Black Hat has established its reputation as a world-famous hacker conference by drawing attention to the complex problems in cybersecurity that no one else has solved, or even noticed. For the last two decades, its packed discussions, known as briefings, have made headlines by featuring highly technical experts revealing previously unknown security vulnerabilities. In recent years, hackers have demonstrated their ingenuity in overcoming a smart gun’s protections, tampering with voting machines, and shutting down critical city infrastructure.

But last week, for the first time in Black Hat’s history, the conference invited speakers to address gender discrimination, sexual assault, mental health, and substance abuse. The conference’s inaugural Community Track briefings provided a window into problems in the cybersecurity world that have long been hidden in plain sight. At the Mandalay Bay Convention Center in Las Vegas, certified rape crisis counselors spoke alongside engineers and emergency physicians about some of the challenges facing hackers as people.

Many leading cybersecurity conferences, such as Black Hat, Def Con, and RSA, have seemed reluctant to outgrow their beginnings as boys’ clubs, even as their attendees have become more professional and diverse. Over the last decade, journalists, hackers, and advocates have documented a range of abusive incidents at these events. Earlier this year, I spoke to two dozen women who worked in cybersecurity, many of whom had reported incidents of harassment only to be dismissed or ignored by organizers of these events. Some said that the systemic nature of sexism at these annual events felt like a feature, not a bug. In this landscape, Black Hat’s Community Track — along with an expanded range of initiatives to support working mothers, survivors of sexual assault, queer hackers, and recovering alcoholics, among others — represented a welcome step.

Countering Stigma and Silence

Cybersecurity is, by all accounts, an emotionally demanding field. In a briefing on burnout, depression, and suicide in the hacker community, Christian Dameff, a physician, and Jay Radcliffe, a security researcher, explained the unique stressors that often accompany jobs in the information security sector, such as social isolation and abnormal sleep schedules. They cited an Information Systems Security Association study from 2018, in which 68 percent of respondents described work-life balance as a major problem. Contributing to this, they said, was a talent shortage that increased demands on an already overworked staff. The field’s self-image of strength and toughness, Radcliffe said, could also serve to further isolate employees from seeking help.

In her talk on addiction in infosec, Jamie Tomasello, an engineer at Duo Security, detailed the relationship between stress and alcoholism. She described the particular ways in which the imperative to drink overlapped with career opportunities — and an occasionally toxic conference culture. “I built rapport, trust, and respect while drinking,” she said. “I was included in conversations and projects that I wouldn’t have been in without that glass in hand.” As a recovering alcoholic, she noted, it could be difficult to attend conferences like Black Hat that were fueled by networking and afterparties at bars. She offered alternatives for managers and companies hoping to organize more inclusive events for employees struggling with alcoholism, and praised the introduction of sobriety meetings. Employee wellness programs, she stressed, needed “to extend beyond health, food, gym memberships.”

In their respective talks on the importance of neurodiversity, Joe Slowik, a veteran with post-traumatic stress disorder who now works in network defense, and Rhett Greenhagen, a senior security researcher for McAfee’s Advanced Programs Group who has Asperger’s, each echoed this call for empathy.

Slowik said that he had “rage-submitted” his talk, “Demystifying PTSD in Information Security,” to the conference after coming across an article that failed to distinguish between burnout, high stress, and an actual PTSD diagnosis. He pushed back against a “one-size-fits-all” approach to dealing with survivors of sexual and military trauma. Alienation, depression, and disengagement were common symptoms, he said, and he described his daily work as giving him his confidence back. “Don’t shun, ignore, or pity. Engage,” he advised those who might work with colleagues with PTSD.

Greenhagen described the ways in which being a person with Asperger’s gave him an interest in pattern recognition — “It is extremely hard for us to not solve a puzzle,” he noted — and a major leg up as a network security analyst. While the evidence is chiefly anecdotal, it is suspected that there is a prevalence of hackers on the autism spectrum. But for all the pleasures of the demanding work, Greenhagen also acknowledged some serious downsides to working on a team. Sensory distractions and small talk interfered with his ability to do his job — an experience that was echoed by hackers with an autism spectrum disorder diagnosis who took part in an informal survey conducted by Stacy Thayer, a psychologist who spoke alongside Greenhagen.

“I don’t think I’ll ever have a normal social interaction with other co-workers,” Greenhagen said. “Either there were people who absolutely adored me, even if they found stupid crap I did hilarious. Or there were people who couldn’t stand me. What made it livable was that it wasn’t a huge percentage. I had more people stand up for me and realize I have shortcomings.”

