To understand why and how we hope to make a dent in the universe we think it’s important to understand our perspective on how we see the world and to know how we have come to be where we are. This background gives insight into our raison d’être – the why of our existence.
The rate at which technology is changing our world is faster than our ability to adapt to that change through our society, culture and humanity. The adoption of computerization and digital connectivity is pervasive, yet we are by-and-large still struggling with the issues these technologies bring. Large gaps have emerged in our shared understanding of social norms and contracts. We no longer need to ask whether our current technology is capable of doing a thing; instead we must begin to ask ourselves whether a thing ought to be done at all.
We are not necessarily in the midst of an unprecedented shift; we are simply in an unfamiliar situation. New technologies continually alter our society, culture and humanity as we humans develop and improve them. From time to time technology alters us at a rate faster than our ability to cope with the change it brings. We are in such a period now. In 100 years our era will look like the clumsy growth spurts of adolescence and many of the issues we are today wrestling with will be resolved. How long it takes us to emerge from this awkward age is up to us. We hope the world acknowledges and addresses the situation we are in, rather than prolongs our struggle to cope.
One part of coping with our new reality is the intersection of software-enabled, always-connected devices with public safety and human life. Our interdependence on software and connectivity has grown faster than our ability to safeguard these technologies. No one is rising to meet these challenges. The cavalry isn’t coming. We are the domain experts and we are the adults in the room. It falls to us. We Are The Cavalry.
When issues in computer security intersect humanity they become issues in public safety and human life. We are rapidly introducing computerization and digital connectivity technologies into our homes, cars, medical devices and our public infrastructure. We must ensure that the trust we place in the technologies we increasingly depend on is justified; that the benefits they promise greatly exceed the risks they pose.
We have seen the mass market adoption of new technology bring security issues from our offices into our family lives. As our hobbies and our passions became our careers, computer and information security professionals have become increasingly frustrated and disillusioned with our capabilities to prevent, detect, respond to and recover from security issues. We must not allow failures in protecting business computer systems to follow us home to the technology that surrounds us.
The Cavalry as a namespace and a group was launched at two computer security conferences in Las Vegas in 2013. The ideas and momentum, though, have been building for years.
On August 2nd Josh Corman and Nick Percoco presented at BSides Las Vegas and later that weekend at DEF CON. The goal of those presentations was to attract like-minded security professionals at the conferences and to start to see where a movement like The Cavalry could go. The message was that the widespread adoption of computerization and connectivity is affecting our body, mind and soul. These technologies have the ability to affect human life and public safety – our body – when applied to the Internet of Things, cars, medical devices, etc. The many cases in recent memory where security research has been criticized and where researchers have been criminalized were seen as a threat to our mind. And the effect on our soul comes from the way these technologies have transformed law enforcement and oversight capabilities, without an equivalent discussion, re-envisioning or change in the common idea of our social contract or constitutional values. This nascent version of The Cavalry message attracted dozens of like-minded security professionals, journalists, researchers and policymakers.
In late September at Derbycon, the first (that we know of) Hacker Constitutional Congress was held. Over two days security professionals crowded into a room in Louisville, Kentucky to learn about the message and to help define and shape the movement. Many of those in attendance had traveled to the event just to attend this meeting. During this event The Cavalry message was refined to focus on the body component as we came to understand that the mind element would follow from demonstrated good done by security research, and that many other groups were already taking necessary steps to address the soul issues.
Over the next few months we continued to refine the message; at the same time the number of people involved grew rapidly. We took the message, through talks and workshops, to Bluehat – a private event held by Microsoft; to Shmoocon – a premier information security conference in Washington DC; and to OWASP AppSec USA and California conferences, attended by highly technical web application security professionals.
In February 2014 The Cavalry went to San Francisco for two security conferences: BSides SF and RSA Conference. At BSides SF The Cavalry had use of a room for two days, during which we held media training, debriefed lessons learned from talking with lobbyists and legislators, and worked to refine the message again with members of the security committee. The RSA Conference provided The Cavalry exhibition floor space, three speaking slots, volunteer badges and space on their website. The turnout for both events was high, as was the value of the conversations and interactions.
The Cavalry movement is still in its infancy. In less than a year it has gone from conception and birth to talks and discussions. The most exciting times come next. These activities are already in progress and we will be talking more about them soon.
Instantiation. In order to put the ideas and discussions into action and get results, we need to have a legal entity. This entity presents a consistent, visible point of presence for others to approach, get information, facilitate interaction, make connections and carry out other types of tasks. Establishing this entity also allows for financial transactions so there is a way to fund the work that ultimately will lead to achieving our goals. There must be at least one formal legal entity, though there can be several with different missions, goals and funding models.
Promoting Research. The formative philosophies and ideas for The Cavalry revolve around security research. One of the goals and missions of The Cavalry is to see high quality information in use by decision-makers. The way to that leads through coordination, generation, publication, public discussion, scrutiny, refinement and application of research. In the realm of security research, technical assessments only go so far – we will need to promote research on policy, law, prior work, economics, medical efficacy, usability and many other fields.
Advice and Guidance. To ensure the safety of devices that have the potential to affect human life and public safety, manufacturers need our input. This can be in the form of white papers, consultations, think tank sessions, working groups or other activities. This type of work is what makes the research actionable so that necessary changes can be made to all types of systems that exist – technical, oversight, social and others.