
Today we go on a different kind of hayride.

It is October, after all; there’s a new crispness to the air, a thinness to the world’s veneer as we move towards the death of 2023, and to 2024 being born of its cold ashes. Fears carve our masks – which may be why the best ones elicit quiet discomfort before laughs and merriment. Consider Poe’s “Masque of the Red Death” in its juxtaposition of horror and joviality: in the magnificent ball that takes place amidst a furious pandemic outside the compound, “There was much of the beautiful, much of the wanton, much of the bizarre, something of the terrible, and not a little of that which might have excited disgust.” Revelers convinced themselves the masks they wore encompassed and controlled their fears until the moment they realized the mask was the walls raised around them, the illusion that those walls were enough, and the mistaken impression that the people could know the nature of their peril.

Could it be the same for cybersecurity? 

Vincent Price in Masque of the Red Death, 1964.

“Let us call the world in which we live,” writes philosopher Eugene Thacker, “the world-for-us. This is the world that we, as human beings, interpret and give meaning to, the world that we relate to or feel alienated from…” Thacker goes on to posit two more worlds: firstly the world-in-itself, the parts of reality that often “bite back” against attempts to mold it into the world-for-us. The world-in-itself represents a kind of paradoxical thought horizon. It’s that part of our world accessible by methods like scientific inquiry, and manifested in natural disasters, but in thinking and acting on it people fold it into the world-for-us; otherwise we would not be able to work with, or in, or on, or around it.

But Thacker, in his delightfully spooky approach perhaps best referred to as Cosmic Pessimism, then proposes a third world beyond this human limit: the world-without-us. It is “the subtraction of the human from the world” in a clinical sense; it cannot coexist with the world-for-us, as the world-in-itself can. The world-without-us is defined by “characteristics not accounted for, that are not measured, and that remain hidden and occulted. Anything that reveals itself does not reveal itself in total.” This remainder is the world-without-us, “moving the scale of things out from the terrestrial into the cosmological framework.” 

This is where the “cosmic” kicks in as part of Thacker’s Cosmic Pessimism. The world-without-us represents a hard limit of human understanding on a whole-reality scale, beyond which it operates occulted and unfathomable. How then, do we approach it?

I remind you, reader, that October is here and gourd-carving, fright-watching, and spook-planning have begun.
Suggests Thacker, a dark twinkle in his eye, “‘horror’ is a non-philosophical attempt to think about the world-without-us philosophically.”

Certainly a short story about an amorphous, quasi-sentient, mass of crude oil taking over the planet will not contain the type of logical rigor that one finds in the philosophy of Aristotle or Kant. But in a different way, what genre horror does do is it takes aim at the presuppositions of philosophical inquiry – that the world is always the world-for-us – and makes of those blind spots its central concern, expressing them not in abstract concepts but in a whole bestiary of impossible life forms – mists, ooze, blobs, slime, clouds, and muck. Or, as Plato once put it, “hair, mud, and dirt.”

As the days grow shorter and light dims, cold creeping across our part of the world-for-us, and we spend the month telling tales that skirt the boundaries of our understanding and existential comfort, I propose something similar: that our attempts to understand cybersecurity as a discipline fall short because we approach it as an element of the world-for-us or world-in-itself, when large territories within cybersecurity hold fast in the cosmic scale and horror of the world-without-us.

“Whereas traditional occult philosophy is a hidden knowledge of the open world, occult philosophy today is an open knowledge of the hiddenness of the world,” Thacker playfully intones, and what better description can there be of our professional discipline? We have sought to measure, define, and encompass for decades; we open-source our Indicators of Compromise (IOCs) and tactics, techniques and procedures (TTPs) enthusiastically; and yet the phantoms grow larger, the quasi-sentient amorphous blobs only more active. Thacker then arranges the juxtaposition of magic circle and magic site; the former meant to protect the user as one explores this world-without-us, much like a sandboxed workstation of Lovecraftian import, a bubble of humanness confronting the non-. Magic sites, in comparison, are the inhuman or even the nonhuman, a limited and liminal space whereby we catch glimpses of the world-without-us and what it may hold. In one sense, the magic site is hostile territory; in another, merely entirely indifferent. The comparison serves a distinct purpose: experimenting and exploring and discovering how to live in and as a part of such hiddenness.

Scholar Thomas Rid took a similar approach in his book Cyber War Will Not Take Place.

