Thursday, 24 August 2023

Stories of Innovation Are Never About One Person

I've been involved with Cisco's Networking Academy since we joined the CyberTitan national student cybersecurity competition in its inaugural year in 2018. It's the 25th anniversary of Netacad and this summer they asked alumni to tell them stories that arose from their association with the platform. I told the tale of the Terabytches and bringing the first all-female team to CyberTitan national finals along with my own journey of taking my first technical qualification in almost two decades. It was a story of perseverance in the face of prejudice and a love of lifelong learning.

To my surprise I made the finalists list out of hundreds of applications from across the globe (Netacademy runs in almost every country in dozens of languages - it's a truly global platform). When I read about some of the other finalists I was thrilled just to be included with them.

On August 15th I was driving through the countryside to the University of Waterloo, listening to the awards being announced on spotty cell phone coverage. It cut out just as the innovation architect award was announced and then came back for the next award, so I didn't hear I'd won when it happened.


At CEMC at UWaterloo I took a room full of computer studies teachers through cyber-range activities and while that was going on my wonderful wife and innovation touch-stone, Alanna, announced that I didn't just win the Innovation Architect Award, but also the Shooting Star grand prize which has me in NYC in mid-September for the Global Citizen Festival.

As part of the prize Cisco gave me a communications package and asked for shoutouts, and there are many. Innovating can often feel like a lonely exercise where most of what you're doing seems to aggravate management, but it's really a collaborative exercise, otherwise you're by yourself in a room doing cool things that no one else knows about. The idea of a lone inventor hidden away working on their own is a fiction.

I could never have built the program I developed without getting my school board onside. There are two people in particular who became supporters and advocates for the unique work we were attempting. Charles Benyair was our SHSM lead and he provided the resources that my school would not to get us in motion, and Sandro Buffone in our IT department made a point of attending my cybersecurity sessions at ECOO so he could understand what I was trying to do. He then was instrumental in clearing away the technical bureaucracy to let it happen.

Convincing students to take on an international competition in a subject we'd never studied before was a challenge, but Cam, Cal, Nick and Justin were seniors in 2017 and bravely jumped into cybersecurity with me. We learned new concepts and got a handle on things to such a degree that we discovered we were going to the first Canadian national cybersecurity finals in Fredericton. Three of those students had never left the province or been on a plane so you can imagine the impact.

As the teams gathered for a photo I happened to be standing next to Sandra Saric, the vice-president in charge of CyberTitan at the Information & Communication Technology Council (ICTC). As the photo got taken she said under her breath, "where are all the girls?" Out of seventy-odd students only a handful were girls. That observation put me on a mission.

Sandra went back and established a program for encouraging all-female teams to sign up and I went back to my junior computer technology classes (the exacting gender expectations of our rural high school made sure that there were no girls in senior computer tech classes) and cajoled six girls to give it a try. That next year we had three full teams instead of two-thirds of one. I encouraged them to find a name that speaks to their experience and the girls came up with the Terabytches (terabyte with a twist).


Those six pioneers faced derision from our school and when they went to nationals a member of one of the other all-male teams said to one of them, "you're lucky you're pretty, because you suck at this." That year emphasized for me how important it is to give girls their own space away from the often corrosive male culture that forms around technology.

In a radio interview in Ottawa at those finals Rachel said something that stuck with me. "We used this name so that it couldn't be used against us." 2019 was an incredible year for getting my head around diversifying access to technology learning, particularly in the hyper-male dominated field of cybersecurity. But it was also a year of finding allies. Joanne Harris at the school board enabled us to attend nationals by coming along as our female chaperone and I got to meet Diana Barbosa, Sheena Bolton and Hayley Heaslip who ran the competition.

That summer Philippe Landry from Cisco Canada got in touch and asked if I'd be interested in working toward my CCNA Cyber Operations Instructor qualification. My last I.T. certification was CompTIA's Network+ way back in 2002, so this would be my first run at a technical certification in seventeen years, and in a subject I'd only been looking at for eighteen months. Claude Roy at FTI in Quebec was my instructor and he was patient and very giving of his time. Over the summer I became familiar with Wireshark and all sorts of other cyber-tools and in September I wrote the exam and became the first K12 teacher in Canada qualified to teach cyber operations - I think I am still the only one five years later. Yes, innovating can sometimes feel a bit lonely.

