Wednesday, 27 November 2024

Cyber Resilience: the evolution of cybersecurity beyond the technical



Navigating a Generational Digital Skills Crisis


The World Economic Forum's Centre for Cybersecurity recently (Nov '24) released a white paper called Unpacking Cyber Resilience. The goal of this paper is to redefine digital information security (currently called 'cybersecurity') beyond the technical box it currently sits in.

Digital transformation has forced unprecedented change in all aspects of our lives, yet digital literacy has remained at best an afterthought in education even as education systems across the world embrace mandatory eLearning and place students in online learning environments from the earliest grades. Our failure to recognize digital fluency as a foundational skillset has resulted in a generational global digital skills crisis demonstrating shocking digital habits that are the main cause of an epidemic of cybersecurity breaches. Hiding cyber in a technical bubble is probably both a reaction and the result of this mess.

WEF's opening remarks in the Unpacking Cyber Resilience white paper describe an expansion of cyber awareness using business language that many educators will use to say, 'that's not our job!' (i.e.: training students for workplace readiness), but this digital illiteracy also damages our democracies by destroying our trust in institutions, creating disinformation echo-chambers that erode public discourse and also preventing us from accessing trustworthy news sources. Surely some of that is the job of public education?

"The digital transformation continuously reshapes and evolves businesses and governments. The primary goals and objectives of organizations are often supported by business processes that are critically reliant on digital technology, commonly without any analogue alternatives. While primary goals and objectives will differ between organizations, they will always include the protection of critical service delivery, stakeholder confidence and the principle assets that underpin value and position in the market. Achieving true cyber resilience is fundamentally a leadership issue, and is paramount to retaining shareholder value."

- Executive Summary, Unpacking Cyber Resilience

Those 'business processes' underlie all aspects of modern life, including those in education. School boards call their operational network domains 'corporate' because it's lifted from the same digital systems that support business and government. Educational operations aren't digitally distinct from those in the public and private sectors, they're the same technologies but with higher security needs because they collect the data of minors (and their families) on a massive scale. Putting employees and students onto these systems without teaching them fundamental digital literacy is akin to putting them in a car and hoping they'll drive it without having an accident.

WEF's efforts to reframe cybersecurity are important because there aren't many aspects of our lives left that are independent from networked information technology. This dependence is absolute because the analogue processes that preceded digitization have been jettisoned with a promise of cost savings. We live in a world run on ICT where almost no one understands ICT.

Cybersecurity is a particularly difficult nut to crack because it is an interdisciplinary field of study that exists within a larger framework of digital expertise that very few people possess. Cyber also suffers from being the edge of digital where zero days and emerging technologies can have devastating impact. Instead of building stable systems that then change slowly over time, cyber stares into the edge case abyss where you not only need deep digital fluency but also a willingness to step into the unknown.

If we address digital skills at all in education it tends to be a rote coding plug-and-play edtech solution. This one and done approach fails to recognize the complexity of digital literacy.


The Evolution of Digital Information Security


The idea that 'cybersecurity' was the final conception of this rapidly evolving field demonstrates a lack of understanding both in how new it is and how quickly its scope is changing. For a long time the cool kids on the West Coast hated the term cyber and created a lot of political tension in a field that was barely conceptualized. You know you're in trouble when the people doing the thing can't even agree on what to call it. If you take a step back and look at how things have evolved over the past four decades you begin to see the broad strokes of digital information security:

For many even what to call cybersecurity was a sticking point. The good news is that if you don't like it now, it's already moving on. From WEF's Unpacking Cyber Resilience.

One of my favourite early graphics pushing back against the framing of cybersecurity as a purely technical field of study was this one:


Not because it's complete, but because it reframes cybersecurity in a multi-dimensional manner. Through my coaching of student teams in cybersecurity I've found that a mix of talents is much more effective than a group of identical 'head-in-the-machine' types deep diving the technical. That skillset in cybersecurity could be parallelled by a lawyer or surgeon who is doing the point work but is surrounded by specialists with varying skillsets that allow the technical resolution of problems to happen. Can you imagine someone saying that the only people in the medical professions are surgeons, or the only legal professionals are lawyers? These more mature disciplines have a wider understanding of what's necessary to do the work. Clinging to this lone haxor fixation has been one of the mechanisms used to keep cyber a male dominated profession for far too long.

