UNION SELECT * FROM hackers...

BSides Las Vegas · Published 2025-12
About this talk
Identifier: ZNXL8D

Description:
- “UNION SELECT * FROM hackers: Why We Should Be Building InfoSec Worker Power Through the Labor Movement”
- Advocates for unionization in InfoSec community.
- Explains erosion of protections and need for solidarity.
- Shares personal experience as union representative.
- Argues for building worker power through labor movement.

Location & Metadata:
- Location: Common Ground, Florentine F
- Date/Time: Wednesday, 10:00–10:45
- Speaker: Logan Arkema

Good morning everyone. Welcome to BSides Common Ground and you're going to hear from Logan Arma this morning. Let me get that right. No. And he's going to talk about some union topics for our industry and I'm not going to read the title because you can read it. But that's really interesting. So I didn't go to the one yesterday, but I saw it in all my years and I never seen those talks in our tracks before. So I can't wait to hear from. So, we also want to thank our sponsors of BSides because that's what makes it possible. And um our diamond sponsors are Adobe and Aikido. And I presume you're v you're visiting the sponsors.

That's what they're here for and that's why they help fund our event. So, it's so inexpensive for us. And then also uh two of our gold sponsors, Dropzone AI and runZero. So, that's what makes our conference possible and affordable for all of us. Cell phones. It's being recorded and you can have access to the presentations after the fact, please put your cell phones on mute and if you're not aware of this, no cameras. That's the P5's policy, right? Somebody will report if you have one up. Thank you very much. If you'd like to get started.

>> All right. Thank you, Debbie. Uh, so as Debbie mentioned, this is Union Select Star from hackers: why we should be

building infosec worker power through the labor movement. Uh all the slides, resources, and citations for these are all on GitHub already. Um and so hopefully you're here for the talk about the labor movement, not the talk about databases, though I think there are a lot of good databases talks uh here this week. Uh to get a sense of the room, how many people here have ever been in a labor union? Okay, three. That's about what I expected. How many here would like to be in a union if you could? Okay, awesome. That's about what I expected. Anyone who's just ambivalent or here to have something to listen to while sipping coffee. Um, okay. And anyone who's here

to hack me, get me fired, or sabotage the labor movement. That's what I thought. They're all watching on camera. Hey, Elon. Um, okay. So, for a bit of information about who I am and for some context setting, I'm going to talk a little fast, maybe get a little y. Hopefully, I'll have time for one question at the end, but I assume that a lot of questions people are going to want to ask off camera. So there's resources and um I'll be hanging around after the talk uh for a bit about me. Uh so I uh and I'm arguably worth listening to. Uh I'm not someone from big union to be an outside agitator uh and stir up

trouble where I don't belong. Cyber security is my day job. I'm a senior cyber security specialist at a government agency. Uh exact one doesn't matter for the purposes of this talk. Uh but in my day job I'm a cloud engineer and product lead. Previously I've worked on some privacy uh incident response and some other issues. Very importantly uh the opinions and views expressed in this presentation are my own and uh my union local's and do not represent the thoughts, opinions or positions of my current employer. This is a very important point. I'm here on my own dime own time and I'm not speaking for uh any other institution. Uh as I'll get into a

second, I am a union rep at my current job. Been doing that for about 5 years representing some colleagues. Uh, and in my free time, I've built a Blinky badge, uh, do some tool development, volunteered around the community at villages and other BSides. Uh, and I got my master's degree in tech law and policy, which is relevant uh, for some of the policy and law elements of this talk. I'm not a lawyer. This is not legal advice, but I did take some labor law, so I'm not speaking out of nowhere when it comes to some of these issues, specifically on the labor background and why I'm worth listening to in that degree. Uh, so I've been a union rep for

5 years and my current job, my union local is with the International Federation of Professional and Technical Engineers or IFPTE because the labor movement likes convoluted acronyms just as much as the tech industry. Uh, I represent my IT and cyber security team in our day-to-day work, but have also done uh bargaining, dispute resolution, and advocacy. And I'm a tech policy adviser for IFPTE at large. And then I also organize with some cool grassroots labor organizations. uh the Tech Workers Coalition and the Federal Unionists Network. Uh all right, the I think the most important thing about my background is that I am really just some guy. Uh I'm not that special. Uh despite what my mom may say, I have no black badges, no

