Meet the New Public-Interest Cybersecurity Technologist

  /     /     /  
Publicated : 23/11/2024   Category : security


Meet the New Public-Interest Cybersecurity Technologist


A grassroots movement is emerging to train high-risk groups and underrepresented communities in cybersecurity protection and skills – all for the public good.



RSA CONFERENCE 2019 - San Francisco - Matt Mitchell was working as a data journalist at The New York Times during the 2013 trial of George Zimmerman, who shot and killed unarmed teenager Trayvon Martin. The case, in which Zimmerman was ultimately acquitted after claiming self-defense, hit Mitchell, who lives in Harlem, close to home. I needed to do something to help my community, he says.
Martins death represented a tragic escalation in what Mitchell had seen over the years with racial profiling. He had witnessed law enforcements targeting minorities in Harlem using electronic surveillance - automatic license-plate readers, CCTV cameras, and social media activity monitoring. He also knew underrepresented groups who lacked the technology resources needed to know how to secure themselves from online scams and other threats.
So Mitchell created CryptoHarlem, an organization that offers free workshops and training in basic cryptography tools in the mostly African-American community. It also inspired him to build a new, full-time career as a public interest cybersecurity expert. Like many pioneers in security, he had honed some white-hat hacking skills on his own as a teenager. I was hacker since I was a kid in the late 80s. There were no jobs in cyber then: Cybercrime was the only job, he recalls.
Mitchell describes himself as a hacker and a civil rights advocate. At his day job for a Berlin, Germany-based nonprofit called Tactical Tech, he assists and trains nonprofits, NGOs, and civil society groups in cybersecurity defenses, practices, and skills. At the end of the day, whether youre underrepresented or marginalized because of your identity, youre going to face a lot of threats ... and digital threats, Mitchell says.
Some cybersecurity experts such as Mitchell are answering this new call in their careers to use their hacking and security skills and technology for the public-interest sector. Their work inspired a mini-track here at the RSA Conference this week on public-interest technologists, led by renowned security expert Bruce Schneier, who convinced the conference organizers to host the
all-day event
.
Schneier, who set up the program in conjunction with the Ford Foundation, points to the legal sectors tradition of offering pro bono work as a parallel to what cybersecurity potentially could do. In a major law firm, you are expected to do some percentage of pro bono work. Id love to have the same thing happen in technology, he says. What I want to do ... is tell the security community, Look, there is a need. Were really trying to jump-start this movement.  
Schneier says this growing public interest tech field currently includes tech policy work for Congress and the Electronic Frontier Foundation, projects such as Tor and Signal for privacy, as well as experts who provide security for nonprofits, such as Human Rights Watch. Johnny Long, a veteran security researcher best known for his pioneering work in Google hacking, also runs a group called Hackers for Charity that donates computers and other technology equipment to underdeveloped nations. It has been in operation for several years now.
Mitchell holds his free workshops in a Harlem community center, where he also helps citizens who have fallen for phishing scams, or want to protect my grandma or help their friends organize without risking online harassment or surveillance. He sees his work at CryptoHarlem, funded by the nonprofit Calyx Institute, both as a way to help those most in need of online protection as well as a way to bring diversity to the traditionally white- and male-dominated cybersecurity sector: He also educates and exposes the Harlem community to cybersecurity best practices and helps budding hackers acquire the skills and key certifications for employment.
Its not learning to code anymore; its learning to hack, he explains. Im part of a community of hundreds of black hackers. You [typically] dont see them speaking at conferences or employed at corporations. Many are in nonprofits, civil service. Im serving my community.
Mitchell, who will speak on the public-interest track this week, admits that a full-time public-interest cybersecurity expert doesnt command the same salary as a commercial position with a private-sector company or security vendor. Even so, you can make a living at it: You can make money, but not crazy money, he says.
Canary in a Coal Mine
Theres also the renowned Citizen Lab, based at the University of Toronto, a research operation that focuses on development, policy, and legal aspects of technology, human rights, and security. There, senior researcher John Scott-Railton studies targeted malware operations, cyber militias, and online disinformation threats to civil society. He says the cybersecurity industrys traditional approach to protecting end users in high-risk groups has been all about training and individual responsibility rather than offering platforms that better protect them.
But, he says, thats starting to shift: [In] a decade weve come away with [what] is a strong sense that we really do need to do more to provide security to these high-risk groups, he says. Its about the security of all users, he adds.
