea that they they are facing many of the same challenges that the Caribbean states are. Tim from the Cook Islands and I had many great talks about the sudden change they are going through. About two weeks before the conference Elon flipped a switch and suddenly everyone on the islands could afford high speed internet for the first time through Starlink. The rest of us have been in the digital pot as the heat has been slowly turned up over the past two decades and don't realize it's boiling. Can you imagine going from 90's dial up to 2024's AI/social media/fake-news cyber-nightmare in one week? Tim's managing the IT there. Someone should be writing a book about this time travelling digital experiment.

The fortress in colonial Santo Domingo at sunset. The DR's relationship with its past, like Canada's, is complicated and unfinished.

On the final evening we got taken out to the colonial tourist area for a look around Fortaleza Ozama. Being me, I found watching the chaos of the evening commute around the castle distracting. Like the social the night before, this was an opportunity to chat with people working in cyber from many different perspectives. I'd run into Franklin from Suriname who I'd met in Ghana last year and we picked up right where we'd left off. Suriname is about to go through some dramatic changes.

When you find yourself having a drink with the head of Mastercard's security division and the entourage from Columbian cyber, you wonder how you got here. Tim from Cook Islands' wife messaged him asking what he was up to expecting another conference update. His response was, 'I'm drinking rum at a castle at sunset!" Indeed.

The tour included a projection onto the fortress of the DR's history. It reminded me of the projection show they were doing on the Houses of Parliament in Ottawa a few years ago and raised some interesting questions about how digital is insinuating itself into island life.

The seemingly incongruous VR experience at the fortress was complimented by animated digital projections throughout, to the point where it was easy to forget you were in a centuries old fortress, which is the point of being there, isn't it?  A few times in the conference the corrosive effect of AI on regional culture was noted (AI's fixation on large datasets tends to stamp out anything but the biggest producers of data). I suspect digitization (itself a byproduct of globalization) has a generally corrosive effect on people's ability to be where they are. We spend an awful lot of our time taking photos to share online instead of being where we are (like the ones in this post? -ed).

*** RICET

The final day switched gears and became RICET, the Regional Initiative for Cybersecurity Education and Training, put on by the OAS and Florida International University. This focus on education and training is essential if we're to establish sustainable and effective cybersecurity. It's also a vital part of both figuring out what cyber is and framing it so the public better understands it.

I've said it before and I'll say it again, the vast majority of cyber incidents are the result of human failure. No matter how you want to frame it, our current cyber woes arise from a multi-generational failure to develop effective digital media literacy of which cybersecurity is perhaps the most interdisciplinary and complex because it's all about the edge cases. You can't hack something you don't fundamentally understand. You can't defend against those hacks without it either.

We've been fixated on coding as a solution to the digital skills crisis, but digital media literacy is about much more than coding. In cyber you need flexible, stochastic approaches with familiarity across a much wider range of digital technology. I've met too many compsci specialists who are sidelined by simple technical issues to believe that this is the epitome of digital literacy. I also heard the dreaded term 'digital native' during some of these talks, but I'm not going to get into that nonsense again here. 

RICET panels talked about the usual worries around the lack of talent, though like everyone else they spent much of the time on bandaid solutions like adult retraining instead of looking at strategic fixes like implementing nationwide cyber skills talent discovery and development in public schools that would not only address the user negligence problem, but would also resolve our cyber-professional shortage.

We'll never resolve this global digital skilling failure with stop gap solutions. We need both short term and long term strategies, but like the funding for seemingly obvious things like network security and data backups, getting anyone to finance the future is a struggle.

Watching these earnest cyber developers working on shoestring budgets trying to make this work while Canadians literally watch drinkable water go down the toilet has me wondering why we face so many of the same challenges they do. On my way back home I messaged a colleague in cyber education and lamented the fact that cyber expertise in Canada seems to be more about marketing than it does cybersecurity. I summarized the problem with genuine cyber-education in simple terms: there's no money in it.  That observation extends to cyber in general. One of the reasons for the high burnout rate is asking the few people who know what they're doing to do it without the necessary resources.

I enjoyed learning about the regional challenges being faced in the Caribbean, but what always surprises me about these glimpses into international cybersecurity is just how similar the problems we all face are. In a discipline where the bad guys only have to get it right once but the defenders have to get it right every time, the only hope for cybersecurity professionals is to develop connections, build international cyber-diplomacy and work together. Circling the wagons and sharing intelligence, tools and best practices is the only advantage we have against the cyber pirates (see what I did there?) that surround us.  This event was a prime example of that kind of networking. I hope to be a part of future ones and not the only Canadian talking.

Winging out of Santo Domingo at sunrise on Delta's A320 Airbus. What a beautiful country. Wish I'd had the opportunity to see more of it...

The Bermuda Triangle on a sunny Friday morning in October.