Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

3/6/2019
03:15 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

Meet the New 'Public-Interest Cybersecurity Technologist'

A grassroots movement is emerging to train high-risk groups and underrepresented communities in cybersecurity protection and skills - all for the public good.

RSA CONFERENCE 2019 - San Francisco - Matt Mitchell was working as a data journalist at The New York Times during the 2013 trial of George Zimmerman, who shot and killed unarmed teenager Trayvon Martin. The case, in which Zimmerman was ultimately acquitted after claiming self-defense, hit Mitchell, who lives in Harlem, close to home. "I needed to do something to help my community," he says.

Martin's death represented a tragic escalation in what Mitchell had seen over the years with racial profiling. He had witnessed law enforcement's targeting minorities in Harlem using electronic surveillance - automatic license-plate readers, CCTV cameras, and social media activity monitoring. He also knew underrepresented groups who lacked the technology resources needed to know how to secure themselves from online scams and other threats.

So Mitchell created CryptoHarlem, an organization that offers free workshops and training in basic cryptography tools in the mostly African-American community. It also inspired him to build a new, full-time career as a public interest cybersecurity expert. Like many pioneers in security, he had honed some white-hat hacking skills on his own as a teenager. "I was hacker since I was a kid in the late '80s. There were no jobs in cyber then: Cybercrime was the only 'job,'" he recalls.

Mitchell describes himself as "a hacker and a civil rights advocate." At his day job for a Berlin, Germany-based nonprofit called Tactical Tech, he assists and trains nonprofits, NGOs, and civil society groups in cybersecurity defenses, practices, and skills. "At the end of the day, whether you're underrepresented or marginalized because of your identity, you're going to face a lot of threats ... and digital threats," Mitchell says.

Some cybersecurity experts such as Mitchell are answering this new call in their careers to use their hacking and security skills and technology for the public-interest sector. Their work inspired a mini-track here at the RSA Conference this week on public-interest technologists, led by renowned security expert Bruce Schneier, who convinced the conference organizers to host the all-day event.

Schneier, who set up the program in conjunction with the Ford Foundation, points to the legal sector's tradition of offering pro bono work as a parallel to what cybersecurity potentially could do. "In a major law firm, you are expected to do some percentage of pro bono work. I'd love to have the same thing happen in technology," he says. "What I want to do ... is tell the security community, 'Look, there is a need. We're really trying to jump-start this movement."  

Schneier says this growing public interest tech field currently includes tech policy work for Congress and the Electronic Frontier Foundation, projects such as Tor and Signal for privacy, as well as experts who provide security for nonprofits, such as Human Rights Watch. Johnny Long, a veteran security researcher best known for his pioneering work in Google hacking, also runs a group called Hackers for Charity that donates computers and other technology equipment to underdeveloped nations. It has been in operation for several years now.

Mitchell holds his free workshops in a Harlem community center, where he also helps citizens who have fallen for phishing scams, or want to "protect my grandma" or help their friends organize without risking online harassment or surveillance. He sees his work at CryptoHarlem, funded by the nonprofit Calyx Institute, both as a way to help those most in need of online protection as well as a way to bring diversity to the traditionally white- and male-dominated cybersecurity sector: He also educates and exposes the Harlem community to cybersecurity best practices and helps budding hackers acquire the skills and key certifications for employment.

"It's not learning to code anymore; it's learning to hack," he explains. "I'm part of a community of hundreds of black hackers. You [typically] don't see them speaking at conferences or employed at corporations. Many are in nonprofits, civil service. I'm serving my community."

Mitchell, who will speak on the public-interest track this week, admits that a full-time public-interest cybersecurity expert doesn't command the same salary as a commercial position with a private-sector company or security vendor. Even so, you can make a living at it: "You can make money, but not crazy money," he says.

'Canary in a Coal Mine'
There's also the renowned Citizen Lab, based at the University of Toronto, a research operation that focuses on development, policy, and legal aspects of technology, human rights, and security. There, senior researcher John Scott-Railton studies targeted malware operations, cyber militias, and online disinformation threats to civil society. He says the cybersecurity industry's traditional approach to protecting end users in high-risk groups has been all about training and individual responsibility rather than offering platforms that better protect them.

But, he says, that's starting to shift: "[In] a decade we've come away with [what] is a strong sense that we really do need to do more to provide security to these high-risk groups," he says. It's about "the security of all users," he adds.

Scott-Railton, who with colleague Bill Marczak discovered how some nations including the United Arab Emirates and Mexico were employing the Pegasus spyware program to target their citizens, says high-risk groups often serve as a "canary in a coal mine" for the next big threats. "What happens to them is often a couple of years before the general population," he notes.

Help for these communities means providing them with security and privacy training, and investigating cases of online spying and hacking, Scott-Railton says.

Phishing, the most common first step of a cyberattack, could be thwarted with one move by the security industry, he says. "This is something that tech companies could stop tomorrow if they wanted to push out mandatory two-factor authentication at the time of creation and made it as easy to do," he says. Instead, companies steer clear of adding "friction" to the user experience or degrading performance, he says.

"So, instead, they teach them to spot bad things," like phishes, and that's a human error-prone solution, he says.

Security Vendors Get Religion
Some security vendors already offer free products and services to the public. Cisco's DuoSecurity provides a free version of its multifactor authentication application, for example. Yubikey donates its encryption keys to CryptoHarlem. Cybersecurity training platform Cybrary offers Mitchell's group access to free security courses. 

[CONTINUED ON PAGE 2]

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
I 'Hacked' My Accounts Using My Mobile Number: Here's What I Learned
Nicole Sette, Director in the Cyber Risk practice of Kroll, a division of Duff & Phelps,  11/19/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-2079
PUBLISHED: 2019-11-22
A cross-site request forgery (CSRF) vulnerability in the Activity module 6.x-1.x for Drupal.
CVE-2019-11325
PUBLISHED: 2019-11-21
An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter.
CVE-2019-18887
PUBLISHED: 2019-11-21
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. The UriSigner was subject to timing attacks. This is related to symfony/http-kernel.
CVE-2019-18888
PUBLISHED: 2019-11-21
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. T...
CVE-2019-18889
PUBLISHED: 2019-11-21
An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache.