
4/9/2020
12:50 PM

Schneier on Hacking Society

How the hacker mindset and skill set could play a role in improving and securing societal systems, according to renowned security technologist Bruce Schneier.

What if security experts could take a crack at fixing the huge and unwieldy US tax code, or ensuring that legislation gets written without inadvertent or deliberate loopholes?

Renowned security technologist Bruce Schneier believes complex societal systems such as these could benefit from the mindset and skills of security experts – white hat hackers, penetration testers, application security experts – whose jobs entail finding, fixing, and preventing software vulnerabilities. With taxes, legislation, elections, and the market economy all becoming more technology-dependent, a security expert's way of thinking and problem-solving could be tapped to better "secure" them from being abused or exploited, according to Schneier, who has been researching his new big idea that he calls "hacking society."

Put another way, as the tax code, legislation, elections, and the market economy now rely more on computing technology, he says, security skill sets become more broadly applicable to societal systems. "A red team person is an obvious one" for such a role, says Schneier, who first presented the concept earlier this year during his keynote at RSA Conference 2020. "These are people whose job it is to break stuff before it's too late."

Schneier's big idea boils down to this: "Can we hack society and help secure the systems that make up society?" he explains.

One component of hacking society is what Schneier calls the public-interest cybersecurity technologist, a role for security experts that he has been advocating over the past year or so. He helped spearhead a special track at RSA Conference in 2019 that highlighted some grassroots efforts where cybersecurity experts are channeling their hacking and security skills and technology into volunteer or nonprofit work for the public-interest sector. In addition to well-known groups like the Electronic Frontier Foundation and Citizen Lab, there are also local individual efforts such as that of Matt Mitchell, the founder of CryptoHarlem, an organization that offers free security and privacy workshops and training in basic cryptography tools in the mostly African-American community.

But Schneier says he has not seen an increase in security pros answering the call to public interest work as he had hoped. "It's going much slower than I would want," he says, in part due to the ongoing global shortage of cybersecurity professionals.

Meantime, Schneier's in the process of codifying his big idea on just how security people could hack societal systems; it's the subject of his next book.

He contends that security experts' analytical mindset could be applied in some manner to a broader societal context. The hacker mindset is meant to think like an attacker about how software can be abused and how to fix it, he says. "I think there is definitely a role for more crossover" for those skills, he says.

"What I like is the mentality of security is so broadly applicable. It's a way of thinking strategically about these things," he says.

Many "hacks" of societal systems arguably can be unfair and look more like gaming the system, such as gerrymandering or mass surveillance by the government. Monopolies in a market, for example, limit choice for consumers, according to Schneier.

The concept of "hacking society" provides a structure for considering how people hack social systems, how "we can secure all of that," he says, and even possibly shift the balance of power.

Hacking the Pandemic?
It's no overstatement that the world has changed dramatically since Schneier first outlined this concept in late February, when COVID-19 was just starting to hit the US radar screen. The now full-blown pandemic seems a natural fit for tapping more expertise to solve some of the wide range of challenges and problems this crisis has wrought. Schneier says that outside of the obvious role in helping organizations secure their new wave of work-from-home users, he doesn't currently know how or if security experts could help elsewhere with the crisis. But there may be some opportunity for it in the long term, he notes.

"Security specializes in adaptive, malicious adversaries [people]," he says. "Our expertise isn't needed to secure us from [pathogen] viruses."

In his upcoming book, Schneier is looking at hacking societal systems: common law, judicial rulings, and enforcing new laws; the market economy; and how money and misinformation in politics hack democracy. He's also examining the cognitive side of the equation: "How terrorism hacks fear, how Facebook hacks attention, and how fake news hacks trust," he says.

Take Facebook and other social media platforms, which Schneier says have blurred the lines of media. "When you dissociate the news article from the publication like Facebook does, then other publications that are less trustworthy can masquerade more easily" as real news and journalism, he says.

Bringing security skills and thinking into societal systems could even help balance the scales a bit. "What I like about this is that it's a way to bring diverse voices in," Schneier says.

Public domain advocate Carl Malamud, an Internet pioneer who founded the Internet Multicasting Service and is currently the president and founder of the nonprofit Public.Resource.Org, says public service overall is important. "I think more people should do public service, either in government or with it. That includes people trained in security," he says.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
 

Comments
tdsan,
User Rank: Ninja
4/16/2020 | 2:41:10 PM
Great article, it covers some great points
Bringing security skills and thinking into societal systems could even help balance the scales a bit. "What I like about this is that it's a way to bring diverse voices in," Schneier says.

I think he brought up good points but the problem is that individuals of power are not willing to listen to people of color or individuals who have a difference of opinion. Racist tendencies are still embedded in the very fabric of our society, so it is hard for someone who is vibrant, intelligent and willing to do whatever get an opportunity to provide valuable insight into areas of technology, this could prove to be beneficial to the entire organization.


 

In addition, I do think the answers are there, but there is something else in the way - fear. Individuals who have been doing something for a period of time, they have a problem with change, they don't want to see something that is innovative and possibly game-changing to get in their way (greed and unwillingness to grow).


 

So we have to address the psychological and philosophical elements of our society before making advancements because we are the ones who are holding each other back, technology has not been the problem, it is the other outside factors that cause individuals to revert back to their old way of doing things.


 Todd
Whatsgaming,
User Rank: Apprentice
7/6/2020 | 12:25:48 PM
Re: Great article, it covers some great points
Unfortunately, hackers are everywhere; they easily hack accounts, even game accounts. I heard a lot of bad news about some websites that hack gamers' accounts and also take gamers' money.

For example, some websites claim to sell stuff for gamers, and they take the gamer's ID and password, then sell the account to other people. I work for a good website about FIFA coins, but I see others doing such a bad thing to accounts.