Many people identify with computers, seeing the screen's projection as a literal representation of reality in front of them. This abstraction happens because of language. People make meaning with computers because they can "talk" to them, both literally (through code) and figurately through symbol systems; think trash bins for digital disposal, or e-mail as an abstraction of physical mail. Computers have become ingrained in our lives, and there is no way of escaping the beast intertwined any longer. Nearly every ounce of our being is connected to the digital, so the computer must be secured.
Cybersecurity professionals are tasked with this daunting job, and while their first goal is security, they must understand the language of computers to secure them. While the technical language necessary for the computer side, interpersonal language is also a must to instruct people on how to use specific systems or mitigate threats preemptively. But what often happens is that professionals talk about risk and teaching how the language of phishing works by focusing on "indicators," such as bad spelling, fake links, or other markers, but not necessarily how the language functions. But even with education about these "indicators," phishing attacks still are successful. But while phishing is one way to compromise security using computers, it's not only done via computer. A computer is simply a tool, an attack vector for malicious language to transmit. Therefore if cybersecurity is concerned with securing computers, then it must also be concerned with language. Language then is where rhetoric comes in, as its primary focus is meaning-making through communication.
Unfortunately, rhetoric and cybersecurity domains don't often talk in a common language, leading to barriers in learning what each has to offer. There isn't a natural tendency to reach out to the other domain because rhetoric doesn't appear to have anything directly useful to daily operations in cybersecurity, and vice versa. The irony is that the disciplines are concerned with the same thing at their core – seeking to understand how and why things work the way they do – and would be a natural progression for the disciplines to interact. That's what the rhetsec_ project seeks to create: a common language to help facilitate the convergence of rhetoric and cybersecurity.
Because humans make meaning from communicating with a computer, and a computer needs to translate its language to be readable to someone interacting with it, we must understand how language itself is essential to both machines and humans on a fundamental level. Much like natural languages, the idea of identification and understanding is present in computer programming languages, with their structure inherently philosophical. Computers are created in our image, interfacing with (and for) us, and have converged into our understanding of spirituality. We anthropomorphize them with phrases such as becoming infected, naming calculations gone awry as a virus. We give them a semblance of personhood through language, both in how we communicate about and with them.
For instance, interpreters make "meaning" to the computer based on what's given in high-level code, translating it to machine language, and producing a program that a human can interface with and make meaning from. Essentially, it's the translation of abstract symbols into a formal (programming) language, something computer scientists and linguists would be familiar with through automata theory. A more easily readable example of this comes from Larry Wall, creator of the Perl programming language. Trained as a linguist, he's brought a unique perspective into Perl, using theories of natural language to influence how his programming language operates. Detailed expansions of Wall's ideas on natural language concepts in Perl are found on his homepage. We've designed them from the beginning to make communication nearly seamless for those willing to learn the language, crossing the barrier between machine and human with an interactive interface.
Security researchers seek to understand how human nature influences cyber attacks through behavioral science, psychology, and social engineering. They use these disciplines to examine how attacks are executed and how to prevent them, but I say that we need to go a step further and invoke rhetoric to help us understand how these communications work. To clarify that when I discuss rhetoric here, I refer to modern rhetoric, not the traditional "art of persuasion" rhetoric. While rhetoric does focus on appeals and persuasion, modern rhetoric goes further, examining how symbol-systems shape the way people interpret reality and make meaning. A symbol-system can be a multitude of things: the language you're reading this in, an ideological system like religion or government, or even something like bytecode. Understanding that a computer is a symbol-system that we interact with, the computer itself becomes rhetorical.
Knowing these symbol-systems are inherently influential, modern rhetoricians focus on two-way communication as opposed to a one-way influence on the intended party. Rhetoric seeks to actively engage participants in the public sphere while making meaning from those interactions to understand how language acts and shapes the world around it. If rhetoric is the act of meaning-making through language, rhetoricians can enhance the way that computers and cybersecurity are discussed and understood through the very act of rhetoric itself. By focusing on communicative practices in both offensive and defensive positions, this act enhances what's already available, and creates space for new studies. Digital rhetoric specifically seeks to understand this relationship between writers and audiences through digital media.
