Caveat 6.6.24
Ep 221 | 6.6.24

Answering the cybersecurity call.

Transcript

Camille Stewart Gloster: Cybersecurity issues tend to be nonpartisan. And so we were able to work across the aisle with our counterparts in Congress and, you know, really educate them on the work that we were doing and the places we saw needed some legislative support and legislative intervention or needed budget and resources. Not all of those things move forward or have not moved forward yet, but the conversation in the lines of communication were always open and collaborative.

Dave Bittner: Hello, everyone, and welcome to Caveat, N2K CyberWire's Privacy Surveillance Law and Policy Podcast. I'm Dave Bittner, and joining me as always is my co-host Ben Yelin from the University of Maryland Center for Health and Homeland Security. Hello, Ben.

Ben Yelin: Hello, Dave.

Dave Bittner: On today's show, Ben discusses a new lawsuit in Illinois challenging automatic license plate readers. I've got the story of a proposed AI hotline between the US and China. And later in the show my conversation with Camille Stewart Gloster, former Deputy National Cyber Director at the White House. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. All right, Ben. Let's jump right into our stories here. Why don't you lead things off for us?

Ben Yelin: So my story comes from the Chicago Sun Times and comes from the great state of Illinois. There is a new lawsuit brought by plaintiffs in Cook County, which is the county seat of the city of Chicago. Their names are Stephanie Shaw and Frank Bednarz, and they are suing the state of Illinois. They've named a bunch of different officials, including the governor, JB Pritzker, for abusing automatic license plate readers. This stems from a couple of laws that have been passed over the preceding five years or so, increasing the use of these automatic license plate readers, particularly in the Chicago area. There was a law that passed in 2019, the Tamara Clayton Expressway Camera Act, which was named after somebody was killed, and I believe they weren't able to track down the car that ran her over. And that added basically a ton of automatic license plate readers in the Chicago area. There was a contract given out or grant money given out to the county more than $12 million to expand a vast network of high definition surveillance cameras since there had been this surge of expressway shootings. That law was expanded in 2021 beyond just Cook County. So it percolated into other areas of Chicago and it further increased the number of automatic license plate readers across the state. So these plaintiffs are challenging saying that this violates their Fourth Amendment rights. And this brings up really interesting issues about reasonable expectation of privacy in the digital age post Carpenter that I think are really unresolved and therefore to me very interesting.

Dave Bittner: Okay.

Ben Yelin: So normally you would say you don't have a reasonable expectation of privacy when you're on the road because you are in public, you know, law enforcement has long been able to track people when they're on public thoroughfares. And that's been an acceptable warrantless search because somebody is willingly exposing themselves to the public.

Dave Bittner: And you're required to have a license plate on your car.

Ben Yelin: You are required to have a license plate, although many people in the area we live in, Dave, do that very annoying thing where they shade out their license plate so that- I believe it's technically illegal.

Dave Bittner: It is, yes.

Ben Yelin: So that it cannot be read by the ALPR.

Dave Bittner: Yes.

Ben Yelin: Don't do that. It's robbing our local governments of revenue.

Dave Bittner: There you go.

Ben Yelin: So these plaintiffs are complaining that this is a violation of their Fourth Amendment rights. Like I said, you would think that you would not have reasonable expectation of privacy. I think that applies to a small set of license plate readers. If they weren't everywhere, if they were just in high traffic locations, then you might be able to say that this is clearly a Fourth Amendment violation. People should not expect that there are license plate cameras everywhere following them around. Therefore, it's not a Fourth Amendment search, therefore, a warrant is not required. But like in Carpenter, we have a situation where, because the network of cameras is so big, it does end up tracking the whole of a person's movement. So what's at least alleged in this lawsuit is that you could do long-term tracking of a person. It's held in a Motorola database for I believe 90 days. And that can be extended at any time. You could figure out where a single person has been, the therapist they go to, the religious institutions, their extramarital affairs, all through simply warrantless obtaining license plate data from this database. And the analogy is to Carpenter where the Supreme Court held that historical cell site location information was also a recitation of a person's whole- a whole of a person's movements. So it was tracking them in that case over a series of seven days, I believe, and knew the defendant's location at all times because his cell phone was pinging a local tower. I guess the question is in this case and all cases where defense attorneys or the plaintiffs in this case are trying to analogize the facts at hand to Carpenter, where do you cross that rubicon? At what point does this become a search? At what point is the network of license plate readers so ubiquitous that it really does actually capture the whole of a person's movement? The case law is completely unresolved on this. We've had some license plate reader cases. We've talked about a couple of them on this podcast, but none of them directly address this question, this threshold question of how many readers would it take where you cannot escape this real time whole of movements collection that is existing here. And that's why I'm really interested in where this case ends up. Because we finally have, I think, a very relevant set of facts here. The relevant set of facts is without any individualized suspicion, there is a vast network covering all expressways in the Chicago area, tracking the movement of various vehicles. And so my instinct would be that that might trigger the type of Fourth Amendment protection you get in Carpenter. There are some differences, however, and I'd be interested in hearing your thoughts on this, but I'd also like to kind of dive into what those differences are.

