Be a Change Agent in Cybersecurity!

Black Hat and DEFCON conferences

Cybersecurity friends,

This article about our conference cultures, scores us all very low on accountability to our human behavior at business events. We have many, very serious, life-altering problems to solve in this world and specifically in cybersecurity. This problem of poor behavior can’t remain a problem for us; we are all too smart to not solve this problem!

We can’t fight this fight without including and respecting women and millions of other people we need on the team. 

Please be the change agent we need to create environments that you would want your daughter to go to and environments where women are treated as equals.  It’s really disheartening to hear some of the stories in this article. If you see poor behavior say something please, stand up for others.

See you all in August!

– Deidre


This article was originally published June 19 2018, 4:00 a.m. on The Intercept. All rights and content belong to Ava Kofman


Author – Ava Kofman

CAMILLE TUUTTI CAN’T remember all the times she’s been harassed. A prominent information technology journalist and editor, Tuutti feels that her friendly and outgoing personality — a necessity in her line of work — has often been misinterpreted by men in her field as an invitation for inappropriate behavior, especially at top cybersecurity conferences, where binge drinking is encouraged. Drunk men have often put their arms around her and her colleagues. She has been asked out “a million times.” Someone tried to kiss her the first time she met him.

This April, at RSA, a leading cybersecurity conference held in San Francisco, she was walking the showroom with a male colleague when a male stranger asked her what she was wearing to bed. She noticed, too, that vendors at the show assumed that she didn’t know what she was talking about and that her colleague did. And despite organizers’ previous attempts to implement a dress code, many of the booths featured “booth babes” — scantily clad models hired to attract men to vendors’ wares. “It was so tone-deaf, especially in 2018 and especially in the wake of #MeToo,” Tuutti said.

The casual sexism Tuutti encountered at RSA is not atypical of big-league hacker and cybersecurity conferences. While there are no precise statistics available about harassment at these events, anecdotal reports like Tuutti’s have been widespread and documented for years.

The Intercept spoke to nearly two dozen women across the industry who recounted experiences ranging from uncomfortable to traumatic at conferences such as Def Con and Black Hat, held each year in Las Vegas, and RSA, held worldwide. The women who spoke to The Intercept had encountered a variety of offenses, from suggestive commentary and drunken come-ons to groping and assault. Some of the women, among whom are renowned journalists, CEOs, diversity advocates, and hackers, said that even if their own status had shielded them from some of the worst behavior, they had all heard troubling stories from younger colleagues, peers, and friends.

The women who spoke to The Intercept had encountered a variety of offenses, from suggestive commentary and drunken come-ons to groping and assault.

Troubling new stories surface every conference season, said Kasha Gauthier, director in residence for Community Engagement at the Advanced Cyber Security Center, and yet little seems to change. Gauthier and others see the harassment at conferences as part of a systemic problem in the field of cybersecurity. “To me, it’s just even more of what I see in a boardroom,” she said.

“I know many women who have attended Def Con and have experienced some form of harassment,” said Chenxi Wang, a leading expert in cybersecurity. “A lot of women will tell you, ‘I just brush it off and do my own thing.’ That’s fine. But the question is, should we put young women through that? Should we tell them, ‘Oh just toughen up, this is the industry?’”

Even within the field of technology, which is known for its gender bias, cybersecurity remains a particularly striking example. At companies like Google and Facebook, women make up about 30 percent of employees — and there are notably fewer of them the higher up the ranks one goes. Cybersecurity is much worse. According to the widely cited Global Information Security Workforce study, women compose around 11 percent of the industry and, at every level, earn less than their male peers. More than half of women working in cybersecurity have reported discrimination.

The major cybersecurity conferences are more than just massive parties and prankish sideshows. The events are crucial for networking, talking to recruiters, and learning new skills. Sometimes conference presentations become news events themselves. In 2015, hackers at Def Con demonstrated that they could remotely take control of a Chrysler Jeep’s transmissions, leading the company to recall 1.4 million vehicles. Last year, the conference’s report from its Voting Machine Hacking Village sparked a national dialogue on the security vulnerabilities of electronic voting.

