Hacking in the public interest
There is a critical shortage of cybersecurity experts working in public interest roles, including advising at-risk charitable groups, lawmakers and advocacy organizations.
Why it matters: We've written before about difficulties legislators have finding experienced advisers for tech issues and the detrimental effect that can have on policy debates.
- This is all according to security expert Bruce Schneier, who will host the first symposium on the subject at March's RSA conference ("Bridging the Gap: Cybersecurity + Public Interest Tech").
- "But it's not just a policy problem," Schneier told Axios' Codebook newsletter. "Civil groups need cybersecurity professionals for protection."
The big picture: There's plenty of need for hackers to serve in public interest roles — but groups are unaware they need the help, and there is little infrastructure to guide civic-minded security pros to those groups.
- This isn't an abstract problem. We've recently seen nations target outmatched nongovernmental groups that antagonize them in even trivial ways. Mexico appears to have spied on advocates of a soda tax in 2017 with militarized spyware that's only sold to governments.
Schneier sees the gap as two solvable problems: "There's a supply problem and a demand problem," he noted.
- Qualified professionals don't currently know they are needed. And when they do, they often don't know how to get involved.
- Advocacy, governmental and charitable groups will never be able to pay as much as the private sector.
- But, said Schneier, that hasn't stopped these groups from being able to employ other traditionally highly paid workers at steep discounts. "I don't know how to solve the salary issue," he said, noting that volunteering and rotating in and out of public service jobs might be an option. "But I do know that the ACLU can only pay a fraction of what a law firm can, but that every time there is an opening they get 100 applicants."
The demand problem can be especially complicated for protection positions.
- Many public interest groups don't realize they are targeted by governments. Those that do might still decide they'd prefer to use their limited resources on their actual mission rather than on cybersecurity protection.
- But the problem has grown big enough that the University of Toronto's Citizen Lab has built an international reputation by investigating nation-state breaches of public service groups.
- "High-risk groups have resource constraints all over the place," said Citizen Lab's John Scott-Railton, who will appear at the RSA symposium. "A top-flight researcher is going to go to an NGO and discover they haven’t set their printer up correctly."
Between the lines: Security tech doesn't work without a qualified person to run it, said Scott-Railton. This isn't a problem that can be solved without funneling new bodies into the sector.
- RSA is a high-profile conference attracting much of the field's talent. It's also a particularly business-focused event, making this a unique place to launch this initiative. Schneier said he doesn't know what size crowd to expect. But sometimes, he said, just getting the conversation started is enough.