NCSC Tackles Unconscious Bias In Security Terminology

The UK’s National Cyber Security Centre (NCSC) is to stop using the terms whitelist and whitelisting, and blacklist and blacklisting, with immediate effect in a bid to help eliminate implicit or unconscious bias from the cyber security industry.

It is not uncommon within the security sector to use the terms black and white to describe undesirable and desirable things, such as allowed applications, passwords, IP addresses and so on.

However, as the organisation’s head of advice and guidance pointed out, the terminology only makes sense if one equates white with good and black with bad.

“There are some obvious problems with this. So, in the name of helping to stamp out racism in cyber security, we will avoid this casually pejorative wording on our website in the future,” they said.

The NCSC said it took the decision after being contacted by a customer asking if it would consider making the change – a change that may appear small but which it regards as highly significant.

“You may not see why this matters. If you’re not adversely affected by racial stereotyping yourself, then please count yourself lucky. For some of your colleagues (and potential future colleagues), this really is a change worth making,” the organisation said.

In place of whitelist and blacklist, the NCSC will now use ‘allow list’ and ‘deny list’, which it said is to some extent clearer and less ambiguous, representing a net benefit to its web content as a whole. It will be updating its website to reflect this over the course of the next few weeks.

Ian Levy, NCSC technical director, said: “If you’re thinking about getting in touch saying this is political correctness gone mad, don’t bother.”

Unconscious bias – the unconscious attribution of certain qualities to members of particular social groups – is a big problem in the IT industry and plays an important part in reinforcing the lack of diversity in technology. This is not just in terms of ethnic background but in terms of diversity of gender, sexuality and disability as well.

It is a problem that is also becoming more acute as it relates to the algorithms that govern decisions taken by machine learning and artificial intelligence, which often reflect the unconscious biases of human developers.

The security industry uniquely suffers from other forms of unconscious bias as well, relating to the widespread perception of security practitioners and hackers as basement-dwelling, unwashed teens in hoodies, described as a systemic problem by many.

In April 2020, hackers and security pros came together to address the stereotype on Twitter by sharing selfies using the hashtag #ThisIsWhatAHackerLooksLike, and back in January, Computer Weekly’s expert Security Think Tank considered how to challenge this stereotype in a series of articles.

The NCSC has taken other steps to address diversity in the security industry, and has been running a mass participation survey on the issue. Government funding to encourage diverse security recruitment is also available.

In a recent report titled Cyber security skills in the UK labour market 2020, the Department for Digital, Culture, Media and Sport (DCMS) said that just 15% of security professionals are women, compared with 28% in the wider industry, and just 16% come from a minority ethnic background, compared with 17% more widely.