Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

3/6/2019
03:15 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

Meet the New 'Public-Interest Cybersecurity Technologist'

A grassroots movement is emerging to train high-risk groups and underrepresented communities in cybersecurity protection and skills - all for the public good.

RSA CONFERENCE 2019 - San Francisco - Matt Mitchell was working as a data journalist at The New York Times during the 2013 trial of George Zimmerman, who shot and killed unarmed teenager Trayvon Martin. The case, in which Zimmerman was ultimately acquitted after claiming self-defense, hit Mitchell, who lives in Harlem, close to home. "I needed to do something to help my community," he says.

Martin's death represented a tragic escalation in what Mitchell had seen over the years with racial profiling. He had witnessed law enforcement's targeting minorities in Harlem using electronic surveillance - automatic license-plate readers, CCTV cameras, and social media activity monitoring. He also knew underrepresented groups who lacked the technology resources needed to know how to secure themselves from online scams and other threats.

So Mitchell created CryptoHarlem, an organization that offers free workshops and training in basic cryptography tools in the mostly African-American community. It also inspired him to build a new, full-time career as a public interest cybersecurity expert. Like many pioneers in security, he had honed some white-hat hacking skills on his own as a teenager. "I was hacker since I was a kid in the late '80s. There were no jobs in cyber then: Cybercrime was the only 'job,'" he recalls.

Mitchell describes himself as "a hacker and a civil rights advocate." At his day job for a Berlin, Germany-based nonprofit called Tactical Tech, he assists and trains nonprofits, NGOs, and civil society groups in cybersecurity defenses, practices, and skills. "At the end of the day, whether you're underrepresented or marginalized because of your identity, you're going to face a lot of threats ... and digital threats," Mitchell says.

Some cybersecurity experts such as Mitchell are answering this new call in their careers to use their hacking and security skills and technology for the public-interest sector. Their work inspired a mini-track here at the RSA Conference this week on public-interest technologists, led by renowned security expert Bruce Schneier, who convinced the conference organizers to host the all-day event.

Schneier, who set up the program in conjunction with the Ford Foundation, points to the legal sector's tradition of offering pro bono work as a parallel to what cybersecurity potentially could do. "In a major law firm, you are expected to do some percentage of pro bono work. I'd love to have the same thing happen in technology," he says. "What I want to do ... is tell the security community, 'Look, there is a need. We're really trying to jump-start this movement."  

Schneier says this growing public interest tech field currently includes tech policy work for Congress and the Electronic Frontier Foundation, projects such as Tor and Signal for privacy, as well as experts who provide security for nonprofits, such as Human Rights Watch. Johnny Long, a veteran security researcher best known for his pioneering work in Google hacking, also runs a group called Hackers for Charity that donates computers and other technology equipment to underdeveloped nations. It has been in operation for several years now.

Mitchell holds his free workshops in a Harlem community center, where he also helps citizens who have fallen for phishing scams, or want to "protect my grandma" or help their friends organize without risking online harassment or surveillance. He sees his work at CryptoHarlem, funded by the nonprofit Calyx Institute, both as a way to help those most in need of online protection as well as a way to bring diversity to the traditionally white- and male-dominated cybersecurity sector: He also educates and exposes the Harlem community to cybersecurity best practices and helps budding hackers acquire the skills and key certifications for employment.

"It's not learning to code anymore; it's learning to hack," he explains. "I'm part of a community of hundreds of black hackers. You [typically] don't see them speaking at conferences or employed at corporations. Many are in nonprofits, civil service. I'm serving my community."

Mitchell, who will speak on the public-interest track this week, admits that a full-time public-interest cybersecurity expert doesn't command the same salary as a commercial position with a private-sector company or security vendor. Even so, you can make a living at it: "You can make money, but not crazy money," he says.

'Canary in a Coal Mine'
There's also the renowned Citizen Lab, based at the University of Toronto, a research operation that focuses on development, policy, and legal aspects of technology, human rights, and security. There, senior researcher John Scott-Railton studies targeted malware operations, cyber militias, and online disinformation threats to civil society. He says the cybersecurity industry's traditional approach to protecting end users in high-risk groups has been all about training and individual responsibility rather than offering platforms that better protect them.

But, he says, that's starting to shift: "[In] a decade we've come away with [what] is a strong sense that we really do need to do more to provide security to these high-risk groups," he says. It's about "the security of all users," he adds.

Scott-Railton, who with colleague Bill Marczak discovered how some nations including the United Arab Emirates and Mexico were employing the Pegasus spyware program to target their citizens, says high-risk groups often serve as a "canary in a coal mine" for the next big threats. "What happens to them is often a couple of years before the general population," he notes.

Help for these communities means providing them with security and privacy training, and investigating cases of online spying and hacking, Scott-Railton says.

Phishing, the most common first step of a cyberattack, could be thwarted with one move by the security industry, he says. "This is something that tech companies could stop tomorrow if they wanted to push out mandatory two-factor authentication at the time of creation and made it as easy to do," he says. Instead, companies steer clear of adding "friction" to the user experience or degrading performance, he says.

"So, instead, they teach them to spot bad things," like phishes, and that's a human error-prone solution, he says.

Security Vendors Get Religion
Some security vendors already offer free products and services to the public. Cisco's DuoSecurity provides a free version of its multifactor authentication application, for example. Yubikey donates its encryption keys to CryptoHarlem. Cybersecurity training platform Cybrary offers Mitchell's group access to free security courses. 

[CONTINUED ON PAGE 2]

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 4/7/2020
The Coronavirus & Cybersecurity: 3 Areas of Exploitation
Robert R. Ackerman Jr., Founder & Managing Director, Allegis Capital,  4/7/2020
'Unkillable' Android Malware App Continues to Infect Devices Worldwide
Jai Vijayan, Contributing Writer,  4/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18375
PUBLISHED: 2020-04-10
The ASG and ProxySG management consoles are susceptible to a session hijacking vulnerability. A remote attacker, with access to the appliance management interface, can hijack the session of a currently logged-in user and access the management console.
CVE-2019-18376
PUBLISHED: 2020-04-10
A CSRF token disclosure vulnerability allows a remote attacker, with access to an authenticated Management Center (MC) user's web browser history or a network device that intercepts/logs traffic to MC, to obtain CSRF tokens and use them to perform CSRF attacks against MC.
CVE-2019-7305
PUBLISHED: 2020-04-10
Information Exposure vulnerability in eXtplorer makes the /usr/ and /etc/extplorer/ system directories world-accessible over HTTP. Introduced in the Makefile patch file debian/patches/debian-changes-2.1.0b6+dfsg-1 or debian/patches/adds-a-makefile.patch, this can lead to data leakage, information di...
CVE-2020-8832
PUBLISHED: 2020-04-10
The fix for the Linux kernel in Ubuntu 18.04 LTS for CVE-2019-14615 ("The Linux kernel did not properly clear data structures on context switches for certain Intel graphics processors.") was discovered to be incomplete, meaning that in versions of the kernel before 4.15.0-91.92, an attacke...
CVE-2020-1633
PUBLISHED: 2020-04-09
Due to a new NDP proxy feature for EVPN leaf nodes introduced in Junos OS 17.4, crafted NDPv6 packets could transit a Junos device configured as a Broadband Network Gateway (BNG) and reach the EVPN leaf node, causing a stale MAC address entry. This could cause legitimate traffic to be discarded, lea...