Attending Cisco Live in the fall of 2019 I was again reminded of just how cloud based (and cybersecurity dependent) things have become. I also attended my first University of Waterloo Cybersecurity & Privacy Institute conference (bringing a bus load of students with me) which opened my eyes to the current state of networked technology where we're barely hanging on. To underline that I had my local OPP detachment asking if I could forensically analyze digital evidence for them because they weren't resourced to do it themselves.

We ground through the pandemic but CyberTitan was one of the few events that never cancelled on us. The diversifying of our teams in 2019 led to a richer and more effective co-ed senior team. Some of the girls wanted to join the best of the boys and that mix of skillsets led to a string of top five finishes including a top defender award. The girls' team also continued, missing nationals in 2020 but earning top wildcard spots in the '21 and '22 finals.

In 2022 I discovered that I had been seconded to ICTC for the year to advocate for and support cybersecurity education nationally. In this role I've been in classrooms from Newfoundland to British Columbia and many points in between. I've supported two new provinces in joining the competition and continue to bang my drum for recognition of essential Twenty-First Century digital skills that are so often ignored in our school systems, like cybersecurity.

This spring I joined Katina Papulkas' Dell K-12 Education Innovation Accelerator. Part of that program was an opportunity to mentor with someone in the edtech space and I was lucky enough to be placed with Julie Foss, who helped me re-contextualize myself in my first role out of the classroom in two decades. The experience empowered me to apply for the Cisco award. Had I remained lost at sea in terms of understanding how to do what matters in my new role, I would never have done it.

Innovation is often lonely work. It can antagonize status quo types who are intent on maintaining a system that put them in charge, but innovation is also thrilling and can empower those not privileged by that status quo. If you're serious about diversity, equity and inclusion, innovators aren't people you want to be labelling as troublemakers, they're simply committed to finding a better way.

The other nice thing about innovation is that you meet the most interesting people. From Ella in UBC to Kyle at Inspiretech, Louise at QAI and Eric George at the CPI, I've had the opportunity to meet some fascinating people who don't status quo anything.

Cisco, both as a company and as individual employees, have been wonderful enablers of innovation, providing me with resources in a subject that everyone uses all day every day in every classroom, but almost no one teaches. Being acknowledged as an innovator by such a forward thinking organization makes me think that I'm on the right track, even if it annoys some of the powers that be.

We face an ongoing shortage in cybersecurity skills and society faces a global digital skills crisis that is grinding on into its second decade. Women remain underrepresented in high paying STEM fields and especially in cybersecurity. Status quo thinking got us here, it's time to innovate our way out of it. Thanks to Cisco for supporting that by acknowledging our work.







Sunday, 13 August 2023

If Your Car Was Engineered Like Your Cloud Computing Solution


When you take engineering seriously, the results are resilient, and elegant.

Imagine you're buying a car from a reputable manufacturer. That manufacturer doesn't build all the components itself. It partners with other specialists and works with them to tight tolerances so that all the bits fit together and work properly.

In a tightly controlled supply chain like that you end up with complex systems that can take you hundreds of thousands of kilometers through extreme environments. When engineering is taken seriously like this, amazing, resilient, elegant machines are the result. Unfortunately, the digital transformation we're living through hasn't been approached with that in mind.

There is nothing elegant about how we've engineered our 'digital transformation'

2347: Dependency

If your car was built like the cloud infrastructure your business / school / government depends on to operate every day, your software 'manufacturer' scours the internet looking for free bits and pieces of code that will do a job that they can't be bothered to code themselves. This freeware, often taken without consent and seldom supported, becomes part of an under-engineered stack of software that makes your magical, money-saving cloud infrastructure work. Any time someone decides they want additional functionality, another piece is patched into this mess.

Imagine if your car was built like this. Every tire would come from a different manufacturer with different specs but they all got chucked onto the car because they filled a need at that particular moment. Some of the tires come from tire manufacturers, some came from a guy who thought he could build a better tire in his shed, and they're all different makes and sizes. Some are tested for safety, some aren't even technically tires, but fill the wheel well and roll like a tire. The other parts of your franken-car would also be sourced like that, with simplistic needs met but with little thought for integration or upkeep. Some parts of your rolling nightmare are updated regularly, others never have been and never will be, meaning what fits together this week might not next.

