Cybersecurity in The White House – with Camille Stewart Gloster
Andrew Hammond: Welcome to "SpyCast," the official podcast of the International Spy Museum. I'm your host, Dr. Andrew Hammond, the museum's historian and curator. Each week we explore some aspect of the past, present, or future of intelligence and espionage. If you enjoy the show, please consider leaving us a five-star review. Coming up next on "SpyCast."
Camille Gloster: In the past cyber strategies have talked about how we respond to our adversaries and how we mitigate threats as the primary position from writing the strategy. This one instead says, if we want a digital ecosystem that is all of the things that we've been talking about, how do we get there? [ Music ]
Andrew Hammond: This week I was joined by Camille Stewart Gloster. Camille most recently served as the Deputy National Cyber Director for Technology and Ecosystem at the White House, where she was the first person to hold the role. At the White House, she worked alongside the National Cyber Director, advising the president of the United States on the most critical issues and developments within the technology field. In addition to her fascinating work within the White House and across the private sector, Camille is the co-founder of the #ShareTheMicInCyber movement and the #NextGenNatSec initiative. Both efforts that aim to grow a more diverse cyber workforce. In this episode, Camille and I discuss the intersections between technology and the law, the origins of the cyber threat, the importance of cyber education, building a diverse cyber workforce, and much more besides. The original podcast on intelligence since 2006, we are "SpyCast." Now sit back, relax, and enjoy the show. Okay. Well, thanks ever so much for joining me today. It's a pleasure to speak to you, Camille.
Camille Gloster: You as well. Thank you for the invite.
Andrew Hammond: Yeah, you bet. So I think the first most obvious question is what first drew you to cyber and technology?
Camille Gloster: Yeah, so my dad is a computer scientist. And so I grew up sitting in the back of his computer science classes. He taught at a community college. And tinkering with computers, he always had the latest and greatest at home. And so I always knew that technology would be a part of my journey. I just didn't know how, because despite his best efforts, I decided I wanted to be a lawyer. And so I spent much of my educational career trying to figure out how to marry the two. But my love for technology came from early and frequent exposure through him.
Andrew Hammond: Okay. So it's always been there. And tell us a little bit more about how that overlap took place in your most recent role at the White House. So you go on in your educational career, you studied law, but you've got this abiding interest in technology which deepens as you confront these various issues as you've just described. So, you know, for lots of people listening or for some people listening, sorry, it may seem like it's either or. You know, if you do law, then you're not doing technology, or if you're doing technology, then you can't do law. So if anybody out there is curious, like how do you make both of them work? And maybe you can use the example of your recent job.
Camille Gloster: So I had that same thought, right? Like I guess I'm kind of choosing one or the other. And at best, maybe I'll be protecting people's technology since I can't use my technical acumen if I want to be a lawyer. And I think in traditional legal paths, that's true. But now things have changed so much. When I was going through law school, you kind of got a survey of the internet law, or you were doing intellectual property. And I got recruited to a cybersecurity company after law school. And I quickly realized that to truly understand the challenges that we were facing and the opportunities and how best to wield them, how best to understand the risks and mitigate those risks, my legal background, my understanding of the law and what it's capable of, what its boundaries are, was integral to being truly successful. And so the early part of my career was kind of convincing folks that to be a lawyer in cybersecurity didn't only need to be someone with compliance- a compliance background, right? Traditionally, lawyers who work on cybersecurity kind of understand breach notifications and look at your contracts and decide if you've got any obligations, if something bad happens or if something good happens. And I was like, that's not what I want to do. There's so much law unwritten, so much policy unwritten, I want to do that. How do I bridge the gap? How do I help people understand why I should be on the security team, why I should be looking at these challenges upfront, or help design products to think about security from the beginning? And so I started that there. And I think, you know, the culmination or the most recent culmination of that is going to the White House and really thinking about these issues at a national and international level. And my portfolio is focused on emerging technologies, supply chain security, privacy, human rights in tech, and then on the other side of cyber workforce. 
And really how do people play into this dynamic around technology and securing it and really building a digital ecosystem that is all the things we hope it will be. And so that realization, that evolution towards understanding that being a lawyer in this space doesn't have to just be compliance. It can be a very creative endeavor that requires of you to really understand the technology and bridge the gaps on the boundaries and guide how it underpins our society and works for us, not against us.
Andrew Hammond: And I think it's quite interesting with this field because for the law as I understand it, it's not like other parts of the law, which have been worked out over hundreds of years, and there are settled patterns and processes that take place. This stuff, because it's emerging, because technology is moving on so quickly, the law's constantly trying to keep up with it. So there's this interesting interplay between technology and the law. Could you tell me a little bit more about that from your perspective?
Camille Gloster: Yeah. Right now it's a game of cat and mouse. And some of that is by design, right? The innovation that's coming out should not be hampered by law and like strict regulations. That said, I think the thing that our broader international and domestic apparatus is really figuring out is, how do we create frameworks that protect the things that we hold dear while allowing technology to evolve? And what we've seen is when we legislate or regulate for an instantiation technology, so I'm going to regulate not just social media, but Twitter or Facebook or like picking a title manifestation of the moment, that does not stand the test of time. And so that regulation, that attempt at policy doesn't actually meet the moment. But when you say, what I'm trying to do is preserve privacy, or I am trying to preserve the exposure of truth, and you think about how you do that, how you protect that root issue, you make- it makes for better law, a better policy. And so that's the work that's being done right now, is how do we do that at scale and at speed without- I mean, you have to still have an understanding of the technology, obviously, to do that well, but without limiting technology's evolution. And so that's kind of why it moves slower, like I said, sometimes by intention- to an extent by intention. But also it was a learning process to know that you don't legislate- regulate an instantiation of a thing. You kind of look at the landscape and what you're trying to protect, and then what behaviors you want to stop and how do you create something that does that for you?