Dave Bittner: Well, so clarify for me here. So lots of information is being collected. Is that information accessible to law enforcement without a warrant?

Ben Yelin: Yes.

Dave Bittner: Okay.

Ben Yelin: It's stored in a database. Law enforcement can and has obtained data from that database without having to obtain a warrant.

Dave Bittner: Okay.

Ben Yelin: This is warrantless collection. As I said, it's kept as a matter of course, for 90 days, but you can ask them to maintain data on particular license plates, and they have not said no.

Dave Bittner: See, I guess where I'm maybe trying to split pairs here is I guess I don't have so much of trouble with the collection as long as there's a warrant for review.

Ben Yelin: Right. I mean, the issue here is the warrantless nature of the collection.

Dave Bittner: Right.

Ben Yelin: And as it is in all these cases, now, it was the case in Carpenter that was warrantless, and that's why that was a live issue.

Dave Bittner: Yeah.

Ben Yelin: Obviously, it would be great if law enforcement were able to obtain a warrant, then we wouldn't have to worry about warrantless collection. Law enforcement would say, we have a lot of criminal suspects in Chicago. We don't always have probable cause to obtain a warrant. So this is an easy way to figure out if a particular car was in a particular location at a particular time without having to go through the cumbersome warrant process. Now, I know law enforcement agencies always say it's really hard to obtain a warrant. I think sometimes they're correct and sometimes those allegations are a little bit exaggerated. But at least that's the justification you would hear from law enforcement.

Dave Bittner: Interesting. What is the harm that these folks are claiming?

Ben Yelin: Just that it violates the reasonable expectation of privacy. I mean, it's the standard harm you would claim for any Fourth Amendment violation. You can establish standing if you can establish that your Fourth Amendment or any constitutional rights have been violated, even if the harm isn't necessarily concrete. So what they're asking for is an injunction to enjoin the operation of this database and to prevent the Illinois State government from adding to this network of automatic license plate readers. There are a couple of reasons why I think this is different from Carpenter, and I'm curious to see to hear your thoughts on this.

Dave Bittner: Okay.

Ben Yelin: One is that it is limited to when you're in your car. So I always have my cell phone on me whether I'm walking, whether I'm taking public transportation, whether I'm driving. When we're talking about license plate readers, even if the network is extensive, it's only applies when you're driving.

Dave Bittner: Yeah.

Ben Yelin: A lot of people in Cook County take public transportation. So it's not as all-encompassing to me as it would be with the use of the cell phone. The other thing is that the Fourth Amendment and all Fourth Amendment jurisprudence has this emphasis on people's privacy within their own homes. With cell, say location information, you at least can know whether somebody is in their own house at a particular time, which I think is somewhat relevant. You wouldn't necessarily know that with an automatic license plate readers. My understanding is these aren't put on random cul-de-sacs and, you know, Juliet in Chicago, or whatever suburb, the North Shore, whatever suburb you can think of in Chicago. I think it's on major thoroughfares, which yes, to drive, you're going to- to really get anywhere in the Chicago area, you're going to have to traverse these thoroughfares. But to the extent that it's not all encompassing, I think you could make it through a day or a weekend without sharing the whole of your movements in a way that you couldn't do if we were talking about historical cell site location information.