As the leading gatherings for key speakers and cutting-edge products, conferences set the tone for what the field can and should look like. All-male lineups of keynote speakers — which have recently been termed “manels,” rather than panels, on social media — are still a frequent occurrence, as they were this year at the RSA Conference. And even as event organizers claim that they are taking steps to address sexism and harassment, many women still perceive a general indifference to their complaints, which they say sends a message about what kind of behavior is considered appropriate.

“When it comes to conference season in Vegas, there’s all of this folklore about getting hurt and that people shouldn’t come,” said Jessy Irwin, head of security at Tendermint, a blockchain tech company. Irwin said she always goes to conferences with a pack of women and makes a point of ensuring that those who are new to the industry aren’t traveling alone.

In the months since #MeToo took off, women’s whispers about sexual harassment and abuse have been transformed into vocal demands for systemic change — in some cases, with material consequences. Not long before #MeToo began, so-called cybersecurity rock stars Jacob Appelbaum, a former developer at the Tor Project and WikiLeaks collaborator, and Morgan Marquis-Boire, a cybersecurity expert, were asked to resign from leadership positions following multiple allegations of sexual misconduct and rape. (Appelbaum has denied the allegations against him. Marquis-Boire admitted to rape and assault of multiple women in private messages with an acquaintance. Marquis-Boire was the director of security for First Look Media, The Intercept’s parent company, and sometimes a contributor at The Intercept. He left the company for unrelated reasons before the allegations against him came to light.)

Some women are hopeful that the growing legitimation of women’s experiences may pressure conference organizers to take more pointed and effective steps to address abusive behavior at their events. “I think people are more vocal after #MeToo and feel more inclined to speak up and speak out if they or somebody they know are experiencing harassment,” Wang noted.

Others, however, are more skeptical about the possibility of a culture change. “There’s been no reckoning that I’ve seen,” said Gauthier. “I think there should be, and I think women are having those discussions, but that’s not where money is and not where power is.” Some women told The Intercept that they are not willing to risk yet another season of harassment to find out whether anything feels safer. As women seem to be attending these events in decreasing numbers, there is one matter in which they are all in agreement: Change is impossible so long as the men in charge don’t step up to address the issue head-on.

Hackers examine a voting machine during Def Con, a gathering of information security professionals, in Las Vegas on July 28, 2017. Photo: Mark Ovaska/Redux

DEF CON, THE world’s largest and most famous hacker conference, started in 1993 as a goodbye party for a hacker network. It has since grown and professionalized, drawing crowds of close to 22,000 people to a Las Vegas hotel every August. Celebrated computer security experts mingle with NSA agents and civil liberties lawyers. Attendees register by paying $250 in cash at the door. There are around nine men for every woman in attendance. Other conferences, such as RSA and Black Hat, have a more corporate vibe, charging registration fees over $2,000.

Women describe an overall conference culture that promotes a “what happens in Vegas stays in Vegas” mentality, with after-parties where attendees are encouraged to drink as much as possible. They explained that there are often few networking alternatives to the alcohol-heavy after-parties.

Take Def Con’s Hacker Jeopardy in 2016. The late-night game went viral on Twitter after a cybersecurity expert posted about a request that contestants guess the size of a porn star’s penis to within half an inch. Women dressed in skimpy clothing served beers to an all-male group of contestants. In the Double Jeopardy round, they removed pieces of clothing each time a contestant got a question right. The next day, after conference organizers heard about online pushback, they changed the rules so that contestants who answered correctly could have the choice between sending a donation to the Electronic Frontier Foundation or continuing to call for a woman to undress. Progress, in other words, has felt incremental.

At Hacker Jeopardy, contestants who answered correctly could have the choice between sending a donation to the Electronic Frontier Foundation or continuing to call for a woman to undress.

Founders of these four conferences include both black-hat hackers, who work outside the industry, and sometimes outside the law, to expose flaws on their own, and white-hat hackers, who work within governments and corporations. Over the years, when faced with complaints, some organizers have responded by describing their events as harmless fun. Jeff Moss, the founder of both Def Con and Black Hat, has defended Hacker Jeopardy by appealing to tradition and the distinction, in his eyes, between “sexy” and “sexism.”