You need team members with organization and communication skills or the technical discoveries get fumbled between detection and response. You also need researchers and admin who understand what everyone is doing so that they can provide resources where needed. Those skillsets are essential to a cybersecurity operation, even a predominantly technical one, but the world of digital information security has expanded far beyond even that scope.

I wrote about this a year ago in a Cybersecurity Secret Sauce post. At that point I was still arguing for better technical training in cyber, but that's the tip of a digital skills iceberg that leans on abilities often ignored in STEM education. The creativity and self-direction demanded by the edge-case nature of cybersecurity is more often found in the arts. My strongest cybersecurity teams included a mix of students from a variety of disciplines, and the very best were also wildly neuro-diverse. Reframing the field to cyber resilience opens the door to those alternative and much needed talents.

Considerations of inclusion are often framed as charitable, but in this case diversity was a genuine performance enhancer, especially once I could convince non-technical students that they had a place on a national championship bound cybersecurity team. STEM education does a great job of selecting out creative thinkers early on. Hopefully reframing to cyber resilience ends this gatekeeping.


Cyber Resilience Reframing Digital Information Security


Multidisciplinary collaboration is a force multiplier well beyond blue teams doing competitive defensive work in capture the flag exercises. I should add here that no one should avoid a hackathon or cyber-defence competition because they are afraid they don't have the hands-on technical skills to do the hacking for a couple of reasons:

CyberTitan Top Defenders in 2021 had diverse and complementary skillsets.

1) The detective process for determining damage from a cyberattack is remarkably intuitive and the best way to learn it is to watch someone who has developed this intuition display it.

2) If you have half a dozen haxors all digging into a hacked system and attempting repairs at the same time you have chaos, so it's typical to have one operator in the system while others support them. Again, think of the operator as a surgeon with a team of supporting talents around them and you begin to see how even technical cyber needs diversity.

Even in technical cybersecurity, team-based/complementary skillsets are the norm. Attempting to solve the global cybersecurity skills gap by minting as many hands-on cyber-operators as you can misunderstands the needs of the field, especially with the onset of AI automating basic tasks.

Cyber resilience recognizes the diversity of expertise needed to create functional digital information security. Another example of this expansion is in international collaboration. You can't work across languages and cultures without being eye to eye on the technical aspects. The work I've done this fall around cyber diplomacy both in DC and the DR has shed light on this emerging field and the importance of us understanding the same terminology. You'd think this is how things are done but training is often rolled out by insular regional interests who (incredibly) often lack an understanding of the subject and don't give much thought to national let alone international collaboration. You can't work together defending against cyber attacks when you don't share common understandings. The work Global Affairs Canada has done in providing internationally recognized industry certifications for developing countries is a great example of this in action.

Hundreds of people from dozens of countries all working together on cyber resiliency at the GFCE annual meeting in Washington DC in September, 2024 (I'm on the left).

From talking to the newly minted director of cyber at GAC to presenting on emerging technology disruptions in cyber internationally, I'm more aware than ever of the challenges in creating global connections encouraging cyber resilience. Unless we align our terminology and technical awareness we cannot communicate and collaborate effectively. In our one sided world of digital defence where they only have to get it right once but we have to get it right every time, this is a recipe for disaster. Without collaboration and cooperation there is no way organizations can defend against the asymmetrical nature of cyber attacks, the largest of which have the funding of nation states behind them.


Hope For The Future


Locally, I hope that reframing cybersecurity to cyber resilience means more leaders begin taking it more seriously, especially in education. But even cyber resilience remains problematic because it is hidden inside a larger digital literacy crisis that has grown to such a degree that many in education ignore it rather than recognize the cross curricular damage it is doing, not to mention the societal damage it is doing to our democracies.

Nationally, I hope that cyber resilience creates more diverse pathways into the field. I would love to see the absurdly privileged 'comp-sci degree' base expectations disappear (this is the equivalent of saying everyone who works in the field of law has to be a lawyer). Cyber resilience isn't for specialists, it's for everyone and I hope this reframing encourages more diverse skillsets to engage with it.