The briefings focused on mental health were by turns moving and vexing. Some of the men emphasized soul-baring, engaging their captive audience in a personal story, at the expense of skill-building. Race was notably absent as a topic of discussion. So too were the ways in which diagnoses such as alcoholism, PTSD, burnout, and Asperger’s might differently affect people across genders and identities. Given the graphic nature of the discussions about suicide in the PTSD and burnout talks, trigger warnings would have been prudent. But it was precisely the elementary nature of some of these discussions that testified to their novelty in the community — and hence their necessity.

A Black Hat tech associate works in the network operating center during the Black Hat information security conference at Mandalay Bay on July 26, 2017, in Las Vegas. Photo: Richard Brian/Las Vegas Review-Journal via AP

Remedying the Pipeline Problem

The Community Track’s strongest talks focused on gender. As several of the speakers noted, cybersecurity companies still have a long way to go in cultivating diverse talent, centering the experiences of marginalized employees, and preventing their burnout. Attrition is common for talented women programmers, especially as one looks up the ladder. The lack of women at Black Hat has long served as a striking reminder of the lack of women in cybersecurity, a field in which women make up around 11 percent of the workforce. But a robust analysis of the reasons for their absence was, for the first time, part of the event’s main programming.

One of the most crowded sessions on the Community Track was dedicated to the problem of hiring — and keeping — women in cybersecurity. Ashley Holtz, a programmer at CrowdStrike and diversity advocate, drew on several empirical studies to document the myriad gaps between men and women in the industry — from degrees awarded to positions to salaries to retention. Three decades after earning their undergraduate degrees, just 19 percent of women stayed in the engineering industry compared with 39 percent of men. The future doesn’t look much brighter. According to a National Center for Women in Technology study, even while three quarters of women report loving their work, over half leave mid-career — twice the quit rate for men. The top barriers in the workplace cited by women include a lack of mentors, lack of role models, gender bias, unequal growth opportunities compared to men, and unequal pay for the same skills.

“If unequal pay is the only problem you have in your organization,” Holtz noted, “you’re very, very lucky.” Changing a number, she pointed out, was easier than changing an entire culture. Hostile male behavior creates a negative feedback loop: Companies and conferences become less diverse as they acquire a reputation for being hostile to diversity. Some women, she said, were less likely to join teams in which they would once again be the only woman.

So what to do? Holtz broke down the three main areas through which women might be blocked from staying or coming into an organization: hiring, retention, and promotion. “When you’re trying to get people you don’t usually have, you have to try a little harder to target those people,” Holtz said. She emphasized the importance of using inclusive language in job descriptions, sending recruiters to college groups and meetups, and building the company’s track record. A lot of the time, she said, women accepted job offers not just because of the salary on offer but also because of how they were treated during recruitment. Holtz hears from women who felt mistreated or condescended to in the interview process by men more eager to show off their own skills than assess those of the candidate.

At the conference’s informal meetups and affinity groups for women in cybersecurity, some of which were established well before the introduction of the Community Track, women confirmed the wisdom of many of Holtz’s recommendations. The majority of women I spoke with had encountered some female colleagues in sales or in administrative jobs, but had never worked with another woman on their technical team. Many traded stories about the lack of mentorship at their jobs — often because their male colleagues networked without them over late-night drinks, what one called “a buddy thing with guys.” Others said that viable male mentors ignored them because they were afraid of any one-on-one mentorship meetings appearing inappropriate. The wide range of ages and experiences present at these meetings was striking. Senior engineers sat alongside teenage MIT sophomores: What brought them together was a desire for comrades.

At the Women in Security and Privacy meeting, Eugenia Barkova, a Russian-born engineer who had worked only with men, said she was there “to find people who know the industry well enough who can help. I spend a lot of time on research I wouldn’t have to do if I just knew someone I could get a coffee with who could explain it,” she said of her work. “And I don’t like to waste my time.” A woman from Bellingham, Washington, told a story about working on a team of all men at her previous job. “They kept addressing the team ‘you guys’ in official communications, and I wanted to know, ‘Does this mean me?’”

At the Executive Women’s Forum meetup, I spoke to Sondra Schneider, the CEO of a cybersecurity certification school who had been attending Black Hat since its founding in 1997. She said that even as the number of attendees has grown over the last two decades — to nearly 19,000 people — the proportion of women has continued to hover around 10 percent. She had never been to a networking event before but came to finally meet what she called the “young women of cyber.” Allison Taylor, the CEO of Thought Marketing, agreed. “In the past, I admit, I was kind of a snob,” she said of the idea of women’s networking. But she, like Schneider, had been pleasantly surprised. “I feel like it’s really different with these events. You get to actually help people and it’s not a drain.”

Hackers are let loose on a series of computerized voting machines during an event at Def Con in Las Vegas, July 28, 2017. Photo: Mark Ovaska/The New York Times/Redux