GFCE Annual Meeting 2019

The GFCE’s 2019 Annual Meeting was its first in Africa. It marked the start of its regional outreach and the launch of a new online portal.

The 2019 GFCE Annual Meeting (#GFCEAM2019) was held on 8-10 October at the African Union commission’s headquarters in Addis Ababa.  Six months on, this post is a look back on what it was like to be there, the meeting’s significance and what it led to.

A quick recap of GFCE Annual Meetings

For those new to the Global Forum on Cyber Expertise, it is an international forum where any country or organisation interested in international cyber security capacity building can come to share knowledge, coordinate their projects and find new partners and support.  As I write, it has 104 member and partner countries, companies and international organisations.

The GFCE’s origins lie in the Global Conferences on Cyberspace, which began in 2011.  In 2015, this series of international policy discussions spun off the Global Forum on Cyber Expertise to focus on capacity building.  Every year since, the GFCE has held its Annual Meeting in a different city.

Timeline of GFCE Annual Meetings and Global Conference on Cyberspace

Impressions of the GFCE Annual Meeting 2019

My perspective on the 2019 Annual Meeting will be a little different to others, because I was part of the GFCE secretariat team organising it.  As an organiser, you miss a lot of the conversations that happen in the margins.  Those are so important that some people go to international conferences just to do business in the corridors and never step foot inside a single session in the programme.

Nonetheless, as an organiser you get to speak to a lot of people about what they are hearing.  One of the main topics of conversation I picked up on was just how productive people felt it was to be meeting at the Africa Union.

Being at the AU and having so many African delegations present – 35 in total – gave the conference a sense of purpose and a feeling that we were discussing capacity building with the right people: those who were working with projects on the ground and who wanted to take home ideas they could implement.

The African Union venue itself was an impressive modern conference facility that combined the grandeur of the UN without its fussiness. Taking selfies was positively encouraged!

Delegates at the GFCE Annual Meeting 2019 at the African Union

Structure of the conference

For those not there, I think it’s worth briefly summarising the programme.

Day one was filled with workshops organised by volunteers from the GFCE’s working groups and task forces.  For example, one workshop brought together people who had drafted national cyber security strategies to present to delegates who were drafting them at the moment and those interested in the process.  At the end of the workshop representatives from five countries, most of whom had previously no involvement with the GFCE, expressed interest in finding partners who could help them with the strategy setting process.

Day two was the plenary day, with speeches, roundtable discussions of the GFCE’s future direction and a choice of half hour presentations from members on their initiatives or research.

Day three was for working group and task force meetings.  These groups are the place where members come together to agree and implement work plans that move forward or improve international cyber capacity building.

The first GFCE Annual Meeting in Africa

This Annual Meeting had several firsts for the GFCE.  Arguably the most of important of which was that it was the first one to deliberately reach out to, and invite, all the countries in a continent.

The seed for this was planted at the 2018 Annual Meeting in Singapore. At a session on projects in Africa, the room looked at a map of projects in the region.  They discussed how they were concentrated in a few countries and how a large portion of the continent had experienced no direct projects at all.

A map of international cyber security capacity building projects in Africa as of 2018.
Heat map of international cyber capacity building projects in Africa discussed at GFCE AM 2018

Several people suggested that instead of talking about this in Singapore, we should instead be talking about it in, and with, Africa. Some excellent principals underlie this: try to talk with countries, not about them; and try not to ask country representatives to come to you, when you could go to them.

After the 2018 meeting in Singapore, the Africa Union Commission offered to host the GFCE in 2019.  Several donors then stepped forward to sponsor the travel of delegations from every African country, should they choose to accept the invitation. 

The feedback from African delegates was very positive and several are now in the process of becoming GFCE members.

The first GFCE Annual Meeting with a day of workshops

Another first for a GFCE Annual Meeting was that we devoted a day to community-organised workshops.  This was highlight of the conference for many people.

The workshops ensured the conference served a practical purpose.  They also kick started practical, action-orientated conversations among the delegates for the rest of the conference.

The first GFCE Annual Meeting with a clearing house session

The 2019 Annual Meeting was the first to have a clearing house meeting.  This was focused on Sierra Leone and attended by Minister Swaray, Minister of Information and Communication.

At Minister Swaray’s request, the GFCE had earlier held several months of conference calls and email discussions with everyone running cyber capacity building projects in Sierra Leone. These were to understand all the projects in Sierra Leone and, also, who might be able to contribute more to meet the countries requirements in the next phase of its capacity building.

By the time of the Annual Meeting, this clearing house effort had already resulted in at least one new project – national cyber risk assessment support from the UK Home Office – and moves towards new collaborations. 

At the Annual Meeting itself, Minister Swaray held a meeting with 17 partners who were already working with Sierra Leone or were interested in doing so.  He set out the countries’ priorities and the attendees discussed how they could each respond.