The convergence of rhetoric and cybersecurity must occur to clarify the miscommunication, which functions much like the trope of science versus humanities. Technical researchers and professionals are frustrated when they discover research from an outsider's perspective that makes evident the terminology isn't understood by the outsider. This misunderstanding creates issues of credibility within the technological sphere, as well as easy dismissal of existing outside research.
The humanities, in turn, are frustrated with the technical sphere's side's lack of nuance, and their nonacceptance of anything that isn't "logical." Even though security has an excellent technical understanding of how cyber attacks work, but also recognize that functional, technical knowledge is not enough to prevent them. Many defensive responses to cyber attacks (such as security awareness training programs) lack a deeper understanding of why the attacks work on a human level, with many seemingly made to check off a box during an audit. While some companies are looking to change that, many materials still are left with a lack of creativity in delivery, and the language can feel patronizing at best. It seems there is a glaring lack of contextual unawareness on both sides.
A tangible example resides in an article I found in Rhetoric Review discussing phishing in terms of terrorism and racial violence, suggesting we rename phishing to digital forgery so we can understand the motive behind it better. The problem is not with the cultural analysis, but that digital forgery is a collection of sub-fields within computer science, forensics, and cybersecurity. While digital forgery could be applied in some situations like clonephishing, as it is a forging of a legitimate email, it cannot be used as a generality. Phishing is aptly named as it functions as a fishing line cast in the form of a malicious email, hoping someone will bite; renaming phishing to something else serves no communicative purpose. Phishing documentation and training sessions even use the “line, bait, and hook” imagery – it describes how it’s working as intended. Here is a typical use example of the phishing imagery in action is from the Federal Trade Commissions’ infographic on protecting yourself from phishing attacks:
Even with the prevalent use of phishing as fishing, I can see why the author would choose to suggest renaming phishing to digital forgery without prior context on what digital forgery is. I tested my theory on contextual research by deleting the entirety of my Google search history, and running a web search for digital forgery after roughly two weeks of researching rhetorical theory-based subjects and other unrelated items. After I had decided enough time had passed, I performed a cursory web search and found data about digital forgery not related to cybersecurity at all; in fact, the links were related to physical forgery using a computer. While relevant, it was miscommunicative – I had to add the search term “cyber” to get relevant (and correctly defined) results. I had my husband test this theory as well, as he is a cybersecurity professional. Unsurprisingly, he received vastly different results directly related to security's definitions of digital forgery. Even cybersecurity resources online describe what the author was talking about as data forgery. In contrast, digital forgery includes things like SSL certificates, blockchain forgery, and can even encompass things seemingly “undigital” such as counterfeiting inkjet printers. Without being involved in the security discourse community, it's no surprise that the author was unaware of and unable to discover this specific delineation.
It's much like referring to a politician's "rhetoric" with the underlying implication that rhetoric is manipulative, untrustworthy, or inflammatory. This cultural definition is frustrating for people in rhetoric, and it damages the credibility of rhetoric to those who aren't familiar with it. Rhetoricians know that rhetoric is not merely a deception, but is about identification, meaning-making, and understanding communicative practices. Terminology is inherently discipline-specific when defining advanced terms, and so the difficulty in merging opposed fields is learning how to communicate cooperatively. This again reiterates the importance of a shared, common language as a bridge between two seemingly opposing (but incredibly alike) fields.
To combat these growing frustrations and create positive change in both fields, scholars must be willing to step in between domains to become experts in multiple domains. It's uncomfortable, and a lot of work, but the work is worth doing. If we could discover how to communicate between rhetoric and cybersecurity cooperatively, the potential for a deeper understanding of how cyber attacks work on both offensive and defensive sides creates more effective training for everyone, making all of us safer in the end. Rhetsec_ aims to establish a language about security that both groups of people can use for their benefit, whatever that benefit may be.