Internationally, cyber resilience is where emerging fields like cyber diplomacy and multi-country partnerships grow. If we want the benefits of digital transformation to be available to everyone while relaxing the grip of surveillance capitalists and ensuring our democracies are functional, critically looking at how we compartmentalize digital literacy and opening it up to reinterpretation is essential. Digital technology is only accelerating and clinging to old frameworks makes no sense.




NOTES

The idea that we can resolve a lack of cyber skills when they hide within a much larger digital illiteracy crisis has caused a lot of frustration in cyber training. Teaching information security awareness when users lack basic digital skills is akin to attempting to teach Shakespeare to people who can't read.

Rather than base your cyber stance on this impossible situation and watching training fail to stop the vast numbers of breaches digital ignorance causes, reframing cyber resilience through a human risk management lens reveals a more effective tactic. If people are the weakest link (and they are), don't expect their illiteracy to be an easy fix. Leveraging a wider human risk management approach lets you ensure safety regardless of how digitally clueless your users are.


"In 2024, the idea of human risk management shifted from concept to reality as frustrated CISOs looked for solutions beyond security awareness and training to make real change."


The EU isn't hanging around: The Cyber Resilience Act

Wednesday, 30 October 2024

The Organization of American States' Caribbean Regional Cybersecurity Symposium DR 2024


*** Simposio de Ciberseguridad de la OEA


Cyber Pirates of the Caribbean. Sorry, couldn't help myself.

In September I got an invite to sit on a panel at the GFCE's annual meeting. Then the Organization of American States got in touch and asked if I'd sit on their emerging tech panel at the regional pre-meeting. I guess that went well because they then asked if I'd be willing to cover for their quantum cyber specialist who couldn't make a Cybersecurity Symposium in the Dominican Republic at the end of the month. My approach to this sort of thing is to always say yes; that's how I found myself in Ghana last year.

Most Canadians think of Punta Cana and an all inclusive week on a resort when it comes to the Dominican Republic, but I was headed to Santo Domingo which can be a bit rough around the edges. It was an intense week of coming to understand the cybersecurity needs of a region facing the results of climate instability head on while also rapidly developing their digital economy.

Our panel was set to go on the first day, which was good - I like to get them done sooner. Co-panelist Heather happened to be coming in on a flight right behind mine so we met at the airport and shared a cab across the city to the hotel, which felt a bit like the first 20 minutes of Fury Road. Having not eaten since 5am, I sat in the empty hotel restaurant and ate a poor club sandwich that cost an eye watering $30USD while wondering what I was doing here. There is nothing like hunger and exhaustion to make you doubt yourself.

I finally got into the room and collapsed for a couple of hours and awoke feeling more like my usual, confident self; food and rest resolve most anxiety. I went for a wander around the hotel and found Heather on the pool deck watching the sun going down (dramatic sunsets in the DR). She works in AI research and we had a good chat about how it's being used in cybersecurity and both left with enough context to take on the panel in the morning.

Our moderator got switched right before the event but Donavon was agile, knowledgeable and did a great job chasing down themes as they came up rather than following a script. The conversation dove into AI but also left space for IoT and quantum in a cyber context.


I came away from the GFCE event in DC earlier in the month cognisant of the need to keep technical detail out of these kinds of high level talks, especially if you're talking to most of the people in the room through a translator. The technical side of cyber isn't necessarily what you need to focus on because it doesn't really change how most people interact with it. An easier to grasp example might be to ask if you need to have a strong understanding of the metallurgy involved in casting your car's engine in order for you to drive it. This isn't to say you need to simplify to the point of absurdity, but getting into the technical weeds tends to be an academic back-patting exercise rather than being helpful to the audience.


On this panel (as I've done in all of them), I don't pretend I'm something I'm not. I'm a teacher, an I.T. technician and a cyber operations instructor and often refer to anecdotal cyber teaching situations to land a point. People seem to appreciate this approach because presenting material as a teacher is something everyone can relate to, and there is enough intellectual intimidation in cyber as it is. There is also enough marketing misinformation that a clear eyed, education focused approach resonates.

Our talk mainly focused on artificial intelligence but quantum did get some airtime, though many questions (as at the GFCE) orbited the complexities of trying to teach cybersecurity. As mentioned at the Serious Play Conference in August, teaching a subject that few people have the basic digital media literacy to even contextualize is a challenge. The fear that arises from this ignorance is real and makes teaching cyber especially difficult.

