‘Technology is remaking the world, and we will never get the policy right if policymakers get the tech wrong’

Bruce Schneier opened up the 2020 (ISC)2 Security Congress on Monday with an impassioned call for information security professionals to become more involved in policy making as “public-interest technologists”.

The noted author and security guru argued that technology increasingly affects all aspects of society, and unless technologically knowledgeable people get involved in helping to inform and shape policy then bad decisions will inevitably be made.

Schneier is not advocating that policymakers need to be technologists, but rather that infosec professionals need to step up to the plate and help guide how technology is changing society.

“Technology is remaking the world, and we will never get the policy right if policymakers get the tech wrong,” Schneier said. “Policies are forever trying to catch up with technology.”

Speaking tech to power

Election security, surveillance, IoT safety, data privacy, 5G rollouts, and protecting the critical national infrastructure are all important public policy issues that have become intertwined with internet security prerogatives.

Some understanding of the technologies involved is needed to have any hope of crafting good policy, but despite this there is currently little involvement of technologists in these areas.

Schneier argued that insufficient attention to the technical dimension of policy issues had already led to mistakes in areas including net neutrality, copyright, cybersecurity, and algorithmic decision making.

RELATED Coronavirus contact-tracing apps are worse than useless – Schneier

The Harvard Kennedy School fellow and Electronic Frontier Foundation board member said this lack of involvement is no longer sustainable, and that technologists need to get involved in “speaking tech to power”.

“Technology is deeply intertwined with society,” Schneier said. “It's literally creating our world. And it is no longer sustainable for technology and policy to be in different worlds.”

Technology is no longer simply a set of “tools”, but something that is deeply embedded in society, according to Schneier.

“Historically, programmers have been given an inherent right to code the world as they saw fit because historically it didn't matter. But now it does, and that privilege needs to end,” he said.

Bruce Schneier provided the keynote for the 2020 (ISC)2 Security Congress

Fact checks and legal advice

How social media platforms handle disinformation and fact check politicians has risen to the top of the political agenda because of issues around the US election and a potential development of an effective vaccine for coronavirus. This is the shape of things to come, according to Schneier.

“Technology has become de facto policy,” Schneier said. “Companies have effective control over free speech and censorship regardless of what national laws are. Companies can set limits on personal freedoms regardless of what national laws are.”

As well as helping to advise lawmakers and policymakers in crafting policy, public-interest technologists would work inside private companies, at NGOs, and teaching at universities.

Read more of the latest security policy and legislation news

These technologists might be embedded within tech development teams in a similar way to how Google already embeds lawyers in its own product teams, so that they are able to provide advice throughout the development process.

There would also be a role for public-interest technologists in providing security advice to agencies and groups working in the broader public interest.

In the same way that partners in law firms do a certain percentage of pro-bono work, technologists should step up and do something similar, according to Schneier.

Hack society

According to Schneier, expertise about hacking and securing against hacks for broader social systems, such as reforming the tax code.

In order to explain this concept, Schneier went on to draw parallels between the tax code and computer code:

The tax code is code. It’s a series of rules. It’s an algorithm that takes a bunch of financial information and outputs the amount of tax owed. It’s code that has vulnerabilities.

We call them tax loopholes. It’s code that has exploits. We call them tax avoidance strategies. And there are even black hat hackers who look for vulnerabilities to exploit. We call them tax attorneys.

“I think the hack framework is a useful way to understand and maybe solve problems in these broader social systems,” he said.

Schneier – who has been developing his ideas and speaking about public-interest technologists for the last year or so – has set up a decided website with resources on the subject at public-interest-tech.com.

Advancing the ‘game plan’

Opening the (ISC)2 security conference yesterday (November 16), incoming CEO Clar Rosso said she wanted to become a “tireless advocate” for the security certification organization’s 150,000 members and “our collective vision of inspiring a safe and secure cyber world”.

Rosso went on to speak about the three key pillars of the (ISC)2 board’s “game plan”:

  • Advocate for the advancement of (ISC)2 certifications

  • Delivering member value by offering professional development and learning opportunities

  • Grow (ISC)2’s membership and the wider cybersecurity workforce

“Attracting a broader and more diverse pool of candidates is critical to expanding our work force,” Rosso concluded.

RECOMMENDED ethicsFIRST: Maintaining ethical behavior across the cybersecurity industry