In a much-noted 1981 study, Fantasy: The Literature of Subversion, Rosemary Jackson highlighted the critical and subversive potential of fantastic literature. The fantastic, as Jackson saw it, may trace the unsaid and the unseen of a society’s cultural and political established order, that which has been silenced, concealed, and covered. Telling a story within the bounds of the rational and the accepted would imply using the language of the dominant order, thus accepting its norms and contributing to keeping the “dark areas” covered by the dominant discourse.

The parallel and oft-intertwined threads of hiddenness, subversion, and discovery must again be strummed like a dissonant harp to make important progress, challenging the dominant paradigm like an electric candle in the immeasurable dark.

Occult fiction of the early twentieth century dove into this problem with eagerness and novelty. William Hodgson’s famed Detective Carnacki originated the Electric Pentacle around 1910 – modernizing the candle-arranged magic circle with the newly spreading technology of electricity grids. With such tools and modern thinking, with scientific rigor and steel-eyed curiosity, Carnacki goes spelunking in some of the darkest areas of the world-not-for-us with cosmically horrible results. Most information security researchers and hackers will find such traits familiar, as they will the rituals: find a quiet place, attend to the sequence of lighting the candles or LEDs in the proper way, sprinkle salt and other failsafes around the working area, and then begin The Working. 

And if you find yourself in too deep and surprised by demons, whether they’re yours or others’, that is sometimes the price of the hiddenness exploring you back.

But again, we are mistaking the nonhuman for human. How do we work with concepts arguably beyond our comprehension, as H.P. Lovecraft so often described his monsters?

Consider Thacker’s approach to demons: anthropological demons as revealing human nature to humans, but just as importantly, the mythological demon as an attempt to reveal the non-human to the human.

Dante’s second circle of hell provides a great and terrible illustration in an infernal storm that,

“…eternal in its rage,

sweeps and drives the spirits with its blast;

…with never any hope to comfort them – 

hope not of rest but even of suffering less.”

This storm is no backdrop but a demon in itself; “invisible and yet dramatically manifest, coursing through the swarming bodies of the damned.” Current circumstances in information security feel directly on-point; the tempestuous winds and tumult of breaches across the public and private spectrums as winds toss us and our data to and fro; in fact, the dire state of data brokering intensifying the insult as we lose hope of both rest (reprieve from the breach environment) and suffering less (exerting any kind of agency over personal data produced in the digital world-for-us; or, is it?). Vulnerable not only to a spear-wielding imp, but in this case to the “strange, immanent, and fully distributed” foul wind that is otherwise imperceptible. “…Fully immanent, and yet never fully present.”

Neither Thacker nor Dante own this corner, though. In his foreword to the anthology Fiends In The Furrows II Andrew Michael Hurley relays an attempt by Adam Scovell to provide a framework for the elusive genre of Folk Horror:

… [Scovell] does attempt to establish a framework and proposes the idea of a Folk Horror “chain” that links works that might belong to that category by four essentials. The first—a landscape, “where elements within its topography have adverse effects on the social and moral identity of its inhabitants”—often goes on to inform the others, namely: “isolation”, “skewed belief systems and morality” and a “happening/summoning” (usually of something malevolent).

Folk horror as a genre is often primitively agricultural in scope; and yet what more accurate take on the current cybersecurity threat environment can we find than a landscape (the digital world) where elements adversely affect the social and moral identity (of users) in the context of isolation and a summoning? One need not attend DEF CON’s Misinformation Village or gauge the fatigued nihilism of security thinking to understand that forces beyond our sight continue to warp the landscape and alienate us both to the landscape itself and other aspects of modern life.

Still image from 1973 folk horror classic film The Wicker Man.

It is no surprise that horror holds many parallels for an industry wrestling with cosmic-level mathematics at the same time that it attempts to understand and mitigate cruelty and indifference. But scientific inquiry tells us that despite our good intentions of objectivity, the subjective remains ever-present; and not only does measuring change the thing measured, but it changes us as well. Author Indrapramit Das says much the same in his story Breaking Water, in which zombies have arisen and are part of the current landscape:

As Krishna bussed across the city and back toward Babu Ghat, he saw the world as it always was but now a different place. The air you breathed felt different, when you knew the dead walked somewhere.

Certainly our outlook as security professionals is similarly affected. Even something as fundamental as breathing feels different in a world where the more you peel back the hiddenness, the more occulted corners become just another day’s work. Like the homicide detective watching her daughter prepare for a party and worrying about the acute horrors of the world, many of us daydream of the unpatched mail server, the outdated ATM machine, the vulnerable social media platform. We cannot help but breathe in the digital vapor all around us in a different way, a hitch in our lungs that begins in our mind’s eye.