CVE, no lead stories about getting domain admin or hacking uh nation states. Uh if I can do the stuff covered in this presentation, you probably can too. This can be pretty daunting work, pretty intimidating work. Uh, and it's not work that can be practiced in a home lab or a CTF or something that you can get a cert for. Uh, no one really knows how to do it until they do it. And that means the only way for you to get good at it and to feel comfortable doing it is to do it. Uh so I would like to start the talk if I may by offering some thoughts on the current moment both broadly and specifically for us as a

community and a workforce compared to where we were a year ago. I'll then give some thoughts on what makes the hacker community particularly equipped to meet this moment and to organize our labor. After that I'll talk about unions a bit more generally and how our community and industry uh could fit into the labor movement framework. And I'll conclude with some thoughts on why we really need to organize as workers right now with some concrete next steps. So who remembers the plan? Specifically the plan for how we as hackers and infosec workers were going to build and maintain political influence so that the feds don't go back to hunting us for sport. And we're going to maintain high

demand for our labor so that we always had job security. Uh if you don't remember, it's probably because there wasn't much of a plan uh at least explicitly beyond some vibes and the idea that we were kind of set as an industry and a workforce. Uh to the extent that there was a plan to build and maintain political influence, especially among this community, a lot of it I think was dedicated to building Dark Tangent's Rolodex. Um, that might be hyperbolic, but a lot of the work that was done to build this community's political influence came down to high-profile names, building individual relationships uh with policy makers and journalists, and then using those relationships to speak on behalf

of the community without much formal accountability or direct input to or from this community uh or much material input. Essentially, we've been doing policy advocacy more or less fueled by personal brands. Uh that now that's not to say that this is inherently bad, especially compared to where we were a decade or even longer ago. I'm not going to complain that the National Cyber Director came here every year to tell us how special we were and that we were needed and that they want to listen to us. Um but that type of individual-based advocacy is very fragile when it depends on a handful of people being listened to with their individual relationships. Now, as workers, we were able to coast

on scarcity to create high demand for our labor. Uh that demand may have been dramatically overestimated, overreported and overinflated, but it kept our salaries high and our negotiating power strong. Uh essentially, we haven't really had to grapple with where our power comes from when it doesn't come from our individual relationships or our scarce skills. And we're still kind of stuck in that mindset. Uh this slide I grabbed from Monday morning's uh keynote, which was a great keynote, and I loved it. And it was all about how we need to come together and build a community and we're stronger together. And then this slide came up in the context of uh having a bad employer. And

I was like, "Yes, Bryson, he's going to talk about voting to form a union when you have a bad employer." And then it was a metaphor for voting with your feet to leave your employer. And we were so close, this is so close to hitting the nail on the head because you can literally vote in your workplace. You can literally democratically actually vote to have a union, as I'll uh touch on in some more uh later. So, if we cut to where things are today, uh I'm going to say things aren't going great. Uh that I think that's kind of a consensus here, but um this is pretty obvious in government where a new administration

has actively targeted leaders of our community for doing their jobs and doing them well. They've removed the voices in our community that were given federal government roles like DT's advisory role at CISA. They've cut our peers' jobs or pushed them to leave. uh those peers who were doing deeply important work to protect public interest systems and provide free resources to the rest of us. They barely sustained the CVE data that serves as a foundation for our industry. And they removed oversight officials. Whoop. And they removed oversight officials who stood to hold companies and other government uh agencies accountable for running insecure, immature cyber security and privacy programs. The totalitarians in government have been on a rampage

replacing competent professionals with yes-men. And this isn't just dangerous for our republic. It's especially dangerous in our industry uh where quickly and honestly reporting bad news is essential to keeping systems, data, and people safe. Um not to worry, however, the push to quash our ability to dissent, raise alarms, and have protections on the job through union representation and collective bargaining has a carveout for IT and cyber security workers. It specifically carves us out from those protections uh allegedly for national security reasons. Uh and just on Monday, a federal appeals court has affirmed that the president can essentially declare that any federal executive branch role is national security essential enough to uh be stripped of union protections, even if

that position doesn't require a clearance or is as uh routine as checking drugs at the FDA. If anything demonstrates the criticality of our work, it's that we were explicitly excluded from layoff targets at the same time that we were excluded from union protections. They know that they need us and our labor to keep the machine running. They just don't want us to be able to say anything about it or do anything other than run the machine in the way that they say. The feds are back to hunting us for sport. And it's not for DMCA or CFAA violations this time, but it's because we could possibly slow them down. As for those of us who are in

the private sector, uh our jobs may not be directly cut by the new administration, but certainly uh contracts and funding has uh gone away. Um, and our bosses, more importantly, have felt emboldened to tighten the screws. Over the past few years, layoffs have been sweeping the tech industry. And we know the job market isn't what it was a few years ago. Our bosses have been fed the narrative that AI can successfully and competently take over our work, something that those of us who have spent more than a day being forced to shape our workflow around a new AI tool know isn't true. And they think they have free rein to cut without consequence. For the second year in a

