This matters more: How cyber pros are confronting racism in their own ranks, and beyond
The police killing of George Floyd in Minneapolis last week prompted Leroy Terrelonge to do something he had never done: vividly recall all of his experiences with racism since youth.
“I was surprised by how incidents that I had buried deep suddenly surged back to my memory and hurt all over again,” said Terrelonge, 34, a black cyber-risk analyst at Moody’s. “I imagined how they could have taken a wrong turn under certain circumstances and I, too, could be dead.”
Terrelonge is one of millions of black Americans experiencing Floyd’s death in visceral ways. He’s also one of many cybersecurity professionals searching for the right balance between work and advancing social justice. The daily grind of reverse-engineering malware feels trivial when police are teargassing peaceful protesters, neighborhoods are in flames and opportunists unaffiliated with black social-justice causes are violently exploiting the unrest.
“Information security is not often a matter of life or death, even for those working on critical infrastructure,” said Jackie Singh, CEO of security consulting firm Spyglass Security. “The events of the past week have brought that into sharper relief, which naturally reduces the intensity of our focus on cybersecurity.”
And so some in the industry are helping peaceful protesters, confronting their employers’ relationships with the Trump administration, or simply amplifying more marginalized voices.
‘The best place for my privilege’
After seeing a video of a police officer hitting a woman of color picking up trash at a protest in Baltimore, Emily Crose decided to contact her on Twitter. Crose, a senior industrial pentester at Maryland-based cybersecurity company Dragos, filed a Freedom of Information Act request on the woman’s behalf for the body-camera footage of the officer’s supervisor, who was standing nearby.
“I told her I’m behind her all the way … or in front of her, depending on where the police are and where she needs me to be,” said Crose, who is white. “That, to me, is the best place for my privilege to go.”
After a week in which security forces manhandled people a block from the White House, another cybersecurity professional is wrestling with how to make peace with their employer’s work with the federal government.
“It’s difficult to reconcile working with a company that is currently supporting the government in a cybersecurity role,” said one source who works at a publicly traded cybersecurity company and asked not to be identified. “I know [the company] is not implicitly or explicitly supporting police brutality or the words of our president, but it’s an aspect of it that keeps me up at night, honestly, having to reconcile working for a company whose customers include the [U.S. government] and political groups.”
Others are tired of marketing spin that ignores inequities. Andrew Morris, founder of GreyNoise Intelligence, a company that maps internet traffic, has spent the last several nights handing out water and snacks to protesters from his front porch in Washington, D.C.
His advice for people in the cybersecurity industry was to move past rhetoric and take action by supporting the black community now and in the future. “Look at your own team/company/leadership/executives/board of directors and ask yourself if the people of color are well represented,” Morris, who is white, said in an email. “Chances are ‘no.’”
“Don’t f—– make empty marketing promises [or] vague, vapid PR responses,” he added. “Donate money [to Black Lives Matter and other organizations] or GTFO.”
Some white people in the industry are acknowledging their privilege, but not nearly enough people have spoken up, said Richie Cyrus, an African-American manager at cybersecurity company SpecterOps.
“Too many people, especially in the infosec community have remained silent, possibly waiting for the story of George Floyd to ‘blow over’ or paralyzed by not knowing what to say,” Cyrus said. “Not only is this detrimental to inclusion in our industry, it further deters true progress from being made.”
Unintended consequences
Cybersecurity professionals who spoke with CyberScoop said the recent unrest, on top of the global coronavirus pandemic, has exacerbated the stress the community is under. A 2019 survey conducted by Osterman Research found that 91% of security practitioners reported moderate or high stress, with a quarter saying their job has affected their mental or physical health.
“The security community is already prone to poor handling of various psychological stressors,” Singh, who comes from a multiracial background, told CyberScoop. “Having a talent for computing does not necessarily correlate with high emotional IQ, and the fact is, these times are difficult for even the most well-adjusted person.”
Beyond mental health, some cybersecurity practitioners are reflecting on how some of the industry’s creations and cultural roots have played a part in societal fissures, whether it’s tech used for surveillance or social media weaponized for harassment.
Before the coronavirus pandemic, Crose, the pentester at Dragos, was scheduled to speak at a Minneapolis conference on what she calls the “hijacking of infosec culture” by political extremists. Years ago, young hackers would use message boards or wiki sites to taunt each other.
“When we roasted our friends and ripped each other on Encyclopedia Dramatica way back when, that was kid stuff,” said Crose, whose company has offered to bail out any employees who are jailed for protesting. “We never would have dreamed that an actual president of the United States would be elected with [those trolling tactics], and then actively use them to further a rhetorical agenda.”
An industry lawyer — who asked not to be identified so she could speak freely — said more needs to be done to ensure that minority voices are heard when companies develop tools or services, primarily to understand how they could be weaponized against people of color.
“A lot of women and people of color in this industry have repeatedly tried to get folks to embed different threat scenarios into their products,” the lawyer said. “But it’s always women and people of color who have to shoulder the burden.”
Not every reflection brought on by the protests has been grim. Terrelonge said Floyd’s killing has sparked some positive conversations at Moody’s New York City office.
“My boss made space during a team meeting for black people to talk about how we are feeling and processing this, and then opened up to the rest of the team for their input,” he said.
That kind of exchange gives Terrelonge hope.
“It feels like more people are listening,” he added. “It feels like more people believe me when I tell them about my experiences with racism.”