I'm always conscious of the Canadian perspective I bring to an international event like this. Canada seldom participates at the international cybersecurity events I've attended. We fund a lot of them (including this one), but finding Canadians willing to make the trip and talk the talk seems difficult. I was the only Canadian on any of the panels at this one too, though I'm hoping to change that. If international cooperation is about relationships, having Canadians talking at events like these is essential.

When asked about IoT threats I brought up two Canadian instances that resonated with the room (I was asked about them repeatedly across the week). One was my visit to the Canadian Institute for Cybersecurity in Fredericton last spring which included a look at their IoT lab. The curiosity this generated has me wondering if an OAS event in Fredericton at UNB wouldn't go amiss. Does Canada ever host these things?

The second Canadian cyber challenge was the rash of car thefts Canada is experiencing. It's tempting to define this under traditional criminal activity but these are new vehicles with 'state of the art' electronics that are being hacked, making this an IoT cyber problem. When you know enough about cybersecurity you start to think differently about how it's integrated into your day to day life. My cunning solution is to drive manual vehicles that are 'pre-smart'. They're unhackable and also undrivable for most thieves. If you don't expect technology to do everything for you, you're not beholden to its weaknesses.

With our panel in the rearview, I made it a point of understanding the context through which Caribbean and Latin American states are tackling cybersecurity. Our very nice hotel provided bottled water because you're not supposed to drink what comes out of the taps. It's astonishing to me that people without available drinking water are going after digital transformation and the cybersecurity that enables it, but if you want to participate in the 21st Century economy that's the price of admission. Perhaps digitization will solve the water problem too.

One of the first speakers at this event did a deep dive into misinformation and how it is generated using the latest in deepfake technology. Extremists are using this tech in propaganda campaigns. The corrosive effect this has on our shared media is interesting. I had a number of chats with Daniel throughout the conference and discovered that his motivating interest is in the nature of online communities and how they work in terms of social norms and expectations. This kind of decentralized, narrow (as opposed to broad) band media transmission is becoming the new norm, yet no one seems to be teaching how it is influencing society in media theory classes. It's something I want to go after in terms of updating digital media education in Canada.

The theme of the symposium was "DisruptX: Redefining the future of cybersecurity in Latin America and the Caribbean", so many of the talks revolved around the impact A.I. is having in cybersecurity. As in most places, it's a force leveller. People writing phishing emails now write with perfect grammar and spelling, and don't use form letters anymore because AI can generate targeted, articulate messages specifically for individuals. This enabling of cyber criminals by automated systems targets our ongoing cyber-illiteracy because that's the easiest target, but that's just the tip of the iceberg. Automated malware as a service can be purchased by anyone who can turn on a computer. The days of technically talented hackers are far behind us as AI serves to elevate anyone looking to create havoc online.

To further complicate the landscape, you've got state actors (including world superpowers) performing offensive cyber operations against governments, businesses and even individuals. At this cost-no-object end of the spectrum you've got cyber militaries operating on budgets in the billions possibly taking aim at your company or government.  If you're a developing economy with minimal digital infrastructure, how do you possibly keep it secure against that? The short answer is you don't, sometimes you just get pwned.


OK, so what do I do, you ask? You've got a couple of options when it comes to protecting your internet facing systems (in this case critical systems that make society work and provide things like electricity):

1) Put money up front building the most secure network you can, but this requires talented people who are in short supply (the cyberskills shortage isn't just happening in Canada). It also means paying up front for something that hasn't happened yet, and can't be guaranteed secure no matter what you throw at it. The case for preemptive cyber capacity building remains a struggle and not just in the Caribbean, it's a problem in Canada too.

2) The other option is to design full backup systems so you can recover when the inevitable happens, but this too requires technical talent, forethought and a willingness to invest in the future - all aspects of cyber that humans everywhere struggle with.


Like the GFCE event in Washington, a lot of time was spent thinking about governance and policy. These frameworks are vital, especially if we want to push back against human nature that isn't likely to invest in anything precautionary. A purely passive/defensive mindset doesn't work in cyber any more than it would in sports. The nature of this one sided game means that some of these limited resources also need to be reserved for active cyber operations, both offensive and defensive. 

