'Gender Affirming Care' is a Social Engineering Attack
What cybersecurity can tell us about institutional capture
Gender identity affirmation is a distributed social engineering attack on healthcare systems, and not just as a metaphor borrowed from cybersecurity: it is the method used for access to resources to which users of the system are not and should not be entitled.
In June 2024, the UK's National Health Service experienced the latest in a series of cyber attacks on its systems, which took several London hospitals out of action. The resources of this state healthcare system are considerable; in 2022/23 the UK government's Department for Health and Social Care spent £182 billion. Those resources make it an attractive target for this type of cyberattack, and of course, being exposed as vulnerable in the past makes repeated extortion attacks more likely in the future.
An ‘Anonymous’ Movement
Birmingham, England is the UK's second-largest city, home to an estimated 1.1 million residents. In the centre of this post-industrial conurbation lies the Bullring, a typical mall where teenagers go to window-shop and hang out. On 5th January 2013, a group of street protesters in plastic Guy Fawkes masks using the name 'Anonymous' confronted staff at the city's businesses, alleging that they were corporate tax avoiders. The protest comprised shouting, flag waving, and pushing and shoving staff in shop doorways, to little effect. The Bullring Centre was subsequently threatened with a disruptive cyberattack after one fifteen-year-old activist had a less-than-pleasant experience with mall security. A video was posted on YouTube stating that the Bullring website would be caused to crash with a distributed denial of service (DDoS) attack. That threat resulted in a police raid on the teenager's home, with the front door broken down, and an arrest made on suspicion of blackmailing a corporation, according to local newspaper, The Coventry Telegraph on 14th February 2013.
The denial of service or 'DoS' cyberattack floods the target with demands, which results in that service provider being unable to function normally. This type of attack overwhelms server systems by exhausting their resources for processing data and memory. The most devastating form is the distributed denial of service or 'DDoS' attack, as threatened at the Bullring, in which multiple attackers are orchestrated to flood the target with demands simultaneously.
Frequently, these multiple attackers participate unknowingly, as their computers have previously been taken over and controlled by the primary attacker. The computers to be used as proxies will be compromised using a separate vulnerability or 'security hole' in those machines, on a different platform from the ultimate target. Using 'zombie' computers as attack proxies also helps obscure the identity of the primary attacker.
What is Social Engineering?
As I have written previously, health care systems funded by taxation or insurance usually exclude treatments which are not considered medically necessary or relate to 'life goals' rather than clinical need. Therefore, changing which treatments and procedures are funded depends on redefining what is 'necessary' and ethically permissible or legal. That process is slow and difficult using normal channels, but hacking the system delivers much faster results.
I believe there has been a concerted, distributed attack on Western healthcare systems to obtain resources for questionable treatments, but nothing so simple as a DoS attack on a web server. There is another type of cyberattack which does not depend on exclusively technical means. A 'social engineering attack' involves human rather than computer manipulation.
For example, a password which has been encrypted with a sufficiently robust technique takes a lot of time and computing resources to crack. It can be far quicker and easier to persuade the target to reveal their password, and this type of persuasion is referred to as 'social engineering’. In the cybersecurity context, this phrase does not mean the creation of a better society via central planning; instead, it refers to interpersonal manipulation based on deceit, relying on misplaced trust and weaponised empathy. Most phone and email scams use elements of this approach, which is especially effective against naïve and well-meaning individuals.
In the social engineer's mindset, other people are objects to be manipulated. It is even better, from the attacker's point of view, if those targets persuade or coerce even more targets to participate in the manipulation. This is what I am calling a 'distributed social engineering attack', a self-replicating meme or 'mind virus', created with purpose. In the case of Western healthcare, the result of this attack appears to have been a crash in the safeguarding system which would otherwise deny powerful drugs being prescribed on demand. There was a malfunction which overwhelmed the small number of therapeutic services available to gender non-conforming people. The service denied them was a thorough, personalised and holistic investigation, creating a short-cut to prescriptions including cancer medication Lupron for healthy young people who simply asked for it.
WPATH and the Cass Review
Researchers including Eliza Mondegreen and Mia Hughes director of Genspect Canada, have documented at length how the World Professional Association for Transgender Health (WPATH) influenced gender-affirming 'healthcare', in fact elective medical and surgical interventions on gender incongruent people. One of the unusual features of WPATH is that it claims to be a professional healthcare association, but offers membership to non-medical professionals, members of the general public and students. Whether you are a lawyer, social worker, or a queer studies major, you can join WPATH starting at the low, low price of 15 US dollars. If you reside in an upper-middle-income country such as Iran, China, or Cuba, you can have full voting rights for $70 a year.