Dave Bittner: So a couple things come to mind here. First of all, you made me think of the kind of issue with red light cameras, right? Where if I am driving along in my car and I run a red light, and a police officer sees me do that, and the police officer pulls me over, that's a moving violation. But if I'm driving along in my car and I run through a red light and a camera sees me do it, that's a ticket.

Ben Yelin: Right.

Dave Bittner: Right? So it just depends on? And the reason is that a ticket you can apply to the vehicle, a moving violation you must apply to the driver. So the notion is that the automation has no way of proving who's actually driving the car. So we will ticket the vehicle, not the driver.

Ben Yelin: And I think that's the justification here. But here we're talking about potential criminal investigations. And if you're in the preliminary stages of an investigation, it's certainly compelling that that car was on the road. It might not be per se evidence that the individual was there, but oh, that's Dave's registered vehicle. Dave's registered vehicle was at the site of this crime. What a good, convenient place to start our investigation, right?

Dave Bittner: Yeah. Yeah.

Ben Yelin: So, you know, it might protect you in a limited sense. There's that kind of plausible deniability. But they could use that to obtain further evidence. Okay. Well, we have evidence that Dave's car, you know, his license plate reader was red at this particular toll booth or this particular intersection.

Dave Bittner: Right.

Ben Yelin: All right. Well, now maybe we have probable cause to obtain his cell phone data so we can get a warrant, go to the cell phone company, and see if he himself was actually there. That's kind of the fear you would have here.

Dave Bittner: Right. And again, it's the ubiquity of the automation. Because if, you know, some guys standing by the side of the road and he sees, he says, "Hey. There was, you know, a red Buick drove by." And they, they say, "Who drives a red Buick? Oh, that's Dave, you know." Right. So that's different than- it's the scale at which this is happening that makes it problematic. Same with Carpenter. Right?

Ben Yelin: Yeah. I mean, I think that's the argument here is it's the scale. I still go back to this line drying problem though. At what point was there a single installation that tipped it over from, well, this network isn't very big, there are a lot of ways to avoid it, to now this triggers Fourth Amendment protection because you can't get anywhere without having your vehicle tracked by this automatic license plate reader system. And if there isn't a proper place to draw the line, it's really hard to make this justiciable. I mean, Congress wants to find rule or Congress. The courts want to find rules that are consistent, that are easy for people to comply with, and that are easy for lower courts to adjudicate. So they don't want kind of a wishy-washy test. They would like to have some type of bright line rule. And I'm kind of racking my brain to figure out what that bright line rule would be. At what point does the fact that this network is so large become decisive in a case at rendering Fourth Amendment protection? I don't know where you draw that line.

Dave Bittner: So here's another element that I think about with this, and that is data brokers. So couple things. I was at my local mall recently, which for our listeners who live near us, that's the mall in Columbia. And I'm there, you know, minding my own business, doing my shopping, doing my thing, and I see the mall security vehicle drive by, which is great. You know, nice to see they're out there patrolling the lots and keeping things safe. But I also noticed on the mall patrol vehicle is license plate readers. And this leaves me scratching my head because I'm going, well, okay, the mall has free parking. Why do they need to be reading license plates? Right? So I'm trying to think of, all right, let me give them the benefit of the doubt. Like what's the good reasons that they could be reading license plate? It could be that they have a policy for mall employees where they want them to park in the farther away parking spaces than the people who- than the customers. So this is a way to enforce that. Okay. That's possible. The less charitable interpretation would be that I know in some of the reporting I've done for this show and over on the CyberWire, that there are data brokers who will pay people for their license plate reader information. So what --

Ben Yelin: It's very valuable, isn't it?

Dave Bittner: Right. So what I wonder is, and this is totally hypothetical on my part, but I think it's plausible that the data broker says to mall security, "Hey. Good news. We're going to provide you with a free license plate reader for your mall security vehicle, right? You get the benefit of being able to keep track of who's in your parking lot. And if you have problems with folks, you can look for patterns and so on and so forth. And exchange, we get all this data as well. Everybody wins, right?"

Ben Yelin: A win-win-win situation.

Dave Bittner: Yeah.

Ben Yelin: Yeah.