I hope there is room in policy and governance to ensure that there are resources left over to support this kind of agility. This 'just-in-time' work often happens in companies and government agencies rather than in university research labs and needs to be more accessible to the people on the ground doing the work. So much of the research funding in Canada is tied to post-secondary institutions and is inaccessible to anyone else. This is an area where developing cyber systems have an advantage.  Agile action research in cyber by practitioners rather than solely by academics is essential if we're to retain the ability to deal with emerging threats.

This confusion around the nature of cybersecurity (is it an apprenticeable skillset or an academic pursuit?) is another one of those evolving understandings still somewhat out of focus as we continue to define what cybersecurity is. It was nice to see one of my favourite cyber graphics come up in one of the RICET education talks reminding everyone that cyber is a complex, multi-modal field of study ranging from apprenticelike hard technical roles through management and logistics to academically intensive legal and human facing work in subjects ranging from policy and HR to education.

Like any other field of study, cybersecurity is full of nuance. We're just not there yet because we're still figuring out what it is.


*** Extracurriculars


Fascinating conversations and an opportunity to network without a schedule or talking points. These 'extracurricular' evening events are often the most informative!

The conference had a couple of extracurricular events where I often hear the most enlightening things. A delegation from the South Pacific was attending this event under the idea that they are facing many of the same challenges that the Caribbean states are. Tim from the Cook Islands and I had many great talks about the sudden change they are going through. About two weeks before the conference Elon flipped a switch and suddenly everyone on the islands could afford high speed internet for the first time through Starlink. The rest of us have been in the digital pot as the heat has been slowly turned up over the past two decades and don't realize it's boiling. Can you imagine going from 90's dial up to 2024's AI/social media/fake-news cyber-nightmare in one week? Tim's managing the IT there. Someone should be writing a book about this time travelling digital experiment.

The fortress in colonial Santo Domingo at sunset. The DR's relationship with its past, like Canada's, is complicated and unfinished.

On the final evening we got taken out to the colonial tourist area for a look around Fortaleza Ozama. Being me, I found watching the chaos of the evening commute around the castle distracting. Like the social the night before, this was an opportunity to chat with people working in cyber from many different perspectives. I'd run into Franklin from Suriname who I'd met in Ghana last year and we picked up right where we'd left off. Suriname is about to go through some dramatic changes.

When you find yourself having a drink with the head of Mastercard's security division and the entourage from Colombian cyber, you wonder how you got here. Tim from Cook Islands' wife messaged him asking what he was up to expecting another conference update. His response was, 'I'm drinking rum at a castle at sunset!' Indeed.

The tour included a projection onto the fortress of the DR's history. It reminded me of the projection show they were doing on the Houses of Parliament in Ottawa a few years ago and raised some interesting questions about how digital is insinuating itself into island life.

The seemingly incongruous VR experience at the fortress was complemented by animated digital projections throughout, to the point where it was easy to forget you were in a centuries old fortress, which is the point of being there, isn't it? A few times in the conference the corrosive effect of AI on regional culture was noted (AI's fixation on large datasets tends to stamp out anything but the biggest producers of data). I suspect digitization (itself a byproduct of globalization) has a generally corrosive effect on people's ability to be where they are. We spend an awful lot of our time taking photos to share online instead of being where we are (like the ones in this post? -ed).





*** RICET


The final day switched gears and became RICET, the Regional Initiative for Cybersecurity Education and Training, put on by the OAS and Florida International University. This focus on education and training is essential if we're to establish sustainable and effective cybersecurity. It's also a vital part of both figuring out what cyber is and framing it so the public better understands it.


I've said it before and I'll say it again, the vast majority of cyber incidents are the result of human failure. No matter how you want to frame it, our current cyber woes arise from a multi-generational failure to develop effective digital media literacy of which cybersecurity is perhaps the most interdisciplinary and complex because it's all about the edge cases. You can't hack something you don't fundamentally understand. You can't defend against those hacks without it either.