In the language of cybersecurity, this lack of gatekeeping regarding professional membership provided an 'attack surface' by which the organisation could be manipulated. Just about anyone could get involved in WPATH conferences, including Mondegreen who reported back from those events. The WPATH Files and other reports have demonstrated that this organisation has become progressively user-driven, to the extent that it now takes advice on gender from self-identified eunuchs.
One of the details within the recent Cass Review of gender services for England's children and young people was that the GIDS (Gender Identity Development Service) clinic at the Tavistock and Portman NHS Trust did not just accept referrals from the National Health Service, such as its general practitioners providing local, front-line medical services. Paragraph 139 on page 41 of the final Cass Review document notes that GIDS accepted direct referrals from schoolteachers and even youth workers, people who were highly unlikely to be qualified to recommend medical and surgical intervention for gender non-conforming children. As a child, I went to my local youth club to dance, eat sweets and play Space Invaders, not to be selected for experimental hormonal treatment. Nor did I notice any teenagers having their body parts removed in the name of ‘progress.’
Like WPATH's decision to accept people with no medical qualifications as voting members of an organisation which can set professional standards for endocrinologists and surgeons, the open access to referrals at GIDS created another target surface for distributed social engineering attack. Pressure from parents and young people themselves on intermediaries who were not even qualified to prescribe a paracetamol tablet turned out to be an effective route of entry for children to the GIDS clinic.
Dr Cass referred in her review to England's children and adolescent mental health services being 'stretched', which is quite the understatement, especially where gender is concerned. When mental health practitioners do not have sufficient time allocated to assess young people, that creates another attack surface. One of the easiest cyberattacks uses a prepared script to exploit a known, systemic weakness in a particular version of server software. It is so trivial to execute this technique that hackers relying on the method are disparagingly referred to as 'script kiddies' by more capable cybercriminals. In the family doctor's surgery or specialist gender clinic, scripted answers obtained online can be used to elicit a rapid diagnosis of gender dysphoria and a referral for puberty blockers or cross-sex hormones.
And so, the chain of referrals proceeded from an activist teacher or youth worker with no experience in gender psychology, to a front-line mental health worker or general practitioner with no training in gender medicine, to gender clinics with limited medical experience or capability. Those clinics referred young people to endocrinologists and surgeons without regard to the motivated reasoning that saw so many more children access this pathway in response to an existential problem of gender identity. In the terms used by cybersecurity, this could be called a cascading failure.
Civil Rights and Wrongs
Stonewall, formerly the UK's preeminent gay, lesbian, and bisexual rights organisation, also had a role to play in this cascading failure to protect the bodily integrity and fertility of young people. Conventionally, the switch from defending LGB rights to advocacy for medical and surgical experimentation on gender non-conforming people is considered a result of Stonewall need for a new mission after successfully lobbying the UK's Conservative government for causes including marriage equality.
However, there has long been a tension between assimilation and liberation factions of the sexual rights movement, dating back to at least the 1970s when some activists argued that any restrictions on behaviour whatsoever, including an adult age of consent, were unacceptable. The National Council for Civil Liberties, the UK’s nearest equivalent to the American Civil Liberties Union, previously campaigned for the age of consent to be reduced to just ten years where consent could be ‘proved’. These activists for ‘minor attracted persons’ and pederasts not only successfully infiltrated civil liberties organisations, but they also targeted gay rights campaigns, youth and social worker groups and mental health charities.
Before queer theory became mainstream, ‘Operation Spanner’ highlighted that some of the UK's campaigners for sexual rights were not content with assimilation into social norms and customs such as marriage. This legal case began with the police discovery of sadistic abuse on video tapes in 1987 and went through all levels of the European court system over a period of ten years. The 1994 House of Lords decision R v Brown confirmed that the consent of the person being harmed is not a defence for a person who causes serious harm for sexual gratification. Every sadist needs a masochist, which is why consent is an exceptionally low bar in the consideration of human rights. This decision was later added to statute for England and Wales in section 71 of the Domestic Abuse Act 2021.