Dave Bittner: Now, the other part of that this makes me think of is that reading license plates has become table stakes for run of the mill security cameras these days, certainly industrial level security cameras. So if you've got a security camera for your small business and you are checking through the list of possible options you can buy from your security Cloud service provider, license plate reading is one of the things that's readily available. And again, people want to buy that data from you. So your notion that people aren't using this, you know, for coming in and out of your neighborhood, I'm not so sure how true that is anymore, because I have seen stories about condo associations keeping track of who's allowed to park in their neighborhood, who's authorized to park in their neighborhood. And one of the ways they can do it is by using license plate readers. They're cheap and they're easy.

Ben Yelin: So I guess the difference is the license plate reader system set up in Cook County is set up by the state of Illinois.

Dave Bittner: Right.

Ben Yelin: So it's the government, they know where this data lies, they have direct access to it. It's not as cumbersome as having to go to a bunch of different houses and say, "Hey. Can we obtain your security footage?" Even if they ultimately would be able to obtain it, I think for Fourth Amendment purposes, it's more of a burden on the government than we set up this vast network where we can figure out where your car was at any time in any particular time period. So I do think that that is a distinction here. Again, I don't think that gives us any clarity as to precisely where the line is. And that's my criticism of Carpenter as a case. I mean, Carpenter didn't draw a line as it related directly to the collection of historical cell, say location formation. They said, what we have here is around seven days' worth of it, and that does qualify for Fourth Amendment protection. But they didn't say whether two days would qualify for Fourth Amendment protection or six days for that matter. So we just have that real lack of clarity. It's been a problem at the lower court level and some enterprising legal scholar, hopefully, maybe it'll be me, Dave, should write a compelling law review article on how to draw a bright line rule here to just make cases like this a little bit more justiciable.

Dave Bittner: Yeah.

Ben Yelin: But this is an opportunity for some line drawing. And we're at the preliminary stages of this case. It was just filed. So far there's been no comment from any of the named defendants but we'll see how this proceeds through the Illinois or through the federal courts, rather. This is a federal case. Since they're challenging a federal constitutional provision they do have a ticket into federal court.

Dave Bittner: What do you think their chances are of this getting any traction?

Ben Yelin: It's so hard to know. I mean, there has never been a case like this. The previous cases we've had with automatic license plate readers have just been for much smaller scale violations. And so they haven't had to decide the kind of macro question here about what happens when you have explicitly a vast network. In other cases, it was like, there are a lot of automatic license plate readers here. It's like, okay, we have this purposeful program to make license plate readers ubiquitous on public thoroughfares. So I usually don't like to say this. I like to at least make some sort of prediction, but I'm completely in the dark here on how this federal court is going to rule. So maybe that'll up the suspense a little bit.

Dave Bittner: Yeah. By the way the software that reads license plates can also tell the make and model of your car.

Ben Yelin: Interesting.

Dave Bittner: Yeah. So yeah.

Ben Yelin: They can embarrass me for the outdated make and model of-

Dave Bittner: Right.

Ben Yelin: - at least one of my cars, which is no longer in production.

Dave Bittner: Right. Your cinnamon brown, 1982, Hugo will get tagged instantaneously.

Ben Yelin: Yep. Yeah. And they'll laugh at you behind the desk. They're at Motorola headquarters.

Dave Bittner: Right. Right. Exactly. Exactly. All right. Interesting stuff. That's another one to keep an eye on, huh?

Ben Yelin: Absolutely. I feel like we're following so many cases. We really should make a database somewhere so that like- and maybe we can actually do this.

Dave Bittner: No. We just need a big pinboard with red thread and, you know, connecting the dots and our little-

Ben Yelin: Yeah.

Dave Bittner: - chart.

Ben Yelin: Like we're investigators. And this is the wire or something.

Dave Bittner: That's right. That's right. Yeah. All right. Well, my story this week comes from the folks over at Lawfare and this is about the need for the US and China to have an AI incidence hotline. Evidently there was an AI safety summit in Seoul a couple weeks ago, and the US and China recently met in Geneva to discuss AI safety. In fact, President Biden and President Xi from China have discussed this. What's interesting is how much this parallels the old days of the Cold War. This article talks about how back in the Cold War after the Cuban missile crisis, that's really what prompted this idea of a red phone, you know, between Washington, DC and Moscow.

