As a tech editor who apparently hit the glass ceiling, perhaps my only value to the industry is reminding people what words mean. Usually that is done for the author before something is published but it is clear the industry could gain some value this time. With the terms “bully” and “bullying” being thrown around more liberally recently, it is important to remember what it really means. Like most words in the English language, that answer varies greatly. Not only with historical changes, but with social changes as words are used, reused, and co-opted. Let’s start with what Google tells us!
According to stopbullying.gov, the definition is:
Bullying is unwanted, aggressive behavior among school aged children that involves a real or perceived power imbalance. The behavior is repeated, or has the potential to be repeated, over time. Bullying includes actions such as making threats, spreading rumors, attacking someone physically or verbally, and excluding someone from a group on purpose.
Some readers are certainly homing in on this definition while glossing over an important qualifier. We are not “school-aged children” despite often acting like it on Twitter. This definition is custom-written to be suitable to kids in school that face bullies. Next up, Wikipedia defines it as:
Bullying is the use of force, threat, or coercion to abuse, intimidate, or aggressively impose domination over others. The behavior is often repeated and habitual. One essential prerequisite is the perception, by the bully or by others, of an imbalance of social or physical power.
Those same readers may now be homing in on this definition based on the last line, but it is important to note that is a two-way street. If we can arbitrarily call it “bullying” solely based on one side’s perception, then we’re all equally guilty of bullying. If I call you a jerk, and you call me an ass in return, we are both potentially guilty of it. In reality, I think we can all agree that is a bit absurd. I think if you drop that last line and focus on the first two lines the definition is pretty good, especially given the next choice. According to the dictionary:
- 1 (archaic): sweetheart or a fine chap
- 2a : a blustering browbeating person; especially one habitually cruel to others who are weaker
- 2b : pimp
- 3 : a hired ruffian
- bully verb
- : to frighten, hurt, or threaten (a smaller or weaker person)
- : to act like a bully toward (someone) to cause (someone) to do something by making threats or insults or by using force
- transitive verb
- 1 : to treat abusively
- 2 : to affect by means of force or coercion
We can certainly agree that the archaic definition isn’t what anyone means when using the term. Similarly, a pimp or hired ruffian is probably just as archaic and not intended. Focusing on the rest you have a variety of definitions that range from “treat abusively” to the more dominant that includes the purpose of the activity. The words threat, force, and coercion appear more than once in the definitions above and are the crux of what bullying is about. Everyone who is now equating the term “bullying” with anything less than a malicious, sustained campaigns of hatefulness with the intent of coercing/threatening is the worst sort of cowardice and dishonesty. They are doing a disservice to society and themselves.
Someone stating their opinion is just that. Calling someone a name or insulting them over appearance or action makes them an ass, nothing more. They aren’t trying to coerce you, they aren’t trying to force you to do something, and they aren’t threatening you. In this country they are simply exercising their first-amendment rights. As such, you have the right not to listen to them. If someone on Twitter is saying something you don’t like, stop following them. If they are including you in the messages, block them. Add their Twitter ID to a filter so it helps ensure you don’t read anything to, from, or about them. Remember, it is a push medium that you opt into. By using the service, by following people, by subscribing to lists, or by searching for specific words, you are specifically choosing to read it.
Cliff notes for the rest of you. Simple name calling or stating opinion on Twitter is not bullying, even if it is mean and you don’t like it. Those using the term in such a fashion are the real bullies here; they are capitalizing on a social stigma and social movement to brand what has been our way of life for hundreds of years as some new form of persecution. You are trying to use social pressure to coerce us into changing our behavior. Worse, by equating simple insults and jabs as bullying, you make it harder for those who have truly been bullied to be believed. Sorry, I won’t cave into bullies, something your crowd keeps telling us to do ironically enough.
To finish this post, I want to answer a question put forth by someone crying “bully”:
Can my daughter take criticism? Yes but not publicly. You got to have a pretty tough skin to be able to take criticism publicly. Most of us don’t have that tough skin. I think that’s good because that usually goes hand in hand with compassion. If I had to choose only one thing missing in this InfoSec community, it would be compassion. The nonconstructive criticism is so public and so vicious that you end up missing that one nice person who is trying to offer the constructive criticism that could really make a difference. And that’s sad. That person who is trying to help gets lumped in with the naysayers, and no one benefits. Is this really the InfoSec community you want?
Yes! That is exactly what I want the industry to be. More importantly, that is exactly the type of industry our society needs. There are two aspects to this, and one of them is so entirely simple, but seems to be missed time after time.
First, the InfoSec industry has two fundamental sides; those who break things (attack), and those who fix things (defend). The entire attack (a.k.a red-teaming, tiger teaming, vulnerability assessment, or offense) side of it is built itself on the act of tearing others down. When you perform a penetration test, you are showing how the programmers and/or IT staff have failed in some way. In some cases, you are taking years of their work and shitting all over it in a PDF or by PowerPoint with pretty colors. That million lines of code to perform incredibly complex actions to make a seamless experience for their paying customers? You tell them it is Swiss cheese, that it shouldn’t be on a production network, and that they must go back and make it better while flippantly giving them the oh-so-helpful remediation instructions of “sanitize user input“. You get paid, handsomely even, to do just that day in and day out. Did you develop software that makes that process easier? Then you are facilitating colleagues so they can more easily tear down the work of other people. This is a simple fact and how our industry operates. You are offering what you think to be constructive criticism. The developers and admins receiving the report do not think it is constructive. You are a “naysayer” and yet both sides benefit ultimately. The notion that “no one benefits” is absurd.
Second, the more emotional answer. Our industry, and society at large, need more people that are not afraid to speak their mind, tell the truth, and demand better from everyone. That is how things get fixed, and that is how we improve as a society. Your friend being a douche-nozzle? Do you think they intend to act that way? No, so you tell them in whatever terms are needed so they stop acting like one. Your customer running insecure software that would allow little Bobby Tables to expose all of their client data? You tell them so they can fix it. Your report can soften the blow a bit, but ultimately you are telling them they have failed in a spectacular fashion. This isn’t some circle-jerk hug fest. This is an industry largely based on critique, which is a vehicle to improve.
When your day job is based on leveling criticism at other people, it is your responsibility to be able to take criticism. If you release software to the world, you are a vendor so to speak. Someone reporting a vulnerability in your software is not them “picking on you”. That is them making a sincere effort to help you improve your software, just as you are trying to help your customers (or students) improve. If you don’t understand how these are fundamentally the same, then you don’t belong in this industry. That is not a threat, force, or coercion. That is a fact.