row, we should all be booing CrowdStrike. And this year, I think a lot more than last year because uh this year the harm of laying off hundreds of employees was an intentional choice made by George Kurtz, their CEO, and not an accident. And it's not just the uh threat of layoffs or AI-enshittified jobs. Bosses are dragging us into the office despite every indication that we're as productive outside of the office as in it. and they're walking back already thin commitments uh to ensuring our workplaces are more diverse, equitable, inclusive, and accessible as they cave to outside pressure. The trends aren't looking good and it would be unwise to assume things will change if we don't do

something about it. Fortunately, I think that we have the values and the skills that are necessary to meet the moment and protect what makes this community amazing and our labor valuable. Uh coincidentally, those values and skills translate very well into successful labor organizing. First of all, we can self-organize. Literally, look around us. The beauty of Hacker Summer Camp, uh not counting Black Hat, which I don't, uh comes from a practically all volunteer effort to organize four conferences where we defer to each other based on reputation, expertise, and commitment to getting stuff done. As a community, we've bought into these models of self-governance and volunteer expertise, especially in the leadership of BSides and many of the

villages at Defcon. Not because we had to, but because we're practitioners who recognize skill when we see it and can and will and will call BS when that skill isn't there. Similar models of practitioner-driven self-governance uh with deference to trusted community leaders can be found in open source foundations and projects that serve as cornerstones for much of our work. And that's all without a CEO or shareholders making us do it for a paycheck or stock equity. uh we're organizing ourselves as volunteers to provide our skills and labor with mutual aid efforts uh as to the parts of our broader communities that need it most through initiatives like the Cyber Resilience Corps and Defcon Franklin. Then we also know how

to organize ourselves into kick-butt affinity groups that support each other and build sub communities that make the overall cyber security community bigger, stronger, and more inclusive. And again, we've done all of that on our own and for each other. We know how to advocate. We know how to advocate outside of our community without waiting for someone to swoop in and do it for us. Hackers on the Hill organizes hackers every year to meet with members of Congress and their staff. I Am The Cavalry is downstairs right now building connections between our community and critical infrastructure communities. Uh and then advocating for critical infrastructure to get the security resources and incentives that it needs. Going back to

the 2000s, we've been self-organizing to advocate for policy changes that would let us do public interest work without fear of criminal penalties from section 1201 of the DMCA. As far as our values go, we are an outspoken and autonomous bunch. We are certainly not afraid to tell those in power what we think or to call BS when we smell it. Since the '90s, we've been telling politicians that they don't know what they're doing to their face and ensuring the hacker voice is heard by policy makers. We also love our autonomy. We're certainly not afraid to stand out from the crowd. And we put a lot of work into building uh and supporting systems like Tor and Signal

that let us privately communicate and maintain our autonomy in the face of government and corporate surveillance. Since the Hacker Manifesto, I would argue we've explicitly recognized that our ability to challenge entrenched systems comes from individual thinking and crucially that we must work together to preserve our ability to act as individuals. So that may be all fine and dandy, but what does that have to do with union things? Glad you asked. uh legally uh formally in the United States, this is what a union or technically a labor organization uh is. In its most basic form, a union is any organization outside of your employer's control that you and your colleagues elect to represent you in negotiations

with your employer. The law spells out uh uh some stereotypical bargaining categories like grievances, pay, hours, benefits. Uh, but I want to draw attention to the conditions of work clause at the very end there and encourage you to think creatively about what bargaining over our conditions of work might look like for our industry. Now, as if not more importantly are your legal rights as an employee. In addition to being able to form, join, or assist a union without reprisal from your employer, you have labor rights with or without a union. Specifically, you have the right to engage in other concerted activities for mutual aid or protection, uh, which I'll get into more detail in a

few slides. Now, unfortunately, United States labor law uh, kind of sucks in a lot of ways, and it does exclude managers and independent contractors from having any of those rights. So, if you're in the private sector and you're interested in forming a union, here's a very simplified overview of what that process looks like. If you've ever organized a standing interest-based group within our community, like a village, this shouldn't feel too unfamiliar. First, a majority of workers organized decide to form a union, and what structure that union will take. This can include deciding who you want to be included in the scope of your union, like a single team, an office location, or your entire company. Which

larger union you want to affiliate with, or if you want to start your own, and which colleagues you want running the union, bargaining on your behalf, and representing you in conflicts with your employer. If you can run a nonprofit, manage a CFP, and run a village or conference in the mayhem of the Las Vegas Heat, you can probably do this. And if you're here participating in it, then you're probably familiar with structures that abide by similar principles. Now, after the union is recognized, which is a big, long, often times contentious process that is very hard to do, uh, but if you just skim over all of that, you get recognized. Yay. Uh, you bargain a contract that covers everyone

