By donating their security expertise, infosec professionals are supporting non-profits, advocacy groups, and communities in need.
Victims of abusive relationships are all too familiar with stalkerware — spyware sometimes used by abusers to track their victims' conversations and locations. Eva Galperin, who heads the Threat Labs at the Electronic Frontier Foundation (EFF), has been pressing antivirus companies to treat stalkerware as a serious problem for some time.
Now she's finally seeing progress. Last week, EFF and nine other organizations united to launch the new Coalition Against Stalkerware, which aims to spread awareness and help affected victims.
"Our goal is to have a definition, standards for detection, and to get AV companies to change the norms of how this software is treated," says Galperin.
This is just one of the ways Galperin has used her security knowledge to assist vulnerable populations. She is an outspoken advocate for using security for altruistic purposes. To put it simply: hacking for the greater good.
"Hacking is curiosity," she says. "It is the act of taking things apart and seeing how they work. Ideally this is followed by putting something back together so it can work better. [That] can apply to a product – but it can also apply to societal issues. It does not need to be confined to an office."
Security professionals are needed and should feel called on to use their experience to help others and impact larger societal issues — especially now, she says. This is essential, she says, due to the ubiquity of technology in nearly every aspect of our lives.
"These are particularly interesting political times," says Galperin. "Everyone reads the paper and gets upset about some kind of news involving technology. Digital technology is at the center of our lives. Almost every issue now has some sort of information component."
Galperin has been giving regular presentations on the topic of security for the greater good at events like Black Hat with security luminary Bruce Schneier, who describes himself as a "public-interest technologist, working at the intersection of security, technology, and people." Their goal is to spread a message on the need for more involvement from technology and security professionals in charitable work, as well as more influence on policy development.
Policy Development, Not Just Product Development
Schneier cites stalkerware as an example of this need. Currently, product design in a vacuum does not consider broader implications that can ultimately lead to harm.
"If your software developers are all white men, you might not get a product that reflects the rest of the population," he says. "It goes very deep. They are just building tech toys, not systems with social implications."
As Schneier pointed out in a recent essay, technologists and policymakers largely inhabit two separate worlds, and bridging that gap is essential for the future as almost everything is now based on technology in some way.
"You can no longer separate technology from policy," says Schneier. "You can no longer work on food security or climate change without understanding technology. You get the technology wrong, you get the policy wrong."
And the stakes are high if technologists and security professionals fail to involve themselves at the policy level, argues Schneier. Take artificial intelligence (AI): AI has the potential to offer productivity gains to organizations, yet it also has the potential, as he wrote, to "entrench bias and codify inequity, and to act in ways that are unexplainable and undesirable." It is an example of a technology that requires development with an intricate understanding of "both the policy tools available to modern society and the technologies of AI," according to Schneier.
But despite the rallying cry, Schneier also notes that actually putting technologists to work on policy and charitable causes is easier said than done.
When he speaks at public events about the issue, Schneier says he is often approached by attendees who want to do more to help, but there aren't any clear paths forward. "They say 'OK, you've convinced me.' But I've got nothing for them," says Schneier. "There aren’t enough [relevant] positions at federal agencies, at NGOs. That’s the immediate problem."
Plus, when salaries may be substantially higher at an enterprise or technology company, trained technology professionals might be less likely to take a full-time position at a non-profit.
But in other fields, such as law, Schneier notes there is an active movement to encourage practitioners to spend a block of time on volunteering or sabbatical. This is not yet a common part of computer science careers, and that needs to change, he says.
"Find a cause you believe in and a group that does it and get involved," he says. "You can take a sabbatical. Or teach. But you have to find your own path."
Galperin suggests starting local.
"Everyone has a population that they care about," she says. "It could be a school or church. Increasingly those groups are under threat or face risks they don't understand. This is a great opportunity for trained professionals to come in and do what they do. To spread better security hygiene in a way that works for them."