We've been fixated on coding as a solution to the digital skills crisis, but digital media literacy is about much more than coding. In cyber you need flexible, stochastic approaches with familiarity across a much wider range of digital technology. I've met too many compsci specialists who are sidelined by simple technical issues to believe that this is the epitome of digital literacy. I also heard the dreaded term 'digital native' during some of these talks, but I'm not going to get into that nonsense again here. 

RICET panels talked about the usual worries around the lack of talent, though like everyone else they spent much of the time on bandaid solutions like adult retraining instead of looking at strategic fixes like implementing nationwide cyber skills talent discovery and development in public schools that would not only address the user negligence problem, but would also resolve our cyber-professional shortage.

We'll never resolve this global digital skilling failure with stop gap solutions. We need both short term and long term strategies, but like the funding for seemingly obvious things like network security and data backups, getting anyone to finance the future is a struggle.


Watching these earnest cyber developers working on shoestring budgets trying to make this work while Canadians literally watch drinkable water go down the toilet has me wondering why we face so many of the same challenges they do. On my way back home I messaged a colleague in cyber education and lamented the fact that cyber expertise in Canada seems to be more about marketing than it does cybersecurity. I summarized the problem with genuine cyber-education in simple terms: there's no money in it.  That observation extends to cyber in general. One of the reasons for the high burnout rate is asking the few people who know what they're doing to do it without the necessary resources.

I enjoyed learning about the regional challenges being faced in the Caribbean, but what always surprises me about these glimpses into international cybersecurity is just how similar the problems we all face are. In a discipline where the bad guys only have to get it right once but the defenders have to get it right every time, the only hope for cybersecurity professionals is to develop connections, build international cyber-diplomacy and work together. Circling the wagons and sharing intelligence, tools and best practices is the only advantage we have against the cyber pirates (see what I did there?) that surround us.  This event was a prime example of that kind of networking. I hope to be a part of future ones and not the only Canadian talking.


Winging out of Santo Domingo at sunrise on Delta's A320 Airbus. What a beautiful country. Wish I'd had the opportunity to see more of it...


The Bermuda Triangle on a sunny Friday morning in October.

Sunday, 22 September 2024

The Global Forum for Cybersecurity Excellence (GFCE)

 I got an invite to speak on a panel at the Global Forum for Cybersecurity Excellence's Annual Meeting last week. It was my first time in DC since I went on a trip there with Air Cadets in the 1980s, so it was an exciting prospect. More so when I saw it was going to be taking place in the Organization of American States' building.

Attending these things is a high wire act for me as it looked like I was going to have to self fund my way there, but then the OAS's Cybersecurity directorate got in touch and asked if I'd sit on one of their emerging technology panels for the region of the Americas pre-GFCE meeting too, so I got hotel and flights covered.

I got in on Sunday and my hotel was in Georgetown, so I got out and about and soaked up some Washington area history - the place is thick with it! 

That night I met up with Dr Juan from Mexico who I did a presentation with in June and we enjoyed some Potomac wings at the local Irish pub (as you do) and caught up. The last time I'd seen him was as we passed through US customs on our way back from Ghana last year, so we had a good chat. The opportunity to solidify these connections was impressed upon me as an important consideration later in the week. Never underestimate the appreciation inherent in making an effort to see people live, especially post-pandemic.

Day 1

The next morning, after breakfast at the Fairmont (!), we walked to the Organization of American States building only to discover it was the wrong one. We ran into Alex from Ghana who was on the OAS panel with me later that morning and he knew where we needed to go, so we backtracked four blocks to where we should have been in the first place.

I got there sweaty (DC got up to about 30°C each day) but cooled off and our talk that morning about emerging technology impacting cybersecurity was wide ranging. Kerry-Ann, our moderator, surprised me with a question about how approaching cyber challenges as a technician gives me a different (and valuable thanks to how she framed the question) insight into the rapidly changing state of things.

Talking to engineers and the legal experts doing policy is one thing, but talking to the trades people who do the operational work of keeping the lights on does offer an interesting angle. I'd been expecting to talk about quantum technology emergence, but an opportunity to speak about the value of hands-on, applied skills in the field was appreciated and well received.


Many of the panels focused on the clear and present danger in cyber at the moment: artificial intelligence. From the automation of big data analysis that humans never excelled at on the defensive side to how criminals are leveraging GenAI to produce customized phishing material well beyond grammatically incorrect emails (stretching to include deepfake video, voice, photos and other digital media), these talks were designed to assist policy makers with understanding what has come out of Pandora's box of AI.

