RSA CONFERENCE 2019 - San Francisco - Matt Mitchell was working as a data journalist at The New York Times during the 2013 trial of George Zimmerman, who shot and killed unarmed teenager Trayvon Martin. The case, in which Zimmerman was ultimately acquitted after claiming self-defense, hit Mitchell, who lives in Harlem, close to home. "I needed to do something to help my community," he says.
Martin's death represented a tragic escalation in what Mitchell had seen over the years with racial profiling. He had witnessed law enforcement's targeting minorities in Harlem using electronic surveillance - automatic license-plate readers, CCTV cameras, and social media activity monitoring. He also knew underrepresented groups who lacked the technology resources needed to know how to secure themselves from online scams and other threats.
So Mitchell created CryptoHarlem, an organization that offers free workshops and training in basic cryptography tools in the mostly African-American community. It also inspired him to build a new, full-time career as a public interest cybersecurity expert. Like many pioneers in security, he had honed some white-hat hacking skills on his own as a teenager. "I was hacker since I was a kid in the late '80s. There were no jobs in cyber then: Cybercrime was the only 'job,'" he recalls.
Mitchell describes himself as "a hacker and a civil rights advocate." At his day job for a Berlin, Germany-based nonprofit called Tactical Tech, he assists and trains nonprofits, NGOs, and civil society groups in cybersecurity defenses, practices, and skills. "At the end of the day, whether you're underrepresented or marginalized because of your identity, you're going to face a lot of threats ... and digital threats," Mitchell says.
Some cybersecurity experts such as Mitchell are answering this new call in their careers to use their hacking and security skills and technology for the public-interest sector. Their work inspired a mini-track here at the RSA Conference this week on public-interest technologists, led by renowned security expert Bruce Schneier, who convinced the conference organizers to host the all-day event.
Schneier, who set up the program in conjunction with the Ford Foundation, points to the legal sector's tradition of offering pro bono work as a parallel to what cybersecurity potentially could do. "In a major law firm, you are expected to do some percentage of pro bono work. I'd love to have the same thing happen in technology," he says. "What I want to do ... is tell the security community, 'Look, there is a need. We're really trying to jump-start this movement."
Schneier says this growing public interest tech field currently includes tech policy work for Congress and the Electronic Frontier Foundation, projects such as Tor and Signal for privacy, as well as experts who provide security for nonprofits, such as Human Rights Watch. Johnny Long, a veteran security researcher best known for his pioneering work in Google hacking, also runs a group called Hackers for Charity that donates computers and other technology equipment to underdeveloped nations. It has been in operation for several years now.
Mitchell holds his free workshops in a Harlem community center, where he also helps citizens who have fallen for phishing scams, or want to "protect my grandma" or help their friends organize without risking online harassment or surveillance. He sees his work at CryptoHarlem, funded by the nonprofit Calyx Institute, both as a way to help those most in need of online protection as well as a way to bring diversity to the traditionally white- and male-dominated cybersecurity sector: He also educates and exposes the Harlem community to cybersecurity best practices and helps budding hackers acquire the skills and key certifications for employment.
"It's not learning to code anymore; it's learning to hack," he explains. "I'm part of a community of hundreds of black hackers. You [typically] don't see them speaking at conferences or employed at corporations. Many are in nonprofits, civil service. I'm serving my community."
Mitchell, who will speak on the public-interest track this week, admits that a full-time public-interest cybersecurity expert doesn't command the same salary as a commercial position with a private-sector company or security vendor. Even so, you can make a living at it: "You can make money, but not crazy money," he says.
'Canary in a Coal Mine'
There's also the renowned Citizen Lab, based at the University of Toronto, a research operation that focuses on development, policy, and legal aspects of technology, human rights, and security. There, senior researcher John Scott-Railton studies targeted malware operations, cyber militias, and online disinformation threats to civil society. He says the cybersecurity industry's traditional approach to protecting end users in high-risk groups has been all about training and individual responsibility rather than offering platforms that better protect them.