in that union, regardless of if they voted for the union or if they're a dues-paying member or not. Bargaining is where your boss is legally required to reach an agreement with you and your dedicated representatives. It's where you can tell your CIO, your HR department, and every other leader visited by the good idea fairy or some useless management consultant that their ideas are as workable as an Intel executable on a new Mac, and that it's uh not something that you're going to agree to. Uh speaking from personal experience, it can be a great feeling uh to tell someone who doesn't know how to do your job that their new idea is flatly unworkable. Um, the form of this

contract and bargaining can vary depending on how you decided to structure your union in that first step. It can be a very specific group of employees within your organization. Maybe the SOC team organized to get better pay schedules on-call treatment and AI protections and now they're negotiating a contract that just covers the SOC team. Uh for example, CODE-CWA's uh Alphabet Workers United organized some Accenture workers uh that uh contract for Google's content team into uh a union. The CWA has also organized quality assurance workers at Blizzard to reach agreements that just cover those specific teams. It could also be all employees at your employer. Uh this is more typical in small to medium-sized businesses. Uh and in white

collar employers, this is where everyone joins the same union regardless of their team or position. Uh these uh industrial unions are pretty powerful because it allows you to bargain along your employer's entire line of operations and not as easily lose to like divide-and-conquer strategies that employers will frequently use uh among different parts of your workforce. So this could be everyone at your small pentest company deciding to unionize to get guaranteed training opportunities and a clear salary scale. Now, finally, there are craft unions or guild unions that negotiate master contracts with multiple employers. Uh, these are pretty rare in new unions and are mainly in the building trades or occasionally in the uh arts trades like the Writers Guild,

Screen Actors Guild, um, things like that. Um, they're pretty hard to build and establish over time, especially because it kind of requires there to be employer concentration. Uh, but I think it's worth thinking about. The Skytalk yesterday proposed uh a guild model and while they do take time to build given the fast-moving nature of our industry and bringing the same skills to multiple employers rotating quickly I think it is uh a model that's worth pondering on and thinking about if it's something that we want to build towards. Um, after you have your contract, your union represents you if your employer violates that contract uh or other laws that protect you at work and then they

advocate for your interests beyond the workplace, which again I'll touch on in a few more slides. So, back to those uh rights that I mentioned earlier. If you don't have a union but still want to improve your workplace, which I think covers a lot of people who raised their hands here, uh that's where those rights that you have still come in. Your right to engage in concerted activity for mutual aid and protection lets you put those skills that you've gained heckling NSA directors to legally protected use as long as you're doing it with or for a friend and it's related to your status as employees. Uh I I'll say that this area of labor law has a lot of gray

lines, fuzzy areas, and important caveats. So definitely talk with someone who knows more about this before doing anything too risky. But in general, if you're advocating to improve your working conditions with one other person, your boss is legally not allowed to do anything to retaliate against you. Um, so for example, of what some of those protections can look like, you can uh uh talk about your wages and working conditions. Uh that is categorically protected. It is uh legal for your employer to have a policy for be forbidding a discussion about your wages and your pay. uh as well as forbidding you from talking about the union as long as they let you talk about literally any

other nonwork activity on the job. You have the right to confive uh collectively confront your boss about your work. Your boss can set up Zoom meetings with HR to ambush you. You and your colleagues have the right to do the same to your boss. Uh and you can strike without a union. You and your co-workers can agree not to work, including when you're needed most, to pressure your boss over an egregious working condition. If you're working 18-hour incident response shifts, you and your colleagues can refuse to work the next one until your boss agrees to provide some safe staffing levels. And then if and when your rights are violated by your employer, you can file a complaint

with the National Labor Relations Board who provides an attorney to prosecute the case for you. So what about the public sector? For my fellow feds, there are unfortunately some uh key differences between uh public sector union rights and private sector rights. Uh however that that first slide about forming a union uh and having a contract and having that contract be enforced that's all broadly the same. Um the the first thing is that we don't get uh that mutual aid uh protections to be able to creatively organize when we don't have a union and we're also categorically forbidden from legally striking. Uh however we do get some more vigorous whistleblower protections for our individual concerns and these rights extend to managers too.

