What if security experts could take a crack at fixing the huge and unwieldy US tax code, or ensuring that legislation gets written without inadvertent or deliberate loopholes?

Renowned security technologist Bruce Schneier believes complex societal systems such as these could benefit from the mindset and skills of security experts – white hat hackers, penetration testers, application security experts – whose jobs entail finding, fixing, and preventing software vulnerabilities. With taxes, legislation, elections, and the market economy all becoming more technology-dependent, a security expert's way of thinking and problem-solving could be tapped to better "secure" them from being abused or exploited, according to Schneier, who has been researching his new big idea that he calls "hacking society."

Put another way, as the tax code, legislation, elections, and the market economy now rely more on computing technology, he says, security skill sets become more broadly applicable to societal systems. "A red team person is an obvious one" for such a role, says Schneier, who first presented the concept earlier this year during his keynote at RSA Conference 2020. "These are people whose job it is to break stuff before it's too late."

Schneier's big idea boils down to this: "Can we hack society and help secure the systems that make up society?" he explains.

One component of hacking society is what Schneier calls the public-interest cybersecurity technologist, a role for security experts that he has been advocating over the past year or so. He helped spearhead a special track at RSA Conference in 2019 that highlighted some grassroots efforts where cybersecurity experts are channeling their hacking and security skills and technology into volunteer or nonprofit work for the public-interest sector. In addition to well-known groups like the Electronic Frontier Foundation and Citizen Lab, there are also local individual efforts such as that of Matt Mitchell, the founder of CryptoHarlem, an organization that offers free security and privacy workshops and training in basic cryptography tools in the mostly African-American community.

But Schneier says he has not seen an increase in security pros answering the call to public interest work as he had hoped. "It's going much slower than I would want," he says, in part due to the ongoing global shortage of cybersecurity professionals.

Meantime, Schneier's in the process of codifying his big idea on just how security people could hack societal systems; it's the subject of his next book.

He contends that security experts' analytical mindset could be applied in some manner to a broader societal context. The hacker mindset is meant to think like an attacker about how software can be abused and how to fix it, he says. "I think there is definitely a role for more crossover" for those skills, he says.

"What I like is the mentality of security is so broadly applicable. It's a way of thinking strategically about these things," he says.

Many "hacks" of societal systems arguably can be unfair and appear more of a gaming of the system, such as gerrymandering or mass surveillance by the government. Monopolies in a market limit choice for consumers, for example, according to Schneier.

The concept of "hacking society" provides a structure for considering how people hack social systems, how "we can secure all of that," he says, and even possibly shift the balance of power.

Hacking the Pandemic?
It's no overstatement that the world has changed dramatically since Schneier first outlined this concept in late February: COVID-19 was just starting to hit the US radar screen. The now full-blown pandemic seems a natural fit for tapping more expertise for solving some of the wide range of challenges and problems this crisis has wrought. While Schneier says outside of the obvious role in helping organizations secure their new wave of work-from-home users, he doesn't currently know how or if security experts could help elsewhere with the crisis. But there may be some opportunity for it in the long term, he notes.

"Security specializes in adaptive, malicious adversaries [people]," he says. "Our expertise isn't needed to secure us from [pathogen] viruses."

In his upcoming book, Schneier is looking at hacking societal systems: common law, judicial rulings, and enforcing new laws; the market economy; and how money and misinformation in politics hacks democracy. He's also examining the cognitive side of the equation: "How terrorism hacks fear, how Facebook hacks attention, and how fake news hacks trust," he says.

Take Facebook and other social media platforms, which Schneier says have blurred the lines of media. "When you dissociate the news article from the publication like Facebook does, then other publications that are less trustworthy can masquerade more easily" as real news and journalism, he says.

Bringing security skills and thinking into societal systems could even help balance the scales a bit. "What I like about this is that it's a way to bring diverse voices in," Schneier says.

Public domain advocate Carl Malamud, an Internet pioneer who founded the Internet Multicasting Service and is currently the president and founder of the nonprofit Public.Resource.Org, says public service overall is important. "I think more people should do public service, either in government or with it. That includes people trained in security," he says.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "5 Soothing Security Products We Wish Existed."

Check out this listing of free security products and services developed for Dark Reading by Omdia analysts to help you meet the challenges of COVID-19.