By Andy Bui
On April 16th, 2024, the Center for Long-Term Cybersecurity (CLTC) hosted a talk by Matt Mitchell, Senior Cyber Security Program Manager at the Ford Foundation.
Mitchell’s presentation, “A Day in the Life of a Public Interest Hacktivist,” was the final event in the Spring 2024 CyberMetis Speaker Series, a series of programs co-sponsored by CLTC and the Future of Cybersecurity Working Group to connect UC Berkeley students with cybersecurity experts and practitioners.
“In each of his roles — hacker developer, operational security trainer, security researcher, and data journalist — Matt is committed to using his digital skills for good,” said CLTC Executive Director Ann Cleaveland. “I think Matt has one of the most interesting jobs in cybersecurity.”
Mitchell introduced his talk by noting that he served on the advisory board for Citizen Clinic, UC Berkeley’s public interest cybersecurity clinic, when it first launched in 2018. “We got together to advise this scrappy program,” which “takes students and instills them with the skills necessary to… help small businesses, nonprofit organizations, and civil society groups,” he said, adding that Citizen Clinic is now “under a completely different team that’s really rocking it, that’s really doing things that we couldn’t even have imagined in 2018…. Part of why I’m here is to celebrate their victories. So congratulations to that team.”
A Day in the Life: Public Interest Activism
Mitchell provided an overview of his career evolution into the field of public interest cybersecurity, explaining that he today “focuses on folks who are marginalized and ostracized and pushed by centrifugal force,” including “queer folks around the world, trans folks around the world, sex workers, and ethnic minorities, depending on where you are, and what that might look like.”
He said that he found his motivation to join the public interest cyber field while working as a data journalist at The New York Times. During the dark times of extrajudicial killings of African American citizens, Mitchell realized he wanted to work in activism or activist-adjacent paths. He found himself in Harlem at a community center on the corner of Malcolm X and Martin Luther King Boulevards, where he proposed holding a meeting on how to use hacking to protect the local community — a workshop that evolved into CryptoHarlem, which provides workshops on cybersecurity to a predominantly African American community in Upper Manhattan.
Mitchell later went on to direct a cybersecurity training program at Tactical Tech, an NGO in Berlin, where he worked with small businesses and nonprofit organizations to bolster their cybersecurity. “I’m disrupting America, and I also have a day job where I work at the Ford Foundation,” he said. “Our mission is to fight inequality wherever it is on the globe.”
Later, Mitchell explained, he successfully applied to a competitive a fellowship program sponsored by the Mozilla and Ford Foundations, where he fully committed to working for the public interest. He recalled thinking, “If they pick me, I will commit my entire life to this public sector. But if they don’t pick me, I’ll make sure I donate some money and do nights and weekend work to help people out.”
Today, at the Ford Foundation, he works with civil society organizations, non-governmental institutions, and grantees, among others. “What I do is I look at the cybersecurity and safety of all our grantee partners,” Mitchell explained.
He said that he and other hacktivists have to approach cybersecurity with a different mindset than corporate cybersecurity professionals. For corporate cybersecurity, “it’s measuring it by dollars, because a business or corporation loses money when there’s a cyber attack. But in the civil society space, it’s not money, it’s actually human life.”
Mitchell emphasized that as hacktivists, the more you learn about cybersecurity, the more you realize that “there is a whole rich history of activism that is lost when you’re looking through that lens of cyber war or commercial protection” and that “hacktivists have the power to be millions of people as one person.”
Making Positive Change
The focus of cybersecurity must shift to implementation, not just theory, Mitchell said, and at the Ford Foundation, he works with grantees and nonprofit organizations to provide access to cybersecurity clinics and funding. Mitchell encouraged attendees to work toward achieving positive change through cybersecurity. He spoke of one of the tools he uses, the Ford Foundation’s Cybersecurity Assessment Tool (2024 version Beta; direct link here), which gauges an organization’s level of risk and provides recommendations for improvement.
“A lot of people don’t realize that they’re just sitting around in a house where the gas is on and they’re playing with matches,” he said. “It’s a matter of time before you need an emergency response. So we give you all that stuff — the smoke detectors, the extinguishers, the monitoring — and teach you how to avoid those big fires.”
He noted that the Ford Foundation helped create the public interest law field as far back as 1975, and began its public interest cybersecurity work in 2019. “We realized that the best and brightest minds, the kind of people who are in this room, are getting pulled away by a massive brain drain to giant corporations that can give you golden handcuffs in the form of vested shares and big salaries. But it wasn’t necessarily work that impacted the world in a better way.”
Mitchell also emphasized the need for accessibility in cybersecurity, pointing out that the Ford Foundation’s grant application is just two pages long and very straightforward. “I know all kinds of hackers, and there are very few of us who are actually focused on making the world better for people who are dealing with the rest of the world pushing down on their necks,” Mitchell said.
The Need for Self-Care
Mitchell drew contrasts between corporate and public interest cybersecurity. “Modern corporate cybersecurity, to me, is about getting a job where you’re a lifeguard for a pool of Olympic swimmers, so it’s not the most needed thing,” he said. “No disrespect to cybersecurity pros, but a lot of times, you’re babysitting some kind of basic AI or automated system, and nothing really happens. If you ask anyone who makes six figures plus in cybersecurity, when’s the last time you dealt with a real, credible threat? They’ll say, I’ve never actually dealt with a real credible threat.”
By contrast, Mitchell explained, the ‘pool’ in which civil society organizations swim “get amazingly complicated threats every day — threats that most people who work in corporate cybersecurity would love to be exposed to, but definitely do not want to have to deal with on a daily basis. And it requires a lot of energy, because… in the civil society world, we’re chasing after charging elephants.”
Mitchell stressed the importance of taking care of one’s self to manage the stress of protecting public interest clients. “It’s really important for us to be there for them, but as human beings, you’re going to take on a lot,” he said. “Have a positive self-care routine, or you’re not going to last long in this business. In the commercial world, it may be that we don’t talk about that. But in the hacktivist world, and in the world of helping civil society, it’s really important.”
“This job takes all of you,” he said. “Take a vacation, hang up the phone. Even though it is life-saving work, it’s not worth losing yourself.”