Ben Yelin: Right. Let's prevent this mutually assured destruction.

Dave Bittner: Right.

Ben Yelin: Let's stay on the line to make sure, like we control the world's nuclear arsenal. Here it's we control the world's largest networks and software and computer systems.

Dave Bittner: Yeah.

Ben Yelin: So let's work together to make sure this doesn't go to hell. We can resume our rivalry right after our phone call is over. And we can still be geopolitical rivals. We can hate each other. We can demagogue one another to the public, but yeah, let's keep that line of dialogue open.

Dave Bittner: Yeah. I mean, they talked about how during the Cuban missile crisis, they talked to one of the former ambassadors I believe, or someone who worked in the embassy anyway, at the Soviet Embassy. And they were saying that, you know, their communications went with runners to Western Union. So if they had to get a message quickly back to Moscow, they hoped that the runner didn't stop to, you know, talk to an attractive person on the way to slow it down. You know, that was the speed at which information was traveling. And so that's when they decided to put in these direct telephone links, these hotlines between the two nations. And what they're saying is now that AI presents a similar sort of peril where because of AI, especially if you have military systems posed up to AI, that things can spin out of control very quickly. And so-

Ben Yelin: You talked about some of the catastrophic risks here, including battlefield, singularity and hyper war. Do you know what hyper war is?

Dave Bittner: Go on.

Ben Yelin: No, I don't. I was actually- I was literally wondering if you knew what that was.

Dave Bittner: So I think battlefield singularity and hyper war, they're describing the same thing. I think the Chinese use the term battlefield singularity, and we use the term hyper war. Thanks. You know, because we like to brand everything.

Ben Yelin: Right. Good old-fashioned American branding.

Dave Bittner: Yeah. But it's basically just- it's things operating with a velocity beyond the human rate. So this, it's sort of- it's like the Terminator, right? The system takes over and decides to launch, launch, launch, and that it decides that the safest thing to do is to take the humans out of the equation because they're too slow. And, you know, it's all those kind of sci-fi sorts of things that we're trying to avoid here. So it sounds like a simple thing. Like, and I guess you would think that this already exists. Right. And I suppose to a certain degree it does. In today's modern world, you have to have these lines of communication, but to actually formalize it and to put protocols in place, diplomatic protocols in place for AI eventualities and to think about this ahead of time, to have folks thinking about the possibilities of what could happen, it seems pretty smart to me.

Ben Yelin: I think so too. What I worry about is when we get like a major stress test when there's a diplomatic incident between the two countries that strains our relationship further than it is now. I'm thinking of the worst case scenario, I guess not the worst case scenario, but a bad scenario of an invasion of Taiwan where we provide military support and China has the incentive to say let's cut off this collaboration we have on AI. We don't want to share any of our secrets.

Dave Bittner: Right.

Ben Yelin: That I would worry about. But I think the steps being taken now are absolutely correct. It might seem counterintuitive to establish these lines of communications with our geopolitical rival, but I think the historical analog to the Cold War is so apt because this is real politique. This is a way to prevent harm. It's maintaining these lines of communication. And you know what? They're giving us pandas back. So they should be rewarded with some collaboration on AI.

Dave Bittner: We are getting our pandas back.

Ben Yelin: We had to give our DC pandas to the Chinese government last year.

Dave Bittner: Right. Oh.

Ben Yelin: Trips to the DC zoo became much more boring.

Dave Bittner: Yeah. Humiliating to lose our pandas.

Ben Yelin: And now we're getting them back.

Dave Bittner: You'd think we'd be able to get ourselves some black market pandas, but I guess it's harder than you think, you know.

Ben Yelin: I mean, it's just unfortunate that they're the world's cutest animal and their natural habitat is only in China. Correct?

Dave Bittner: That is true. They're bumbling little balls of cuteness.

Ben Yelin: They are. And so there's no way we could just like breed pandas and increase the panda population in our own country. It just wouldn't work.

Dave Bittner: Yeah.