The 'consensual' genital cutting recorded on video tape by a group of sadists which featured in the Spanner case was defended by some of the very same activists and organisations which campaigned on behalf of 'minor attracted persons' in the 1970s and claim to support 'trans rights' for children today. Back issues of the magazine 'Socialist Lawyer', to which the UK’s current prime minister was a contributor, show that the National Council for Civil Liberties was directly involved in bringing the failed ‘Liberty Five’ case to the European Commission on behalf of a group of sadomasochists.
The argument made by the Liberty Five was that the right to be harmed was part of the feminist right to choose, which echoes down the decades as support for radical medical and surgical interventions on gender non-conforming girls in the name of intersectional ‘progress.’ The right to be free from bodily harm, whether iatrogenic or done for someone else's sexual gratification, does not appear to feature among the rights these organisations work for.
In 'Destruction as the Cause of Coming into Being', Sabina Spielrein wrote "Self-destruction can be replaced by sacrificial destruction", and posed the question "What is punishment in reality? It is an injury to the individual; because the reproductive drive requires destruction of the individual, it is entirely natural that images of punishment so readily incorporate a sexual colouring."
Remarkably, the sadism lobby which advocated for the Operation Spanner defendants managed to insert a series of defences into section 66 of the UK's Criminal Justice and Immigration Act 2008. If you are photographed apparently carrying out 'non-consensual penetration' or seem to be having sex with a corpse, you will be pleased to know that in England and Wales this isn't illegal, as long as the person who appears to have been raped, or be dead, or both, has given their consent. One has to wonder who thought that they would need this defence in future, and how they managed to lobby politicians to ensure that it was included in legislation.
The Volunteer as Social Engineer
Politics provides another target surface for distributed social engineering attacks. Beyond direct lobbying efforts, volunteers willing to take on obscure work can achieve undue influence. Particularly in socially progressive movements which always claim to be short of money and the staff required for due diligence, such as the review of policy documentation before it is published. Other forms of social engineering attack can include volunteering for disciplinary panels which punish dissenters or working in the ‘human resources’ department which hires and fires people. And of course, working as a social media moderator or press officer, who literally controls the organisation’s narrative.
On 26th May 2017, during an election campaign for the UK's Parliament, the Coventry Telegraph obtained an admission from Green Party candidate Aimee Challenor that they were the teenager arrested for the cyberattack threat against the Bullring in 2013. In 2020, Graham Linehan's blog published an article
by 'JL' covering Challenor's role as an advisor to Stonewall, as a Reddit moderator and subsequent political career in the UK's Liberal Democrat party
Conclusion
The cyber attacker uses access to systems they are not meant to have, in order to acquire resources that they are not entitled to. Many organisations, both governmental and non-governmental, have been used in a distributed social engineering attack on healthcare systems with the goal that people who are not sick can access harmful medical and surgical interventions in the name of ‘gender affirmation.’
Those organisations need to consider how they were compromised, and the measures, if any, that they have in place to prevent future breaches of security and integrity. In the cybersecurity field, an organisation must have an active system of intrusion detection which alerts it to an attack underway. One indication of potential compromise is that fundamental policies are being changed or weakened to the point that those policies become impossible to enforce. Creating systemic dysfunction through deliberate inaction, the use of double standards or the diversion of resources are other, often passive-aggressive means of obtaining control of an organisation.
Whenever we use a euphemism such as ‘gender-affirming healthcare,’ or allow others to use these phrases without challenge, we are participating in social engineering. Anyone who believes that healthcare should first do no harm needs to be clear in their use of language regarding elective medical and surgical interventions in pursuit of biologically incongruent gender identities. They also need to stay alert to unauthorised access to these interventions and attempts by whatever means to make the unethical permissible.
Genspect publishes a variety of authors with different perspectives. Any opinions expressed in this article are the author’s and do not necessarily reflect Genspect’s official position. For more on Genspect, visit our FAQs.
Institutions seem to think they're immune to 'social contagion', but they are not, it's just called 'runaway diffusion' instead.
It's so frightening being in amongst runaway diffusion and being isolated, screaming into a vacuum.
"Whenever we use a euphemism such as ‘gender-affirming healthcare,’ or allow others to use these phrases without challenge, we are participating in social engineering." I am amazed how many people have no idea what 'gender-affirming healthcare' actually means. It sounds so nice, but the reality is not.