This piece was co-authored by Catherine Cronquist Browing, assistant dean of academic programs and of equity and inclusion at UC Berkeley's School of Information.
As part of the Scholar Strike of September 2020, responding to continued police killings of Black people in the United States and grappling with how academia and the tech industry can engage in meaningful anti-racist action, we are sharing our thoughts on the intersection of cybersecurity and racism, incorporating resources suggested by the I School community.
Representation in Cybersecurity
One of the first things many people think of when they think of anti-racism in an industry is hiring, promoting, and supporting Black, Latinx/Chicanx, and Native American/Alaska Native people.
According to a 2018 (ISC)2 workforce study , reported representation of Black, Latino, and Native cybersecurity workforce professionals is significantly lower than general labor force representation and general US population representation (1). Additionally, members self-identifying in these groups are concentrated in non-management positions despite educational attainment. “Minorities who have advanced into leadership roles often hold higher degrees of academic education than their Caucasian peers who occupy similar positions.” Further, “women who identify as Black, Hispanic, Asian or of Native American descent, report the highest numbers of discrimination.” Clearly much more work is urgently needed, not only to increase representation, but also to change the structures, systems, and culture that create these power imbalances in the cybersecurity workforce.
We highly recommend Camille Stewart’s analysis of the underrepresentation of Black people in cybersecurity, particularly at decision-making levels, for its enumeration of many detrimental consequences of failing to account for systemic racism’s role in cybersecurity.
We encourage cybersecurity professionals from all backgrounds to learn more about the excellent groups working to diversify the field, including the International Consortium of Minority Cybersecurity Professionals (ICMCP) and Secure Diversity . If you are a prospective or current student or budding professional considering cybersecurity, these groups can support you. If you’re a hiring manager looking to find a cybersecurity professional, these groups are excellent resources!
Who Benefits from Cybersecurity?
Beyond representation of Black, Latinx, and Native professionals in the field, how are the specific tools and techniques of cybersecurity used or abused to either abet racism or help dismantle it? Cybersecurity practitioners have the expertise to do either — intentionally or unintentionally.
In his “ Crypto for the People ” talk at Crypto 2020, Professor Seny Kamara examines who benefits from cryptography (spoiler: corporations and governments) and disputes the idea that those benefits “trickle down” to people in marginalized groups. He describes Operation Vula , a covert, secure communication channel developed in the 1980s — not by the cryptographic community, but by the African National Congress (ANC) when it was banned by the apartheid South African government.
Asserting that the science of cryptology is not much better aligned to the needs of activists today than it was for the ANC, Kamara asks, “Should activists, protesters, marginalized groups be solving their own crypto problems? Should they be designing their own systems? Or is it something we [cryptographers] should be doing?” His answer is that we need new research agendas and technologies to address problems experienced by marginalized groups, through consultation with experts from those marginalized groups. (Read more about Kamara’s talk in his interview with WIRED .)
Cybersecurity Abuse, Race, and Surveillance
While the ANC faced challenges of communicating covertly at a time when the use of computers and encryption would attract attention and suspicion, today’s social justice activists are conversely challenged by the ubiquity of computing devices and computing power, and the digital surveillance that they enable. Inevitably, populations that experience the brunt of systematic racism, inequality, and bias also become targets of invasive and unwarranted surveillance — for example, Black Lives Matter activists and the Muslim community .
Resonant with Kamara’s appeal, MediaJustice’s # ProtectBlackDissent and Defend our Movements campaigns call for “digital security tools by and for communities of color that actually keep us safe” and help protect targeted individuals from intrusion. The public-interest cybersecurity movement similarly uses the cybersecurity tools and skills more often amassed by well-funded institutions toward defending civil society against digital attack.
Because cybersecurity practices gather significant quantities of data about individuals and their digital activities, it is also our duty as cybersecurity professionals to guard against the abuse of cybersecurity infrastructure for monitoring that is unrelated to protecting systems and data from information security threats. It is not acceptable to claim that abuse of our systems is beyond our control. A balancing analysis policy requiring conscientious consideration of the intended utility, possible abuse, privacy risks, and privacy risk mitigations for any proposed monitoring practice is a meaningful and necessary step in responsibly deploying cybersecurity tools.
Anti-Racism and Diversity
We are very conscious that conversations about supporting the Black community and about anti-racism often get diluted and generalized into broad discussions of diversity, inclusion, and equity. In this piece, we’ve attempted to focus particularly on the intersection of anti-Black racism with cybersecurity.
However, we recognize that anti-racist work is part of a larger context of equity work, and we believe that supporting the Black community requires recognizing the economic, health, political and educational inequities caused by systemic racism, and also necessitates underscoring the experiences of Black women, Black trans* individuals, Black men, Black people with disabilities, and other intersections of marginalized identities. Cybersecurity plays a role in these conversations as well. Does stronger security and privacy cost more (free vs subscription software, device/hardware/computational costs)? How can cybersecurity help prevent online harassment and intimate partner violence ? What are the disparate impacts of digital identification as well as the many topics raised in Stewart’s article (referenced above)?
We must all work to address the repercussions of racism in cybersecurity, particularly racism against Black people in the United States, and expose the negative consequences racism has on everyone. We must also pursue overall equity in the field.
Connecting Ethics to Action
We call on our cybersecurity community to foreground the needs of marginalized and vulnerable people — particularly, as this historical moment reminds us, people experiencing anti-Black racism — in each threat analysis, implementation project, security review, and tool design, as we consider what is being secured, from whom, and for whom, and how it could be abused or weaponized. If you’re looking to take action and ready for a place to start, we suggest Black in Computing’s list of action items alongside Stewart and Kamara’s charges and other voices highlighted in this piece.
We hope we’ve helped amplify some of the links between cybersecurity as a field and anti-racism and look forward to learning more from the I School and wider cybersecurity community in the comments.
Cross-posted from the I School's Medium blog