Ben Yelin: This article talks about some of the existing crisis communication channels that are publicly known. And it does point out that one of the big problems or challenges with this is that so much of this is classified. Right. If the communications happen, chances are you and I will never hear about it. But there's a, I guess you'd call it a rumored event that happened. They talk about that the Beijing Washington hotline was established in 1998, and a direct telephone link was added in 2008 for military communications. And legend has it that the direct telephone link was used during the 2020 war scare when US defense officials- I'm quoting the article here. When US defense officials learned that the PLA was genuinely worried about a possible October surprise attack, and Chairman of the Joint Chiefs of Staff General Mark Milley allegedly told his counterpart that, "If we're going to attack, I'm going to call you ahead of time. It's not going to be a surprise."

Dave Bittner: Well, that's nice of General Milley.

Ben Yelin: Isn't it?

Dave Bittner: I got to say, though, this all does make me feel better. I mean, we've been assured by members of the Biden administration that we have back channels to the Russian government to prevent the worst possible outcomes of that conflict. I just think it's the wise thing to do. AI is going to get- as it becomes more widely adopted, the dangers are going to increase. And before it escalates into something kinetic and super dangerous threatening to civilization, it would be really nice to maintain that dialogue.

Ben Yelin: Yeah. And I guess also you think about the context of things like deep fakes, you know, to be able to pick up the phone and say, listen, did your leader actually say that or was that AI?

Dave Bittner: Totally.

Ben Yelin: Yeah.

Dave Bittner: Right. And we've already seen how effective deep fakes are. We had a lot of people in New Hampshire believing that President Biden called them and instructed them not to vote in the primary. What happens if there's a video out there spreading on social media that's popular in China, purportedly to be from Joe Biden saying, we're getting ready to attack Beijing.

Ben Yelin: Right. Right.

Dave Bittner: Or we are escalating-

Ben Yelin: Up the missile silos.

Dave Bittner: Exactly. We're escalating conflict in this South China Sea. The bombing starts at midnight or whatever.

Ben Yelin: Right.

Dave Bittner: Yeah. I think that's another very important reason to maintain that line of communication. Something I didn't even think about, but the deep fakes is certainly extremely relevant to this context.

Ben Yelin: Yeah. And like you say, you know, something you don't think about. I guess to me, part of what makes this article interesting is that you assume that these back channels are here. You hope that they are certainly at this level when you're talking about the world's great superpowers. And yet, this article points out that those channels still need regular care and feeding.

Dave Bittner: Right. You know, they need to be used. It's fine if the channels exist, but we have to know that they have to actually be used when there's some potential harm out there. We have to have an instinct among both countries to go to these channels to prevent conflict.

Ben Yelin: Yeah.

Dave Bittner: I think that's how it works right now. But there's no guarantee that that's how it's going to work in the future.

Ben Yelin: Right. Right.

Dave Bittner: So you can establish these lines of communications, but they're not very good if they're not used.

Ben Yelin: Yeah. That's interesting. All right. Well, we will have a link to that story in the show notes. And again, we would love to hear from you. If there's something you'd like us to consider for our show, you can email us. It's caveat@n2k.com. [ Music ]

Dave Bittner: Ben, I recently had the pleasure of speaking with Camille Stewart Gloster. She is former Deputy National Cyber Director at the White House, also one of my favorite people to interview. It's always time well spent when I get to chat with Camille Gloster. Here's our conversation. [ Music ] Well, let's start off by talking about the journey that you had becoming the Deputy National Cyber Director at the White House. I mean, how did you initially get the call to see if this was something you might be interested in?

Camille Stewart Gloster: So that journey began before the office was even stood up. I had started a mentorship program in collaboration with West Exec during the pandemic. So everyone was locked up at home through an organization I started called NextGen NatSec. And in organizing I also participated and was paired with Chris Englis. And over the course of about six months, we had a number of conversations around cybersecurity and national security in our careers. And it was a very fruitful conversation. But one of the things that we discussed was the need for an office of the National Cyber Director. He had been a part of the Cyber Solarium Commission, and I had been writing articles about passing this in the NDAA and getting it stood up and the importance of the office. And so he had a number of conversations about what it should look like and why it was important and how essential it was to get the office stood up as soon as possible. And when Chris got nominated to be the first national cyber director, I was really excited because I knew from firsthand conversations that he had put a lot of thought and energy into what the office should look like. But I guess he also knew the same about me. And so he approached me to lead a part of the organization focused on future resilience. And he said my background on supply chain security issues and in emerging technology spaces, and then my personal passion for people and empowering people in these spaces and national security spaces and cybersecurity spaces led him to think that I should lead a team focused on future resilience. And the journey started there.

