Euro Security Watch with Mathew J. Schwartz

Governance & Risk Management , IT Risk Management , Risk Assessments

Forget Whitelists and Blacklists: Go for 'Allow' or 'Deny'

Terminology Shift Announced by Britain's National Cyber Security Center
Forget Whitelists and Blacklists: Go for 'Allow' or 'Deny'
Photo: Joel Cramer (via Flickr/CC)

Forget "whitelists" and "blacklists" in cybersecurity.

See Also: Maintain a Clear Bill of (Third-Party Risk) Health

For those not in the know, in the digital realm, these refer to lists of things that should be respectively allowed or denied. For example: Lists of approved or denied websites that web monitoring tools either allow users to visit, or not.

If it's good, say it's allowed. If it's bad, then say it's denied. 

Given the racial connotations inherent in the terminology, however, here's a no-brainer move: Instead of whitelist and blacklist, why don't we just say allowed or denied?

So recommends Britain's National Cyber Security Center - part of intelligence agency GCHQ - which is the U.K.'s national incident response group and computer emergency response team.

Henceforth, the NCSC says it will be using the terms "allow list" and "deny list."

"It's fairly common to say whitelisting and blacklisting to describe desirable and undesirable things in cybersecurity. For instance, when talking about which applications you will allow or deny on your corporate network; or deciding which bad passwords you want your users not to be able to use," says the NCSC's "Emma W." in a Thursday a blog post on the NCSC website. (As they work for an intelligence agency, none but topmost NCSC officials publicly reveal their surnames.) "However, there's an issue with the terminology. It only makes sense if you equate white with 'good, permitted, safe' and black with 'bad, dangerous, forbidden.'"

As the title of the NCSC's blog post reads: "Terminology: it's not black and white." Blacklists and whitelists, in other words, are not wholly neutral terms.

"So in the name of helping to stamp out racism in cybersecurity, we will avoid this casually pejorative wording on our website in the future," Emma W. says. "No, it's not the biggest issue in the world - but to borrow a slogan from elsewhere: every little helps." (For non-U.K. residents, that's the slogan of British supermarket giant Tesco, meaning that while it might only save you a few pennies here and there, it all adds up.)

Will people buy into the NCSC's move? The NCSC isn't seeking permission; its management board has fully backed the move. "If you're thinking about getting in touch saying this is political correctness gone mad, don't bother," says Ian Levy, the NCSC's technical director.

Extra Points for Clarity

Bonus: Saying "allow list" or "deny list" is simply clearer. As the Brits say, they literally do what they say on the tin, no additional explanations required.

Based on previous discussions I've had with those outside the cybersecurity field, the meaning of blacklist and whitelist in an information security context is not inherently obvious. Anything that makes these concepts easier to understand is to be further embraced.

This isn't the first attempt to move beyond these terms.

"Years ago I saw some suggest the use of 'block list' instead of 'blacklist,' but I don't think that caught on widely," says British security expert Graham Cluley in a blog post.

"Maybe 'allow list' and 'deny list' won't become the norm either, but I think we should all do our little bit to try to help move away from old terms which equate good things with white and bad things with black," he says. "Furthermore, you don't have to explain what 'allow list' and 'deny list' mean - it's clear language which is self-explanatory."

Human-Centric Security

In the bigger picture, file these suggestions under the category of trying to make cybersecurity a more inclusive and human-centered discipline.

And this isn't the first time Emma W. - NCSC's people-centered security lead, meaning she looks for ways to make cybersecurity work better for humans - has weighed in on such matters. Previously, she's issued NCSC guidance on the role of training for combating phishing - namely, that while it's helpful, it's not foolproof, and blaming users when it fails is counterproductive (see: Successful Security? Stop Blaming Users).

She's also warned that when it comes to expecting users to maintain and manage complex passwords for the dozens or hundreds of accounts and services they use, the only way to do so is to employ password managers (see: Experts' View: Avoid Social Networks' Single Sign-On).

"Until recently, we haven't put anything like enough emphasis into understanding how people function as elements of sociotechnical security systems," Emma W. says."We haven't really known how best to support people in doing their jobs, so they can do those jobs as well as they can without security getting in the way. And as a result, we've been getting a lot of things wrong."



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.