Neurodiversity in Cybersecurity: How People with ADHD and Asperger's Find a Home
My nonverbal communication can be so awkward that I've often thought I had Asperger's syndrome. I never bothered to get "diagnosed". After all, what does it matter to get such a label when you have a fulfilling life and a loving family?
I'm also successful career-wise. That's not an accident. I'm sure from my experience that information security is an adequate career path for people with mild autism and generally neurodivergent. This is my anecdotal point of view, but numbers back them up. According to Bug Crowd, 13% of bug bounty hunters identify as neurodiverse, with attention deficit hyperactivity disorder (ADHD). As a comparison, surveys estimate that over 30% of neurodivergent people are unemployed.
Let's find out:
- why cybersecurity professions favour some traits of people on the autism spectrum or with ADHD;
- the dangers that this population faces in security-related activities.
If you or a loved one is an adult with Asperger's or ADHD, I hope this article will give you the confidence to make information security your home.
How some positive traits of Asperger's and ADHD give you an edge in InfoSec
If you were to believe TV shows, people with Asperger's would all be insufferable geniuses or child prodigies. In reality, they're mostly kind and empathetic people who struggle with everyday social interactions.
That said, some attributes remain true. Asperger's tendency towards specific interests can serve them well if they focus on computers, programming, or hacking. After all, scientists believe Alan Turing, founder of modern computer sciences, renowned mathematician and cryptographer, met all the Asperger criteria.
Reverse engineering is a methodical process that involves careful deconstruction of opaque programs. Discovering the inner workings of a satellite circuit or a piece of malware requires a unique capacity to defer any reward for an unknown amount of time. It may seem obvious in retrospect, but the researchers who discovered vulnerabilities in WinRAR or understood the Stuxnet worm had no prior idea that they would find anything!
Specific interests that are often grounded in logic will make these individuals stand out in security research. The same ability to observe patterns can also make one proficient in defensive techniques such as forensics or threat hunting.
An interesting side effect of ADHD, in a similar manner, is the ability to become "hyperfocused" on ideas that seem interesting. The hyperfocus lends itself well to problems in technology. Plus...
This field makes the negative feel less burdensome
Let's explain why the ability to concentrate on computing problems is such a big deal. Computers are abstract. I don't care about what anyone (including myself) says about "people skills" being so important in the field of security. At the end of the day, the subject of your whole workday is a complex system built on abstractions, electric circuits, and silicon chips. You are not nursing someone back to health or educating kids. You're dealing with weird math patterns and non-ambiguous instructions being fed to machines and sub-machines to virtual memory to registers to... whatever.
The point is, computer science, and security in general, is logical. Asperger's works well with logic. Likewise, people with ADHD can focus on puzzles if this stimulates them. This is more treasure hunt than routine tasks.
What about Aspergers' difficulties to communicate? What about the restlessness of ADHD? Communication happens within sets of "written rules" and "etiquette". It's easy to write reports and assessments because they follow clear patterns.
Now, I'm the first one to say that security is a matter of selling. That an organization's security posture relies on leadership, influence, understanding, business sense, storytelling, communication... This is my statement of belief in an optimistic security mindset, more than a guide on specific social skills per se.
All this to say that cybersecurity jobs offer an environment that is constrained with clear boundaries and yet allows a certain degree of "artistic freedom" to explore various problems if you are bored. Plus, most tech roles allow people to keep a flexible work environment. Nobody frowns if a colleague just decides to get out randomly for 10 minutes.
But this is not all sunshine and rainbows...
The dark side can be so close
In 2021 and 2022, the Lapsus$ cyber criminal group carried audacious social engineering attacks against high-profile targets such as Okta, Nvidia, Ubisoft, T-Mobile, Microsoft, and, more notoriously, Rockstar Games. The British Court has found guilty the two masterminds of the group: 17 and 18-year-old teenagers with autism.
Marcus Hutchins, who became famous after stopping the Mirai botnet, began his hacking career in his mom's basement. He developed banking trojans for cybercriminals. His profile in Wired magazine links his ADHD to his computer proficiency and to his social isolation which led him to a dark path.
Kevin Mitnick, one of the world's most famous hackers, was diagnosed with Asperger's (though he disputed that fact in a subsequent interview). Mitnick, like Hutchkins, began as a self-taught teenager who was led astray.
These are all anecdotes, but they do paint an interesting picture. It's easy to get lost in computers and online social interactions, especially as a neurodivergent teenager. People with ADHD feel restless. Aspergers get exhausted with social interactions. Both situations can lead to increased solitude and vulnerability. Behind a keyboard, it can be hard to distinguish trustworthy people from shady "friends", especially at a young age.
Organizations that seek out non-traditional talent such as neurodivergent individuals not only benefit from their unique attributes, but they also benefit the community: steering many of these kids in the right direction is a loss to our enemies, the cybercriminals.