In a rapidly developing field where it seems the protagonists are getting younger and younger, one rising star is already making her mark on the cybersecurity landscape as a renowned white-hat, or ethical, hacker.
Bianca Lewis first hit the headlines at age 11, when she helped to hack a simulated election-reporting system at the DEF CON annual ethical hacking conference in the US. Less than five years on, she has her own non-profit organization – and some big plans to change the way women are perceived in her industry.
Still a few months shy of her sixteenth birthday, Bianca sat down to talk to Cybernews about her Secure Open Vote project – a tool she hopes will help shore up voters’ faith in democracy in an era of online disinformation – and Girls Who Hack, an educational platform that allows others to follow in her footsteps and hone their skills.
The following article is a transcripted version of an original Cybernews YouTube interview.
You obviously got into this at quite a young age. In your own words, tell us how it started for you: what was the plot point that led you down this path?
When I was in Kindergarten, or first grade, my dad had me start programming in a language called Scratch, which is a Block-based programming language, easy for kids and beginners to use. I fell in love with it. My parents took me to my very first cybersecurity conference, it was besides Delaware, I believe. I had tons and tons of fun. The people and the community were great, everyone was so inviting, and I wanted to start doing talks: to do what all these cool people were doing. And that's how it all began.
Tell us more about learning hacker skills, the tricks and techniques – one question we often see come up on Google is “Do Hackers Ever Sleep?” Was it really difficult for you, or did you find it came quite naturally?
I never sleep! I just stay in the basement hacking all night long! No, I wish...! Still a growing child, I need my sleep… The thing about hacking is it's almost like cooking, in a way. You can't just go off and say: "How do I hack?" It's like asking: "How do I cook?" There are so many different types of cuisines, endless amounts of ingredients, there's a big history to it.
Just like with hacking – are we talking website hacking, network hacking? There are so many different types, so if you really want to get started in the field you need to look around, find out the different types, see what you want to learn – and learn about that. There is no way to know everything about hacking.
I imagine many young girls, and boys, were inspired to learn about it as a result of your success. Any tips and tricks for them to get started?
There are endless resources and websites – including Girls Who Hack – where you can go on and start learning about cybersecurity at a beginner's level. As for coding, it's good to start with an easier programming language – Scratch, even though it's super-easy, just to understand the concepts. Then go on to Python.
What helps is being able to hack or program something that you can actually see. Adafruit Industries is run by an amazing woman, Ladyada, she's one of my friends. She makes a bunch of different products that are also for beginners to learn programming concepts, with all different types of LEDs and cool badges that you can make.
You mentioned Girls Who Hack – we wanted to ask you about that. You've said previously girls are not taken seriously enough in cybersecurity. Can you tell us a bit more?
Like many fields, tech is one where women aren't as prominent. And I think it starts from a young age, because tech can be super-intimidating. It's a huge field. Once you start a class and go online, a question pops up. So you wikipedia it. And then: oh, what's this? Wikipedia. Oh, what's this word? And it's just this endless black hole, and nothing seems to click in your head. That's why I created Girls Who Hack, which is a safe space for girls to learn with girls their age, so that they don't feel like, “I’m the only girl in the room,” which tends to happen in cybersecurity. Our motto is: “Teaching girls the skills of hacking so that they can change the future.”
And do you have a subscription system? Do you get a lot of people signing up?
I do online and physical classes for Girls Who Hack. My online classes you can find at girlswhohack.com – everything's completely free. I also do in-person classes cybersecurity conferences. You can also follow my Twitter, just to see what I'm doing and where. And some exciting news – as of recently, Girls Who Hack is now officially a non-for-profit organization!
Wonderful! So what did that entail – you're registered on the books now, I take it? Tell us a bit more...
It's completely official. I wanted to make this a real company with something behind it, because I want this to become a big thing, as big as Cyberjutsu Girls Academy and all these other organizations I work with, and maybe even host my own personal classes. So this allows me to have more freedom.
Tell us more about other events you've got coming up.
In two weeks, I'm going to Romania – I’m half Romanian – to DefCamp, which is like DEF CON but the European version. I'm very excited, I'm doing a talk and bringing my Secure Open Vote system there. So not only will it be tested here in the US, it's going to be tested internationally! I went two years ago, pre-COVID, and I had tons of fun, it's my home country and I got to speak internationally for the first time.
That must have been quite a thrill. Do you speak Romanian?
Yeah, I speak Romanian! I do English for my talks, but if I'm meeting someone at the conference and they speak Romanian and they're more comfortable with that, I'll speak it. I learned both languages when I was young – so I'm fluent in both, I believe!
I don't doubt you! So tell us more about Secure Open Vote. Because you first came to prominence when you were part of a group that ran a simulated hacking experiment of the electoral system. Obviously, we have the midterms coming up in the US, and people are worried about the implications technology could have for the voting system, and therefore democracy.
If you had told me when I was ten years old that I was going to make my own election system, I would have told you: “What! Why?” Like most kids, I was never really interested in politics, because it's grown-up stuff – they're all fighting at the Thanksgiving table, and the whole spiel.
But the R00tz Asylum, which is the kids' track of DEF CON, held a mock election-reporting system that us kids got to try to hack. They gave us a little packet where we read up about how the system works and things we could do to try to change the vote count. And us kids – I was 11 at the time – were able to change the vote count in 10-15 minutes. Kids…!
Scary! And this could theoretically have been done in a real election?
This system was made to be hacked, so it was definitely easier – but if a kid could hack it in ten minutes without any experience, even if it was flawed, imagine what an entire government could do with endless money, resources, and trained professionals. And you might be saying: “Oh, that's the reporting system! It's not like changing the actual votes...” But that causes mistrust in the system, because if you saw Bob the Builder got more votes than Pinky Pie and then it changes out of nowhere, you're like, what!? You're not going to trust the system any more. It's that lack of trust that makes hacking the reporting system a powerful tool.
And of course that's huge, because of the last general election with the so-called ‘stop the steal’ campaign, which was based on creating mistrust in the voting system. So when do you see this tool being developed – has the government shown any interest in the project yet?
While [we were] hacking the voting-reporting system, there was a bunch of different interviewers interviewing us kids. Congresswoman Mikie Sherrill of New Jersey invited me to go to a hearing on election security after seeing my work. That was a huge eye-opening experience: I got to see what all these congressmen and women had questions about, what parts of the system they didn't understand and thought were flawed, and how I could make a system better than the one they have.
That's when I started Secure Open Vote, which is an end-to-end election system: so far I've made the reporting system, because that's the first thing I hacked. I brought it to DEFCON one year: people tried, but no one was able to change the vote count. So far, it's unhackable!
So I imagine you'll continue to develop that for a number of years?
Definitely. I want to make the full system, from start to finish. And then I want to test it out, keep going at it, and maybe in the future have it implemented. Because, as of now, in the US, there are only two corporations that run all the election machines and everything you see – and they're even in relation to each other, which is not that great. So I want to wiggle my way in!
There’s already more than enough power concentrated into too few hands as it is – so I certainly would agree with you there, and wish you success with that. Just in closing: imagine you have two million young students listening to you, what would you tell them in just a couple of sentences?
Don't be afraid to reach out for help! I have so many friends in the cybersecurity field I have met at different conferences and events – put yourself out there and ask questions to all these people who work in the field that you want to work in.
More from Cybernews:
Subscribe to our newsletter