Dave Bittner: And what was that transition like to go into public service? Was that a bit of a culture shock for you?

Camille Stewart Gloster: No. This is not my first tour of duty as I say in government. In the Obama administration, I was at the Department of Homeland Security and I helped stand up the office of Cyber Infrastructure and Resilience Policy. And so coming back to government felt like coming home in some ways. It was definitely a shift in many others because I was coming from Google. And there's kind of a change of perspective that you have to flip the switch on when you transition between government and the private sector. But I find that I was often thinking about how government could take the ball further than I could in the private sector, then usually vice versa when I switched roles. And so by the time I was coming back into government and moving into the White House, I was excited about all of the areas where I saw opportunity for the federal government to really lean in and to sit in the seat where I really had the power to drive that kind of change.

Dave Bittner: And what was the day-to-day like? What sort of problem solving were you actively involved with?

Camille Stewart Gloster: So much. I mean, first was just the standing up of the office of the National Cyber Director. There was one person and a half on my team when I arrived. And so envisioning what this broad mandate to think about future resilience and emerging technology and cyber workforce, what did that really mean in practice? And who were the experts and thought leaders that should be a part of that team? What would the connectivity to the interagency look like? What structures would we need to set up? I did a lot of thinking about what was the vision and mission of this part of the organization and how did we realize that affirmative vision that we were starting to build out in the national cybersecurity strategy and verse and eventually instantiated in that. And so a lot of work was there, but also with the day-to-day policy writing, the sitting in deputies committee meetings, making decisions about national security policy as a whole, particularly where it intersects with the issues that I was leading. It was engaging with the private sector. I think one of the hallmarks of the office of the National Cyber Director is truly collaborating with the private sector with non-federal entities to get a holistic and complete understanding of the cyber threat landscape and the opportunity landscape. And so a lot of my work was that kind of engagement with our non-federal partners, with our international partners, and then building out action oriented ways to achieve those goals. How do we not only think through these things, but then deliver on the priorities that we set as a federal government, but also collectively as a nation or as a global society?

Dave Bittner: How did you and your colleagues there measure success?

Camille Stewart Gloster: Oh, it depended on the initiative. On the cyber workforce side, I think a lot of the initiatives that we had that called upon non-federal entities to commit time, talent, resources really demonstrated the forward motion and the cyber workforce face. You know, the federal only government only has a small piece of the work. And so every time we got a company, or a state government, or an academic institution, or a training provider to commit to delivering more cyber training to commit to training up more people or delivering more programs that were relevant, that really demonstrated success. And then on some of these emerging technology issues and supply chain issues, some of the success was coordination. Quite frankly, there are a lot of authorities that can be brought to bear throughout the executive branch and one entity really looking at not only the national security implications, but the economic implications, the human security implications, and be able to provide that holistic perspective, prioritize de-conflict, that kind of work. Living in ONCD was really added benefit. And so I think we moved better as a federal government. It was clearer who was doing what. I mean, I think that's obvious in things like the implementation plan from the national cybersecurity strategy. We were able to deliver on things like the AIEO, which was a whole of government effort and led at the White House. And I think the fact that security is right at the top to really demonstrates how ONCD poured into that process and really helped deliver. So it's obvious in the number of different things. A lot of the collaborative policy efforts you see, implementation of the strategies we delivered, the novel policy conversations that we're having, the exposure of private sector to some information that could help guide how they move. Like we had all of these conversations on things like space cybersecurity and climate and cybersecurity that really kind of infuse cybersecurity as parts of broader conversations that were already outgoing.

Dave Bittner: You know, government, well certainly Congress is sort of, you know, famously dysfunctional these days. And I'm curious, you know, to what degree were you and your colleagues in your office able to kind of stay above that partisan fray? I mean, it strikes me that cybersecurity is one of the areas that seems to get broad bipartisan support these days.

