CrankySec

There is no "community"

The jumping-off point of this post is what happened to Chris Krebs, and how the "community" reacted to it. I don't want to dwell on this particular case because a) a lot of people who are smarter and more eloquent than me have already done that, and b) it's not surprising at all. What I do want to talk about, though, is the whole "community" thing, and why expecting for-profit businesses to stick to principles is a recipe for disappointment.

Let's start with the whole concept of there even being some sort of cybersecurity community: there isn't one. There are many communities that formed around the subject, but to think there's one big fraternal order is just silly. Like everything else in society, there are in-groups and out-groups, and to pretend otherwise is disingenuous. And that's not even a problem, I don't think: some people have more affinity with some people than others. That's just society in the broader sense of the term. The same way people don't take the "we're all family here" bullshit from their employers seriously, folks should understand that "the cybersecurity community is very close-knit" is also a stretch.

Go to any cybersecurity gathering or conference by yourself and see if anyone will go out of their way to show you around, introduce you to people, invite you for a drink, or anything along those lines. Highly unlikely. Go to DEF CON and ask a goon where the bathrooms are, and they will tell you "do I look like a fucking information kiosk?" (true story). Do the same with a goon you've known for 20 years, and they will not only point you to the bathroom, they will take you there, buy you a beer on the way, and introduce you to Jeff Moss. That's just how interpersonal relationships work: interactions with people you know are obviously different from interactions with people you don't know.

It's hard to break into a community that's already established. And it's also hard to be welcoming when you're in a community that's established because you don't want to disrupt the prevailing dynamics. We can try, and we can tell everyone that our community or industry or whatever is "welcoming" and "friendly", but there's no way to simply will that into being true. In-groups and out-groups will always be there, and being a newcomer is usually a very stressful proposition.

Sometimes this goes to the extreme, and you see the in-groups actually being hostile to newcomers for many reasons and all kinds of phobias and -isms. One time, as an adult, I tried to wedge myself into a conversation between a group that was ostensibly "welcoming" only to get some version of "you can't sit with us." It bothered me some, but you won't know if you belong and/or are welcome if you don't try.

This industry is also very fond of "conditional acceptance." This is where you "accept" new people if, and only if, they have the right credentials and qualifiers that may or may not be some moving goalposts. Again, nothing exclusive to our industry, but it is something that happens a lot in our industry: you are welcome if you are XYZ, or have done ABC, or know person Z.

Being truly, fully welcoming is hard, and, sometimes, not even desirable because it opens the group to bad actors and you don't want to let your group implode for the sake of being welcoming. Groups are weird as shit.

I can probably say that our Discord is very welcoming, and I make a point to personally interact with newcomers if they choose to interact with the group. Some people won't even try to interact, and that's totally fine, too. I completely understand the anxiety, but I am telling you right now that I will go out of my way to make you feel welcome there. The link is in the footer.

Anyway, going back to the beginning: the Chris Krebs situation was just an example of people belonging to groups that overlap a little bit picking one group over another when those groups are at odds and they have to pick one. All the cybersecurity companies saying "We don't have anything to say about this situation" are just being true to their main in-group: for-profit companies that don't want to upset a big current or potential buyer. They are, first and foremost, part of that "community", and they happen to be involved in cybersecurity. Solidarity is happening there, just not with the people in cybersecurity.

Building a community is hard, and maintaining esprit de corps within said community is even harder. It is not reasonable to expect cohesiveness and solidarity amongst a gigantic group like "the cybersecurity community." It's too big of a tent for everyone inside to pull in the same direction.