Ontario Library Association Super Conference 2025

I feel great shame. I wrapped up this year’s Ontario Library Association super conference a few weeks ago, but my Kawasaki needed me and I’ve been neck deep in engine heart surgery instead of reflecting on this fantastic conference. Mechanics that my life depends on is sufficiently engrossing.

This reaction is (in part) happening because I have begun the process of separating myself from my decades-long role in Ontario public education. I’m still committed to changing the system but it isn’t, and it has processes in place to remove any foreign contaminants that try to change the status quo. I suspect my ‘innovative’ approach has led to some early constructive dismissal. In talking to other refugees from OntEd who tried to change it and found their return unwelcome, this is a systemic mechanism across all school boards. All that aside, here are my reflections from OLASC 2025.

 

This was my second go at the OLA Super Conference; I last went in 2023. This year, like the former one, was remarkably emotional. You can’t help feeling that these are the front line people trying to hold civilization together even as it seems determined to tear itself apart. I’m left dizzied by the size of the fight against them.

Tech billionaire oligarchs are leveraging bottomless resources to direct a biblical flood of idiotic panic mongers who are happy to churn out disinformation that buys political victories. Once in power they have the tools to dismantle the critical thinking based education that we all used to aspire to.

Nothing is easier to incite than ignorant, misinformed, angry people. Our tech overlords have designed systems that encourage propaganda and reduce people to shallow, self-contradicting talking heads. I’ve been struggling to get pedagogically meaningful digital literacy into more classrooms throughout my career, but I’m beginning to realize that this is contrary to the direction society is going. Swimming upstream against this big money gets tiring in your mid-fifties.

Libraries standing against this political onslaught are having their resources systemically cut because libraries are precisely the institutions we designed to stop this sort of thing. How do you win such a one sided fight? I’m beginning to think that the democratic elections being gamed by this process can’t produce governments capable of stopping it, and I’m getting all Asimov-Foundations about it. Perhaps it’s time to save what we can for civilization until we start rebuilding again. And yes, these are my thoughts as I watched the Ontario Library Association standing against book bans and funding cuts.

Belief in the mission is one way to keep up the fight, but everyone seems worn thin by the effort. Keeping a strong front becomes difficult when your allies dwindle and everything you’ve built around literacy and critical information analysis is dismissed as meaningless. We live in interesting times. Being able to tie one on at the evening social with the brilliant women leading this fight was a highlight.

Carol Off’s closing keynote was earth shaking. I wish they’d put it out so more people could hear it. Her retirement from As It Happens on CBC coincided with the rise in hate and division we’ve seen around us. Her talk cut to the quick describing the mechanics of this nastiness in vivid detail. It was a much needed rallying cry even as the barbarians hammer at the gates.

***

I’d signed up to present at the conference because I wanted to demonstrate (rather than just talk about) the importance of government, civil society and industry working together for our mutual cyber well-being. If you think that’s not a priority, 2025 is only a few weeks old and dozens of Canadian school boards have already been crippled by cyber-attacks, most of which depend on clueless users to get in. The vast majority of our cyber woes are a human education problem, not a technical one.


While we were at the conference one of Ontario’s bigger urban boards was off-line due to another cyberattack. This persistent problem isn’t just affecting school boards. The automated nature of cyber attacks these days has clueless criminals with no technical skill buying ‘cyber-crime as a service’ (CaaS) that lets them launch hundreds of cyber-attacks to see which one sticks. This is why you’re seeing a rise in attacks on organizations that make no sense, like libraries. As a result, this year at OLASC and in addition to our talk, there were multiple well attended presentations focused on getting libraries and their patrons better cyber-defended. I wish Ontario school boards felt the same way, but they prefer to play victim rather than solve the problem.

In the spirit of cooperation I reached out to many cyber organizations, but the common response seems to be a shrug when you’re sitting on a comfortable amount of funding, which isn’t very mission driven of them. I did connect with Debra at Knowledgeflow who is nothing but mission driven and she worked tirelessly to help build our collaboration in a country designed against working together. This ended up being our pitch for the talk:


To demonstrate the width of our collaborative approach, Marie at the Canadian Centre for Cyber Security joined our motley crew along with Cheryl from Cyber Legends. This gave us a full complement of cyber expertise from federal government, civil society and private industry. I can only shake my head at the many other not for profits, industry and provincial organizations who weren’t interested in participating because they’d rather just do their own thing poorly. Gaps caused by these little fiefdoms are why Canada is considered a prime target in global cyber-crime circles.


You might think that school boards are ‘doing’ cyber education locally, but the material I see (if there is any at all) is reductive, outdated, performative and not at all pedagogically valid in terms of teaching skills. Most of the cyber awareness stuff being trotted out locally looks to be made by people with no background or experience in cybersecurity. In many cases the cringy media they produce doesn’t look like it was made by anyone with an instructional background either.


Cybersecurity education needs to be developed by qualified people and delivered with best pedagogical practices in mind if we’re to get at the prickly subject of digital safety. A reasonable expectation would be that this outreach produces a demonstrable improvement in real world cyber-safety skills in both students and staff as evidenced by a substantial drop in the neverending reports we’re getting about school boards being hacked. You can tell what we have isn’t working by simply looking at the headlines.

Until we stop handing this off to “a guy in IT” or a relative of administration who is “good with computers”, we’re going to keep making these headlines.

Debra has this slide up in our presentation and suggested that these kinds of systemic failures aren’t something that individuals can influence, but I disagree. If the vast majority (research suggests over 80%) of breaches are caused by someone clicking on something they shouldn’t and letting criminals in past otherwise effective defences, then a skills based approach to cyber-education would also reduce these kinds of headlines!


Our talk can be found here: https://knowledgeflow.org/wp-content/uploads/2025/01/OLA-Conference-Cybersecurity-Isnt-a-Scary-Word.pdf and includes piles of material designed by cyber specialists. Whether you’re working with post-secondary, K-12 or even with adults, you will find credible material designed to teach actual cyber skills rather than questionable performative marketing material that checks a box.


The talk went very well in front of a full house and many stayed afterwards to get contact information and talk about next steps. This kind of outreach is essential if we’re to turn the tide. I wonder where all the other catalysts for cyber in Canada were that morning.

***

After our talk I popped over to a presentation on the role of AI in student research:

Diana and Kim took on a subject that alternately instills fear and provides hope for a better education system. The fact that we’re turning to machines to create better educational outcomes is (I would suggest) because the humans doing it have given up on that responsibility themselves – which speaks to my main concern with AI: if we let it replace us it will, and that won’t be better.
 

Kim and Diana started with a look at how relationships with AI have changed over time through media, and then got into the nuts and bolts of critical uses in process driven learning. If every educator approached teaching with the same lens we wouldn’t be worrying about AI’s influence on an education system that has remained mired in a pre-information revolution mindset. The humour and honesty were much needed and helped clear away all the edtech marketing clutter which has become a roar in the last year.

The inconsistencies in the edtech AI sell are difficult to make sense of. No AI for students, but teachers can happily use it to replace even core human activities like reporting on student learning? This is going to end well.

If you think the solution is to ban AI you’ve missed the boat while also putting your students in real cyber-peril. The ‘free’ VPNs that students use to get around blacklisted sites on school board wifi are anything but free. The shady organizations (mainly criminal) that pay for this bandwidth get a chokehold on a user’s data. Imagine school boards saying they aren’t going to run buses any more but at the same time a stranger in a white van pulls up and offers them free rides. Schools do nothing to stop the white vans lining up at the front of the school day in and day out; same thing.

Students *are* using AI in their school work and I think they should if your assignments are still final product nonsense stuck in the idea that information is difficult to find (like it’s 1985). If you’re assessing process, AI is a powerful tool for enriching student thinking. If you’re still handing out assignments that only describe the final product you’re looking for that students can drop into an AI that will spit out an answer you think is real, then AI plagiarism is what you deserve. There was a moment in this year’s Davos talks about it:

Go to 40:52 if the video doesn’t automatically.

The worst thing we can do is ignore AI or think that board IT that can’t stop breaches can stop AI from being used. This head in the sand thinking is exactly why we’re in a multi-generational digital literacy crisis that is crippling democracies and making it impossible for young people to find work. Reaching for an emerging technology like AI that demands so much inter-disciplinary digital infrastructure to operate (none of which most people have a first clue about) is like reaching for a nuclear reactor when you’re learning how to start a fire, but that’s exactly what we’re doing.

I made a point of attending talks on cyber attack recoveries to understand how mature public library policies are around dealing with them (rapidly improving because they had to is the answer). Of interest was a comment from the Toronto Public Library head of IT who mentioned that their outage resulted in a huge spike in users accessing their terminals when it finally came back on, underlining the important role public libraries play in helping many Canadians cross our widening digital divide.

There is still room to improve though, and even when an organization recognizes the need for a cyber skilled approach to breach management they seldom want to consider putting anything towards cyber in a preventative manner.

A heartwarming moment on day two was seeing Joseph Jeffries and Jennifer Casa-Todd recognizing the yawning digital skills gap in our education systems and tackling digital skills head on with the Canadian School Libraries. Seeing this happen across provincial lines gave me hope as this doesn’t happen a lot in the true north siloed and self-interested.

Though they had a first thing in the morning slot they brought together a room full of educators from coast to coast and got everyone thinking about the many skills that fall under the auspices of digital fluency. For a long time there was a reductive approach that believed that putting coding in the curriculum would solve all our digital woes, but this is like studying grammar and spelling closely and then assuming it will produce literate people. There is a reason why we call it digital literacy and not digital skill. The latest fad is computational thinking, but again this is reductive. The skills needed to build a network, program an IoT sensor or resolve a breach are very distinct.

Like traditional literacies, digital literacies are interdisciplinary and complex. Some are more technical than others and some are more media adjacent, but they all have to be developed if we want to start producing digitally fluent graduates. The OSLA/CSL digital skills toolkit will be a good step in that direction, especially as we’re all fixated on grabbing the latest magic fruit to fall from the digital tree.

No regrets about attending OLASC this year. It was heart breaking and warming all at the same time. If we ever see the superconference quietly disappear, civilization is sure to be next.


Cyber Resilience: the evolution of cybersecurity beyond the technical

Navigating a Generational Digital Skills Crisis

The World Economic Forum’s Centre for Cybersecurity recently (Nov ’24) released a white paper called Unpacking Cyber Resilience. The goal of this paper is to redefine digital information security (currently called ‘cybersecurity’) beyond the technical box it currently sits in.

Digital transformation has forced unprecedented change in all aspects of our lives, yet digital literacy has remained at best an afterthought in education even as education systems across the world embrace mandatory eLearning and place students in online learning environments from the earliest grades. Our failure to recognize digital fluency as a foundational skillset has resulted in a generational global digital skills crisis demonstrating shocking digital habits that are the main cause of an epidemic of cybersecurity breaches. Hiding cyber in a technical bubble is probably both a reaction and the result of this mess.

WEF’s opening remarks in the Unpacking Cyber Resilience white paper describe an expansion of cyber awareness using business language that many educators will use to say, ‘that’s not our job!’ (i.e.: training students for workplace readiness), but this digital illiteracy also damages our democracies by destroying our trust in institutions, creating disinformation echo-chambers that erode public discourse and also preventing us from accessing trustworthy news sources. Surely some of that is the job of public education?

“The digital transformation continuously reshapes and evolves businesses and governments. The primary goals and objectives of organizations are often supported by business processes that are critically reliant on digital technology, commonly without any analogue alternatives. While primary goals and objectives will differ between organizations, they will always include the protection of critical service delivery, stakeholder confidence and the principle assets that underpin value and position in the market. Achieving true cyber resilience is fundamentally a leadership issue, and is paramount to retaining shareholder value.”

– Executive Summary, Unpacking Cyber Resilience

Those ‘business processes’ underlie all aspects of modern life, including those in education. School boards call their operational network domains ‘corporate’ because it’s lifted from the same digital systems that support business and government. Educational operations aren’t digitally distinct from those in the public and private sectors, they’re the same technologies but with higher security needs because they collect the data of minors (and their families) on a massive scale. Putting employees and students onto these systems without teaching them fundamental digital literacy is akin to putting them in a car and hoping they’ll drive it without having an accident.


WEF’s efforts to reframe cybersecurity are important because there aren’t many aspects of our lives left that are independent from networked information technology. This dependence is absolute because the analogue processes that preceded digitization have been jettisoned with a promise of cost savings. We live in a world run on ICT where almost no one understands ICT.

Cybersecurity is a particularly difficult nut to crack because it is an interdisciplinary field of study that exists within a larger framework of digital expertise that very few people possess. Cyber also suffers from being the edge of digital where zero days and emerging technologies can have devastating impact. Instead of building stable systems that then change slowly over time, cyber stares into the edge case abyss where you not only need deep digital fluency but also a willingness to step into the unknown.

If we address digital skills at all in education it tends to be a rote coding plug-and-play edtech solution. This one and done approach fails to recognize the complexity of digital literacy.


The Evolution of Digital Information Security


The idea that ‘cybersecurity’ was the final conception of this rapidly evolving field demonstrates a lack of understanding both in how new it is and how quickly its scope is changing. For a long time the cool kids on the West Coast hated the term cyber and created a lot of political tension in a field that was barely conceptualized. You know you’re in trouble when the people doing the thing can’t even agree on what to call it. If you take a step back and look at how things have evolved over the past four decades you begin to see the broad strokes of digital information security:

For many even what to call cybersecurity was a sticking point. The good news is that if you don’t like it now, it’s already moving on. From WEF’s Unpacking Cyber Resilience.


One of my favourite early graphics pushing back against the framing of cybersecurity as a purely technical field of study was this one:



Not because it’s complete, but because it reframes cybersecurity in a multi-dimensional manner. Through my coaching of student teams in cybersecurity I’ve found that a mix of talents is much more effective than a group of identical ‘head-in-the-machine’ types deep diving the technical. That skillset in cybersecurity could be parallelled by a lawyer or surgeon who is doing the point work but is surrounded by specialists with varying skillsets that allow the technical resolution of problems to happen. Can you imagine someone saying that the only people in the medical professions are surgeons, or the only legal professionals are lawyers? These more mature disciplines have a wider understanding of what’s necessary to do the work. Clinging to this lone haxor fixation has been one of the mechanisms used to keep cyber a male dominated profession for far too long.


You need team members with organization and communication skills or the technical discoveries get fumbled between detection and response. You also need researchers and admin who understand what everyone is doing so that they can provide resources where needed. Those skillsets are essential to a cybersecurity operation, even a predominantly technical one, but the world of digital information security has expanded far beyond even that scope.

I wrote about this a year ago in a Cybersecurity Secret Sauce post. At that point I was still arguing for better technical training in cyber, but that’s the tip of a digital skills iceberg that leans on abilities often ignored in STEM education. The creativity and self-direction demanded by the edge-case nature of cybersecurity is more often found in the arts. My strongest cybersecurity teams included a mix of students from a variety of disciplines, and the very best were also wildly neuro-diverse. Reframing the field to cyber resilience opens the door to those alternative and much needed talents.

Considerations of inclusion are often framed as charitable, but in this case diversity was a genuine performance enhancer, especially once I could convince non-technical students that they had a place on a national championship bound cybersecurity team. STEM education does a great job of selecting out creative thinkers early on. Hopefully reframing to cyber resilience ends this gatekeeping.


Cyber Resilience Reframing Digital Information Security


Multidisciplinary collaboration is a force multiplier well beyond blue teams doing competitive defensive work in capture the flag exercises. I should add here that no one should avoid a hackathon or cyber-defence competition because they are afraid they don’t have the hands-on technical skills to do the hacking for a couple of reasons:

CyberTitan Top Defenders in 2021 had diverse and complementary skillsets.

1) The detective process for determining damage from a cyberattack is remarkably intuitive and the best way to learn it is to watch someone who has developed this intuition display it.


2) If you have half a dozen haxors all digging into a hacked system and attempting repairs at the same time you have chaos, so it’s typical to have one operator in the system while others support them. Again, think of the operator as a surgeon with a team of supporting talents around them and you begin to see how even technical cyber needs diversity.

Even in technical cybersecurity, team based/complementary skillsets are the norm. Attempting to solve the global cybersecurity skills gap by minting as many hands on cyber-operators as you can misunderstands the needs of the field, especially with the onset of AI automating basic tasks.

Cyber resilience recognizes the diversity of expertise needed to create functional digital information security. Another example of this expansion is in international collaboration. You can’t work across languages and cultures without being eye to eye on the technical aspects. The work I’ve done this fall around cyber diplomacy both in DC and the DR has shed light on this emerging field and the importance of us understanding the same terminology. You’d think this is how things are done but training is often rolled out by insular regional interests who (incredibly) often lack an understanding of the subject and don’t give much thought to national let alone international collaboration. You can’t work together defending against cyber attacks when you don’t share common understandings. The work Global Affairs Canada has done in providing internationally recognized industry certifications for developing countries is a great example of this in action.

Hundreds of people from dozens of countries all working together on cyber resiliency at the GFCE annual meeting in Washington DC in September, 2024 (I’m on the left).

From talking to the newly minted director of cyber at GAC to presenting on emerging technology disruptions in cyber internationally, I’m more aware than ever of the challenges in creating global connections encouraging cyber resilience. Unless we align our terminology and technical awareness we cannot communicate and collaborate effectively. In our one sided world of digital defence where they only have to get it right once but we have to get it right every time, this is a recipe for disaster. Without collaboration and cooperation there is no way organizations can defend against the asymmetrical nature of cyber attacks, the largest of which have the funding of nation states behind them. 



Hope For The Future


Locally, I hope that reframing cybersecurity to cyber resilience means more leaders begin taking it more seriously, especially in education. But even cyber resilience remains problematic because it is hidden inside a larger digital literacy crisis that has grown to such a degree that many in education ignore it rather than recognize the cross curricular damage it is doing, not to mention the societal damage it is doing to our democracies.

Nationally, I hope that cyber resilience creates more diverse pathways into the field. I would love to see the absurdly privileged ‘comp-sci degree’ base expectations disappear (this is the equivalent of saying everyone who works in the field of law has to be a lawyer). Cyber resilience isn’t for specialists, it’s for everyone and I hope this reframing encourages more diverse skillsets to engage with it.

Internationally, cyber resilience is where emerging fields like cyber diplomacy and multi-country partnerships grow. If we want the benefits of digital transformation to be available to everyone while relaxing the grip of surveillance capitalists and ensuring our democracies are functional, critically looking at how we compartmentalize digital literacy and opening them up to reinterpretation is essential. Digital technology is only accelerating and clinging to old frameworks makes no sense.




NOTES

The idea that we can resolve a lack of cyber skills when they hide within a much larger digital illiteracy crisis has caused a lot of frustration in cyber training. Teaching information security awareness when users lack basic digital skills is akin to attempting to teach Shakespeare to people who can’t read.


Rather than base your cyber stance on this impossible situation and watching training fail to stop the vast numbers of breaches digital ignorance causes, reframing cyber resilience through a human risk management lens reveals a more effective tactic. If people are the weakest link (and they are), don’t expect their illiteracy to be an easy fix. Leveraging a wider human risk management approach lets you ensure safety regardless of how digitally clueless your users are.


“In 2024, the idea of human risk management shifted from concept to reality as frustrated CISOs looked for solutions beyond security awareness and training to make real change.”


The EU isn’t hanging around: The Cyber Resilience Act


The Organization of American States’ Caribbean Regional Cybersecurity Symposium DR 2024

*** Simposio de Ciberseguridad de la OEA

Cyber Pirates of the Caribbean.
Sorry, couldn’t help myself.

In September I got an invite to sit on a panel at the GFCE’s annual meeting. Then the Organization of American States got in touch and asked if I’d sit on their emerging tech panel at the regional pre-meeting. I guess that went well because they then asked if I’d be willing to cover for their quantum cyber specialist who couldn’t make a Cybersecurity Symposium in the Dominican Republic at the end of the month. My approach to this sort of thing is to always say yes; that’s how I found myself in Ghana last year.


Most people think of Punta Cana and an all inclusive week on a resort when it comes to the Dominican Republic, but I was headed to Santo Domingo which can be a bit rough around the edges. It was an intense week of coming to understand the cybersecurity needs of a region facing the results of climate instability head on while also rapidly developing their digital economy.


Our panel was set to go on the first day, which was good – I like to get them done sooner. Co-panelist Heather happened to be coming in on a flight right behind mine so we met at the airport and shared a cab across the city to the hotel. Having not eaten since 5am, I sat in the empty hotel restaurant and ate a poor club sandwich that cost an eye watering $30USD while wondering what I was doing here. There is nothing like hunger and exhaustion to make you doubt yourself.


I finally got into the room and collapsed for a couple of hours and awoke feeling more like my usual, confident self; food and rest resolves most anxiety. I went for a wander around the hotel and found Heather on the pool deck watching the sun going down (dramatic sunsets in the DR). She works in AI research and we had a good chat about how it’s being used in cybersecurity and both left with enough context to take on the panel in the morning.

Our moderator got switched right before the event but Donavon was agile, knowledgeable and did a great job chasing down themes as they came up rather than following a script. The conversation dove into AI but also left space for IoT and quantum in a cyber context.

I came away from the GFCE event in DC earlier in the month cognisant of the need to keep technical detail out of these kinds of high level talks, especially if you’re talking to most of the people in the room through a translator. The technical side of cyber isn’t necessarily what you need to focus on because it doesn’t really change how most people interact with it. An easier to grasp example might be to ask if you need to have a strong understanding of the metallurgy involved in casting your car’s engine in order for you to drive it. This isn’t to say you need to simplify to the point of absurdity, but getting into the technical weeds tends to be an academic back-patting exercise rather than being helpful to the audience.


On this panel (as I’ve done in all of them), I don’t pretend I’m something I’m not. I’m a teacher, an I.T. technician and a cyber operations instructor and often refer to anecdotal cyber teaching situations to land a point. People seem to appreciate this approach because presenting material as a teacher is something everyone can relate to, and there is enough intellectual intimidation in cyber as it is. There is also enough marketing misinformation that a clear eyed, educationally focused approach resonates.

Our talk mainly focused on artificial intelligence but quantum did get some airtime, though many questions (as at the GFCE) orbited the complexities of trying to teach cybersecurity. As mentioned at the Serious Play Conference in August, teaching a subject that few people have the basic digital media literacy to even contextualize is a challenge. The fear that arises from this ignorance is real and makes teaching cyber especially difficult.

I’m always conscious of the Canadian perspective I bring to an international event like this. Canada seldom participates at the international cybersecurity events I’ve attended. We fund a lot of them (including this one), but finding Canadians willing to make the trip and talk the talk seems difficult. I was the only Canadian on any of the panels at this one too though I’m hoping to change that. If international cooperation is about relationships, having Canadians talking at events like these is paramount.

When asked about IoT threats I brought up two Canadian instances that resonated with the room (I was asked about them repeatedly across the week). One was my visit to the Canadian Institute for Cybersecurity in Fredericton last spring which included a look at their IoT lab. The curiosity this generated has me wondering if an OAS event in Fredericton at UNB wouldn’t go amiss. Does Canada ever host these things?

The second Canadian cyber challenge was the rash of car thefts Canada is experiencing. It’s tempting to define this under traditional criminal activity but these are new vehicles with ‘state of the art’ electronics that are being hacked, making this an IoT cyber problem. When you know enough about cybersecurity you start to think differently about how it’s integrated into your day to day life. My cunning solution is to drive manual vehicles that are ‘pre-smart’. They’re unhackable and also undrivable for most thieves. If you don’t expect technology to do everything for you, you’re not beholden to its weaknesses.

With our panel in the rearview, I made it a point of understanding the context through which Caribbean and Latin American states are tackling cybersecurity. Our very nice hotel provided bottled water because you’re not supposed to drink what comes out of the taps. It’s astonishing to me that people without available drinking water are going after digital transformation and the cybersecurity that enables it, but if you want to participate in the 21st Century economy that’s the price of admission. Perhaps digitization will solve the water problem too.

One of the first speakers at this event did a deep dive into misinformation and how it is generated using the latest in deepfake technology. Extremists are using this tech in propaganda campaigns. The corrosive effect this has on our shared media is interesting. I had a number of chats with Daniel throughout the conference and discovered that his motivating interest is in the nature of online communities and how they work in terms of social norms and expectations. This kind of decentralized, narrow (as opposed to broad) band media transmission is becoming the new norm, yet no one seems to be teaching how it is influencing society in media theory classes. It’s something I want to go after in terms of updating digital media education in Canada.


The theme of the symposium was “DisruptX: Redefining the future of cybersecurity in Latin America and the Caribbean”, so many of the talks revolved around the impact A.I. is having in cybersecurity. As in most places, it’s a force leveller. People writing phishing emails now write with perfect grammar and spelling, and don’t use form letters anymore because AI can generate targeted, articulate messages specifically for individuals. This enabling of cyber criminals by automated systems targets our existing cyber-illiteracy, but that’s just the tip of the iceberg. Automated malware as a service can be purchased by anyone who can turn a computer on. The days of technically talented hackers are far behind us as AI serves to elevate anyone looking to cause problems through online communications.

To further complicate the landscape, you’ve got state actors (including world superpowers) performing offensive cyber operations against governments, businesses and even individuals. At this cost-no-object end of the spectrum you’ve got cyber militaries operating on budgets in the billions possibly taking aim at your company or government. If you’re a developing economy with minimal digital infrastructure, how do you possibly keep it secure against that? The short answer is you don’t, sometimes you just get pwned.


OK, so what do I do, you ask? You’ve got a couple of options when it comes to protecting your internet facing systems (in this case critical systems that make society work and provide things like electricity):


1) Put money up front building the most secure network you can, but this requires talented people who are in short supply (the cyberskills shortage isn’t just happening in Canada). It also means paying up front for something that hasn’t happened yet, and can’t be guaranteed secure no matter what you throw at it. The case for preemptive cyber capacity building remains a struggle and not just in the Caribbean, it’s a problem in Canada too.

2) The other option is to design full backup systems so you can recover when the inevitable happens, but this too requires technical talent, forethought and a willingness to invest in the future – all aspects of cyber that humans everywhere struggle with.

Like the GFCE event in Washington, a lot of time was given to thinking about governance and policy. These frameworks are vital, especially if we want to push back against the human nature that isn’t likely to invest in anything precautionary, but the nature of cyber means also needing to be proactive and agile because of the asymmetrical nature of the threats.

I hope there is room in policy and governance to ensure that there are resources left over to support this kind of agility. This work often happens in companies and government agencies rather than in university research labs and needs to be more accessible to the people on the ground doing the work. So much of the research funding in Canada is tied to post-secondary institutions. Agile action research in cyber by practitioners rather than academics is essential if we’re to retain any ability to deal with emerging threats in a timely fashion.

This confusion around the nature of cybersecurity (is it an apprenticeable skillset or an academic pursuit?) is another one of those evolving understandings still somewhat out of focus as we come to understand what cybersecurity is. It was nice to see one of my favourite cyber graphics come up in one of the first RICET education talks reminding everyone that cyber is a complete field of study ranging from apprentice-like hard technical roles to academic legal and human facing work in subjects ranging from HR to education.

Like any other field of study, cybersecurity is full of nuance.


*** Extracurriculars

Fascinating conversations and an opportunity to network without a schedule or talking points. These ‘extracurricular’ evening events are often the most informative!

The conference had a couple of extracurricular events where I often hear the most enlightening things. A delegation from the South Pacific was attending this event with the thinking that they are facing many of the same challenges that the Caribbean states are. Tim from the Cook Islands and I had many great talks about the sudden change they are going through. About two weeks before the conference Elon flipped a switch and suddenly everyone on the islands could afford high speed internet for the first time through Starlink. The rest of us have been in the digital pot as the heat has been slowly turned up over the past two decades and don’t realize it’s boiling. Can you imagine going from 90’s dial up to 2024’s AI/social media/fake-news cyber-nightmare in one week? Tim’s managing the IT there. Someone should be writing a book about this time travelling digital experiment.

The fortress in colonial Santo Domingo at sunset. The DR’s relationship with its past, like Canada’s, is complicated and unfinished.

On the final evening they took us out to the colonial tourist area and a look around Fortaleza Ozama. Being me, I found watching the chaos of the evening commute around the castle distracting. Like the evening social the night before, this was an opportunity to chat with people working in cyber from many different perspectives. I’d run into Franklin from Suriname who I’d met in Ghana last year and we picked up right where we’d left off. Suriname is about to go through some dramatic changes.

When you find yourself having a drink with the head of Mastercard’s security division and the entourage from Colombian cyber, you wonder how you got here. Tim from Cook Island’s wife messaged him asking what he was up to now. His response was, ‘I’m drinking rum at a castle at sunset!’ Indeed.

The trip included a projection onto the fortress of the DR’s history. It reminded me of the projection show they were doing on the Houses of Parliament in Ottawa a few years ago and raised some interesting questions about how digital is insinuating itself into island life.

The seemingly incongruous VR experience at the fortress was complemented by animated digital projections throughout, to the point where it was easy to forget you were in a centuries old fortress, which is the point of being there, isn’t it? A few times in the conference the corrosive effect of AI on regional culture was noted (AI’s fixation on large datasets tends to stamp out anything but the biggest producers of data). I suspect digitization (itself a byproduct of globalization) has a generally corrosive effect on people’s ability to be where they are. We spend an awful lot of our time taking photos to share online instead of being where we are (like the ones in this post? -ed).


*** RICET

The final day switched gears and became RICET, the Regional Initiative for Cybersecurity Education and Training, put on by the OAS and Florida International University. This focus on education and training is essential if we’re to establish sustainable and effective cybersecurity.

I’ve said it before and I’ll say it again, the vast majority of cyber incidents are the result of human failure. No matter how you want to frame it, our current cyber woes arise from a multi-generational failure to develop effective digital media literacy of which cybersecurity is perhaps the most interdisciplinary and complex because it’s all about the edge cases. You can’t hack something you don’t fundamentally understand.

We’ve been fixated on coding as a solution to the digital skills crisis, but digital media literacy is about much more than coding. In cyber you need flexible, stochastic approaches with familiarity across a much wider range of digital technology. I’ve met too many compsci specialists who are sidelined by simple technical issues to believe that this is the epitome of digital literacy. I also heard the dreaded term ‘digital native’ during some of these talks, but I’m not going to get into that nonsense again here.

RICET panels talked about the usual worries around the lack of talent, though like everyone else they spent much of the time on bandaid solutions like adult retraining instead of looking at strategic fixes like implementing nationwide cyber skills talent discovery and development in public schools that would not only address the user negligence problem, but would also resolve our cyber-professional shortage.

We’ll never resolve this global digital skilling failure with stop gap solutions. We need both short term and long term strategies, but like the funding for seemingly obvious things like network security and data backups, getting anyone to fund that future is a struggle.

Watching these earnest cyber developers working on shoestring budgets trying to make this work while Canadians literally watch drinkable water go down the toilet has me wondering why we face so many of the same challenges they do. On my way back home I messaged a colleague in cyber education and lamented the fact that cyber expertise in Canada seems to be more about marketing than it does cybersecurity. I summarized the problem with genuine cyber-education in simple terms: there’s no money in it. That observation extends to cyber in general. One of the reasons for the high burnout rate is asking the people who know what they’re doing to do it without needed resources.

I enjoyed learning about the regional challenges being faced in the Caribbean, but what always surprises me about these glimpses into international cybersecurity is just how similar the problems we all face are. In a discipline where the bad guys only have to get it right once but the defenders have to get it right every time, the only hope for cybersecurity professionals is to develop connections, build international cyber-diplomacy and work together. Circling the wagons and sharing intelligence, tools and best practices is the only advantage we have against the cyber pirates (it’s ok, I’m bringing it back) that surround us. This event was a prime example of that kind of networking. I hope to be a part of future ones.

Winging out of Santo Domingo at sunrise on Delta’s A320 Airbus. What a beautiful country. Wish I’d had the opportunity to see more of it…

The Bermuda Triangle on a sunny Friday morning in October.


The Global Forum for Cybersecurity Excellence (GFCE)

I got an invite to speak on a panel at the Global Forum for Cybersecurity Excellence’s Annual Meeting last week. It was my first time in DC since I went on a trip there with Air Cadets in the 1980s, so it was an exciting prospect. More so when I saw it was going to be taking place in the Organization of American States’ building.

Attending these things is a high wire act for me as it looked like I was going to have to self fund my way there, but then the OAS’s Cybersecurity directorate got in touch and asked if I’d sit on one of their emerging technology panels for the region of the Americas pre-GFCE meeting too, so I managed to get hotel and flights covered.

I got in on Sunday and my hotel was in Georgetown, so I got out and about and soaked up some Washington area history – the place is thick with it! 

That night I met up with Dr Juan from Mexico who I did a presentation with in June and we enjoyed some Potomac wings at the local Irish pub (as you do) and caught up. The last time I’d seen him was as we passed through US customs on our way back from Ghana last year so we had a good chat. The opportunity to solidify these connections was impressed upon me as an important consideration later in the week. Never underestimate the appreciation inherent in making an effort to see people live, especially post-pandemic.

Day 1

The next morning, after breakfast at the Fairmont (!), we walked to the Organization of American States building only to discover it was the wrong one. We ran into Alex from Ghana who was on the OAS panel with me later that morning and he knew where we needed to go, so we all backtracked four blocks to where we should have been in the first place.

I got there sweaty (DC got up to about 30°C each day) but cooled off and our talk that morning about emerging technology impacting cybersecurity was wide ranging. Kerry-Ann, our moderator, surprised me with a question about how approaching cyber challenges as a technician gives me a different (and valuable thanks to how she framed the question) insight into the rapidly changing state of things.

Talking to engineers and the legal experts doing policy is one thing, but talking to the trades people who do the operational work of keeping the lights on does offer an interesting angle. I’d been expecting to talk about quantum technology emergence, but an opportunity to talk about the value of hands-on, applied skills in the field was appreciated and well received.

Many of the panels focused on the clear and present danger in cyber at the moment: artificial intelligence. From the automation of big data analysis that humans never excelled at on the defensive side to how criminals are leveraging GenAI to produce customized phishing material well beyond grammatically incorrect emails (stretching to include deepfake video, voice, photos and other digital media), these talks were designed to assist policy makers with understanding what has come out of Pandora’s box of AI.

One theme that resonated with me was how people don’t want deep technical explanations of these emerging technologies. What they want is an easy to grasp explanation of how these technologies will affect the digital spaces they work in. This remains a problem in cybersecurity and an even bigger one in the quantum world where I just finished my secondment. The urge for academics to obfuscate and complicate their explanations of these rapidly emerging technologies doesn’t make them ideally suited for presenting on them, especially to the operations and policy people who are entirely focused on real world impacts and couldn’t care less how the maths goes.

I’ve gotten a lot of static for how I’ve simplified deep technical details in quantum in order to get concepts across, but you honestly don’t need to start neck deep in linear algebra any more than you need to have knowledge of the metallurgy involved in casting your car’s engine in order to drive it. Guess what background is really helpful in bridging this information divide: 22+ years as a teacher! Early in my career I came across a quote that described teachers as, “public facing intellectuals” and took that to mean we’re not about ivory towers and knowing more and more about less and less, but about democratization of knowledge. Part of that comes with knowing what to keep out of the mix in order to keep people engaged.

My age is also handy. Being a genuine digital immigrant who remembers a time before personal computers and the internet (I got my first PC, a Vic 20, in 1979 when I was 10), I have a big picture outlook that those who have always lived in this chaos find helpful. My other secret weapon is a university background focused on thinking and communications (philosophy & English).

After the OAS event we had an evening meet and greet at the Museum of the Americas right behind the main building, which had a permanent collection of powerful pieces looking at colonialism and culture. Upstairs they had a Spanish diaspora collection featuring the people who fled Spain during the Franco period; powerful stuff.

At the meet and greet I got to introduce Juan to Michelle and Nina from CyberLite, one of my favourite international cyber education organizations. We did an around the world webinar with them for Safer Internet Day in February, but it’s always nice to see people in 3d rather than on a screen, and introductions like this are what GFCE is all about.

A good example of this networking was running into Christina from Global Affairs Canada. From our talks I’ve come to understand the complexities and difficulties of international cyber policy. I’m also particularly aware of how important it is to shed better light on the work our federal government does internationally. Some of this needs to be kept on the down low for security reasons, but much of it (and especially on the diplomacy side) needs more media coverage so Canadians better understand the work that their representatives are doing on their behalf. Being purely insular and defensive doesn’t work in sport and it won’t work in cybersecurity either. If we can help other countries develop better cyber capacities, we all win, and that starts by developing trust.

Day 2

The next day we were up early again and this time took an Uber to the right building (kind of, it still took us to the wrong one first), and began the Global Forum for Cybersecurity Expertise Annual Meeting.

Our panel came up quickly and Juan brought in a fantastic angle focusing on the Global South and the formation of a ‘quantum divide’ that will, like the digital one, further separate developed countries from everyone else. I’ve seen this happening with tightening restrictions on public facing quantum education resources. In some cases this may be under the auspices of national security, but the end result remains: countries that have the resources to develop quantum technologies will have capabilities that the others can only dream of.

After our panel, which was quantum focused and couldn’t have happened without a secure internet because our moderator was virtual in Europe and one of the panelists was in Central America, I showed Juan the William Gibson quote about the future already being here, but not evenly distributed. The idea of a growing quantum divide is another indicator of the state of maturity of rapidly improving quantum computers. I’m motivated to continue building ‘technology literacy for all’ which includes quantum and AI because no one should make the technologies that have the best chance of saving ourselves from ourselves proprietary. I also have a nagging urge to help everyone reach their maximum potential regardless of how much they have in their bank accounts.

The end of day event on day two was both fantastic (it was a retirement party for founding GFCE president, Chris Painter), but also profoundly insightful. When someone with extensive, top drawer international research resources tells me that they aren’t worried about AI taking us down because climate collapse will get us first, I listen. Moments like this make me vividly aware of just how fragile the house of cards we’re standing on is.

This observation wasn’t helped by the book that a colleague suggested that I’m two-thirds through. The idea of long term thinking in a world that only rewards short term gain is a challenge, but the most recent chapter is about how all civilizations collapse. Historically this happened regionally (Roman Empire, etc), but the global civilization we’ve built this time is going to crash harder, and when it collapses we’re going to be wishing we had made some of Asimov’s Foundations in order to recover more quickly (assuming we don’t make our only habitable planet uninhabitable in the process). That’s the thing about attending a GFCE event – it makes you reflect on the big things.

Day 3

All of the delegates from dozens upon dozens of countries coming together in DC to make digital transformation secure and accessible to everyone.

Day three began with the women in cybersecurity breakfast. The moderator at our table told hair raising stories of her being the first female cohort in engineering in South Africa and the overt sexism they faced. I told them about Canada’s tragic history with this kind of sexism, which the table found astonishing – Canada is considered forward thinking until we’re a bit more forthcoming about the dark currents in our history. I also told the story of the quiet sexism that made founding the first all-female cybersecurity team in our school so difficult. It amazes me that half our population still experiences these systemic prejudices and that equality isn’t something we’ll get to before the 22nd Century.

These GFCE events are thick with insights and opportunities that lift your head out of your personal context and prompt you to consider the big problems we face. I’ve tried to cover the main pieces here, but there are so many more that I’m still subconsciously noodling on.

The emerging tech panel on AI towards the end of the day was another of those eureka moments. The policy expert from France’s advanced technologies department had a good response to my question about how we devise policy for near future AIs that will have the agency and resources to ignore them, not out of spite, but because even considering them isn’t in their programming. She referenced the US Section 230 law that let social media run rampant and pointed out that if we recognized this cautionary tale we’d be able to better direct AI use now. A sharp response, but I think the AI horses are out of the barn and will shortly have the capabilities to do real damage to our digital infrastructure. I remain curious as to when AI policy to try and restrict development turns into defensive policies designed to mitigate the damage that self-directed AIs will do to our piecemeal digital infrastructure.

I ended the event having lunch with Abdul, my swimming buddy from Accra, and Juan, my co-conspirator. What do you talk about at a Nigerian/Canadian/Mexican table? Abdul told me he is in ‘legacy mode’, which is a great way of framing your closing professional years. I enjoyed our talks in the pool at Accra City Hotel because Abdul always seems to see beyond the horizon. Taking a minute to soak up that wisdom is never wasted time. He was going to see his friend’s grave and visit his cousin after the event. These seemingly technical meetings can be profoundly human, if you let them be.

We wrapped up our time at the OAS HQ, but we weren’t quite done yet. At the museum event Monday night we met a Spanish attaché and that prompted an invite to the embassy for a Wednesday evening networking event. It was a short walk from the hotel and I talked to a lot of people but really got into it with Jose Manuel who runs telecoms and startups in Spain including a new one that helps you park your boat in a marina you haven’t visited before. We also had a good chat about the innovative quantum key distribution research he is a part of. I’m hoping to follow up and develop some transatlantic partnerships to move us all forward there.

***
I must have covered 20+kms on foot over the week (in dress shoes!), but I have no regrets about the schlepping or having to self fund some of this. Hope is hard to find in 2024, but the GFCE exhales it like plants give off oxygen. Just as Ghana did last fall, my mind is left turning over the complex challenges and opportunities that this meeting highlighted. If you’re looking for organizations that improve your practice, expand your context, and challenge you to take on the seemingly insurmountable global issues we face, meeting the OAS and experiencing my second GFCE event has done just that.

DC looking like a post card on the ascent out of Reagan Airport.

Just over 500kms as the crow flies from DC, I was back in The Six before I knew it!


The Serious Play Conference and a Canadian Solution to Cyber-Education in Canada

The Serious Play Conference took place in August at University of Toronto’s Mississauga (Erindale) campus. Even though I’d fallen off the end of my secondments, gamification has also been a central tenet of my teaching practice and I’ve been actively researching cyber-education using immersive simulations for the past four years, so I took this opportunity to present what I’d found.

Paul Darvasi runs this conference. I met him last summer when we did a quantum training week together at UBC in hopes of building a quantum game that takes the academic privilege out of how the subject is presented. That hasn’t yet come to be, but I did manage to recently get our quantum arcade idea funded (from Finland because finding that kind of support for emerging technology education in Canada isn’t easy). Canada likes to be surprised by emerging technology in education rather than getting in front of it.



Games have played a central role in my life. I got into Dungeons & Dragons in a big way in my teens and my first long distance road trips were with friends to GENCON in Milwaukee in the late 1980s (where I got to play a tournament round of D&D with Gary Gygax!!!). As a result my teaching practice has always been informed by those early years dungeon mastering. If I have an opportunity to create a simulation or immersive gaming experience in my classroom, I’ll go out of my way to arrange that rather than falling back on worksheets of one way knowledge transmission. My experience has shown me that suspension of disbelief can be a powerful learning tool if the gamified learning experience is pedagogically viable.

My presentation at Serious Play was specifically about how immersive simulation can help learners tackle subjects that might scare them into disengagement. By using suspension of disbelief, subjects like cybersecurity can be approached without the risk aversion prompted by worries about breaking technology almost no one understands because we seem to have given up on modern media literacy about two decades ago.

I’ve put students on Field Effect’s Cyber Range in classrooms across Canada. In some cases they were competitive CyberTitan teams containing students with the top 1% of digital skills in the country, but in most cases it was with the other 99% who had never touched cybersecurity at any time in their learning journey. With the right scaffolding and support even the newest of n00bs can get their hands dirty iteratively learning essential cyber skills in this digital sandbox:

Engaging Canadian education with cybersecurity remains an uphill struggle, but cyber sandboxes like Field Effect’s Cyber Range offer a solution.

The Serious Play Conference had a wide range of educators working in digital and analogue simulation across a staggering range of subject areas. From museums engaging patrons to a think tank designing war games for the Canadian Forces, it was a tour de force of what immersive simulation and gaming can do to engage and teach in pretty much every learning context.

I was absolutely thrilled to learn that our all Canadian made simulation that offers a key to cyber-education – one that is more advanced than the systems we use when our CyberTitans take part in CyberPatriot south of the border because it allows for interactive networking between virtual machines instead of just putting students into isolated desktop VMs – won the gold medal for K12 immersive learning simulation.


ICTC and Field Effect have worked hard to get this world class immersive learning opportunity in front of Canadian students. The trick now, as it has always been, is to get insular Canadian education systems who have taken a head-in-the-sand approach to cyber education to pick up this federally funded, world-class tool we’ve built and use it to get past their own fear and ignorance and begin teaching essential defensive 21st Century digital skills.

***

Sign up for CyberTitan, Canada’s national student cybersecurity competition, is open until October. Teams of girls and other under represented groups in the field are fully funded. The early rounds are on individual virtual machines through CyberPatriot in the US, but if you push on you eventually get to Field Effect’s Cyber Range and get a taste of the future of cyber-education.


Check out the interactive team signup map here. You can ask yourself questions like, why one of Canada’s smallest provinces (New Brunswick) has more student teams than Ontario and Quebec combined, or wonder why Saskatchewan and Nova Scotia have no teams at all. Perhaps they don’t use the internet?


The vast majority (over 90%) of cyber attacks on Canadian systems depend on user ignorance and lack of education to succeed. We can’t build a secure Canada if oblivious Canadians keep opening all the doors. You don’t have to pretend it isn’t happening, it can start here:

Join the competition and sign up student teams of 4-6.
There are middle and high school divisions and community groups are also welcome to participate.


Turtles all the way Down

I tried to get AI in front of Ontario teachers at the ECOO Conference in 2019, but it was a pretty empty room.

I’ve been working with generative artificial intelligence with students in my computer technology program since 2018 when we were fortunate to get a new grade 9 whose dad was on the team that brought IBM Watson to Jeopardy. That got us connected to IBM cloud and building AI chatbots five years before the “AI revolution” everyone has been caught out by.

That wasn’t our first point of contact with AI though. I’d been keeping an eye on AI dev as far back as 2015 because we launched our gamedev course in ’15 and getting a handle on building intelligent responses to player actions in our games immediately became our biggest challenge. Thanks to Gord and IBM we were able to get our juniors familiar with AI prior to asking them to take on significant software engineering challenges with it in the senior grades.

I presented on AI use in the classroom at the ECOO conference pre-COVID in fall of 2019. Gord from IBM even came all the way down to Niagara Falls to offer world class support. The room was all but empty:

This is how many Ontario educators (already interested in edtech because this is ECOO!) you get in an introduction to generative AI in 2019 (yes, it was four in an otherwise empty room). Ahead of our time (again)? Four years later it’s an emergency and suddenly there are education AI experts everywhere. I wonder where they were in 2019.

If you ever wonder why education always seems two steps behind emerging technologies that will have profound impacts on classrooms, here’s a fine example. Except you won’t even see four people sitting in an empty room in 2024 because all edtech conferences like ECOO focused on teacher technology integration have evaporated in Ontario.

***

OK, so I’ve been banging my head against pedagogically driven AI engagement in education for almost a decade only to see it swamp an oblivious education system anyway, so what’s happening now? I’m researching the leading edge of this technology to see if we can’t still rescue a pedagogically meaningful approach to it.

In the summer Katina Papulkas from Dell Canada put out a call for educators interested in action research on AI use in learning. I’ve been talking to Aman Sahota and Henry Fu from Factors Education over the past year looking for an excuse to work on something like this, so I pitched this idea: De-blackboxing AI technology and using it to understand how it works.

Our plan is to use the Factors AI engine that Henry himself has built and Aman administrates to build custom data libraries that will support an AI agent that will interact with students and encourage them to ask questions to better understand how generative AI works. As mentioned before on Dusty World, GenAI isn’t intelligent and it’s important that people realize what it is and how it works to demystify it and then apply it effectively. Getting misdirected by the marketing driven AI tag isn’t helpful.

So far we’ve built modules that describe the history and development of AI, how AI works and the future of AI. In the process of doing this I’ve come across all sorts of public facing research material that breaks down generative AI for you (like Deep Learning from MIT Press), but it’s technically dense and not accessible to the casual reader.

During the last week of August Factors had a meeting with interested educators through UofT OISE (their AI system came out of the OISE edtech accelerator). I demonstrated in the presentation how the AI engine might be used to break down a complex article for easier consumption through agent interaction. The example was WIRED’s story on how Google employees developed the transformers that moved generative AI from a curiosity to real world useful in the late teens. I picked this one because it explains some of what happens in the ‘blackbox’ that AI is often hidden in.

With some well crafted prompting and then conversational interaction, students can get clear, specific answers to technical details that might have eluded them in the long form article. The reading support side of GenAI hasn’t been fully explored yet (though WIRED did a recent interesting piece on cloning famous authors to become AI reading buddies as you tackle the classics which is in the ballpark).

What have I learned from working directly with building an AI library of data and then tuning it? AI isn’t automatic at all. It demands knowledgeable people providing focus and context to aim it in the right direction and maximize productive responses with users. An interesting example of this was finding documents that provided focused data on the subjects we wanted the AI to respond to. When I couldn’t find specific ones Henry suggested using Perplexity, an AI research tool that collates online sources and then gives you concise summaries along with a bibliography of credible sources.

I thought I was being perverse asking them to design an AI that explains AI using AI, but Henry’s always a step ahead. He wants to use an AI to build a library of information to feed the AI engine that then uses AI to interact with the user… about AI. It’s turtles all the way down!


It’s a War Out There

In the beginning of July the Communications Security Establishment (CSE-CST) produced two news briefs that many Canadians remain oblivious to. On July 9th a warning was published describing a Russian government backed foreign interference project that uses artificial intelligence to create false social media output from many different countries designed as propaganda for Russian state interests. By using these tools Russia hopes to direct national discourse in democratic countries, including Canada, in its favour.

The day before, on July 8th, CSE posted a warning about Chinese state sponsored cyber intrusions across public and private networks in many countries, including Canada, designed to give the People’s Republic access to sensitive state and industry data. What is most concerning about these warnings is that they aren’t unique, they aren’t even rare.

We have come to depend on networked digital information in all aspects of our lives. For many this means social media on their phones, but our dependence on networked digital information runs far deeper than that. Essential systems like the power grid and water supply (and regular classroom activities) are managed through networked digital systems, as are our supply chains. This offers us tremendous opportunities for efficiency and oversight, but it also brings with it the danger of cyber-attack, and not by the stereotypical lone hoodied hacker.

Incredibly, in 2024 most Canadian schools do not teach any cybersecurity education at all. With the exception of New Brunswick there is no curriculum in Canada that even mentions cybersecurity. This has put us in a difficult situation as Canada faces a generational shortage of cyber-talent. But the real danger isn’t our failure to get students interested in working in the field, it’s the apathy and ignorance Canadians seem to revel in.

The vast majority of successful cyber-attacks depend on user ignorance to find a way in. Canadian defensive technologies are world class, but if the people using them are dangerously oblivious, that’s where the opportunity for abuse lies, which is why Russian and Chinese government organizations are focusing their attention there. If you want to destabilize a democracy, you create division in its people, and with most people going online wearing a blindfold of apathetic ignorance, it’s the easiest opportunity.

If you provided your military with state-of-the-art weapons but didn’t train any of them in how to use them, you wouldn’t have a very effective fighting force, yet that is how we approach cyber-readiness in Canada. Connected digital technologies have become central to most aspects of life, yet the vast majority of Canadians take no responsibility for the dangers these digital opportunities present.

Meanwhile, countries with vested interests in Canadian destabilization have created enormous offensive cyber-attack groups. China’s offensive cyber military arm – just their offensive cyber personnel – number more than the entire Canadian Armed Forces. But the threat doesn’t end there. In addition to large cyber-military capabilities, many foreign powers have also hired private companies to conduct foreign cyber-espionage. If you think the threats we face online are lone hackers trying to make a buck or two you’ve failed to grasp how cyber operations have evolved in the past decade.

Allied Western powers have built defensive systems in partnership with industry, but our ability to perform cyber-attacks on the scale that Russia and China do is anything but equal. If this were a ‘hot’ war the map would be dominated by those countries while Western responses are minimal. Unlike a conventional war, there would be no lines with safe zones behind them. In cyber-warfare you see malevolent skirmishes happening in every region of Canada; nowhere is safe because connected infrastructure is everywhere.

Around the edges of these state sponsored cyber-attacks partner organizations are leveraging similar tools for cyber-crime, often in an effort to fund the state sponsored attacks. The ransomware attack your company just paid to try and resolve may well be going to fund the next round of state sponsored digital violence.

Thinking that this is all someone else’s problem is one of Canada’s greatest weaknesses. ‘Loose lips sink ships’ was a common reminder during World War Two. It reminded people that you never know who is listening and that your blabbing may well get people killed. The Twenty-First Century equivalent is ‘careless clicks can hack everything you depend on.’ Not as catchy, but terrifying.

One of the scariest parts of attending a cybersecurity conference is listening to the people trying to hold Canada together talking about how razor thin that line is. I’ve heard people who are defending against these wildly asymmetrical attacks say things like, “I’m amazed the lights are still on”, and “in the next five years we will have a cyber-attack that takes out critical infrastructure for weeks at a time.” Perhaps when we’re all sitting in the cold and dark wondering what happened we’ll also start to wonder why we didn’t do something about it when we had the opportunity.

Saying it’s a war out there isn’t hyperbole. Thanks to artificial intelligence many cyber attacks have become fully automated. These A.I. automated attacks iterate their approaches allowing even the most digitally illiterate criminals access to leading edge cyber incursion tools, and many foreign powers are more than happy to support that chaos for their own ends.

What’s a democracy to do? Start taking cyber-education and digital citizenship seriously. Instead of graduating students that only add to the cyber skills gap, we should be making all students (and the families they come home to every day) aware of this secret war we’re all on the battlefield of every time we pick up a device and access the interwebs. How many times have you amplified a social media post that may well have been written by a Russian A.I. bot with the intent to damage Canadian interests? Time to stand up to this hidden war.

I presented on using state of the art cloud based cyber simulation to teach essential cyber skills at the Serious Play Conference at UofT Mississauga this month. We have the tools to address the cyber-literacy gap in Canada and make our country cyber-secure, we just have to make using them in classrooms a priority.

You can sign up for CyberTitan now – it’s Canada’s biggest student cybersecurity competition. There are divisions for middle and high school students and youth groups can all join up. Teams are 4-6 students and you learn real world defensive cyber skills. Support is also provided if you need mentors. www.cybertitan.ca


Want to read more?

Why State-Sponsored Cyber Attacks are a Global Threat

It’s not human error if it’s wilful ignorance.

Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure

National Cyber Threat Assessment 2023-2024

Cyber Operations Tracker

The Cost of a Breach: 10 Terrifying Cybersecurity Stats Your MSP’s Customers Need to Know



Hands On Learning: Haliburton School of Art & Design’s Blacksmithing Summer Program

 

I’ve been wanting to refamiliarize myself with metal work for some time. I don’t like farming out work that I’m capable of doing myself and there was a point early in my working life when I was welding weekly as part of my millwright apprenticeship, but I haven’t joined metal in over three decades. It’s amazing how the time flies when quantum cyber research gets in the way.

Finding opportunities to develop these DIY technical skills in Canada where people don’t like to DIY is a challenge. The only welding courses I could find were full-bore certificate courses for professionals, but then my wife found the Haliburton School of Art & Design. HSAD takes place in Haliburton, which you’ll have heard about on TMD before because it’s one of my favourite places to go for a ride in Ontario. It’s also only about three hours from home.

HSAD offers piles of course options ranging from visual arts to technical crafts. If you’re reading this you’ll probably be interested in the blacksmithing course, not necessarily for the smithing but because it offers you access to expert metal workers in a fully tooled shop that will make you hands-on familiar with not only the hot forging of metal but also various other related technologies such as welding, grinding, polishing and plasma cutting. The three of us went up for the week with me doing the smithing, my son glass blowing and my wife water colour painting.

We were asked to bring a project, but what you really need to do for this is to start amassing ideas so when you’re in the forge you’ve got a list to go after, that way you’re not wasting time in front of a hot forge wondering what to do next. I showed up with my copy of the Rudge Book of the Road and an idea to build a metal sculpture of the line art in the front of the book.

My blacksmithing experience consists of an afternoon, so I thought this would take me the week, but by the end of day one I’d already worked out the rider in hot steel and started worrying that I’d run out of project.

I figured getting handy with welding would take some time, but I forgot to take into account technological progression. Back in the day (in the late 1980s) when I was learning how to weld it was all stick (and no MIG carrot). It took about 15 minutes for Amie to talk me through the MIG process and ten minutes later I was tacking pieces together to get my layout right. No sparking a rod to see where you are either with modern instantly darkening welding helmets. Early efforts at joining pieces were messy but by Thursday I was knocking together pieces at will with clean welds. It’s now just a matter of practice to get back to a point where my joins are a point of pride.

Monday was a real hot-box with temps in the mid-thirties. In the forge it was well into the forties and I was drenched when I left. I should have shown up with better heat management methods and was very dehydrated when I left. I recovered as best I could overnight. The next morning I was still not feeling well but got myself in, got a handle on welding and put the rest of the design together.

I woke up Wednesday properly sick with the mother of all summer colds, but the only thing I needed to do to finish was the rider’s scarf. With a bit more hot forming of steel and welding I had my 1920s art deco styled Rudge metalwork sculpture done.

On a side note – the propane forges aren’t very big and don’t work for long, complicated pieces, but the shop had dual coal forges with four working sides in the back room that let you heat longer pieces. The only trick with the coal forge is that it can get so hot it’ll burn the steel (which looks like sparklers when it goes). The propane forges are set to not get that hot, but the coal forge can, so in addition to feeding the beast you also have to be careful it doesn’t burn your steel. I ended up leaving the scarf in too long and it burned through at the back, but that wasn’t necessarily a bad thing as I wasn’t able to create the creases I was looking for in the ends. After burning it in half I was able to make the creases and weld the two sides back together, making it better than it would have been otherwise.

  

Old school, but it does offer some advantages along with some challenges…

I then got a primer on how the grinding room worked. The temperatures were dropping from Monday but when you’re wearing face protection, a leather apron, long trousers, steel toe boots, leather gloves and a respirator, it’s hot anyway. Even with all that and feeling right rotten I enjoyed getting a feel for grinding and cleaning up finished pieces. I get the sense that grinding is another one of those hands-on skills that can go surprisingly deep.

The end result was hung outside and I got given a spray on chemical that would prevent it from rusting while showing off the ground metal finish.

The finished piece looked so nice I got a clean image of it and then updated the logo on the motoblog with it…

 
That’d be your metal work being put through a digital forge!

Amie Botelho was our instructor and she is all about hands-on learning. Most mornings we did a 15-20 minute demo of tools and techniques that you could immediately find a use for. Any time you needed other equipment you’d do one on one safety and how-to training and be let at it. On the forge (and everywhere else in the shop) Amie is incredibly efficient and that teaches you all sorts of lessons if you watch closely.

It isn’t about how hard you hit, it’s about how efficiently you get hot steel out of the forge and under the hammer. It’s also about turning your project over and looking at it closely as you work it. Smithing isn’t about brute force, it’s about attention and precision, but watching a master smith do it is infinitely better than reading about it in a book or hearing someone drone on about it in a lecture.

Every demo was immediately followed by the suggestion to ‘just do it’, complete with lots of support in a class of 16 from Amie and shop-tech John. But the best part is that most of the ‘students’ are actually experienced smiths themselves. The ones around me had all done the four month certificate program at Fleming, so you’re surrounded with experienced metal workers who are very free with support and advice (if you want it – you’re left to your own devices if that’s your jam).

If you’re looking to hone your metalworking skills, or want to jumpstart them from scratch, this is a great place to start. Just make sure you show up with lots of ideas if you don’t want to be cranking out spoons and bottle openers all week (unless that’s your jam) – they’re totally open to whatever you want to tackle. We had students working on everything from building a barrel forge of their own involving big industrial pieces, to yard art metal work using the small stuff.  Those experienced smiths in many cases were churning out all the smithing they needed for the year. One told me he’d make the $700 fee for attending for the week every day in what he was producing, making it well worth the cost.

Why come at it like this? Canada being Canada makes it very difficult for you to do things like forging or doing metal work on your own property without hanging you out to dry with insurance and infinite municipal, provincial and federal paperwork. Coming at it this way gives you access to a full service metal shop with all the tech and consumables, and with the safety and insurance challenges all taken care of. The bonus is you also get to hang with an interesting group of like-minded DIYers for the week, which is worth the price of admission alone.


The bandsaws looked like they were older than I am, and I’m feeling old this week!





Once I had the Rudge line art metalwork done I had a go at plasma cutting. I was originally thinking of making a variation on the Isle of Man TT trophy, but symmetrical wings are well out of my wheelhouse without more practice, so I turned it into an absurd door stop with a vaguely Honda theme.

 

Not bad for my first go with a plasma cutter!

Spoons are properly hard work. I found the edge of my forging techniques there quickly!


True that.


The forge at work.


He was early for lunch… this takes place in Haliburton, there are (lots of) deer.


Yep, I did a bottle opener too.


The propane forge at work.

Highly recommended: https://flemingcollege.ca/school/haliburton-school-of-art-and-design


Stay With Me, this is Going to Get Quantum Weird

This was originally posted on the Canadian Cybersecurity Network’s CyberVoices page: Stay With Me, this is Going to Get Quantum Weird


CyberVoices is well worth a look if you want to get a sense of cybersecurity in Canada from many different perspectives in 2024. It gets you away from the government / business / marketing talk about cyber which tends to contain a lot of self-interested spin.

Canadian Cybersecurity Network’s CYBERVOICES.

***

Science and technology were making great strides at the end of the nineteenth century, to the point where we were beginning to discover problems with the reality we thought we lived in. Newtonian physics does a great job of describing what we see around us, but it turns out this is an illusion created by the scale at which we operate. It’s like thinking the earth is flat because it looks that way, but it only looks that way because we’re not big enough to see it; reality is in the eye of the beholder.

What we discovered as we looked closer with better technology was that the universe isn’t a deterministic machine. The double slit experiment caused great confusion because it looked like light was both a wave and a particle. Rutherford’s gold foil experiment suggested that the recently discovered atom was almost entirely empty space. Most of what you breathe in is vacuum! The universe is much stranger than we first thought, and it isn’t deterministic at all, but very much probabilistic. Einstein hated this ‘spooky action at a distance’ quantum nonsense, but through the 20th Century we’ve come to understand that this is how the universe works. Most people don’t know this because education finds teaching science in a Newtonian way easier. Professor Brian Cox has a good quote in his book, The Quantum Universe: “It’s not Newton for big things and quantum for small things, it’s quantum all the way.”

This emerging quantum awareness created the first quantum revolution. Once we recognized that quantum effects happen around us all the time, we started designing technology that made use of these newly discovered natural phenomena. If you think this is only for exotic university labs, you’re wrong. The flash memory that you’re likely reading this through depends on quantum tunnelling to work, as do lasers, MRIs and superconductors.

So, what’s all this talk about quantum computing and what the heck does this have to do with cybersecurity? In the 1970s many researchers started theorizing about quantum computing and Richard Feynman put it together in the early 80s, then the race was on to build the theory. What’s the difference between this and passive 20th Century quantum technology? We’ve developed the technology and theory now to engineer quantum outcomes rather than just using what nature gives us. As you might imagine, this is incredibly difficult.

I had an intense chat with Dr. Shohini Ghose, the CTO of the Quantum Algorithms Institute, at the end of our quantum cybersecurity readiness training day this week in BC. She was (quite rightly) adamant that we can’t know quantum details without observing them and when we observe them, we change them, but my philosophy background has me thinking that I’m going to try anyway. An unobserved universe is entirely probabilistic. It only becomes the reality we see when we perceive it. It reminds me of the crying angels in my favourite Doctor Who episode. This bakes most people’s noodles, but the math clearly indicates that in measuring a photon’s location we can’t also know its velocity and direction – that’s the uncertainty principle in action. I’m probably wrong about all of that, but I’d rather people take a swing at understanding this strangeness rather than being afraid of being wrong.

Alright, we’re halfway through this thing and you haven’t mentioned anything cyber once! If you think about the electronic systems we use, they’re entirely Newtonian. They reduce information to ones and zeroes and produce the kind of certainty we all like, but this is a low-resolution approach that is about to hit its limit. We’re building transistors so small now that electrons are tunnelling through the nanometer thick walls (atoms are mainly empty space, remember?) between transistors, rendering future miniaturization impossible; we’re nearing the limits of our Newtonian illusion. That means the end of Moore’s Law! Panic in the disco!

Quantum computers don’t use electronics as a common base. A quantum computer processor might be ionized particles, or photons, or nanotech engineered superconductors, and those are just a few of the options. By isolating these tiny pieces of the cosmos away from the chaos of creation and applying energy to them in incredibly intricate ways, we can create probability engines that use astonishing mathematics to calculate solutions to problems that linear electronic machines could never touch, but unlike classic computers we need to do this without observing the process or all is lost. Imagine if you had to design the first microprocessors in the dark and you’re a fraction of the way towards understanding how difficult it is to build a quantum computer, but it’s happening!

We’re currently in what’s called the NISQ (noisy intermediate scale quantum) computing stage. We’re still struggling with applying just enough energy to get a particle to polarize how we want it to, all while keeping the noise (heat, radiation) of reality out. That’s why you see quantum computers in those big cylinders as a chandelier. The cylinders are radiation shields and containers to cool everything down to near absolute zero (gotta keep that thermal noise out), and the chandelier is to keep the electronic noise of the control systems (old school electronics) away from the quantum processor.

My favourite quote from the PhDs I’ve talked to is, “a viable quantum computer is five years out. And if I’m wrong, it’s four years.” What does that mean for ICT types? Quantum computers don’t do linear. When you give them a problem, they leverage that state of being everywhere at once to produce massively parallel computing outcomes completely foreign to what we’re familiar with in our multi-core processors. Quantum algorithms are designed to blackbox the calculation, so observation doesn’t spoil quantum processes and then spit out answers as probabilities.

What does that mean for cybersecurity? Peter Shor came up with an elegant idea in the mid-90s that uses a Quantum Fourier Transformation to calculate the periodicity in prime number factoring. If you can calculate the period of two large, factored primes (there is a repeating pattern), you can reverse engineer those primes. In RSA encryption or anything else that uses factoring you could calculate the private key and tear apart the encrypted transport layer handshakes rendering secure internet traffic a thing of the past. From there you could imitate banks or governments or simply decrypt traffic without anyone knowing you’re there. You won’t see cybercriminals doing this because the tech’s too tough, but nation states will, though you won’t see them either because they will be quietly collecting all of that encrypted online data Imitation Game style. This process may already have begun with harvest now, decrypt later (HNDL).
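To make the "repeating pattern" concrete, here is an added example (not part of the original post) that walks through the classical number theory around Shor's idea on a toy RSA key. The period is found by brute force, which is the one step a quantum computer would do with the quantum Fourier transform; the function names and the 12-bit key (n = 3233, e = 17) are constructed for illustration.

```python
"""Classical toy walk-through of the number theory behind Shor's algorithm.

Added illustration only. The period search below is brute force; it is the
single step a quantum computer would replace with the quantum Fourier
transform. Everything else is ordinary arithmetic.
"""
from math import gcd

# Constructed toy RSA public key (real keys are 2048 bits or more).
TOY_N = 3233
TOY_E = 17


def find_period(a, n):
    """Return the smallest r > 0 with a**r % n == 1 (the repeating pattern)."""
    if gcd(a, n) != 1:
        raise ValueError("a and n must be coprime for a period to exist")
    r, value = 1, a % n
    while value != 1:
        value = (value * a) % n
        r += 1
    return r


def factor_from_period(n, a):
    """Try to split n using base a. Returns (p, q), or None if a is unlucky."""
    shared = gcd(a, n)
    if shared != 1:
        # The guess already shares a factor with n; no period needed.
        return tuple(sorted((shared, n // shared)))
    r = find_period(a, n)
    if r % 2 == 1:
        return None  # odd period: a**(r/2) is not defined, try another base
    half = pow(a, r // 2, n)
    if half == n - 1:
        return None  # a**(r/2) is -1 mod n: only trivial factors come out
    # (half - 1) * (half + 1) is a multiple of n, but neither factor is,
    # so each one shares exactly one prime with n.
    p = gcd(half - 1, n)
    return tuple(sorted((p, n // p)))


def factor(n):
    """Split an odd composite n by trying bases until one gives a useful period."""
    if n % 2 == 0:
        return (2, n // 2)
    for a in range(2, n):
        result = factor_from_period(n, a)
        if result is not None:
            return result
    raise ValueError("no split found (n is probably prime)")


def recover_private_exponent(n, e):
    """Derive the RSA private exponent d from the public key alone."""
    p, q = factor(n)
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)  # modular inverse, Python 3.8+


if __name__ == "__main__":
    for base in (2, 3):
        print(f"base {base}: period {find_period(base, TOY_N)},",
              f"split {factor_from_period(TOY_N, base)}")
    d = recover_private_exponent(TOY_N, TOY_E)
    ciphertext = pow(65, TOY_E, TOY_N)  # 65 is a constructed sample message
    print("private exponent:", d)
    print("decrypted sample:", pow(ciphertext, d, TOY_N))
```

Base 2 shows the failure case (its half-period lands on -1 mod n) and base 3 succeeds. The brute-force period search grows exponentially with key length, which is the cost today's RSA keys rely on and the reason post-quantum algorithms are being standardized.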

There is much more to quantum technologies in cybersecurity than the encryption panic though. Recent research suggests that instead of running into limits with electron tunnelling in transistors, our new quantum 2.0 engineering could leverage this quantum effect to create Qtransistors magnitudes smaller and much faster than what we have now. Cybersecurity will have to integrate that technology as it evolves. Quantum communication is another challenge. NIST is making mathematical quantum resistant algorithms as I type this, but you could also leverage quantum entanglement itself to create quantum key encryption. China has an entire network of satellites testing these hack proof comms links now. There could be quantum locked portions of the internet in 15 years where high security traffic goes. Guess who is going to have to manage those secure networks.

If you’re in cybersecurity there is much more to quantum than panicking about encryption. Anyone in the field would be well served by digging in and researching this fascinating technological emergence. My colleague, Louise Turner, and I presented at the Atlantic Security Convention on this in April. Give our presentation a look. There are lots of links to fascinating resources. It’s time to free your mind, Neo.


Little Cyber Skills Bonfires Across Canada

It’s been one of those months when possibilities for the future keep going in and out of focus. My secondment ends in August. There might be a possibility of an extension, but there are questions around whether or not I’m allowed to do it contractually. There are also questions around whether or not I want to go back into the classroom at all. Here are some of the things that have happened in the past few weeks that have me up at 5am after a 14+ hour work day that should have knocked me out for a full night of sleep…

I did a ten day run across the Maritimes a couple of weeks ago. This involved a teacher PD day in Nova Scotia on a Saturday and then in class enhanced technology training days in schools across New Brunswick which mainly focused on trying to leverage the national CyberTitan cyber range competition images from previous years with students with varying backgrounds in cybersecurity. This isn’t edtech as you know it, it’s leading edge technology being leveraged to teach complex, interdisciplinary ideas that we can’t usually get anywhere near in the classroom.

The first day in Fredericton was frustrating due to technical difficulties and pedagogical challenges. Using state of the art cloud based cyber range simulations is always going to be a stretch in classrooms. Doing it on the IT infrastructure in schools is like trying to drive a Formula One car on a dirt road. The range of student skill made it impossible to sufficiently differentiate in order to land everyone in Vygotsky’s zone of proximal development and technical issues only complicated matters further. I finished the day exhausted and frustrated.

Day two completely restored my faith in this experiment. Oromocto High School has a brilliant computer technology instructor who has built a strong community of CyberTitans and the computer lab we were in was fit for purpose. We had a great day on the range where I got to see students grasp concepts that even CyberPatriot can’t address due to its old-school desktop virtual machine approach. On top of that I learned I am not alone! Blair, who runs the program at OHS, is also Cyber Operations qualified, making us the only two I know of in Canada. Teachers like to invent their own certifications (and degrees) for education technology rather than explore relevance with what everyone else is doing, so it was nice to meet another willing to take on the challenge of a globally recognized industry cert.

Over the week I got to iterate with schools with little to no CyberTitan experience and even a middle school. There are edge cases around exceptional teachers where this kind of enhanced learning is not only possible but essential if we’re to develop students capable of surviving the very technologically disruptive future we all face. One of my key takeaways in that week was to emphasize the importance of tending to these unicorns, they are few and far between.

I wrapped up the trip in Charlottetown where our local partner and I had a great chat with CBC radio about how to build genuine cyber-fluency. This is like starting a fire with wet wood. It takes skill, determination and collaboration to make it work, and none of these things are easily found in Canadian education. Having now taught in classrooms from BC to Newfoundland, I’ve been fortunate enough to experience the wildly inconsistent landscape of Canadian education (there is no such thing, we are the only developed country in the world without a national education strategy), but there are commonalities, like the staggering lack of digital skills we graduate students with. Nurturing local expertise is a way to scale this up. I hope administrators from coast to coast recognize and focus on that.

I finally cracked the TV egg and found myself on CBC Compass. The final question there was a big one, but I stand by my answer: we need to be teaching meaningful digital literacy so that our students can operate safely and effectively in an increasingly technology dependent world. We indeed face global challenges that threaten our future. If we don’t start learning the tools at our disposal effectively, we’re not going to solve them.

The frozen sea on an empty PEI shore…