After Gauthier, a veteran infosec worker, heard about Hacker Jeopardy, she spoke to one of the workers at the conference for over an hour. “The answer that I got was that it was anybody’s choice to attend or not to attend, and can’t I lighten up because it’s good fun?” she said. “People don’t understand that as industry evolves, this is a professional environment, and this is not inclusive behavior.”

These problems are self-reinforcing: So long as conferences celebrate and reflect the sexist status quo of cybersecurity, expanding the ranks of women in the field will be a problem. Some conferences are reported to still feature more “booth babes” than actual female attendees. One woman remembered attending a conference with so few women that when she walked into the ladies’ room, she needed to turn the lights on. Another recalled entering the bathroom and seeing only booth babes in miniskirts and go-go boots.

And yet for years, some organizers have kicked the problem down the road. Instead of organizing the conferences to reflect a positive vision of what the field could be, they’ve defended their choices to have all-male keynotes by arguing that such talks are just a reflection of the way things are. A statement that RSA organizers released about their 2018 “manel” reads: “A diverse speaking program starts with increasing diversity within the technology sector, which needs to be addressed by the industry as a whole.”

The stakes for more inclusive representation are high. Women are leaving the technology sector in greater numbers than they are entering it. Computer science is one of the fastest-growing fields in the United States, and yet, every year since 1984, the number of women in technology in the U.S. has decreased. Attrition is typical. Forty-one percent of women quit the tech industry mid-career compared with just 11 percent of men, according to the National Center for Women & Information Technology. The cybersecurity industry has been projected to have 1.8 million unfilled jobs worldwide by 2022. To address this shortage, companies will need to recruit and retain women, the Global Information Security Workforce study found.

That may be easier said than done. When conferences exclude women speakers, they send a “clear message” that women are still not welcome in the security field, wrote Access Now, a nonprofit focused on human rights, about the keynote roster for the RSA Conference USA 2018. “This is a message that will be heard not only by the attendees but by organizers of other conferences that look to RSA Conference as a source for guidance,” the letter reads. “The bigger danger is that we could see this message — and the mindset behind it — reflected in hiring, development, and operational decisions across the sector.”

THE ABSENCE OF women at conferences only strengthens the self-serving perception for the majority-masculine field that there is a “pipeline problem” — that the reason there is a gender deficit is because there are simply no talented women to hire. It ignores the fact that talented women have already been pushed away.

Many women say the problem begins as early as recruiting. Cybersecurity classes use masculine language — militaristic talk of enemies, penetration tests. Partly emerging from army and intelligence communities, hackers can be prone to hazing and competitive one-upmanship, according to Sarah Clarke, a security adviser. “It’s a culture of just being mean to new people and needing to ‘prove yourself,’” Clarke said.

Rebecca Long, a software engineer and diversity advocate, says that it’s not a stretch to see a connection between the goals of hacking and its particular culture of harassment. “The whole idea of hacking is compromising someone’s system and having power and control over someone else’s computer or network,” she said. Some women have recommended that the field might seem more welcoming if it moved away from the adversarial language of warfare and instead, framed its goals as a matter of safety.

Women told The Intercept that the tacit norms of the industry can make it seem as though harassment is a problem of female sensitivities, rather than male behavior. The unspoken rule is that women must learn to shrug it off and accommodate themselves to inappropriate actions.

Many women interviewed said that the accumulation of minor incidents over the years leads to their dissatisfaction with — or departure from — the field. They recalled stories of inappropriate touching, lewd remarks, and business meetings leading to sexual propositions. Nearly every woman interviewed said that, at some point, they had been mistaken for a male conference-goer’s girlfriend, even if they were one of the keynote speakers. When not being singled out for sexual attention, they were ignored, dismissed, or asked where their boss was. Like many of the women who spoke to The Intercept, infosec researcher Sarah Lewis said it was not a single experience, but the buildup of small brush-offs that drove her away from industry conferences where she wasn’t being paid to speak. “Numerous times, I’ve been asked if the food is coming out. At conferences I’ve keynoted at, I’ve been asked if I was one of the student groups there. Most of the sexism I tend to see is people who mean well, but who have an assumption that I don’t have experience and I don’t belong,” she said.