Private sector also has whistleblowing protections but I am not an expert in them so I'm not really going to talk about them cuz I don't know them super well. Um as feds we usually don't bargain over pay and benefits. Certainly not if you're on the GS scale though there are some smaller independent agencies that do uh bargain pay directly with their agency. uh but instead unions provide that institutional lobbying voice to lobby Congress and the president over pay setting and maintaining solid benefits as we recently did uh with the big beautiful bill and got a lot of stuff that would have destroyed federal benefits out of there through the the power of unions uh sticking together and advocating on the

hill and as I mentioned earlier the president can exclude agencies components or positions from collective bargaining uh for national security reasons the president can declare essentially without any checks as the courts have affirmed on Monday that any position is too national security critical to have a union and tell an agency to no longer collectively bargain or respect existing contracts. Uh even when you know CBP can have a union, they're not national security critical uh too much to lose their union rights, but uh FDA health inspectors and forest service people are. um it's blatant pretext to uh strike back against the institutions that have been pushing back against this current administration's agenda and winning in a lot of cases. Um

but nonetheless, the courts are kind of compromised if you haven't noticed and uh will let the president by fiat declare that people don't have rights. Um and also this the whole point of that law is to prevent like spook unions. Uh, so if you're in the NSA or FBI, you're probably not going to get get a union and you probably shouldn't have one. Uh, and then for uh, state and local workers, it really differs uh, by state and goes from no rights to all the rights. Uh, if you work for a state or local government, uh, check with your state and local law, it varies kind of by political breakdown exactly how you would expect. Uh, as I alluded to

earlier, unions don't just exist in the workplace. They are advocacy organizations that yes advocate through legally binding contracts that cover a job, but also advocate for broader policy change and political power that benefits their members and working people. As good as we hackers may be getting at advocacy, we simply don't have the numbers that you get from building a coalition with working people across the country. Unions membership numbers and genuine ability to mobilize their members make them an institutionally recognized force at levels of politics. uh all up and down the spectrum and create an effective leverage point to push policy positions. Larger unions or groups and coalitions of unions are generally happy to carry water for niche interests among their

members, especially when they don't conflict with their other members interests. So in other terms, unions have a pretty robust policy command and control infrastructure that we could reuse to deliver our messages and our political uh policy payloads. We can dramatically improve our leverage by making things like critical infrastructure protection, right to repair, robust cyber security and privacy requirements, and DMCA reform workers issues, not just hackers issues. To move from some abstract details to successes in or near our industry, the Alphabet Workers Union has won significant changes at Google without an exclusive union or exclusive bargaining rights. They formed what's called a pre-majority union. So, they haven't had an election to become the exclusive representative of Google or other

Alphabet workers. Um, that and Alphabet isn't required to bargain with them. Instead, they're organizing across Google's uh employees, contractors, and vendors to pressure and win concessions from Google. They've gotten the National Labor Relations Board to overturn a gag order on employees discussing Google's current antitrust cases, affirming the inherent legal right that everyone has to discuss their working conditions. even if your employer has a policy saying that you can't discuss it. And yes, the antitrust status of your work is a working condition. Um they've pressured Google to use voluntary buyouts instead of layoffs during the recent tech industry wave uh industry layoff wave. They've gotten Google to extend the deadline for its return to office policy, allowing workers uh more

flexibility to change the living situation or find a new job. And you know, as I briefly mentioned earlier, they did win one uh exclusive uh bargaining unit with Accenture Workers contracted for Google's content team to help win protections for those folks there uh and do some actually exclusive legally binding bargaining. There's also this small relatively unheard of nonprofit around here called the Electronic Frontier Foundation. I don't know if anyone's heard of them. Uh they formed a union about 2 years ago and got their first contract in October. From what I've told, the EFF staff organized not in response to any particularly bad working conditions or a specific threat, but also they organized to take the good conditions that they

already had and just take it out of their leadership's complete and total discretion and put it into a legally binding contract that staff and leadership negotiated over. Um, in typical EFF fashion, they are fantastic and posted their entire contract online so anyone can go and look up the wins that they got. Uh these include guaranteed remote work, uh employee and management engagement in DEI initiatives, clear pay scales and raise structures, anti-bossware guarantees, uh and rental assistance for employees in the Bay Area. So many kudos to Cindy Cohn and the EFF leadership team for walking the talk on their professed values. And many more kudos to the EFF staff who took the brave step to organize and win a robust uh contract.

It's stuff like this that makes me proud to be a monthly EFF donor and member.

>> What was that?

