A computer screen's projection is a digital abstraction of reality, where we make meaning through talking with the computer both literally through code, and figuratively through symbol systems - think trash bins for digital disposal, or e-mail as an abstraction of physical mail. Even if you’re not particularly fond of them, or outright refuse to use them, computers are ubiquitous now, which opens up humans to inherent risk. Nearly every ounce of our being is connected to the digital whether we choose it to be there or not: personal details, health records, financial transactions we make with our credit or debit cards, photos and posts on social media, personal websites; this list could continue endlessly. The implication of this interconnection is that humanity is inherently at risk for being compromised. Therefore to protect ourselves, the computer must be secured.
Cybersecurity professionals are tasked with this daunting job. Technical documentation is necessary for record keeping, education, and so forth, but a softer and more interpersonal approach towards instructing people on how to use specific systems or mitigate threats preemptively is necessary. Switching language “codes” is difficult, and what often happens is that professionals talk about mitigating risk and how phishing works by focusing on indicators based on technical concerns such as bad links or spoofed Received-SPF - which is fine if you know what that even is. The end user you support may not how to find that, much less why opening a VBS file from an email from someone they trust is bad, or even know what a VBS file is. Some training focuses on functional language rules such as bad spelling and poor grammar. This is helpful, but doesn’t get at the root of how despite these indicators being visible, phishing works anyway because of how persuasive language functions. I like to think of a computer as a tool turned into an attack vector for malicious language to transmit. So if cybersecurity is concerned with securing computers, it must also be concerned with understanding language. And that’s where rhetoric comes in - language is rhetoric’s domain, making meaning through communication.
Unfortunately rhetoric and cyber security don't often talk to each other in a common language, if at all, leading to barriers in learning what each has to offer. There isn't a natural tendency to become interdisciplinary as rhetoric doesn't appear to have anything directly useful to daily operations in cybersecurity, and vice versa. The irony is that the disciplines are concerned with the same thing at their core – seeking to understand how and why things work the way they do – and would be a natural progression for the disciplines to interact. That's what the rhetsec_ project seeks to create: a common language to help facilitate the convergence of rhetoric and cybersecurity.
Because humans make meaning from communicating with a computer, and a computer needs to translate its language to be readable to someone interacting with it, we need to understand the common components of language between machines and humans on a fundamental level. Much like natural languages, the idea of identification and understanding is present in computer programming languages, with their structure inherently philosophical. Computers are created in our image, interfacing with (and for) us, and have converged into our understanding of spirituality. We anthropomorphize them with phrases such as referring to malicious code as being infected with a virus. We give computers a semblance of personhood through language, both in how we communicate about and with them, which only blurs the lines between the screen and the individual.
Even interpreters make "meaning" to the computer based on what's given in high-level code, translating it to machine language, and producing a program that a human can interface with and make meaning from. This provides the translation of abstract symbols into a formal (programming) language, something computer scientists and linguists would be familiar with in automata theory. In fact Larry Wall, creator of the Perl programming language, is trained as a linguist and that perspective is ever present in Perl, using theories of natural language to influence how the programming language operates. Detailed expansions of Wall's ideas on natural language concepts in Perl are found on his homepage. The creators of many programming languages seek to make communication with the machine nearly seamless for those willing to learn the language, crossing the barrier between machine and human with an interactive interface.
Security researchers seek to understand how human nature influences cyber attacks through behavioral science, psychology, and social engineering, examining how attacks are executed and how to prevent them. Rhetoric examines how symbol-systems shape the way people interpret reality and make meaning. It makes perfect sense then to invoke rhetoric to understand how these communications work in cybersecurity. A symbol-system can be a multitude of things: the language you're reading this in, an ideological system like religion or government, or even something like bytecode. Understanding that a computer is a symbol-system that we interact with, the computer itself becomes rhetorical.
Knowing these symbol-systems are inherently influential, modern rhetoricians focus on two-way communication as opposed to a one-way influence on the intended party. Rhetoric seeks to actively engage participants in the public sphere, while making meaning from those interactions, to understand how language acts and shapes the world around it. If rhetoric is the act of meaning-making through language, we can enhance the way that computers and cybersecurity are discussed and understood through that lens. By focusing on communicative practices in both offensive and defensive positions, rhetoric enhances what's already available, and creates a space for interdisciplinary studies. Specifically, digital rhetoric seeks to understand this relationship between writers and audiences through digital mediums, so why not the counter itself? It would be an excellent genre for other open-source and academic researchers to jump into, and I would personally enjoy the company.