“There are a lot of cases of overt hostility,” said Amie Stepanovich, who manages cybersecurity policy at Access Now. “I think what is more insidious sometimes are the less overt cases: These are conference sessions where there are people of color or women represented, but they aren’t asked many questions. Or audience questions are only accepted from men. It’s not always overt examples that drive people away. Oftentimes, it’s little things that send the message that people aren’t welcome.”

“It’s not always overt examples that drive people away. Oftentimes, it’s little things that send the message that people aren’t welcome.”

Many women don’t have the privilege of being able to choose whether to leave their jobs if and when harassment occurs. But when it comes to voluntary conferences, it’s not surprising that after years of experiencing such incidents, women have simply stopped showing up. Many told The Intercept that there were certain conferences they would never consider attending again because of their experiences there.

Yet while not showing up may be the safest and most sensible option for one’s personal well-being, it can put women at a disadvantage professionally. As the programmer and feminist activist Valerie Aurora has written, “When you say, ‘Women shouldn’t go to DEFCON if they don’t like it,’ you are saying that women shouldn’t have all of the opportunities that come with attending DEFCON: jobs, education, networking, book contracts, speaking opportunities — or else should be willing to undergo sexual harassment and assault to get access to them.”

In 2011, on the second night of Def Con, Emily Maxima, a programmer, and her wife, who does not work in infosec, were inside the Caesars Palace Hotel waiting for a DJ set, when a Def Con security guard — typically male and known as a “goon” in conference slang — asked them how their “bribe card” was going. Bribe cards are played like bingo: Attendees perform scavenger hunt favors for the goons in exchange for prizes. “I only had one hole punched in mine,” Maxima wrote on her blog years later. The goon turned to her and said: “‘We could punch ‘boobs’ for you.’ One of these volunteer security guards had literally just solicited to see my wife’s breasts right in front of me in exchange for a hole in my bribe card.” Maxima has not returned to Def Con since.

WOMEN WORKING ACROSS all sectors of technology have been fighting back against the field’s entrenched gender bias. In 2014, along with a few other female cybersecurity experts, Chenxi Wang started a social media campaign to ban booth babes. One year later, RSA instituted a dress code in response. Wang said it was a small victory: “They took a step in a positive direction, so we don’t see overt sexualized displays. Even though you still see the occasional booth babes, the overall tone of the show floor has become a lot more professional.”

brainbabe table for STEAM conference

In response to the booth babe ban, Deidre Diamond, a veteran technologist, was inspired to start a company called Brainbabe, which tackles sexism and the skills shortage in the industry at the same time by providing vendors with students from diverse backgrounds to work at booths.

Women in tech have their own gatherings — from the Grace Hopper Celebration, a long-running conference named for a pioneering programmer that draws around 18,000 people a year, 90 percent of them women, to Our Security Advocates Conference, or OURSA, founded this April in response to RSA’s sexist lineup. In 2016, women began to organize a special event known as TiaraCon, separate from Def Con’s main show, for networking, lock-picking (a popular conference extracurricular), and resume-writing. Year-round, groups like the Diana Initiative, Future Ada, and the Ada Initiative provide support for women in tech.

Leigh Honeywell, CEO of the anti-harassment technology startup Tall Poppy, has hosted a workshop in a Caesars Palace room apart from Def Con for the last four years known as “Ally Skills,” which teaches attendees how they can work to improve diversity in security. “There are folks in the field who do want to see it become a more hospitable place for underrepresented people, and I feel fortunate to be able to share tools and tactics for making that happen,” Honeywell explained in an email. The open source workshop, which was originally created by the Ada Initiative, teaches attendees the tools to call out misogyny and bias. Slides ask attendees to brainstorm how allies might respond to situations such as: “A woman you don’t know is standing near your all-male group at a conference in your field. The conference attendees are more than 90 percent men. She is alone and looks like she would rather be talking to people.”