Scott-Railton, who with colleague Bill Marczak discovered how some nations including the United Arab Emirates and Mexico were employing the Pegasus spyware program to target their citizens, says high-risk groups often serve as a canary in a coal mine for the next big threats. What happens to them is often a couple of years before the general population, he notes.
Help for these communities means providing them with security and privacy training, and investigating cases of online spying and hacking, Scott-Railton says.
Phishing, the most common first step of a cyberattack, could be thwarted with one move by the security industry, he says. This is something that tech companies could stop tomorrow if they wanted to push out mandatory two-factor authentication at the time of creation and made it as easy to do, he says. Instead, companies steer clear of adding friction to the user experience or degrading performance, he says.
So, instead, they teach them to spot bad things, like phishes, and thats a human error-prone solution, he says.
Security Vendors Get Religion
Some security vendors already offer free products and services to the public. Ciscos DuoSecurity provides
a free version
of its multifactor authentication application, for example. Yubikey donates its encryption keys to CryptoHarlem. Cybersecurity training platform Cybrary offers Mitchells group access to free security courses. 
[CONTINUED ON PAGE 2]
[CONTINUED FROM PAGE 1]
A glimpse of what security vendors could do for the greater good of society and democracy came in the run-up to the 2018 US midterm elections, when a wave of firms – including big names such as Alphabet unit Jigsaw, CloudFlare, Microsoft, and McAfee – all offered
free security services and products
to state attorneys general, local election jurisdictions, and campaigns to help them secure their websites, end users, data, and communications.
The catch in some cases, though, was that many of the free services – everything from user account protection, DDoS mitigation, email security, and malware detection – were offered gratis only for a period of time before, during, and after the election. Critics said those temporary freebies were more about a new business opportunity than a full-on philanthropic effort.
But not Jigsaw, whose mission is to assist vulnerable communities around the globe. Dan Keyserling, chief operating officer at Jigsaw, which spun out of Googles Alphabet, says the organizations free cloud-based security service, Protect Your Election, also was recently deployed in Ukraine during the elections in that nation, and a team from Jigsaw was on-site assisting. The service includes DDoS mitigation, password manager, password compromise alert, and personalized security recommendations, for candidates, campaigns, publishers, journalists, NGOs, and election-monitoring sites.
We operate in extreme circumstances with high-risk users. We often operate in countries where theres systemic oppression, Keyserling says. They are on the frontlines and need access to information and to share it with people who need it. Theyre journalists, activists, policymakers ... people interested in overcoming barriers to get access to information.
Keyserling says he sees more tech companies beginning to help assist the most vulnerable users. Were really encouraged by our friends at other tech companies who are really showing an interest in these groups of people and making sure they have the tools they need and increased their deep knowledge of security, he says.
While the security industry will always have a for-profit model, he says, theres room to contribute to the most at-risk and needy communities, he notes. That starts with having a public conversation about the issues of public-interest security risks and needs, according to Keyserling.
Reality Check
Schneier says while the freebie election security offerings from security vendors were a good example of what the industry could be doing to serve the greater good, theres still relatively little giving back right now. Security vendors have not taken this [area] seriously yet, he notes.
The time is ripe for security to establish public-interest technologists, Schneier says. Its coming to a head with the Internet of Things [wave], he says, and elections, voting machines, network platforms, algorithmic fairness, drones, surveillance, and big data. Social and policy issues are no longer ignorable.
These issues, of course, are bigger than security, he says, but hes doubling down on his home sector of security, including in his own work as a fellow and lecturer at Harvard Universitys Kennedy School. Technology is intertwined with public policy: cybersecurity ... biotech, climate change, for example, he says. Theres value here. It helps democracy, which is great.
By working in the public-interest sector side of security, the opportunity exists to become a better company and policymaker, Schneier says.
We need a cultural change, he says. 
Related Content:
Google, Jigsaw Offer Free Cyber Protection to Election Sites
Phishing for Your Information: How Phishers Bait Their Hook
Ukraine Sees Surge in Election-Targeted Cyberattacks
Your Employees Want to Learn. How Should You Teach Them?
 
 
 
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industrys most knowledgeable IT security experts. Check out the
Interop agenda
here.

Last News

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security

▸ Debunking Machine Learning in Security. ◂
Discovered: 23/12/2024
Category: security

▸ Researchers create BlackForest to gather, link threat data. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Meet the New Public-Interest Cybersecurity Technologist