Artisanship in Cyber Security

Pepijn Vissers
Published in Chapter8 · Jun 9, 2020

Craftsmen, guilds and doing things by hand are commonly associated with classic professions. If one started out as a carpenter or a blacksmith, it would take years to become an artisan, learning on the job. Skilled artisans had always been among the higher social classes, being defined as able to self-control their means of production and self-direct their own labor.

But artisanship was dying out. As very eloquently put by Thiemann (2014): “Over the 19th and 20th centuries, the term ‘artisan’ had acquired a fluid mixture of romanticized as well as condescending meanings, forming to conceptualize artisans as those who still make things with their hands because they are unable (or unwilling) to use the new technological means. Such people are to be found in the ‘dying professions’ or in insignificant niches as high-end producers of luxury items, and around tourist magnets, selling hand-made souvenirs”¹.

Except it isn’t.

I believe that the idea of artisanship even stands firmly in one of the most modern professions: cybersecurity. A profession where properties opposite to artisanship, like automation and scale, are key nowadays. I believe that despite the enormous variation, scale and flexibility of current security solutions, artisanship still has a very important role — especially in digital security. Come, join my thought train here.

TL;DR:
1. I believe you need tailor made solutions for securing really important stuff; and
2. tailor made stuff comes from craftsmen working closely with a client; so
3. artisanship still has its place next to automated security solutions.

In short: in 1999, I was a tool.

So, I work in digital security. A “modern profession” by any standard. Have been for 20 years this year. How I started? By getting fired on the spot when working as a helpdesk employee through an employment agency. I was bored on the job and decided to have some fun. Mind you, this was pre-Y2K, so that basically meant hacking the Windows registry to bypass proxy restrictions to the internet, sending out fake emails to co-workers and snooping around the network and the internet, looking for places that ought to be inaccessible. Nothing too serious, but serious enough to get noticed.

As you can tell from these actions, I didn’t know anything about operational security, digital forensics or Locard’s principle. I had the right mindset for security — although the company begged to differ — but lacked skill in every sense of the way. In short: in 1999, I was a tool. The company had collected quite a file on me, pulled me from my desk, confronted me and led me out the front gate.

I still thank them for doing that.

Because letting me go eventually got me talking about this experience to a friend of one of Fox-IT’s founders. They had just started the company when I landed a job as a junior employee, not in spite of, but because of what I did. “Really nice guy. We’ve pulled him from behind the bar and gave him a job”, one of them said about that in a reference earlier this year. True story. And I still thank them for doing that.

Over the next years, I learned a trade. Bottom up. I started by helping out in computer forensic investigations, running the lab, writing parts of reports. Then penetration testing became a thing and we picked that up as a company. More people with different skillsets joined the company, and we learned with and from each other. Then digital security became bigger and we could work out what was needed because of our offensive and forensic skills. Forensic investigations often included open source investigations, so we Bellingcatted (this is still 2000–2008, remember). No one knew everything, but everyone had a common knowledge baseline and a common mindset, and while some were better at this, others were better at that. We trained a hell of a lot of people in the public and private sector. And as a (small, at the time) team we succeeded. Big time.

See where I am getting at?

I learned a modern trade, by indulging in it every working hour of every day and most days in the evening as well. Skillz got better, relationships got ruined. Much like a blacksmith apprentice, I became a craftsman. As a team, we became the best of the best — in that time and place.

It begs the question: does automation replace artisanship in digital security?

Around that time, moving stuff from on-premise to datacenters happened. Cloud happened (which is not that different). BYOD happened. Smartphones got smarter. Where the networks we attacked and defended were pretty much overseeable early this millennium, the sudden surge in infrastructure growth and demand now quickly outpaced visibility. Much like the growth of small villages into megacities, but compressed in a few years and not centuries (on a side note: I think there is a lot to say about the resemblance between urban crime prevention and modern day cybersecurity, but that is another tale for another time).

With that growth, many tasks that were done by hand at first became automated. This is nothing new. In every industrial revolution, tasks done by people get automated. And for many tasks, this is a good thing. Automation enables scale and reduces implementation error. It also reduces operation time and personnel expenses. But it also displaces workers.

In digital security, we see the same thing. Security tasks have moved from something-the-sysadmin-guy-does-as-well to dedicated jobs, into Security Operation Centers and from there into commercial SaaS-solutions that will automate deployment, analytics, response and even forensic readiness for you. And the variation in digital landscape a security company like Palo Alto accommodates, for example, is ridiculously large. For cloud collaboration platforms, security features are more and more automatically integrated in the product, like in Microsoft365. Gone are the days of bypassing login screens by pressing <ESC>. The growth in scale, automation and coverage is beyond imagination, although they still cannot make you coffee. It begs the question: has automation replaced artisanship in digital security?

“I think shokunin are a kind of people that care about what “WE” make, instead of what “I” make.” — Hōsai Matsubayashi

Despite being top-notch craftsmen, I think that around 2007, we were still tools in a certain way: because we were so good at what we did, we sometimes failed to see the strength of other disciplines.

The Japanese extend the definition of artisanship. Their notion of shokunin involves a transcendence of the individual gain besides accumulating exceptional skill generation after generation. They argue that artisans exist only because they co-exist with others. I think in hindsight that notion is what drew me to the public sector and my volunteer work. If anything, my years in public service made me realize two things:

  • no matter how skilled you are, you are always part of a bigger picture. Do you have a great idea to make life harder for criminals in an innovative way? You need to be able to get your legal experts, your team, your boss and their bosses on your side. Have a great idea for a product? You need other people besides you to bring it to its full potential. Shokunin act as team members, with respect towards the other skills needed to fulfill the mission.
    The key take-aways from this are that a) there is no automating human persuasiveness and attentiveness and b) there is no automated substitute for human2human communication. Human teamwork works.
  • there is no one-size-fits-all when it comes to the really important stuff: every criminal investigation, every assessment of the protection of highly classified material, every course given to a group of students had one thing in common: they were all, without exception, tailor made to the specific goals and needs of that particular situation. When criminals learn from previous investigation tactics, you adapt your modus operandi to outsmart the ones you are investigating at the moment. You don’t keep your crown jewels in the IKEA IVAR with the other commodities. A teacher adapts to his students. All these situations deserve a tailored solution. As with clothes, food, jewelry or art, tailored solutions are solely provided through artisanship.

So in short: no. Artisans aren’t some artifact from the dying professions, going against modernization. Even in a modern day profession like digital security, which is defined by scale and automation, artisanship still has its place — and a very important one.

[1] — Thiemann, L. Artisans of the world, unite. Den Haag, 2014.

About the author: Pepijn has an MSc in criminology and over 20 years' experience in cybersecurity. He has worked in commercial and nation-state environments, on both operational and strategic levels. Recently he co-founded Chapter8, which specializes in Purple Team security missions. Besides being a family man and fitness enthusiast, he is a cyber volunteer at the Dutch National Police.