Camille Stewart Gloster: Yes. That is one of the things that is most encouraging is that cybersecurity issues tend to be nonpartisan. And so we were able to work across the aisle with our counterparts and Congress and, you know, really educate them on the work that we were doing and the places we saw needed some legislative support and legislative intervention or needed budget and resources. Not all of those things move forward or have not moved forward yet but the conversation and the lines of communication were always open and collaborative. And we also took it upon ourselves to do as much as we could within the executive branch because that's our niche, and Congress has a lot of things to balance day to day. But I don't think there have been any real impediments to having an open dialogue about where we should be going as a nation and some broad alignment on, you know, the outcomes we seek. That's that Congress does have a quite the agenda to deliver against, and so their prioritization doesn't always look the same as ours in the executive branch.

Dave Bittner: When you joined the organization, did you have any sort of time range in mind for, you know, how long you felt like this was going to be the place for you?

Camille Stewart Gloster: No. I usually let impact drive tenure, and so I was committed to staying as long as the opportunity for impact was great. And I think a lot of work was done to instantiate the office of the National Cyber Director to deliver on the things that I really came there to do, like work on AI, like work on supply chain security, like work on cyber workforce. And so having achieved those things and feeling like maybe it was time that I could do a little bit more from the outside that I could do from the inside was kind of the catalyst for that decision. But, you know, people usually only last in the White House about 12 to 18 months. So I made it just about two years. So I'm proud of that.

Dave Bittner: Did you ever have kind of, you know, pinch yourself moments where you looked around and you said to yourself, I'm in the White House?

Camille Stewart Gloster: All the time. I feel like if you don't, then you're not paying attention.

Dave Bittner: Yeah.

Camille Stewart Gloster: There's so much history and, you know, so much about who we are as a nation and who we are as people has been impacted by the decisions made in those halls and by the people who choose to get- dedicate their lives to service. And, you know, whether it be the structures like walking through the White House and the executive office building, or if you thinking about the impact of the work that you're doing and the urgency of the things that make it to your table because they are national security imperatives or economic security imperatives, I hope that everybody in these seats can stop to reflect routinely. But yes, it hit me quite often.

Dave Bittner: Yeah. Where do you suppose that we're headed here? I mean, when it comes to cyber policy, having had that insider's view, I mean, are you optimistic that we are in a good place as a nation in terms of developing good, meaningful, actionable policy?

Camille Stewart Gloster: I think we are pointed in the right direction, but have lots of work to do. And the federal government is a big ship to turn. And so a two-year, two-and-a-half year, almost three-year-old organization cannot make all the changes that would need to be made in a moment nor can a series of those, right? CDP is a new organization within state. I think we've identified some of the apparatuses that we need to make effective cyber policy and to make that values aligned and designed to achieve our desired goals rather than organizing ourselves around combating the threat, right? Like, let that be a feature of achieving the desired goal rather than the way we orient ourselves. So I think we have started to put the structures in place, but there's work to be done to make sure that those are strong and healthy and continue to drive towards actionable policy that really addresses the root issue we seek to fix or the value we seek to preserve. And I'm excited to see that work continue.

Dave Bittner: Before I let you go, any words of wisdom for folks who might be considering a career in public service?

Camille Stewart Gloster: Please do it. The federal government, the international and national cyber ecosystem in general will benefit from your experience in the private sector or in civil society. There is a richness of perspective that comes from moving in and out of government from seeing these issues from all sectors and different industries. So please make your career one that allows you to move from organization to organization and include the federal government in that. [ Music ]

Dave Bittner: Ben, what do you think?

Ben Yelin: Really a great get for our podcast. She is on her way out.

Dave Bittner: Yep.

Ben Yelin: And it's just great to get that insight as to what the cybersecurity brass is thinking at the White House especially during these very challenging times. So it's just great to hear her perspective and big get for our podcast, Dave.

Dave Bittner: Yeah. She's just an impressive lady and has really been doing some great work there at the White House, and I wish her well in all her future endeavors.

Ben Yelin: Yes. I think the White House is going to miss her.

Dave Bittner: That's for sure. That's for sure. [ Music ] All right. Well, that is Caveat brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to caveat@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how@n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. The show is mixed by Trey Hester. Our executive editor is Brandon Karp. Peter Kilpe is our publisher. I'm Dave Bittner.

Ben Yelin: And I'm Ben Yelin.

Dave Bittner: Thanks for listening. [ Music ]