Ahead of his 2019 Black Hat USA talk, cybersecurity luminary Bruce Schneier explains why it's so important for tech experts to be actively involved in setting public policy.

Veteran security researcher, cryptographer, and author Bruce Schneier is one of the many cybersecurity experts who will be speaking at Black Hat USA in Las Vegas this August.

He's presenting Information Security in the Public Interest, a 50-minute Briefing about why it's so important for public policy discussions to include technologists with practical understanding of how today's tech can be used and abused.

Schneier has become a vocal advocate for more public-minded technologists, noting in a recent interview with Dark Reading that "in a major law firm, you are expected to do some percentage of pro bono work. I'd love to have the same thing happen in technology."

He recently took time to chat with us via email about what he's hoping to accomplish at Black Hat USA this year, and why he thinks Black Hat attendees are well-suited to serving the greater good as public-interest technologists.

Q. Hey Bruce, thanks for taking the time to chat. Can you tell us a bit about your recent work?

A. I'm a security technologist. I write, speak, work, and teach at the intersection of security, technology, and people. My latest book is about the security implications of physically capable computers, with the arresting title of Click Here to Kill Everybody. It's a book about technology, but it's also a book about public policy; the last two-thirds discusses policy solutions to the technical problems of an Internet-connected world.

I'm not optimistic about the solutions, though. I spend four chapters laying out the different government interventions that can improve cybersecurity in the face of some pretty severe market failures. They're complex, and involve laws, regulations, international agreements, and judicial action. The subsequent chapter is titled "Plan B," because I know that nothing in those four chapters will happen anytime soon. And I don't even think my Plan B ideas will come to pass.

There are a lot of reasons for this, but I think the primary one is that technologists and policy makers don't understand each other. For the most part, they can't understand each other. They speak different languages. They make different assumptions. They approach problem solving differently. Give technologists a problem, and they'll try the best solution they can think of with the idea that if it doesn't work they'll try another — failure is how you learn. Explain that to a policy maker, and they'll freak. Failure is how you never get to try again.

Solving this requires a fundamental change in how we view tech policy. It requires public-interest technologists. So that's what I have been evangelizing. I wrote about it for IEEE Security & Privacy magazine. I spoke about it at the RSA Conference in March, and I also hosted a one-day mini-track where I invited eighteen other public-interest technologists to talk about what they do. I maintain a public-interest tech resources page that lists what other people are writing -- and doing -- in this space.

Q. You've written that having a computer science degree is not a requirement to be an effective public-interest technologist, so what is?

A. Public-interest tech is the intersection of technology and public policy. It's technologists working in public policy, either in or outside government. It's technologists working on projects that serve the public interest: working at an NGO, or working on socially minded tech tools. And while it requires an understanding of both tech and public policy, everyone doesn't need to have the same balance of those two disciplines — and everyone certainly doesn't need a CS degree. What's required is an ability to bridge the two worlds: to understand the policy implications of technology, and the technological implications of policy.

I've met public-interest technologists who are hard-core hackers, either degreed or not. But I've also met public-interest technologists who come from a public policy background, or from a social science background. Since effectiveness requires blending expertise from different areas, it matters less which one came first.

Q. Why is Black Hat a place you've chosen to speak about this, and what do you hope to accomplish?

A. One place where public-interest technologists are needed is security. Networked computers are pervasive in our lives, and the security implications of that are profound. The problems that result require public policy solutions. And just as we can't expect the government to effectively regulate social media when it can't even understand how Facebook makes money, we can't expect the government to effectively navigate the complex socio-technical problems resulting from poor cybersecurity. The Black Hat community is uniquely qualified to learn, understand, and then advocate for effective cybersecurity policy. They're cybersecurity experts, but they have a hacker mindset. My goal is to show people that they are not only qualified to do this, but that there are paths for them to do it effectively.

Q. Power in the tech industry appears to concentrate along lines of money and privilege, as it does in politics. If we do see more people working as public-interest technologists in some capacity, what should be done to ensure they advocate for policies and solutions which benefit the public at large, without overlooking vulnerable or marginalized groups?

A. Ha — welcome to politics. Preventing the already wealthy and powerful from accreting even more wealth and power is one of the oldest problems we have, and it's one of those foundational problems that underlies everything else. Technology actually seems to exacerbate this sort of inequality, allowing corporations to amass extraordinary wealth and power at the expense of everyone else. I don't have a solution, but I know that society needs to figure out a solution. And that the solution will involve understanding the technologies involved, and how they can be shaped to decrease inequity across a wide variety of dimensions.

Take algorithmic decision making as an example. Here is a technology that, if deployed correctly, can result in systems that are fair and equitable. But deployed incorrectly, it can both magnify existing bias and create new ones. There has been an enormous amount written about this, both in understanding current harms and in preventing future ones. Figuring out proper government policy around these technologies will require people who understand those technologies.

Q. Can you share a recent example of how public-interest technologists might be able to help with a policy problem?

A. Right now, I'm thinking a lot about social media and propaganda. It's clear that the same technologies that enable free expression and the rapid exchange of ideas can be weaponized in ways that harm democracy.

I think there is value in thinking of democracy as an information system, and using information-security techniques to model attacks and defenses. It doesn't lead to an obvious solution — that would be too easy — but it's a new way to conceptualize the problem and create a taxonomy of countermeasures. Clearly we can't let surveillance capitalism destroy democracy — and it's up to people who understand both technology and public policy to figure out a way forward.

It's like that across the board. All the major problems of the 21st century are technological at their core, and will require solutions that blend technology and public policy: climate change, synthetic biology, artificial intelligence and robotics, the future of work. These are our problems to solve; we need to get on with it.

For more information about Schneier's Briefing and other talks, see the Black Hat USA Briefings page, which is regularly updated with new content.

Black Hat USA will return to the Mandalay Bay in Las Vegas August 3-8, 2019. For more information on what's happening at the event and how to register, visit the Black Hat website.




