An Oeuf With Blockchain, Already

Blockchain Eggs

I created a short video and slide deck to help illustrate how a blockchain works. This is not about Bitcoin, but is intended to help people who aren’t as experienced with Merkle trees understand that the idea of a blockchain is to be able to independently verify where and when a thing happened without being able to go back and alter it to make something else have happened instead.
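As an added illustration to go with that explanation (this is example code written for this page, not material from the slides or the video), the script below builds a tiny tamper-evident ledger of egg events. Each block carries a Merkle root over its entries and the hash of the previous block, so a verifier who kept the published tip hash can recompute everything from the raw records and detect any later edit, and a Merkle proof lets them check that one entry was recorded in a block without seeing the rest. The egg records and timestamps are constructed sample data, and the names (`build_chain`, `verify_chain`, `merkle_proof`) are this example's own.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Tuple

GENESIS_PREV = "0" * 64  # prev_hash of the very first block


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def merkle_root(leaves: List[str]) -> str:
    """Hash pairs of entries upward until one root remains; editing any entry changes it."""
    if not leaves:
        return sha256(b"")
    level = [sha256(leaf.encode()) for leaf in leaves]
    while len(level) > 1:
        if len(level) % 2:                 # odd count: duplicate the last node so it has a partner
            level.append(level[-1])
        level = [sha256((level[i] + level[i + 1]).encode()) for i in range(0, len(level), 2)]
    return level[0]


def merkle_proof(leaves: List[str], index: int) -> List[Tuple[str, bool]]:
    """Sibling hashes from leaf to root; the flag says whether the sibling sits on the right."""
    level = [sha256(leaf.encode()) for leaf in leaves]
    proof = []
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        sibling = index ^ 1
        proof.append((level[sibling], sibling > index))
        level = [sha256((level[i] + level[i + 1]).encode()) for i in range(0, len(level), 2)]
        index //= 2
    return proof


def verify_proof(entry: str, proof: List[Tuple[str, bool]], root: str) -> bool:
    """Recompute the path from one entry to the root using only the proof's sibling hashes."""
    h = sha256(entry.encode())
    for sibling, sibling_is_right in proof:
        h = sha256((h + sibling).encode()) if sibling_is_right else sha256((sibling + h).encode())
    return h == root


@dataclass
class Block:
    index: int
    timestamp: str          # when this batch of events was recorded (constructed values below)
    entries: List[str]      # what happened
    prev_hash: str          # hash of the previous block: the "chain"
    block_hash: str = ""    # hash of this block's header, fixed at creation

    def compute_hash(self) -> str:
        header = json.dumps({"index": self.index, "timestamp": self.timestamp,
                             "merkle_root": merkle_root(self.entries),
                             "prev_hash": self.prev_hash}, sort_keys=True)
        return sha256(header.encode())


def build_chain(batches: List[Tuple[str, List[str]]]) -> List[Block]:
    chain, prev = [], GENESIS_PREV
    for i, (ts, entries) in enumerate(batches):
        block = Block(i, ts, list(entries), prev)
        block.block_hash = block.compute_hash()
        chain.append(block)
        prev = block.block_hash
    return chain


def verify_chain(chain: List[Block], published_tip: str) -> bool:
    """Recompute every hash from the raw data; the chain must still end at the tip the verifier kept."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        if block.index != i or block.prev_hash != prev or block.compute_hash() != block.block_hash:
            return False
        prev = block.block_hash
    return prev == published_tip


# Constructed sample data: one egg's history in three batches of events
SAMPLE_BATCHES = [
    ("2020-12-01T06:00Z", ["egg 17 laid by hen 3"]),
    ("2020-12-01T08:30Z", ["egg 17 collected", "egg 17 candled: pass", "egg 17 packed in carton 9"]),
    ("2020-12-02T10:00Z", ["carton 9 sold to shop A"]),
]


def demo() -> dict:
    chain = build_chain(SAMPLE_BATCHES)
    tip = chain[-1].block_hash            # the value a verifier records at publication time
    intact = verify_chain(chain, tip)
    # Prove one entry was recorded in block 1 without handing over the whole block
    proof = merkle_proof(chain[1].entries, 1)
    proof_ok = verify_proof("egg 17 candled: pass", proof, merkle_root(chain[1].entries))
    # Try to rewrite history in place: the stored hash no longer matches the data
    chain[1].entries[1] = "egg 17 candled: fail"
    edit_detected = not verify_chain(chain, tip)
    # Even rebuilding every hash after the edit yields a tip that differs from the published one
    rewritten = build_chain([(b.timestamp, b.entries) for b in chain])
    rewrite_detected = rewritten[-1].block_hash != tip and not verify_chain(rewritten, tip)
    return {"intact": intact, "proof_ok": proof_ok,
            "edit_detected": edit_detected, "rewrite_detected": rewrite_detected}


if __name__ == "__main__":
    print(demo())
```

The point the last two checks make is the one the post is getting at: the hashes alone do not stop someone from rewriting the data, but anyone who holds an independently obtained copy of the tip hash can tell that the history they are now being shown is not the one that was published.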

That’s an oeuf for now.

PDF Slides here:

Video here:

Where are the women in cybersecurity leadership roles?

This post originally appeared on the OECD Forum’s site.

It’s easy to feel like everything has already been said about why we need more women in cybersecurity. I’ve been explaining the economic benefits of hiring women as engineers, bringing in women as senior information security leaders, and going to work for women as board members and national influencers for a long time. 

I felt so much like I didn’t know what was left to say on women in cybersecurity. Women in my field have been pointing out the efficiencies, the improved problem space, and the improved outcomes for years. 

So I went and asked my husband what to say.

Stay with me on this one. I said, “I can’t think what’s left to say on the topic. Women have been decreasing in their representation in cybersecurity C-suite roles and board memberships for years, and the entire trend of women in technology and engineering positions has been steadily decreasing, at least in the United States, since 1984. There’s been no real improvement on about 1% women in senior engineering positions holding steady for a decade”. And my lovely spouse said to me, “Well, if you’re writing a piece for the OECD, what’s happened with the European numbers over the last year? What’s happened to women in cybersecurity according to the statistics during the pandemic? Can you talk about that?” I was drying a dinner plate and I stopped, shoved the plate and the towel at him, and ran to a keyboard because I realised what the problem was.

Reader, I cannot. I can’t talk about what happened to senior women in cybersecurity during the pandemic because they’ve all disappeared. 

It will be decades before the career gaps experienced by women and primary caretakers during this pandemic are fully erased, and we’re back to the “normal” gender pay gap. 

During the pandemic, every technical woman with children I know has stepped back from her job. Every single one. She’s already being paid 81% of what her male spouse is being paid, if she’s a married parent. Women who are primary caregivers are buried in childcare, family care, and the absolutely never-ending drudgery of cleaning the house. Their spouse makes more than they do, so it makes sense that if one spouse must pull back from the workforce, it should be the one making less money.

It’s a cruel and economically inefficient joke that during this worldwide pandemic, the women and non-gender binary people who have the most to gain from upskilling and negotiating new salaries and charging ahead in the workforce—because the difference between their realised and potential values is so much greater due to discrimination—are the ones losing the most ground. 

In the early 1990s, Nobel Prize-winning economist Amartya Sen posited that there were more than 100 million missing women in the world based on sex-selective abortions, undereducation and health care provision to women, and a multitude of factors that prioritised the health and education of boys over girls. As academics, professionals of all kinds, essential workers and health care experts are again noticing that women are going missing, we have to ask ourselves: so what? Why does it matter that women are missing from cybersecurity? 

I have pointed out that the potential gains in efficiencies in salary and benefits for women being properly compensated are far higher than for men. But without the perspectives of diverse professionals in cybersecurity, gaps and problem spaces remain unidentified and, statistically speaking, are larger than they would be with the active participation of all the potential perspectives in the field. Inventions arising out of mixed teams, or women-only groups, appear to have wider technological breadth (and may therefore be more economically valuable) and higher impact from a technological viewpoint than those in which only men are involved.

What can we do to solve this situation?

  1. When vaccines for COVID-19 come out, lobby to have child care workers in as early a priority tier as possible, in order to support primary caregivers for children and families (most of whom are women) to have an outsized impact on economic gains.
  2. When hiring and creating leadership roles in the next decade, acknowledge women and primary caregivers/workers as being so essential that human beings couldn’t do without them, let alone companies. 
  3. Make your protections against groupthink in your organisations robust and antifragile by ensuring that you have more than one diverse voice in each section/team/location of your organisation. Millennial men expect to spend as much time as their spouses on child and family care, so don’t be surprised if requests for family leave come from an unexpected quarter. Hire, promote and sponsor multiple people from all parts of society, education and the gender spectrum to strengthen your organisation’s impact and resilience.

Finally, none of this is fair. Stop trying to make it fair: instead, try to make your solutions just and robust. No single organisation can fix all of the horrors and unfairnesses visited upon women and families during this period of global mourning and recovery—but each person can choose to see the future as different than the track we are on now. Women belong everywhere in cybersecurity to make the world more efficient, to make problem space more known and to keep the world safer than it would be without our voices added to the chorus.

NATO, We Want To Go To War With You

Originally on Foreign Policy, December 22nd, 2020.

Wargames can provide essential cybersecurity training for soldiers. But they won’t succeed unless the players confront real, independent hackers.

Photo caption: A member of the hacking group Red Hacker Alliance uses a website that monitors global cyberattacks on his computer at their office in Dongguan, China.

In recent years, NATO has begun to incorporate some innovative new cyberwarfare games and exercises into its annual wargames. But there is something missing. If NATO wants to see what nation-state hacking is like in the chaotic multiactor online world, it needs to practice fending off some actual hackers.

In mid-November 2020, NATO conducted its 13th annual cybergames in Estonia, with about 1,000 participants and observers from 33 states. Through the five-day exercise, NATO simulated an attack against the fictional nation of Andvaria as well as defending against a cyberattack on a NATO member state’s critical infrastructure. NATO specifically allowed and requested participating nations to practice working together in cyberspace and, for the first time, ran the entire simulation virtually due to the pandemic.

This was a wonderful opportunity that NATO mostly seized. Moving the games online meant that every connection, every network, every target machine could be tested and at realistic and differing levels of vulnerability. But in some key ways, the scenario played through by the various countries’ militaries did not reflect the actual state of the world during the pandemic. The most recent U.S. Treasury and Commerce Department hacks and the still developing U.S. National Nuclear Security Administration hack show how in the cyber-realm, everything, including civilians and weapons of mass destruction, is a target.

Wargames have been used for centuries as a way to train and improve on military strategy. NATO tried to replicate the online nation-state world by engaging with military and national security institutions using tried-and-true wargame planning. However, retrofitting the two traditional wargaming models—either assuming perfect knowledge of the enemy or re-creating 200-year-old Napoleonic and Prussian campaigns—into cyberspace simulations just does not work. In the cyberdomain, the fog of war can be exponentially greater, cyber-capabilities can be more completely hidden, and the enemy is using brand-new tactics.

The reality of the online world is much more chaotic than the NATO simulations presume. There are independent actors, cyber-criminals, white hats, respected security firms, broken infrastructures, country-sized firewalls, a massive and messy differential in power between the largest and smallest actors, and all the chaos of artificially intelligent tools that can automate overwhelming attacks based on leaked personal data.

Unfortunately, NATO does not include nonstate actors in the annual cybergames. This creates three problems. First, there is no guarantee that an attack will come from uniformed soldiers of a hostile country. Bad actors will use whatever low-cost hacks they can find, make, buy, or steal.

Second—and crucially—defending cyberspace requires people who think differently. Even the U.S. government has reached out to hackers to staff up agencies such as the FBI and National Security Agency, realizing that traditional information technology education does not produce innovative offensive security researchers. Limiting contributions to active military and public sector employees will result in a certain amount of groupthink. It is critical for NATO to include nonstate actors, independent researchers, and respected industry experts (who aren’t solely military contractors trying to pump up weapons sales by sponsoring these wargames).

Third, we in the cybersecurity community have been aware that civilian medical facilities and research stations have not only been fair game but the primary targets of international bad actors for half a decade. After we saw vaccine research stations targeted by North Korea and others at the beginning of the pandemic, we in the industry and the cybersecurity community predicted repeatedly that vaccine production would be targeted by nation-states, and we are now seeing evidence in recently reported successful espionage attacks on Pfizer and BioNTech facilities that we were correct. NATO should include in their cybergames the kinds of urgent current events we are already seeing play out in the news.

In the past, NATO has been caught off guard when its cyber-exercises failed to account for real-world attackers. In October 2018, 50,000 soldiers, sailors, and pilots from 31 countries simulated war off the coast of Norway. NATO’s Operation Trident Juncture did not include cyberattacks in the wargames at all—until real-world Russia actually began jamming the real GPS systems of the conventional weapons being tested on the battlefield as part of the simulated conflict.

Everyone planning the games had previously agreed on the polite and necessary fiction that the computers embedded in their vehicles and weapons—and managing their air, water, fuel, targeting, and health—were not permissible targets in this engagement. Russia’s behavior highlighted the absurdity of NATO excluding the cyberdomain from conflict simulations. Even after this real-world mid-scenario attack, NATO has still not incorporated the randomness of actual cyberspace in its simulations.

Recent attacks on vaccine production facilities show how failing to model cyberthreats appropriately will come back to bite you, and we predict that medical facilities will be a popular target for cyberattackers in the future.

Therefore military and government cyberdefense forces should use hackers’ skills and noninstitutional creativity to help predict attacker tactics.

The organizers of future wargames need to recognize that having independent experts see and participate in wargames means the ability to model opponents other than nation-states, test the scenario and the network under use from a fresh perspective, and ultimately make for a stronger training outcome. Cyberwar is new, and soldiers who have been conditioned to see only clearly delineated battlefields will enjoy the challenge of needing to think orthogonally, strangely, and innovatively.

It is important to build NATO’s ability to monitor, manage, and conduct cyberwar because these simulations often lead to a de-escalation of conflict after capabilities become known to the players (and their potential opponents). The same quality that makes cyberwarfare so rapid and difficult to detect—its relative cheapness in terms of cost and time—also makes it much easier to simulate than naval warfare, for instance.

The international information security community is filled with smart people who are not in a military structure, many of whom would be excited to pose as independent actors in any upcoming wargames. Including them would increase the reality of the game and the skills of the soldiers building and training on these networks. Hackers and cyberwar experts would demonstrate how industrial control systems such as power supply for refrigeration and temperature monitoring in vaccine production facilities are critical infrastructure; they’re easy targets and should be among NATO’s priorities at the moment.

Diversity of thought leads to better solutions. We in the information security community strongly support the involvement of acknowledged nonmilitary experts in the development and testing of future cyberwar scenarios. We are confident that independent experts, many of whom see sharing their skills as public service, would view participation in these cybergames as a challenge and an honor.