Systemic Racism Is a Cybersecurity Threat
By Camille Stewart
Council on Foreign Relations
For years there have been well documented discussions about the need to expand gender and racial diversity in cybersecurity. People have argued that if we address social and systemic issues separately, we will get the technology right. However, the social and the technological are mutually constitutive. Bringing in new points of view is crucial to cybersecurity, but we also have to change the systems in which technology is embedded and review technology against the backdrop of larger systemic issues to reduce vulnerabilities.
Technical and policy mitigations in cybersecurity need to account for the weaknesses of our society, systems, and institutions in their implementations. The places where democracy breaks down and the ugliness of our past sins are laid bare and unaddressed are where we are most vulnerable. Technical and policy mitigations to cybersecurity challenges will never reach their full potential until systemic racism is addressed and diverse voices are reflected among our ranks at all levels.
The spread of disinformation that capitalizes on racial tensions in the United States, by both foreign and domestic actors, is an important but classic reminder of the need to address race. The narratives of the disenfranchised are the best tool and target for disinformation operations designed to incite the majority and further alienate minority groups. Crucially, exploiting the narratives of disenfranchised groups, especially Black Americans [PDF], is a powerful tactic used to radicalize minorities, one we have seen Iran and other countries use. Addressing inequality and systemic racism reduces if not eliminates the efficacy of this tactic.
Also, misinformation and disinformation move through immigrant and diaspora communities differently because of cultural norms. This has implications for the encryption debate and content moderation by tech companies because immigrant communities are heavy users of encrypted platforms like WhatsApp. Building teams composed of diverse viewpoints and conscious of race issues can help elevate those nuances, identify new tactics, techniques, and procedures, and adapt detection to relevant environments. This ultimately will better enable the United States to combat disinformation and misinformation at home and abroad. For example, deeper analysis of Russia’s outsourcing of information operations to Ghana and Nigeria could show that this is more than just an obfuscation tactic and tool to inflame racial tensions but also an effective mechanism for targeting African diaspora communities by exploiting their connections back to the continent.
Cyber diplomacy and international cyber capacity building are better served by having diverse representation that understands the cultural nuances that determine how technology will move through a society. For example, China is heavily investing in digital infrastructure in Africa and the Caribbean and playing a larger role in regional and multilateral bodies, shifting influence away from Europe and the United States. Lack of consistent U.S. investment and engagement in these areas is at its core a race-based decision that is an impediment to creating cyber norms and other global mechanisms to protect ourselves and our allies.
Understanding the cultural nuances of technology use and access is integral to building policies and technical solutions that secure systems and serve people. As countries around the world explore online and mobile voting, efficacy and adoption will differ across cultures, communities, and socioeconomic status. The issue of voter identity authentication [PDF] will be especially challenging. Understanding the differences within our communities and lived experiences domestically and abroad will help build resilience into mobile voting and any other policy and technical cybersecurity solution we seek to implement.
Racism breeds distrust in systems and institutions. This undermines initiatives that require broad civic engagement, such as public health awareness campaigns, voter turnout, and counterterror efforts such as “see something, say something.” Technology can often exacerbate this problem, even unintentionally, and further engrain systemic racism into our institutions and organizations. For example, racial bias in U.S. Customs and Border Protection's (CPB) facial recognition technology has further diminished trust in the agency and the Department of Homeland Security (DHS), its parent organization, which has an expanding cybersecurity mission.
Cybersecurity professionals also need to understand how communities of color are disproportionately affected by cyberattacks that target critical infrastructure. This is because emergency response capabilities [PDF], resilience to climate change, and public health security are comparatively lower in minority and low-income communities. This should inform strategic responses, mitigation, and continuity of operations efforts. Moreover, while communities of color could be the worst impacted, the interdependence of our systems means the vulnerability of their communities will affect everyone.
The lack of diversity in the cybersecurity industry at all levels exacerbates these challenges by making the United States less equipped to identify and address threats, innovate, and meaningfully cooperate with partners. We also have a shortage of cybersecurity practitioners. Engaging diverse communities and fostering their voice and growth in the cyber field would help address this problem. The immediate-hire career fairs DHS started in 2016 were a creative strategy to improve diversity hiring that proved to be successful, resulting in 150 job offers during the first event alone. These efforts should be redoubled and expanded upon across the industry. After all, a representative workforce allows us to harness the collective intellect and experiences of the entire population and be more agile.
The cybersecurity industry needs to create a pipeline for diverse talent representative of the lived experiences of all Americans. Cybersecurity practitioners also need to educate themselves on systemic racism and other forms of hatred, make room for diverse and new perspectives in the industry, and apply this understanding to technology and policy development and application.
Just as the burden cannot be carried by Black Americans in lobbying and protesting, the burden of dismantling systemic racism requires practitioners of every race, sector, and discipline. We need to find ways to build anti-racism and diversity into technology policy, software development, and cybersecurity tool deployment, similar to how diversity and inclusion are now being built into product development.
Understanding how systemic racism intersects with and influences cybersecurity is integral to protecting the American people, deterring our adversaries, and defending American businesses as we seek to return to our position of international leadership.