Sierra Leone's Minister Swaray meets international capacity building partners at the GFCE Annual Meeting 2019
Sierra Leone’s Minister Swaray meets international capacity building partners at the GFCE Annual Meeting 2019

The test of whether that clearing house process worked is whether it led to anything afterwards.  I’m pleased to say it has.  At the US’s suggestion, Sierra Leone has joined STOP.THINK.CONNECT and is using its public awareness campaign materials.  The Council of Europe and EU are providing further advice on cybercrime legislation.  I believe other concrete offers of support are in the pipeline, either as a result of or informed by that meeting.

When Minister Swaray returned to Freetown he briefed the Cabinet on the meeting, as an example of how international partner coordination can work.

The first GFCE Annual Meeting with an online knowledge portal

The final first of the Annual Meeting was that it launched a new online portal for sharing information on international cyber security capacity building projects, tools, publications and events: www.CybilPortal.org.

The Portal has a full-time manager and an international oversight committee.

Having written before about the GFCE effort to map all cyber capacity building projects, I’m pleased to say that the Cybil Portal has now uploaded all the projects in the GFCE database: over 570 now. It is adding new features and improving every month.

Logo of the GFCE Annual Meeting 2019

What next for the GFCE and Africa?

The bottom line is that the GFCE’s first Annual Meeting in Africa was a real success.  What we need to do now is help convert promising conversations into concrete capacity building collaboration, coordination and activity.  That will be a task for the working groups, with support from the GFCE secretariat.

We also need to maintain the momentum of the GFCE process in Africa.  There was a lot of interest in holding annual regional GFCE meetings on the continent.  The question now is when and where?  The front runner idea is to choose a conference that already brings together many on the continent and hold a GFCE meeting in the margins.  SMART Africa came up several times as an option.

What do you think?

Why is cyber security blue? The cybersecurity visuals challenge.

Ideas from colour psychology have led us into feedback loops that turned cyber security as blue as the sea. We can escape if we rise to the challenge.

The Hewlett Foundation thinks it’s time to improve how we communicate and visualise cyber security. I agree.  To find fresh ideas, the Foundation has launched a Cybersecurity Visuals Challenge, rewarding artists with substantial grants for creative solutions.

Having more modest financial means than the Hewlett Foundation, I thought I would make a small contribution to the Cybersecurity Visuals Challenge effort with this blog. 

As I’ve mentioned before, I think it helps us improve things in the future if we first know how we got where we are today.  In that spirit, I want to use this post to take a long view look at the question…

… why is cyber security blue?

Cyber security is as blue as the sea

Before diving into the answer, I wanted to first check cyber security really is blue.  A quick google image search for “cyber security” soon confirms that it is. Or to be more precise, cyber security has an average RGB colour value of Red:111, Green:135 and Blue:152.

A screenshot of image search results for cyber security.  Blue is the dominant colour.  The Cybersecurity Visuals Challenge will help us explore other ways of visualising cyber security.
Image search results for “cyber security”

Repeating this rigorously scientific (!) image search experiment on other ‘blue things’ we find that cyber security is nearly as blue as the sea.  Only with more hoodies and fewer seals.

Image search results for “sea”

So cyber security is blue. But why?

The birth of Colour Theory

You’ve probably heard the myth that Isaac Newton discovered gravity when an apple fell on his head. Unfortunately, I have no fruit-based explanation as to why he discovered that light could be split into a rainbow of colours using a glass prism.  What I can tell you is that having made this discovery, he proposed that every colour in this rainbow could be formed by mixing three primary ones: red, yellow and blue.  From this idea, modern Colour Theory was born.

A hundred years later and some academics were still claiming that Newton had got it wrong.  His critics said all colours were a mix of darkness and light.  Blue, for example, was the first colour to emerge from darkness when you add a little light.

Johann Wolfgang von Goethe was one of those critics. But the reason we should be interested in him is not his argument with Newton, but because he introduced a new topic to the field of Colour Theory: psychology. 

Goethe thought we all share psychological associations between colours and concepts.

Blue gives us an impression of cold… The appearance of objects seen through a blue glass is gloomy and melancholy.

Johann Wolfgang von Goethe (1810)

Importantly, the concepts Goethe had in mind were very abstract and mostly related to feelings.  We are still a long way from concepts as concrete as cyber security.

A colour revolution

We jumped a hundred years from Newton to Goethe and now we jump two hundred more to reach our next key character: Faber Birren

After WWII, America’s government and industry were open to big, bold ideas. Into this fertile ground, Faber Birren planted the idea that colour had a more powerful influence over individuals, societies, organisations and brands than Goethe or anyone else had previously suggested.  He also proposed that colour’s psychological associations were much more concrete than the emotional associations that Goethe had in mind.  Birren said we associate colours with very precise concepts such as intelligence, arrogance, modernity and remorse. 

Birren was described as a colour revolutionary and America’s management class loved his theories.  The US Navy hired him to colour coordinate everything it owned: every item, structure and piece of clothing.

Working with DuPont, Birren designed a safety colour code for industry: all fire safety equipment should be red; all equipment for handling materials should be yellow; and so on. The American National Standards Institute adopted his code and then it spread across the globe.