>> Uh I'll I'll cover questions at the end. Um just cuz I'm trying to make sure I I cover time, but I I will lock that one down. Uh basically not being spied on by your boss and and monitoring when it isn't needed. Uh so at my organization, we had a more typical Union origin story many many years ago, long before I started there. uh we organized when a new leader came in and started making unilateral unpopular changes that prompted employees to form a union so that uh that boss couldn't make additional unpopular changes without

having to bargain or at least without a fight from workers. Since then, we've also won remote and flexible work as a contractual guarantee and are fighting to ensure that what is still a legally valid contract is fully enforced. Uh we've bargained over technology rollouts including AI to ensure they benefited uh how we actually got our work done and weren't to harebrained management disruption onto how we actually do our jobs. Uh and while security is still a management right, we get to bargain how security controls are implemented when they affect working conditions. It's in discussions like these where the power of having a multidisciplinary union across an organization really shines through. So I as a cybersec person can dig

into the technical specifics of what managers are proposing and communicate the importance of having robust security and privacy protections to my co-workers but my colleagues who work more on the mission or business side of things uh can provide feedback on how that control will actually affect their work and when it will probably disrupt their ability to get their work done. um for management technical bargaining uh like this and impact rollouts. It's essentially a free uh consultancy user feedback session and uh we get to fix a lot of the stuff that uh they didn't think about because this may surprise you but management doesn't talk to each other across organizational lines in uh once you get above a medium-sized

organization. uh but workers do and so we can actually talk and work something out between us as cyber security workers with our users and business side workers that make usable security controls actually be implemented and meet the organization's needs. So despite some of these success stories I know that there are a lot of reservations and counterarguments about unions. There's certainly a lot of propaganda that gets funded uh to provide some anti-union talking points uh especially in some of the high-paying, high-skilled or more technical work. Uh so let's walk through some of those common ones. Um the one that these rights that I'm talking about uh don't matter because employers violate them all the time. And

yes, it is true that employers violate uh the law for pretty much every one of the rights that I have talked about so far. As I said earlier, the president has decided that he thinks he can just take them away and private sector employers will do a lot to ignore the law. Uh it could take years for a complaint to be processed by the National Labor Relations Board and the remedy is essentially a slap on the wrist for employers. In the meantime, employers frequently use the time a case is processing the NLRB to shut down union organizing or or fire active employees. That said, those rights are still your rights. And while they may be

a pain in the butt to enforce, the only way to ensure that they get used at all and aren't effectively meaningless is to use them. Uh, more importantly, the power that we have as workers has never come from the law. The law has been a convenient backstop. It's great to have those institutions and resources there and the worst case abuses, but the unions didn't come from the law. The law came from unions. Unions were organizing in the private and the public sectors decades before anyone said it was legal to do so. And our ability to uh use the labor that is necessary to create value wherever we work uh and to leverage that labor is always going to be the source

of our power. In addition, when you and your co-workers come together with allies, you can identify the other stakeholders and institutions that uh have leverage over your employer, whether that's their public relations, their investors, their supply chains. uh research those and leverage those pain points to make it easier for your employer to work with you than to fight you. Uh there's the argument that unionizing leads to being outsourced or being fired. So again, it is illegal for your employer to retaliate against unionization efforts uh with, you know, threats of outsourcing or offshoring. Um you know, but as I just said, just because it's illegal doesn't mean your employer won't do it. Um and and again it comes back to the point

where our power comes from being well organized and to being ready to fight these threats, not necessarily from having the law ready to back us up because the law occasionally will will fall short unfortunately. Uh though if your employer has decided that it's cheaper to offshore you than uh to respect you, then they're probably going to eventually offshore or outsource you anyways. They might do it slower uh where it's harder to organize against because there's no one single flash point to organize against. Uh but if your boss is feeling the pressure to make cuts uh and cut costs, then keeping your head down probably won't protect you. Uh organizing and making it painful for them to make cuts will protect you

much more than keeping your head down will. There's the concern that unions are corrupt or ineffective. And yes, some unions were historically corrupt and some of the larger unions have not been as effective in organizing as I personally would like. They are ultimately democracies. The smaller and closer to workers a union structure is, the more responsive it will be to your concerns. And you can always run against an ineffective leader or just organize around them or even vote to be represented by a different union. You cannot outvote your boss. You can outvote the union that you were a democratic member of. Uh there's a concern that unions are Luddites. So first of all, don't knock the

Luddites. Uh read Blood in the Machine for some historical perspective on workers' fight to control their work in hyper-exploitative conditions. Most unions want to make their members' jobs easier. Um and will happily embrace technology that does that and that they control. To the extent that technology threatens their members' existing jobs or work, unions can serve as a democratic forum for technologists and impacted workers to hash out an ideal alignment with a fair transition and clear pathways for workers. Um, as I mentioned earlier, I get to do this very frequently at my organization where we represent both the technologists developing the technology and the users who are going to use it. And it's great to be able to come

together and reach an agreement that works for all of us. Uh, unions will uh take and waste my dues money. So your dues money is more than going to pay for itself in pay and benefit increases. That money also goes to organizing more workers, which makes the labor market even more competitive when more workers are organized. Dues money also goes to help unions advocate for issues that raise uh the wage floors. Uh rising tide lifts all boats, even if it's not something that you feel immediately or see on your pay stub. Uh and then finally, especially I think for this crowd, there's the concern that unions will take your autonomy by eliminating privileges for high performers and destroying our

