Meet the New 'Public-Interest Cybersecurity Technologist'
A grassroots movement is emerging to train high-risk groups and underrepresented communities in cybersecurity protection and skills - all for the public good.
RSA CONFERENCE 2019 - San Francisco - Matt Mitchell was working as a data journalist at The New York Times during the 2013 trial of George Zimmerman, who shot and killed unarmed teenager Trayvon Martin. The case, in which Zimmerman was ultimately acquitted after claiming self-defense, hit Mitchell, who lives in Harlem, close to home. "I needed to do something to help my community," he says.
Martin's death represented a tragic escalation in what Mitchell had seen over the years with racial profiling. He had witnessed law enforcement's targeting minorities in Harlem using electronic surveillance - automatic license-plate readers, CCTV cameras, and social media activity monitoring. He also knew underrepresented groups who lacked the technology resources needed to know how to secure themselves from online scams and other threats.
So Mitchell created CryptoHarlem, an organization that offers free workshops and training in basic cryptography tools in the mostly African-American community. It also inspired him to build a new, full-time career as a public interest cybersecurity expert. Like many pioneers in security, he had honed some white-hat hacking skills on his own as a teenager. "I was hacker since I was a kid in the late '80s. There were no jobs in cyber then: Cybercrime was the only 'job,'" he recalls.
Mitchell describes himself as "a hacker and a civil rights advocate." At his day job for a Berlin, Germany-based nonprofit called Tactical Tech, he assists and trains nonprofits, NGOs, and civil society groups in cybersecurity defenses, practices, and skills. "At the end of the day, whether you're underrepresented or marginalized because of your identity, you're going to face a lot of threats ... and digital threats," Mitchell says.
Some cybersecurity experts such as Mitchell are answering this new call in their careers to use their hacking and security skills and technology for the public-interest sector. Their work inspired a mini-track here at the RSA Conference this week on public-interest technologists, led by renowned security expert Bruce Schneier, who convinced the conference organizers to host the all-day event.
Schneier, who set up the program in conjunction with the Ford Foundation, points to the legal sector's tradition of offering pro bono work as a parallel to what cybersecurity potentially could do. "In a major law firm, you are expected to do some percentage of pro bono work. I'd love to have the same thing happen in technology," he says. "What I want to do ... is tell the security community, 'Look, there is a need. We're really trying to jump-start this movement."
Schneier says this growing public interest tech field currently includes tech policy work for Congress and the Electronic Frontier Foundation, projects such as Tor and Signal for privacy, as well as experts who provide security for nonprofits, such as Human Rights Watch. Johnny Long, a veteran security researcher best known for his pioneering work in Google hacking, also runs a group called Hackers for Charity that donates computers and other technology equipment to underdeveloped nations. It has been in operation for several years now.
Mitchell holds his free workshops in a Harlem community center, where he also helps citizens who have fallen for phishing scams, or want to "protect my grandma" or help their friends organize without risking online harassment or surveillance. He sees his work at CryptoHarlem, funded by the nonprofit Calyx Institute, both as a way to help those most in need of online protection as well as a way to bring diversity to the traditionally white- and male-dominated cybersecurity sector: He also educates and exposes the Harlem community to cybersecurity best practices and helps budding hackers acquire the skills and key certifications for employment.
"It's not learning to code anymore; it's learning to hack," he explains. "I'm part of a community of hundreds of black hackers. You [typically] don't see them speaking at conferences or employed at corporations. Many are in nonprofits, civil service. I'm serving my community."
Mitchell, who will speak on the public-interest track this week, admits that a full-time public-interest cybersecurity expert doesn't command the same salary as a commercial position with a private-sector company or security vendor. Even so, you can make a living at it: "You can make money, but not crazy money," he says.
'Canary in a Coal Mine'
There's also the renowned Citizen Lab, based at the University of Toronto, a research operation that focuses on development, policy, and legal aspects of technology, human rights, and security. There, senior researcher John Scott-Railton studies targeted malware operations, cyber militias, and online disinformation threats to civil society. He says the cybersecurity industry's traditional approach to protecting end users in high-risk groups has been all about training and individual responsibility rather than offering platforms that better protect them.
But, he says, that's starting to shift: "[In] a decade we've come away with [what] is a strong sense that we really do need to do more to provide security to these high-risk groups," he says. It's about "the security of all users," he adds.
Scott-Railton, who with colleague Bill Marczak discovered how some nations including the United Arab Emirates and Mexico were employing the Pegasus spyware program to target their citizens, says high-risk groups often serve as a "canary in a coal mine" for the next big threats. "What happens to them is often a couple of years before the general population," he notes.
Help for these communities means providing them with security and privacy training, and investigating cases of online spying and hacking, Scott-Railton says.
Phishing, the most common first step of a cyberattack, could be thwarted with one move by the security industry, he says. "This is something that tech companies could stop tomorrow if they wanted to push out mandatory two-factor authentication at the time of creation and made it as easy to do," he says. Instead, companies steer clear of adding "friction" to the user experience or degrading performance, he says.
"So, instead, they teach them to spot bad things," like phishes, and that's a human error-prone solution, he says.
Security Vendors Get Religion
Some security vendors already offer free products and services to the public. Cisco's DuoSecurity provides a free version of its multifactor authentication application, for example. Yubikey donates its encryption keys to CryptoHarlem. Cybersecurity training platform Cybrary offers Mitchell's group access to free security courses.