Yesterday, I wrote about the first half of Bruce Schneier's keynote at the recent RSA Conference in San Francisco. Today, the second half, and the audience Q&A. If you work in security in any way, or just have some interest in the area, you owe it to yourself to read Bruce's plea for doing things differently in the center of the Venn diagram where technology and policy intersect.

Democracy

Right now I’m writing a series of papers looking at democracy as an information system and looks at propaganda as an attack on the system. It’s taking our world view in security and applying it to a different system.

There are organizations involved in this. The Electronic Freedom Foundation (EFF), Epic, Verified Voting, Access Now. Some academic programs are starting to blend technology and policy. There are even some technologies inside governements. In the US, there are just a few on congressional staffs. There is a position in the Federal Trade Commision (FTC) traditionally held by a security technologist.

Some of us are doing security inside organizations like Human Rights Watch and Amnesty International. But their adversaries are governments.

It might seem like a lot but it isn’t. It’s really just a little around the edges. We in this room know about it because we’re paying attention. However, there's lot more need for this kind of stuff, both people willing to do it and people wanting it done.

Public Interest Technologists

We need to scale it up and create an ecosystem where all of this is normal. I want to press for a world where there is a viable career path for public interest technologists. It’s hard to do this today, the way our industry is built now. If you are a technologist on a one-year sabbatical it is easier to go canoeing than work in public policy.

On the supply side, there isn't enough talent to tap into. We already have a talent problem for the existing jobs. But we don’t only need people with computer science degrees. We need ways for peple to do this “on the side”.

On the demand side, there are more people willing than places for them to go. We need more staff positions across government, press, NGOs. We need true technology-driven journalism.

Third, there is the marketplace where these supply and demand meet, things like RightsCon, Internet Freedom Festival.

To make all this work requires a cultural shift. What is in the best interest of corporations is not always in the best interest of society. The initial wave of public interest tech happened because President Obama embraced technological change. Major foundations like Ford and Macarthur starting to fund this.

I see a parallel with public interest law. It didn’t exist in the 1970s, and then the field was deliberately created. Fellowships got funded. This created a world where public interest law was valued. Today, if you are an attorney, you're expected to do some pro bono work. If you want to make partner you are expected to have done considerable public interest work. Today 20% of Harvard Law School graduates go into public interest law. Today there are attorneys at every level of government. That is a change in how we perceive what being an attorney means. I would like technologists to be viewed in the same way.

Implications for the Future

Technologists need to understand the policy implications of their work. There is a feeling that in silicon valley that technology is apolitical, but that’s a myth. The work we do affects the world we live in. All of us need to decide what we are willing to build. Do we want to build surveillance or liberty? Do we work on spyware?

Historically, we've built a world where programmers can code the world as they see fit. We could do that because historically it didn’t matter. How email worked, or SMS, or Facebook. Now it matters, so everything we do has a moral dimension. It’s all areas of tech but especially security since everything in security is dual-use, with both commercial and military applications.

We are responsible for the vision of the future that we espouse and build. There was a critical lesson from Snowden. He showed us that policy can subvert technology. Policy and technology need to work together.

The future is coming, faster than we think. It is coming faster than our existing policy tools can deal with. So we need to develop a new set of policy tools developed with people who understand the technology. It is bigger than computer security, of course. The examples I’ve been giving are bigger. Robots, food safety, drones, bioengineering. All are deep technology issues and where the core issues of society lie.

The defining issue of the 20th century was how much should be governed by the markets and how much by the state. That was the big difference between east and west, the big difference between political parties. Now it is how much of our lives should be governed by technology. Last century we needed economists. This century we need the same places filled with technologists.

I’m asking you to help.

Q&A

Q: What is the tipping point?

It is becoming real now in a way it hasn’t before. Fake news. Security-critical infrastructure. Medical devices, automobiles—stuff that can kill you. Policy makers will have to get involved in our industry. We need to get ahead of this or we will get some really bad policy. We’ve been lucky since we’ve been ignored for a couple of decades. Tech has been a wealth-creating machine, so policy makers haven’t wanted to touch us.

Q: We’ve struggled with how to share courses with students. Do you see where this should be? Engineering, CS, law schools?

I see a lot of joint degree programs. Policy and CS. Law and CS. Different universities do things differently. We want policy people who know tech, and technologists who know something about policy. We don’t have a single association that accredits us. There is an idea that if you are a public interest lawyer, your Mom is proud of you. We need that for public interest technologists.

Q: How does the constitution fit in all of this?

I’m not sure. A lot of countries have governing documents. But increasingly how it works depends on technology. Some of the assumptions in constitutions don’t make sense any more. We will need some rethinking on fundamental social contracts.

Q: How are different countries approaching these issues?

Today, the European Union is the regulatory superpower on the planet. GDPR is their first attempt, but at least they tried. In the US, the federal government is abdicating its responsibility. Some states like California are taking the lead. For example, IoT security law in CA mandates no default passwords. You know that when they remove them for California, they will sell the same thing to the rest of us. We live in a world where the best market will affect everyone globally. We need to watch out for a mediocre federal law trumping the good state laws.

Q: How do you see a developing country like India?

India is doing a lot of good stuff. The supreme court recognizing privacy. National ID in a country with very mixed infrastructure. Developing countries have to be leapfrogging us like we saw with cellphones. India has a big enough population that whatever laws are passed there will not get ignored. There are too many people, so the country is too powerful. It affects us in ways that most of us are not paying attention to.

Q: What about the pay gap between public and private sector?

Look to public interest law. The pay is 1/10th and the jobs do not go begging. The ACLU gets hundreds of applications for each opening. We don’t need everyone, just some of us, and I don’t think it will be a problem.

Q: You touched on automotive, which is big in California and Arizona where we have a lot of autonomous vehicles being tested on our roads. Is there a way to put industrial pressure for better security?

Automobiles are doing better than average, they are already regulated. Both for security/safety (can these cars be hacked and made to crash?) and data security (in US we live in data free-for-all). We are not doing great but it is a lot better than the doorbells, thermostats and dolls. Cars are IoT that is actually life-threatening. Governments regulate things that kill people, so as bad as it is, automotive is our success story right now. But we in US are not going to be regulating data brokers, surveillance capitalism. Nobody wants to touch it, if you want that regulated look to the EU.

Q: How do we continue when we leave this auditorium? I want to do more.

I've created a public interest tech web page. There's lots there to stay informed and get involved. But we’re at the beginning here. I’m trying to create this. 

Learn More...Or Even Do More

Start with Bruce's Public Interest Tech page.

Here's his call to action:

We all need to help. I don’t mean that we all need to quit our jobs and go work on legislative staffs; there’s a lot we can do while still maintaining our existing careers. We can advise governments and other public-interest organizations. We can agitate for the public interest inside the corporations we work for. We can speak at conferences and write opinion pieces for publication. We can teach part-time at all levels. But some of us will need to do this full-time.

Sign up for Sunday Brunch, the weekly Breakfast Bytes email.