relationships with our bosses that might be pretty cordial or, you know, working out pretty well. The current level of autonomy that you feel is because your boss has decided to grant it to you and they can take it away or threaten it when they decide that they no longer need to offer it to you. By making a small sacrifice for a small amount of your autonomy for a collective contract, you build a shield that guarantees protections for you and your ability to act autonomously in the workplace. You also have the autonomy within a union democracy to campaign against agreements that you disagree with and try to get your colleagues to vote them down. So to tie things back to the current

moment, we are in a unique position as information security workers to protect each other and our communities. and we will only get there if each one of us decides to do something about it. It is a lovely paradox where our individual actions won't save us but we'll only build sufficient collective action if we take action as individuals. Thankfully, there are movements with the infrastructure and community to support us and we don't have to do it alone. For us specifically as information security workers, we are uniquely positioned because everything is in fact computer. Computers are how policy is turned into material reality, how payments reach our neighbors, and how social interactions are mediated. As I argued at the top of the talk, the

current form of fascism realized this and really wants complete and total control over the computers with no ability for us to use our labor to dissent. They do not have enough people with the combination of competence and loyalty required for them to meet their objectives by themselves. So, they want us to get in line and be afraid of them. If computers are the spinal cord of government uh and really in most organizations, infosec is the bones protecting it and ensuring that the nerves stay in place. Given our positions of control over these systems, we can either rapidly allow bad actors uh to get in or we can enforce the guard rails that we know should be in place.

If we try to protect it as individuals, no matter how elite we are, how many black badges or, you know, how many talks we've given, they'll just fire us and replace us with the next person who will do what they want. If we organize our response, they have to spend time fighting us that they'd rather spend uh using what we built and protect to screw over our neighbors. As infosec workers, we're also uniquely positioned to force concessions from our bosses. By the time we're being hired, our bosses either have highly valuable assets that they want to protect or burdensome and, you know, costly compliance regulations that they're trying to be in line with. The marginal losses from losing those assets

from an incident or from a heavy fine um are dramatically higher than the uh cost of what we're normally asking for. uh that gives us a lot more leverage than say the typical tech worker who's building a new product that hasn't yet been integrated into an organization's value stream. Uh if we look to Cory Doctorow's causal theory of enshittification, enshittification is prevented by strong competition, regulation, interoperability, and worker power. I'm not going to count on any antitrust enforcement over the next 3 and 1/2 years. And while we might maybe see some regulations on tech issues, maybe some right to repair laws and interoperability requirements come down at the state level, I'm personally not going to be super invested in state

legislatures or any legislature taking robust action to meet the current moment. My confidence in those institutions isn't super strong. Um, our leverage as workers is the only systemic lever that we can count on not being captured and we are the only ones who are able to pull it. So our rights uh you know are not something that you just have to take from me. Take the word of Daniel Berulis, a cyber security professional at the National Labor Relations Board who blew the whistle on suspicious activity in their Azure environment. He and maybe one or two other people were the only ones with the visibility into these systems. No one else could have flagged this or saved the day. In his words,

you're not alone and you have rights that empower you and there is a community that is here to support you. Your rights to speak out about your workplace conditions and leg or legally blow the whistle uh as both Google workers and Dan have shown us carry more weight than your NDA or corporate policy. Our bosses may want us to feel like atomized individuals but we are not. There is a community that has each other's backs when we step up. And that community isn't really waiting for us either. The labor movement has recognized that privacy rights are workers rights. Unions with the help of community allies like EFF have been leading the legal fight against DOGE's

invasions into our privacy. Unions have also been leading the way into bargaining fair AI use into their contracts and advocating for policy restraints on AI controlling and surveilling us at work instead of the other way around. When a ransomware incident strikes, other unions have been creatively showing what it looks like to demand an effective and transparent response and ensure a properly resourced cyber security program to protect their working conditions. And now I grabbed this slide because I was at Cyber Medcon a year ago and um uh Dena uh whose last name I'm blanking on from uh OPEIU Local 40 representing nurses in Eastern Michigan around Detroit came in and because their union was being very vocal

after the Ascension ransomware attack that took out 140 hospitals and they were going on the news and advocating for like we weren't prepared for this organization has might have an IT incident response plan but we as nurses are completely swimming upstream when it comes to running a hospital in a ransomware incident. And so now, you know, Dina came here yesterday and was here at the I Am The Cavalry track and they are getting a ransomware clause into their contract. They are making sure that they have the protections in place uh to be able to respond to those incidents. Now, whoops. Uh there are large swaths of workers in every field who are ready and willing to be in