But, he says, that's starting to shift: "[In] a decade we've come away with [what] is a strong sense that we really do need to do more to provide security to these high-risk groups," he says. It's about "the security of all users," he adds.
Scott-Railton, who with colleague Bill Marczak discovered how some nations including the United Arab Emirates and Mexico were employing the Pegasus spyware program to target their citizens, says high-risk groups often serve as a "canary in a coal mine" for the next big threats. "What happens to them is often a couple of years before the general population," he notes.
Help for these communities means providing them with security and privacy training, and investigating cases of online spying and hacking, Scott-Railton says.
Phishing, the most common first step of a cyberattack, could be thwarted with one move by the security industry, he says. "This is something that tech companies could stop tomorrow if they wanted to push out mandatory two-factor authentication at the time of creation and made it as easy to do," he says. Instead, companies steer clear of adding "friction" to the user experience or degrading performance, he says.
"So, instead, they teach them to spot bad things," like phishes, and that's a human error-prone solution, he says.
Security Vendors Get Religion
Some security vendors already offer free products and services to the public. Cisco's DuoSecurity provides a free version of its multifactor authentication application, for example. Yubikey donates its encryption keys to CryptoHarlem. Cybersecurity training platform Cybrary offers Mitchell's group access to free security courses.
A glimpse of what security vendors could do for the greater good of society and democracy came in the run-up to the 2018 US midterm elections, when a wave of firms – including big names such as Alphabet unit Jigsaw, CloudFlare, Microsoft, and McAfee – all offered free security services and products to state attorneys general, local election jurisdictions, and campaigns to help them secure their websites, end users, data, and communications.
The catch in some cases, though, was that many of the free services – everything from user account protection, DDoS mitigation, email security, and malware detection – were offered gratis only for a period of time before, during, and after the election. Critics said those temporary freebies were more about a new business opportunity than a full-on philanthropic effort.
But not Jigsaw, whose mission is to assist vulnerable communities around the globe. Dan Keyserling, chief operating officer at Jigsaw, which spun out of Google's Alphabet, says the organization's free cloud-based security service, Protect Your Election, also was recently deployed in Ukraine during the elections in that nation, and a team from Jigsaw was on-site assisting. The service includes DDoS mitigation, password manager, password compromise alert, and personalized security recommendations, for candidates, campaigns, publishers, journalists, NGOs, and election-monitoring sites.
"We operate in extreme circumstances with high-risk users. We often operate in countries where there's systemic oppression," Keyserling says. "They are on the frontlines and need access to information and to share it with people who need it. They're journalists, activists, policymakers ... people interested in overcoming barriers to get access to information."
Keyserling says he sees more tech companies beginning to help assist the most vulnerable users. "We're really encouraged by our friends at other tech companies who are really showing an interest in these groups of people and making sure they have the tools they need and increased their deep knowledge of security," he says.
While the security industry will always have a for-profit model, he says, there's room to contribute to the most at-risk and needy communities, he notes. That starts with having a public conversation about the issues of public-interest security risks and needs, according to Keyserling.
Schneier says while the freebie election security offerings from security vendors were a good example of what the industry could be doing to serve the greater good, there's still relatively little giving back right now. "Security vendors have not taken this [area] seriously yet," he notes.
The time is ripe for security to establish public-interest technologists, Schneier says. "It's coming to a head with the Internet of Things [wave]," he says, "and elections, voting machines, network platforms, algorithmic fairness, drones, surveillance, and big data. Social and policy issues are no longer ignorable."
These issues, of course, are bigger than security, he says, but he's doubling down on his home sector of security, including in his own work as a fellow and lecturer at Harvard University's Kennedy School. "Technology is intertwined with public policy: cybersecurity ... biotech, climate change," for example, he says. "There's value here. It helps democracy, which is great."
By working in the public-interest sector side of security, the opportunity exists to become a better company and policymaker, Schneier says.
"We need a cultural change," he says.