Congress, nonprofits and government agencies could all use technology and cyber security expertise. The RSA Conference is pondering what it will take to foster cyber security pros to work in the public interest.
Anyone who has been a part of the community for any period of time would tell you that altruism is part and parcel of information security. Generosity is dyed in the wool of hackers, independent researchers and other security pros. After all: security teams within and across industries regularly share information about threats and attacks. Antivirus firms have long worked collaboratively to analyze and understand new malicious software, even while competing vigorously in the marketplace. And, long before you could become a millionaire by discovering software vulnerabilities, white and gray hat hackers routinely did it for no money, little or no recognition, and significant risk of being sued by the very firms they were trying to help.
Still, formal roles for hacking “in the public interest” are rare. Unlike professions like law or public safety, there are few outlets for cyber security professionals interested in hopping off a career track and devoting some time and energy to helping non profits, the underserved or governments address information security risk.
That may soon be changing, however. A special, day-long program of talks at the RSA Conference in San Francisco this week has experts from the information security industry, the non-profit sector, government and academia discussing the issue of public interest “cyber.” Bridging the Gap: Cybersecurity + Public Interest Tech will explore how to make it easier for skilled cybersecurity professionals to give back.
Bruce Schneier of IBM, a Fellow and Lecturer at Harvard’s Kennedy School, helped put the program together with the help of The Ford Foundation. In an interview with The Security Ledger, Schneier said the work was a direct outgrowth of his recent work at both The Kennedy School and Harvard Law School, as well as his work on his last book, Click Here to Kill Everybody, which made a strong case for the need for more engagement between the cyber security industry and public policy and governmental organizations. (Check out my interview with Bruce about the book on Episode #111 of Security Ledger Podcast.)
The need is acute, he said. “Right now there are almost no technologists on congressional staffs,” he notes. “That’s because nobody knows they need them.”
Schneier said the mandate for public interest cyber is broad. It encompasses everything from placing technologists within government agencies, to fostering joint degree programs at universities that combine computer science with disciplines like law or public policy, to collaborating with the work of non governmental organizations like The Electronic Frontier Foundation. The need is clear, Schneier said. Civil society and non governmental organizations like Human Rights Watch, Amnesty International and Greenpeace may have a chief security officer position on staff, but such organizations often find themselves “fighting nation states with the budget of a public charity,” he said.
“We know from our industry that if you get the tech wrong you’ll never get the policy right,” he said, noting the raging policy debate around encryption, “going dark” and requests by law enforcement for so-called “back doors” in data encryption algorithms. “There’s a real, legitimate policy debate there,” Schneier said. “Do we want the security that comes from devices that can’t be broken or do we want the security that comes from being able to break devices?”
In the absence of technologists and accurate information, however, technology policy debates often center on how to achieve impossible outcomes. For example: the debate about law enforcement “going dark” turns on the idea that there can be data encryption schemes with back doors that allow law enforcement (or other “good guys”) in without also allowing malicious actors to subvert security features. But no such solution exists, Schneier notes.
The situation in high tech and information security today is similar to that in the legal profession 50 or 60 years ago, said Michael Brennan, the Program Officer for Technology and Society at The Ford Foundation.
“Back then you had the ACLU, but you didn’t have the wealth of legal clinics and pro bono practices and degrees for human rights law and non profit law. We see a parallel with public interest technology,” Brennan said.
“We understand that technology…is a foundational piece that touches everything. If we’re going to be successful in our mission we believe we need technologists who are working on the side of justice in all these areas.”
Schneier said a similar model might work in technology, with leading technologists expected to devote a percentage of their professional life to public interest technology. “Today at Harvard Law School, 20 percent of the graduating class goes into public interest law,” he said. “The ACLU, when they post a job opening paying one-half to one-third of what you make in private practice, they get hundreds of applications.”
The event on Thursday will feature six panels that look at different aspects of public interest tech including work going on in government, the university and academia as well as in non-governmental organizations and the work that private firms are doing. Speakers include Mitchell Baker, the Chairwoman of Mozilla Corporation, EFF head Cindy Cohn and Shannon Vallor, an AI Ethicist and visiting researcher at Google.
There’s lots of work to be done. “Right now there’s not a lot of supply – in other words: engineers who want to do this.” Still, Schneier notes: there’s more supply than demand. “There are more engineers looking to do this than there are places for them to go…There needs to be demand.”