One theme that resonated with me was how people don't want deep technical explanations of these emerging technologies. What they want is an easy to grasp explanation of how these technologies will impact the digital spaces they work in. This remains a problem in cybersecurity and an even bigger one in the quantum world where I just finished my secondment. The urge for academics to obfuscate and complicate their explanations of these rapidly emerging technologies doesn't make them ideally suited for presenting on them, especially to the operations and policy people who are entirely focused on real world impacts and couldn't care less how the maths looks.

I've gotten a lot of static for how I've simplified deep technical details in quantum in order to get concepts across, but you honestly don't need to start neck deep in linear algebra any more than you need to have knowledge of the metallurgy involved in casting your car's engine in order to drive it. Guess what background is really helpful in bridging this information divide: 22+ years as a teacher! Early in my career I came across a quote that described teachers as, "public facing intellectuals" and took that to mean we're not about ivory towers and knowing more and more about less and less, but about the democratization of knowledge. Part of that comes with knowing what to keep out of the mix in order to help people get a handle on emerging technologies.

My age is also handy. Being a genuine digital immigrant who remembers a time before personal computers and the internet (I got my first PC, a Vic 20, in 1979 when I was 10), I have a big picture outlook that those who have always lived in this chaos find helpful. My other secret weapon is a university background focused on thinking and communications (philosophy & English).

After the OAS event we had an evening meet and greet at the Museum of the Americas right behind the main building, which had a permanent collection of powerful pieces looking at colonialism and culture. Upstairs they had a Spanish diaspora collection featuring the people who fled Spain during the Franco period; powerful stuff.

At the meet and greet I got to introduce Juan to Michelle and Nina from CyberLite, one of my favourite international cyber education organizations. We did an around the world webinar with them for Safer Internet Day in February, but it's always nice to see people in 3d rather than on a screen, and introductions like this are what GFCE is all about.

Another good example of this networking was running into Christina from Global Affairs Canada. From our talks I've come to understand the complexities and difficulties of international cyber policy. I'm also particularly aware of how important it is to shed better light on the work our federal government does internationally. Some of this needs to be kept on the down low for security reasons, but much of it (and especially on the diplomacy side) needs more media coverage so Canadians better understand the work that their representatives are doing on their behalf. Being purely insular and defensive doesn't work in sport and it won't work in cybersecurity either. If we can help other countries develop better cyber capacities, we all win, and that starts by doing the hard work and developing trust.

Day 2

The next day we were up early again and this time took an Uber to the right building (kind of, it still took us to the wrong one first), and began the Global Forum for Cybersecurity Expertise Annual Meeting.

Our panel came up quickly and Juan brought in a fantastic angle focusing on the Global South and the formation of a 'quantum divide' that will, like the digital one, further separate developed countries from everyone else. I've seen this happening with tightening restrictions on public facing quantum education resources. In some cases this may be under the auspices of national security, but the end result remains: countries that have the resources to develop quantum technologies will have capabilities that the others can only dream of.

There is also an academic ownership of quantum that favours those with the resources to spend most of their lives in post-secondary. Quantum mechanics is how the universe works, yet most schools stick to Newtonian physics because it's intuitive and easier to deliver, except that Newtonian truth is a fiction caused by our scale. If you look closer, it is (as Brian Cox says) quantum all the way. We need to demystify our best understanding of how the universe works so that everyone can grasp the technologies that are emerging out of this science.

Our panel couldn't have happened without a secure internet because our moderator was virtual in Europe and one of the panelists was in Central America. This highlights the importance of the awareness I've been doing in Canada and beyond around quantum encryption readiness in cybersecurity. In a few years that secure internet may be a thing of the past. After we wrapped up our panel I showed Juan the William Gibson quote about the future already being here, but not evenly distributed.

The idea of a growing quantum divide is another indicator of the state of maturity of rapidly improving quantum computers. I'm motivated to continue my 'technology literacy for all' approach (which includes quantum and AI) because no one should make the technologies that have the best chance of helping us save ourselves from ourselves proprietary. I also have a nagging urge to help everyone reach their maximum potential regardless of how much they have in their bank accounts.