It is no coincidence that skips, hazmat suits and diggers are all yellow.  Faber Birren made them so. 

Skips, hazmat suits and diggers are all yellow because of Faber Birren

Applying Colour Theory to Cyber Security

We might suspect that cyber security is blue because security is blue.  But I don’t think that’s the case. 

Other fields of security – home security for example – are not blue.  And a consensus that security is blue was only reached as recently as this decade.  In previous decades, writers in marketing and the psychology of colour said that security was black. Or grey. Or orange. Or brown. Or pink. Or green. Or, yes, blue. 

I think the word security is a red herring. The key actually lies with the word TRUST.

Faber Birren claimed that trust was one of the concepts we associate with blue and everyone since has repeated this thesis. In contrast, Birren said nothing (that I have found) about security and this left the field wide open for people to describe it as being any of the half a dozen colours I just listed.

So how did we get from Birren’s belief, in the 1940s, that trust is blue to cyber security being blue today?

The story of blue: from trust to cyber security

To understand the final part of the story of why cyber security is blue, we should first recall a time before it was.  Until only a few years ago cyber security had no dominant colour association.  Yes, black and blue have been in the cyber aesthetic since the start, but for a long time red and yellow were just as prominent. Other colours – including green, brown and pink – were in the mix too.

Colour in the early years of cyber security : War Games (1983), Symantec Website (1998), CERT Conference (2002), The Cuckoo’s Egg (2005)

Around 2003, internet use took off and, soon after, cyber security began to rise steadily up business and foreign policy agendas.

My theory is that during this cyber growth spurt (2003-2010), the companies, organisations and influencers involved felt the need for cyber security to have a stronger, clearer visual identity.  They had the motivation and budgets to ask brand managers, graphic designers and creative agencies to come up with the ‘right look’ for the fast-growing number of cyber security brands, services, products, articles and events.

By coincidence, just as this was happening, these same branding and creative experts were being shown research that told them the ‘right look’ essentially meant the ‘right colour’.  In 2006, The Institute of Colour Research pushed out a widely quoted research paper that claimed people make a subconscious judgment about a product within 90 seconds of initial viewing and that between 62% and 90% of that assessment is based on colour alone. It was a powerful return of Birren’s message: colour is king.

Creatives tasked with choosing the ‘right look’ for cyber security – and therefore the ‘right colour’ – had a safe choice to make: blue.  Thanks to Birren’s influence they could confidently tell their clients that everyone agreed blue was the colour of trust.  Even better they could point to the fact that it was because of this that IBM changed its own logo and brand to blue in 1972 – earning it the nickname Big Blue. That in turn created another association in the public’s mind between safe, reliable IT and the colour blue.  All the stars were aligned.

In the 1970s, no IT manager ever got fired for choosing Big Blue. During cyber security’s growth spurt, no creative ever got fired for designing a blue cyber security visual.

Feedback loops

In a field with a relatively small pool of visual products it wouldn’t have taken long for blue to become so prevalent that a tipping point was reached. When an aesthetic becomes dominant, a professional creative who doesn’t follow it isn’t just avoiding the safe option, they are consciously choosing a risky one. Their client is expecting the dominant aesthetic and only a few will want to swim against the tide. There is every chance the client will ask their creative to resubmit something more conventional, at their own expense.

Meanwhile, an army of amateur DIY creatives were churning out micro products (presentations, office posters, community flyers, blogs…) with even less desire or ability to create something unique. They used the images on the first page of google and unintentionally fed a feedback loop that pushed anything non-standard down the search results.

And thus we reach today, swimming in a sea of cyber blue.

Are we stuck with blue forever?

As we’ve seen, cyber security was once colours other than blue and it could be again.

A girl looks at blue cyber security posters thinking there must be a better way to visualise cyber security.    Hewlett Foundation's Cybersecurity Visuals Challenge. #CyberVisualsChallenge.
Our cyber security visuals are tired of being blue

Within the capacity building community green is quite common.  It is associated with the environment, from which many analogies for the internet as a global commons are drawn.  And with health care: the source of analogies used in State Department capacity building training materials. 

CyberGreen – which helps countries fight DDOS – are obviously on team green. As are FIRST, the Forum of Incident Response Teams. In 2005, when the rest of the cyber world started going blue, FIRST bucked the trend by changing their logo from pink/blue to green.

But why stop at green? There is a rainbow of opportunity out there that I hope Hewlett’s Cybersecurity Visuals Challenge will help us explore. 

Maybe then we can turn our attention to the hoodies.

Hello World!

And so it begins. My first blog, to accompany my first twitter account @TheRobCollett.

After two and a half years running international cyber security programmes for the UK, I’ve moved to a new role as Senior Advisor and UK liaison to the Global Forum on Cyber Expertise.

To accompany this new chapter in my professional life I’m starting this personal blog to share thoughts on cyberspace, the internet and capacity building. And possibly cats too. I haven’t decided about the cats.