But some women say that separate events, while valuable, do not force the main conference organizers to directly address gender bias. In fact, some say that such events reinforce the message that harassment is a problem for women to deal with on their own. Events that are separate cannot, by their very nature, be equal, Irwin said. While she is glad to have a focus on diversity, she said, “I don’t want the ‘girls’ version.’ I want the big stuff we do for everybody to already have diversity in it.”

“What I want to see is men calling out other men.”

Several women emphasized that until conference management puts the kind of allyship promoted by Honeywell and others at the center of their programming, it will be difficult to effect change. Men need to step up too, Diamond argued: “I tell men this all the time: They’re the ones who are going to solve the problem. There are nearly 90 percent of them. What I want to see is men calling out other men.”

One of the most successful and effective initiatives undertaken to change conference culture has been the development and implementation of written policies that explicitly ban harassment. As the Ada Initiative explains, the most effective policies publicly specify what kinds of behaviors are not acceptable, establish a reporting procedure with contact information for violations, and document how the staff will respond to reports.

In the last several years, responding in part to the organizing work of feminist technologists like those at the Ada Initiative, Def ConRSA, and Black Hat have each instituted clear codes of conduct that prohibit harassment and reserve the right to expel and banish attendees engaging in unacceptable behavior. The latter two have the most detailed of the four conferences’ policies, spelling out the nature and scope of harassment prohibited.

Last year, Def Con became the first hacker con to provide a transparency report of incidents, which it posted online this month. According to the report, at the 2017 event, there were “7 harassment events,” including two people “banned for life for harassing women.” The report also noted that Appelbaum and Marquis-Boire were banned. (Even in its transparency report, the conference kept things a little tongue-in-cheek, noting that there were also “3 adorable dog reports.”)

Experts on anti-harassment policies say that the policies are still insufficient: They do not specify channels for anonymous reporting of incidents, give a deadline for how quickly the conference will respond to reports, or explain what happens if someone in the group charged with enforcement is accused of harassment.

It is also not clear whether the code of conducts’ enforcement mechanisms prioritize the safety of those who have experienced abuse. “It’s been my personal experience that event staff are simply not equipped or qualified to be first responders on these issues,” explained Melanie Ensign, a press lead for Def Con and director of security at Uber, in an email. Outside of her official capacity at the conference, she has been working with experts in the community to expand resources available to survivors of assault.

Black Hat general manager Steve Wylie told The Intercept that the conference’s policy was developed in 2014 and continues to be a “live document.”

“Clearly our industry has some issues, and we’ve developed programs to highlight the issue,” Wylie said. The conference has been attempting to recruit and encourage more women to apply to speak; new diversity initiatives include partnerships with Queercon, a scholarship program for women, peer-to-peer mentoring, and a series of presentations that address human (rather than technical) issues.

RSA declined to respond to detailed questions for this story and sent a link to a blog post addressing this year’s controversy regarding speaker diversity. Def Con, which has not updated its code of conduct since 2015, wrote in an emailed statement: “We are committed to being proactive rather than reactive in the areas of representation and safety. This includes being available to hear all concerns, making it easy for attendees to share those concerns, and having a clearly defined, ongoing process for addressing those concerns. We’ve invested in a reorganization of our volunteer staff, new training, and the creation of an independent department for reporting incidents. … We will continue to do what hackers do — make changes, see what gets better, and iterate on the results.” For this year’s conference, the statement said, Def Con will be introducing a dedicated crisis support line that attendees could access by phone, text, or chat.

Jessy Irwin of Tendermint often feels surprise that in an industry that prides itself on finding patterns and addressing vulnerabilities, the response to decades of harassment has been slow-going. “How the hell can we claim to be good at our jobs at work when we can’t get any of the people in our communities to follow our best practices of knowledge?” she asked. “I want to see the response process get better. I don’t know how we can call ourselves experts at security if we can solve problems with code, but we can’t do it when it comes to people.”


Thank you friends, together we will create change!