The end of day event on day two was both uplifting (it was a retirement party for founding GFCE president, Chris Painter), but also profoundly insightful. When someone with extensive, top drawer international research resources tells me that they aren't worried about AI taking us down because climate collapse will get us first, I listen. Moments like this make me vividly aware of just how fragile the house of cards we're standing on is. If we don't come together to make it accessible, secure and safe, that house of cards is coming down.

This observation feels even more perilous because of the book a colleague suggested that I'm two-thirds through. Advocating for long term thinking in human societies that only reward short term gain is a challenge, but the most recent chapter is about how all civilizations collapse. Historically this happened regionally (Roman Empire, etc), but the global civilization we've built this time is going to crash harder, and when it collapses we're going to be wishing we had made some of Asimov's Foundations in order to recover more quickly (assuming we don't make our only habitable planet uninhabitable in the process). That's the thing about attending a GFCE event - it makes you reflect on the big things (kinda like Tamara's book recommendations).

Day 3

All of the delegates from dozens upon dozens of countries coming together in DC to make digital transformation secure and accessible.

Day three began with the women in cybersecurity breakfast. The moderator at our table told hair-raising stories of her being in the first female engineering cohort in South Africa and the overt sexism they faced. I told them about Canada's tragic history with this kind of sexism, which the table found astonishing - Canada is considered forward thinking until we're a bit more forthcoming about the dark currents in our history. I also told the story of the quiet sexism that made founding the first all-female cybersecurity team in our school so difficult. It amazes me that half our population experiences these systemic prejudices and that equality isn't something we're likely to get to before the 22nd Century.

These GFCE events are thick with insights and opportunities that lift your head out of your personal context and prompt you to consider the big problems we face. I've tried to cover the main pieces here, but there are so many more that I'm still subconsciously noodling on.

The emerging tech panel on AI towards the end of the day was another of those eureka moments. The policy expert from France's advanced technologies department had a good response to my question about how we devise policy for near future AIs that will have the agency and resources to ignore them, not out of spite, but because even considering them isn't in their programming. She referenced the US Section 230 law that let social media run rampant and pointed out that if we recognized this cautionary tale we'd be able to better direct AI use now. A sharp response, but I think the AI horses are out of the barn and will shortly have the capabilities to do real damage to our digital infrastructure. I remain curious as to when AI policy to try and restrict development turns into defensive policies designed to mitigate the damage that self-directed AIs will do to our piecemeal global network.

I ended the event having lunch with Abdul, my swimming buddy from Accra, and Juan, my co-conspirator. What do you talk about at a Nigerian/Canadian/Mexican table? Abdul told me he is in 'legacy mode', which is a great way of framing your closing professional years. I enjoyed our talks in the pool at Accra City Hotel because Abdul always seems to see beyond the horizon. Taking a minute to soak up that wisdom is never wasted time. He was going to see his friend's grave and visit his cousin after the event. These seemingly technical meetings can be profoundly human, if you let them be.


We wrapped up our time at the OAS HQ, but we weren't quite done yet. At the museum event Monday night we met a Spanish attaché and that prompted an invite to the embassy for a Wednesday evening networking event. It was a short walk from the hotel and I talked to a lot of people but really got into it with Jose Manuel who runs telecoms and startups in Spain including a new one that helps you park your boat in a marina you haven't visited before. Besides travel, work life balance and entrepreneurship, we also had a good chat about the innovative quantum key distribution research around mesh networking QKD into live networks that he is in the vicinity of. I'm hoping to follow up and develop some transatlantic connections that move us all forward.

***

I must have covered 20+ kms on foot over the week (in dress shoes!), but I have no regrets about the schlepping or having to self fund some of this. Hope is hard to find in 2024, but the GFCE exhales it like plants give off oxygen. Just as the GC3B in Ghana did last fall, my mind is left turning over the complex challenges and opportunities that this meeting highlighted. If you're looking for organizations that improve your practice, expand your context, and challenge (and enable!) you to take on the seemingly insurmountable global issues we face, meeting the OAS and experiencing my second live GFCE event has done just that.

DC looking like a postcard on the ascent out of Reagan Airport.

Just over 500kms as the crow flies from DC, I was back in The Six before I knew it!