For many years, terms such as “blacklist” and “whitelist” were commonly used within cybersecurity and infosec circles to simply designate what person or application had access to a system or network (and which ones were denied).
In the wake of months-long, nationwide protests over issues such as racial injustice and police misconduct, the cybersecurity and infosec communities are having their own debate over terms such as “black” and “white” and what those connotations mean. Is it now time to change the terminology of security to make the industry much fairer and a more inclusive community?
Some of these issues have already bubbled up to the surface.
In late April, just as protests in the U.S. and elsewhere were building, the U.K. National Cyber Security Centre, which is part of the British intelligence agency GCHQ and runs that nation's incident-response team, published an announcement that it would now use the terms “allow list” and “deny list” in place of the more traditional whitelist and blacklist.
In June, Cisco Talos, the threat research arm of Cisco’s security division, announced a similar measure.
“While we acknowledge it is a small change, Cisco Talos is moving to replace our use of the terms ‘blacklist’ and ‘whitelist’ with ‘block list’ and ‘allow list,’” according to the Cisco Talos team. “Even though these terms are commonly in use in the security industry, we will not go along with casually assigning positive connotations to ‘white’ while assigning negative connotations to ‘black.’”
There’s even a debate brewing over whether one of cybersecurity’s most recognized events—BlackHat—should change its name to reflect the broader debate. In early July, David Kleidermacher, the vice president of engineering at Google who oversees Android Security and the Google Play Store, announced he was withdrawing from a scheduled talk to spur the infosec community into using more neutral terms.
“While many people will rightly claim they never consciously associated such terms with racism, the reality is that words matter, and these words perpetuate the notion of ‘white’ as ‘good’ and ‘black’ as ‘bad,’” Michelle McLean, vice president of product marketing at security firm StackRox, told Dice. Her company has also started using more race- and gender- neutral terms such as “allow list” and “deny list.”
“Linguists have long made a compelling case that words directly shape our consciousness and our reality, so we need to take steps like removing such racist terms from our technical vocabulary as a small part of a much larger effort needed to create positive environments and opportunities for Black and other underrepresented people in tech,” McLean added.
While it might seem that the IT, developer and security communities have only recently started debating word choices such as whitelist and blacklist, as well as “master” and “slave,” concerns over the use of these terms and what they mean have been part of the discussion for some time.
In 2018, for example, two Irish scholars published a research paper addressing “widespread use of racist language in discussions concerning predatory publishing,” including the terms blacklist and whitelist.
Thomas Hatch, CTO and co-founder of security firm SaltStack, believes that not only do more modern and race-neutral terms help eliminate racist language, but they also offer clearer definitions of what security should mean to an organization.
“In the past, most of us did not consider the connotation within the terms whitelist and blacklist. We just thought about them as standard computing terms,” Hatch told Dice. “However, moving away from using terminology that has originated specifically from such inhumane practices is positive for the security industry as well as other industries. It has been refreshing to see this trend sweep through tech.”
A More Perfect Future
While the debate over terms such as blacklist and whitelist has really only started, and not everyone may feel the need to change these, Heather Paunet, vice president of product management at security firm Untangle, believes that eliminating certain terminologies now can pay off down the road by making cybersecurity and infosec more inclusive and respectful of the talent it wants to draw on.
“‘Blacklist’ and ‘whitelist’ are terms that needed to be learned by newcomers to a security company, or security product, because it’s not clear when you first come across them what they mean,” Paunet said. “Using terms where it’s obvious what they do will make for easier to understand security solutions, as well as promote a culture of not going along with the use of terminology that promotes positive or negative associations with the colors ‘black’ and ‘white.’”
StackRox’s McLean also believes that updating the words the industry uses can help change the culture, making cybersecurity a more attractive career for many more talented people from diverse backgrounds.
“The security industry will only benefit from being able to tap into a larger and more diverse talent pool as we work together to protect critical applications and infrastructure,” McLean said. “Thinking more broadly creates better solutions, and the security industry needs that talent tool more than ever.”