Of course, zombie allegories abound in information security – zombie servers left to rot online becoming purveyors of disease and active decay, zombie applications shuffling onto unprotected systems as free image software or coupon deals only to be found carrying deadly parasites to the core of our social, financial, and recreational lives. Botnet hordes overrunning targets that blink just for a moment.

But even viruses and vulnerabilities, digital artillery of the most intangible sort, carry their own undead curses onto the area of operations. Army engineer Marcus Sachs, an initial member of Joint Task Force – Computer Network Defense (JTF-CND) founded in 1998 to defend military networks, made the point excruciatingly clear to journalist Kim Zetter as recounted in her book “Countdown To Zero Day”: ‘A cyberweapon was the “type of weapon that you fire and it doesn’t die. Somebody can pick it up and fire it right back at you,” Sachs says. “That was a very strong motivator to not do this.”’ We see how that has unfolded with Stuxnet and similar – the undead hunger of malicious code.

We must not ignore the place of the user in this landscape as well; security professionals educate them where possible, and not always effectively; and better design is needed for systems vulnerable to user negligence or malice – which is to say, all of them. However, we must leave no bloodied stone unturned today, and in that context the very human rush to get a good deal or acquire property that provides status or sets one apart is a very useful demon indeed. Dopamine and cortisol – pleasure and stress – can make us into the unthinking, consuming mob before we realize it. And of course the more malevolent actors in the landscape quickly adopted the diabolic pioneering work of dark patterns by corporate user interface experts to fool us into taking each next bite.

It is worth noting here George Romero’s 1978 horror classic “Dawn of the Dead” – survivors struggling in a barricaded shopping mall – in its statements on humanity, inhumanity, security, and consumerism. 

It is further worth noting that Romero encountered no objections filming in a mall without taking extra steps to disguise brands, but amidst the 2004 remake not a single brand would give permission to appear.

Movie poster for Romero’s original Dawn of the Dead.

Why not shamble, then?

Why do we cybersecurity folks spurn the stumbling hordes and subject ourselves to an unending series of vaporous, ephemeral horrors that we’re rarely able to strangle in righteous quiet and light of day?

Paul Piff of UC Irvine makes a career out of the psychology of awe, studying it in the context of human groups as well as solitude. In the process of those studies Piff has, as Akiko Busch related in “How To Disappear,” found that awe “generates a sense of altruism and that transcendent experience connects us to a sphere outside of ourselves, taking us from self-interest to a sense of greater inclusion in the human community.” Across multiple professions I have never encountered a community like that of Information Security practitioners; it has its lows, of course, as any profession or community does. But the altruism involved is undeniable, especially when you see groups of unassociated hackers get together on social media with no other connection than an interest in solving the problem and protecting folks from harm.

This springs from an often unremarked-on sense of awe we acquire from the problem; from the landscape, alienated as we are, watchful or nihilistic, staring grimly from over a coffee mug or energy drink can. The security problem is one of the world-without-us; it operates at such scale and inevitability that it can only be considered a cosmic horror, but with the intangibility of a demonic wind at once disastrous and hollow, ever-influencing but never present. In his “Groundwork Towards A General Theory Of Horror,” academic Jeremy R. Smith succinctly defines “the embodiment of horror: to be outside of ethical and political responsibility.” Where do threat actors inhabit, and where do we follow?

Working and understanding and theorizing right on that border – or past it – is the work of cybersecurity, and much as cursed mathematics lead Lovecraft characters to paths outside the world-for-us or even world-in-itself, so does cursed computer science, and the trip cannot but instill a sense of awe.

And from there we continue to look, and act – as Rilke put it and hacker-researching anthropologist Gabriella Coleman borrowed, “blooming most recklessly; if it were voices instead of colors, there would be an unbelievable shrieking into the heart of the night.” What is security work but venturing into that ear-splitting occulted night, perhaps to find an ill-starred screeching modem; perhaps to shriek ourselves.

Works Cited

bagley, s.j. Ed. and Strantzas, Simon Ed. (2016). Thinking Horror. TKHR.

Busch, Akiko. (2019). How to Disappear. Penguin Books.

Coleman, E. Gabriella. (2012). Coding Freedom. Princeton University Press.

Neal, David Ed. and Scott, Christine Ed. (2020). The Fiends in the Furrows II. Nosetouch Press.

Rid, Thomas. (2013). Cyber War Will Not Take Place. Oxford University Press.

Thacker, Eugene. (2011). In the Dust of This Planet. John Hunt Publishing.

Zetter, Kim. (2014). Countdown to Zero Day. Crown.