
12:50 PM

Schneier on Hacking Society

How the hacker mindset and skill set could play a role in improving and securing societal systems, according to renowned security technologist Bruce Schneier.

What if security experts could take a crack at fixing the huge and unwieldy US tax code, or ensuring that legislation gets written without inadvertent or deliberate loopholes?

Renowned security technologist Bruce Schneier believes complex societal systems such as these could benefit from the mindset and skills of security experts – white hat hackers, penetration testers, application security experts – whose jobs entail finding, fixing, and preventing software vulnerabilities. With taxes, legislation, elections, and the market economy all becoming more technology-dependent, a security expert's way of thinking and problem-solving could be tapped to better "secure" them from being abused or exploited, according to Schneier, who has been researching his new big idea that he calls "hacking society."

Put another way, as the tax code, legislation, elections, and the market economy now rely more on computing technology, he says, security skill sets become more broadly applicable to societal systems. "A red team person is an obvious one" for such a role, says Schneier, who first presented the concept earlier this year during his keynote at RSA Conference 2020. "These are people whose job it is to break stuff before it's too late."

Schneier's big idea boils down to this: "Can we hack society and help secure the systems that make up society?" he explains.

One component of hacking society is what Schneier calls the public-interest cybersecurity technologist, a role for security experts that he has been advocating over the past year or so. He helped spearhead a special track at RSA Conference in 2019 that highlighted some grassroots efforts where cybersecurity experts are channeling their hacking and security skills and technology into volunteer or nonprofit work for the public-interest sector. In addition to well-known groups like the Electronic Frontier Foundation and Citizen Lab, there are also local individual efforts such as that of Matt Mitchell, the founder of CryptoHarlem, an organization that offers free security and privacy workshops and training in basic cryptography tools in the mostly African-American community.

But Schneier says he has not seen an increase in security pros answering the call to public interest work as he had hoped. "It's going much slower than I would want," he says, in part due to the ongoing global shortage of cybersecurity professionals.

Bruce Schneier
(Photo Credit: Vivian Babuts)

Meantime, Schneier's in the process of codifying his big idea on just how security people could hack societal systems; it's the subject of his next book.

He contends that security experts' analytical mindset could be applied in some manner to a broader societal context. The hacker mindset is meant to think like an attacker about how software can be abused and how to fix it, he says. "I think there is definitely a role for more crossover" for those skills, he says.

"What I like is the mentality of security is so broadly applicable. It's a way of thinking strategically about these things," he says.

Many "hacks" of societal systems arguably can be unfair and appear more of a gaming of the system, such as gerrymandering or mass surveillance by the government. Monopolies in a market limit choice for consumers, for example, according to Schneier.

The concept of "hacking society" provides a structure for considering how people hack social systems, how "we can secure all of that," he says, and even possibly shift the balance of power.

Hacking the Pandemic?
It's no overstatement that the world has changed dramatically since Schneier first outlined this concept in late February, when COVID-19 was just starting to hit the US radar screen. The now full-blown pandemic seems a natural fit for tapping more expertise to solve some of the wide range of challenges and problems this crisis has wrought. Schneier says that, outside of the obvious role in helping organizations secure their new wave of work-from-home users, he doesn't currently know how or if security experts could help elsewhere with the crisis. But there may be some opportunity for it in the long term, he notes.

"Security specializes in adaptive, malicious adversaries [people]," he says. "Our expertise isn't needed to secure us from [pathogen] viruses."

In his upcoming book, Schneier is looking at hacking societal systems: common law, judicial rulings, and enforcing new laws; the market economy; and how money and misinformation in politics hacks democracy. He's also examining the cognitive side of the equation: "How terrorism hacks fear, how Facebook hacks attention, and how fake news hacks trust," he says.

Take Facebook and other social media platforms, which Schneier says have blurred the lines of media. "When you dissociate the news article from the publication like Facebook does, then other publications that are less trustworthy can masquerade more easily" as real news and journalism, he says.

Bringing security skills and thinking into societal systems could even help balance the scales a bit. "What I like about this is that it's a way to bring diverse voices in," Schneier says.

Public domain advocate Carl Malamud, an Internet pioneer who founded the Internet Multicasting Service and is currently the president and founder of the nonprofit Public.Resource.Org, says public service overall is important. "I think more people should do public service, either in government or with it. That includes people trained in security," he says.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

User Rank: Apprentice
7/6/2020 | 12:25:48 PM
Re: Great article, it covers some great points
Unfortunately, hackers are everywhere; they easily hack accounts, even game accounts. I heard a lot of bad news about some websites that hack gamers' accounts and also take gamers' money.

For example, some websites claim to sell stuff for gamers, and they take the gamer's ID and password, then they sell the account to other people. I work for a good website about FIFA coins, but I see others doing such bad things to accounts.
User Rank: Ninja
4/16/2020 | 2:41:10 PM
Great article, it covers some great points
Bringing security skills and thinking into societal systems could even help balance the scales a bit. "What I like about this is that it's a way to bring diverse voices in," Schneier says.

I think he brought up good points but the problem is that individuals of power are not willing to listen to people of color or individuals who have a difference of opinion. Racist tendencies are still embedded in the very fabric of our society, so it is hard for someone who is vibrant, intelligent and willing to do whatever get an opportunity to provide valuable insight into areas of technology, this could prove to be beneficial to the entire organization.


In addition, I do think the answers are there, but there is something else in the way - fear. Individuals who have been doing something for a period of time, they have a problem with change, they don't want to see something that is innovative and possibly game-changing to get in their way (greed and unwillingness to grow).


So we have to address the psychological and philosophical elements of our society before making advancements because we are the ones who are holding each other back, technology has not been the problem, it is the other outside factors that cause individuals to revert back to their old way of doing things.