solidarity with us. And again, kind of speaking personally from a moment, like I love cyber security work. I love getting root. I love finding the thing that makes things better. I love it when my code runs and compiles. That sense of dopamine is great. It's what got me into this industry. Nothing makes me feel better at night or is as nourishing for the soul or makes me feel like I have neighbors in the community than doing this labor work from enforcing my contract, getting a simple term, joining a picket line with food service workers who are fighting for better contracts at their jobs, standing with other federal workers who are trying to save civil services right now. That's the type of

stuff that can be exhausting. It can be draining. But the relationships that you build doing this work, uh, it can be scary, but it is the most rewarding work I have done in my entire life. Um, the way that we win, what we do next is first of all, build relationships. That's the theme I've heard throughout all of BSides in multiple contexts. Relationships are how we win. If you're a manager, um, basically be chill about it. I I think there's a lot of if you're here, you're I'm going to assume you're a good manager. If your employees try to unionize, it's not because they hate you specifically or it's a personal attack. Like the folks at EFF, they might just

want to get their good conditions enshrined into a contract. Um, but basically, when you let your employees unionize, you also get like a dedicated workforce who will give you honest feedback and not become an insider threat because they feel like they, you know, are respected at their work. And that's pretty cool, too. They'll also, you know, give you some better ideas and um not have turnover. So, that's nice. Uh and then there are other things that you can do uh outside in uh civil society. And then for the rest of us, I think these are some great organizations that are here to help you. If you don't have a union, if it's just you and

you're looking to get started, uh I'm going to call out the top, the Tech Workers Coalition, which I'm a part of. I've got some friends here who are with me. We'll be here to answer questions. Please join. Uh and then once you join and get added to the Slack, come to the cyber security channel. We're there. We're waiting for you to have a conversation, to provide you resources, to answer what comes next or what can you do to chat, give you whatever advice that we can. This isn't, you know, go out and and be great in with in vague terms. There are concrete resources for you. The QR code, I promise, is safe. It's just the GitHub that has all of

these resources and the slides, as well as many, many, many more resources like this fantastic book, You Deserve a Tech Union, if you're looking for some reading material. Uh there are some unions that uh represent tech workers. So there's CODE-CWA which includes the Alphabet Workers Union. They're also organizing at Microsoft. OPEIU Local 1010 uh is doing some work as well. Uh organizing mostly smaller tech companies. Um and if I've got to shout out my own union, they don't really dedic focus on organizing tech workers as much. They mostly organize STEM uh workplaces and nonprofits that tend to include tech workers. But both me and EFF are represented by IFPTE. So I've got to give them a shout out. I really

enjoy uh the representation that they provide. So, and and yes, uh this is a pitch for tools that will help you in your workplace, but this is also a cry for help and an ask for solidarity. My working conditions are tied to our industry's working conditions, and our industry working working conditions only improve if we all do something about it. There's a community and a movement that's ready and excited to support you, but no one can do it for you. So, my ask is to go out there, organize, hack your working conditions, and win. Thank you very much for listening, and don't forget to tip your bartenders and cleaning service. And I [applause] and I think I've got time for like one

question possibly. I don't know where the mic is. I can if someone wants to yell something out and I can repeat it. >> Um, I'll also be out after. >> So, you said that um that regardless go to cheaper anyways. You think that it's a problem for the previous foreign workers visas. Do you see that as a threat to it or is that helping the industry? >> Oh, so like comment was on like H-1B visas and like tech workers who who come in from other uh yeah countries. So yeah, I think that a internationalism is really important and the idea that our working conditions are inherently tied together extends beyond like geographic borders. Like it is inherently a global

industry. Um I think that like to the H-1B visa point like I'm very glad that you know there's good tech jobs in the United States that other people have access to. I also think that the H-1B visa program in particular is incredibly exploitative um because it ties your ability to stay in the United States to having a job. And so if you say wanted to speak out about your working conditions or improve them um and your boss fires you, you know, even if it's illegal, that doesn't matter because then you've got to leave the country. So you're um much more tied down and it makes it harder for you to be in solidarity, for you to fight against

your boss when you're on those visa conditions. So I think there's definitely a need for reform there in the protections that come with those visa programs. I I think once workers start seeing other workers, you know, as threats based on their countries of origin, again, that destroys those that community destroys those relationships and that's how we start to lose. Um, and I'm at Logan Arkema um pretty much everywhere. Uh, full government name. Uh, come fire me Elon or whomever uh you send your way. And I'm getting the stop sign, so I'm going to come hang out. I've got other people who have also done this work who are here to give present uh to answer questions. We got a handful

of stickers on the table. Uh, come say hi. [applause]