Unfortunately, the convergence of rhetoric and cybersecurity allows for miscommunication when neither side is fully understood. Technical researchers and professionals can often become frustrated when they discover research from an outsider's perspective in a domain divorced from their own (such as the humanities) that makes evident the system isn't understood by the author, causing credibility concerns and easy dismissal of the research. Humanities researchers, in turn, are frustrated with the technical sphere's lack of nuance, and their nonacceptance of interpretations that isn't "logical" when relating to logical concepts.
Security has an excellent technical understanding of how cyber attacks work, but can fail to recognize that functional, technical knowledge is often not enough to prevent them. Many defensive responses to cyber attacks, specifically security awareness training programs, lack a deeper understanding of why the attacks work on a human level. Some companies are looking to change that through the inclusion of psychology, sociology, and other sciences of the mind, but they still lack the context of the humanities - of what it means to be human. Security awareness must be made with educating the end user in ways that they can understand on a level familiar with them, instead of as a training session to fulfill an audit requirement.
But rhetoricians are not immune to this lack of context, either. An article in Rhetoric Review discusses phishing in terms of terrorism and racial violence, suggesting we rename phishing to digital forgery so we can understand the motive behind it better. The problem is not with the cultural analysis, but that digital forgery is a collection of sub-fields within computer science, forensics, and cybersecurity. While digital forgery could be applied in some situations like clone phishing, as it is a forging of a legitimate email, it cannot be used as a blanket term because it already is in use for the actual domain of digital forgery. Phishing is aptly named as it functions as a fishing line cast in the form of a malicious email, hoping someone will bite; renaming phishing to something else serves no communicative purpose. Phishing documentation and training sessions even use the “line, bait, and hook” imagery – it describes how it’s working as intended. A tangible example resides in an article I found in Rhetoric Review discussing phishing in terms of terrorism and racial violence, suggesting we rename phishing to digital forgery so we can understand the motive behind it better The problem is not with the cultural analysis, but that digital forgery is a collection of sub-fields within computer science, forensics, and cybersecurity. While digital forgery could be applied in some situations like clonephishing, as it is a forging of a legitimate email, it cannot be used as a generality. Phishing is aptly named as it functions as a fishing line cast in the form of a malicious email, hoping someone will bite; renaming phishing to something else serves no communicative purpose. Phishing documentation and training sessions even use the “line, bait, and hook” imagery – it describes how it’s working as intended. Here is an example of this phishing imagery in action from the Federal Trade Commission:
The author’s decision to pick the name digital forgery is well meaning, and an easy decision, because he likely was lacking context on what digital forgery actually is as a rhetorician. I noticed this in my own research when I began, because the segregation the academic domains through algorithms is very noticeable when you’ve spent many years giving Google your search preferences. I tested my theory on contextual research by deleting eight years of Google search history, and running a web search for digital forgery after roughly two weeks of researching rhetorical theory. After I had decided enough time had passed, I looked up digital forgery again the results were related to physical forgery using a computer. I had to add the search term “cyber” to get results which matched true digital forgery. I had a cybersecurity engineer test this theory by searching “digital forgery” and unsurprisingly, he received results directly related to digital forgery. The lack of context from the author is because he likely did not see his results describe what data forgery is, or how digital forgery includes things like SSL certificates and blockchain forgery. But without being involved in the security discourse community, it's no surprise that the author was unaware of any of this, and unable to discover this information simply because of what he’s researched in the past.
It’s like referring to a politician's "rhetoric" with the underlying implication that rhetoric is manipulative, untrustworthy, or inflammatory. This cultural definition is frustrating for rhetoricians, as it damages the credibility of rhetoric and creates barriers for understanding. Rhetoricians know that rhetoric is not deception, but persuasion - those two concepts are very different. Rhetoric focuses on identification, meaning- making, and understanding communicative practices. Outsiders do not know this, because they are not exposed - much like the above researcher trying to dip his toes into phishing. Terminology is inherently discipline-specific when defining advanced terms, so sharing concepts becomes equivalent to learning a new language to communicate. While incredibly difficult for each side, a shared, common language is the interdisciplinary bridge fundamental for understanding each other.
To create positive change in the relationship between cybersecurity and rhetoric, scholars must be willing to step into both domains and become experts. It's uncomfortable, and it’s a lot of work, but the work is worth doing. My theory of rhetorical security, or rhetsec, aims to establish a language about rhetorical and security concepts that both groups can use for the greater good. Rhetorical security starts by examining phishing methodologies and mitigation strategies of bulk phishing, clone phishing, malspam, personal solicitation, and spearphishing through the lens of rhetorical appeals, with the goal of expanding into other attack vectors in the future to create this interdisciplinary framework. If we can create a shared language between rhetoric and cybersecurity, the potential for a deeper understanding of how cyber attacks work on both offensive and defensive sides is rich with opportunity. We can develop more effective training for everyone, making all of us a little safer in the end.