One day your engine bolts might update themselves and suddenly the motor won't start because nothing fits. The horn that got installed might not actually be a horn but a fire hazard waiting to burn your new car to the ground when you press the button. You might be running a 1990s transmission with a 2023 chassis that only superficially work with each other but will fly apart the first time you take a corner.

https://www.huawei.com/en/huaweitech/publication/81/open-source-powers-cloud-ecosystem
If there were any consistency in how open source software is integrated into business systems, this might work, but in most cases complex cloud based information management systems are cobbled together collections of corporate systems and under-resourced open source freeware. Why would this chaos suit some companies?

"Tech" companies seldom make the technology you're purchasing from them. In most cases that fancy new operating system you're buying was lifted from freeware and modified to fit the money-making paradigm - in many cases while ignoring the original intent of the freeware developer to provide functionality to those who need it while not supporting a profit mandate. Life's good when you're living a 'move fast and break stuff' tech-disruption life. That's what we're all depending on now to make our critical infrastructure work.

The stack of hardware and software your data passes through to use the internet is staggering. On your computer (laptop, smartphone, whatever, they're all computers) you're using a browser likely made by one company on an operating system made by another. The drivers that run the hardware that connects you online are a third company and in all three cases they may well have 'grabbed' some open source software to make their piece of the puzzle work. Once your data actually leaves your device it hits your router that is running another bunch of hardware and software before getting fired out to your internet service provider (ISP), who is running goodness knows what (but probably with ample amounts of 'free' open source software). From your ISP your data bounces from server to server on its way to its destination. If you're reading this through social media you've now picked up all their bad habits (TwitterMetaGoogle, though notice that they all make monetizing free software look like a community service).

This mad hack-fest is how the internet works and it's how the cloud based programs everyone finds so convenient are built. Your brand new 'mission critical' cloud based accounting software depends on this slapdash engineering to work... all day, every day. This approach almost begs to be abused, and it is.

How can we possibly secure this mess? Well, it's nearly impossible, which is why you see so many criminals taking to this new frontier. The people using this technology are now decades into a digital skill crisis that shows no signs of abating, so the people who drive these terrible cars don't have the skills to know just how bad they are. Our information and communication technology illiteracy also affects management who make ill informed decisions about how to integrate technology with resilience and best engineering practices first. It's easier to play the victim than take responsibility for the technology we depend on.

The vast majority of online systems depend on open source software that introduces all sorts of chaos into what should be a coherent and carefully engineered system. When you pile on missing user and management digital fluency, it's amazing that the lights are on and your online banking works at all.

Imagine that you are the under-resourced mechanic for that franken-car. When something breaks you may find that it doesn't fit into what the car has changed into as other parts got updated. You might find that the intention of the part you need to replace was misunderstood to begin with and it was never the right thing for the job. Picking 'off the shelf' software to run your system can do that. Whenever you open the hood you're not expecting to see branded parts that were designed to be engineered together, you're seeing a hodgepodge of bits slapped together to work in a given moment. Your maintenance of this car becomes a panicky grab at anything that might make it work, which only makes things worse.

That under-resourced mechanic has a lot in common with cybersecurity specialists tasked with trying to keep our 'digital transformation' functional. When I read an article like this scattered piece in the Globe and Mail I get a sense of just how panicky and clueless our approach has been. They would rather portray criminals as better organized and resourced than government supported businesses in order to explain our ongoing cyber-crisis. The picture this article paints suggests that the slap-dash architects of our digital transformation are now helpless victims of their own poor judgement, but don't worry, it's your data that gets leaked. I found it particularly galling that the writer then insinuates that cybersecurity experts are somehow untrustworthy because they understand how poor our systems are. The spin in this is incredible.

Cybersecurity is an uphill struggle. You can expect the systems you work on to be cobbled together nonsense that no one in their right mind should have made the foundation of a business (or government, or school system). The users you're trying to protect in this digital hodge-podge are so lacking in understanding of how it works that they are your single biggest threat, even beyond the atrocious engineering. The people working against you (many with organized crime or foreign government support) only have to get it right once while you have to get it right all day, every day. It's no wonder we're in a decades long shortage of cyber-talent and seeing burnout in the few who dare to take it on.

The decision to start taking online security from software development on up seriously is going to take a revolution in thinking. Perhaps the coming quantum disruption to encryption in cybersecurity will prompt this change. The hacked together mess that powers our 'digital transformation' into the cloud is begging to be burned down and redone properly.