A Google VP has ignited a fierce debate in the cybersecurity industry over the use of potentially discriminatory language after withdrawing from the upcoming Black Hat USA virtual event in protest.
David Kleidermacher, who is VP of Android security and privacy, thanked the organizers of the long-running security conference but said it was time to change.
“Black hat and white hat are terms that need to change. This has nothing to do with their original meaning, and it’s not about race alone – we also need sensible gender-neutral changes like PITM versus MITM,” he argued on Twitter.
“These changes remove harmful associations, promote inclusion and help us break down walls of unconscious bias. Not everyone agrees which terms to change, but I feel strongly our language needs to (this one in particular).”
Many leapt to his defense: noted researcher Kevin Beaumont argued that more speakers and attendees should boycott Black Hat until the organizers change the name.
However, Kleidermacher’s comments also brought out a significant number of industry professionals who disagreed.
Many focused on the fact that the term itself derives not from a notion that things that are “black” are inherently malign, but from the fact that the villains in old cowboy movies used to wear black hats while the heroes wore white hats.
However, Kleidermacher argued that the issue goes beyond this narrow interpretation.
“To reiterate – the need for language change has nothing to do with the origins of the term black hat in infosec. Those who focus on that are missing the point. Black hat/white hat and blacklist/whitelist perpetuate harmful associations of black = bad, white = good,” he said.
That didn’t deter some industry commentators who described the stance as “performative” and “virtue signalling.” Others argued that industry efforts would be better spent on more practical ways to make the sector more diverse.
“The companies at the forefront of changing these tech terminologies hardly have black professionals at the decision table and their top leadership, that’s the change we ask, not sidelining us by making a lingua change no reasonable person asked for,” argued @0xSkywalker.
Back in May, the UK’s National Cyber Security Centre (NCSC) updated terminology on its website, replacing “blacklist” and “whitelist” with “deny list” and “allow list,” after being contacted by a concerned customer.