Andrew Hammond: When I take a step back and think about this stuff or think about my job as the historian at the Spy Museum, you know, it ma- it makes me think about the evolution of how human beings have used information and the volume or the amount of information that people have and the types of people that get it as an elite or is everybody. So, you know, with the Gutenberg press and Germany way back when books, that's a game changer. But it seems to me that the internet, the information revolution, this is a real game changer. So I think in many ways, we're still struggling to adapt to this new overflow of information. And all of these emerging technologies have implications for that original question that I mentioned, like how human beings use information and information, of course can sometimes become intelligence. So it's just- I guess for a lot of people this stuff is quite disorientating. What's going on? It used to be we struggled to get information, now we're drowning in it. It used to be the information that was published in, I don't know, newspapers and other outlets, it was verified by and large and, you know, there was some kind of quality control. But with the internet, anybody can set up a website or a blog or go on YouTube and say anything they want. So there's just this kind of like this brave new world that we're living in. So all of that just makes me think about- can you just help our listeners like orientate themselves a little bit? Like when did the national- like when did cyber become an issue for the US government? And then we can walk that up to the role that you had. But when- like what's going on here? So the American governments, we've got a paper trail, you know, we've got the old IBM computers and then we are where we are now. When did cyber come into the picture?
Camille Gloster: Well, first let's talk about orienting folks to the- to that issue you talked about information overload, and technology is an amplification mechanism. It makes perspectives that were once discrete and had one-to-one or in small groups, easily accessible by the masses. And it also has the opportunity to promote, you know, nuanced ideas, which normally would- might have gotten lost or taken a long time to promulgate that are beneficial for us. It can take them to the far corners of the world, but it can do that for the negative things too. And so we find ourselves in this space where, you know, there was a level of vetting when things get into the newspapers and there still is. But you could rely on that, to your point earlier. You could rely on the fact that that content in the newspaper was vetted and someone who had a background in research and writing and all of these things put that in there. We are now at a place where a lot of voices can be heard, and that is great, but that means the best and the worst of us can be heard. And that takes us back to a place where we need to think about what are the fundamental skills that allow us to navigate that information space. It's not a bad thing that there is more information at our fingertips, but we need to teach critical thinking in schools. Folks need cri- civic education. People need that research and writing backgrounds that they can discern what is the truth? How can they interpret information? Is it based on factual sources? And that, especially that critical thinking piece, I think that kind of gets lost would mean that the abundance of information that we're seeing might be a time problem, but it's not- doesn't have to be a truth problem. And so one of the big things that I worked on is, how do we ingrain that back in our education system and make sure that critical thinking is something we're all equipped with. 
Because that critical thinking also helps people discern that AI is a tool, not a solution, right? Like you can use it to help you get through large amounts of information, but you should not rely on it to develop things for you that you then don't have to have the background to be able to check and understand. And at the White House, like I said, one of the things I was doing was that how do we educate and equip every American to be able to navigate society? And what we realized is just like you have reading, writing, and arithmetic, there are some cyber skills that everyone needs. And that is digital literacy. Yes, turning it on and off, but it's also computational literacy, understanding what the tool can do, what turning pieces and parts of it on and off or features and functions do, and what that does for your privacy, your security, your ability to navigate the world. And then digital literacy or resilience, excuse me, which is adapting to the changing technology. Because yesterday it was social media and today it's AI. How do you bridge the gap and make sure you are proficient enough to do everything that you do day-to-day? And then even more so layering on job skills if your job requires of you to be able to use technology, which I would argue everyone's staff does. So that was one of the things we did. And then on the other side, it was really focused on how do we make the technology work for us? So the Office of the National Cyber Director for folks who are not familiar, is focused on an affirmative vision for what our digital ecosystem should look like. It should be equitable, it should be secure and resilient and defensible. And so if we are to do that, how do we do things today and in anticipation of tomorrow to make sure that it is all of those things. And so there were four deputies, one focused on the federal networks, one focused on strategies and making sure there's money aligned to the things that we prioritize, one focused on cyber operations. 
And then myself, who was focused on future resilience. And my portfolio said, if we are to have this affirmative vision, what are the things we need to do to make sure that the technology- the people are resilient for that future, are ready for that future. And so as I looked at emerging technologies like AI and quantum and the convergence of the two or at privacy and human rights and technology, all of those things, we did a lot of work to make sure that they are resilient, that they're easily understood that they're working in our favor, and that we understand the risks enough to mitigate them.
Andrew Hammond: Okay. That's fascinating. You mentioned a number of things there that I would like to pick up on. So what are some of those skills if you, you know, could just tell me a few of them that you mentioned? It almost seems to me like, you know, trying to move the needle in the education- in any education system anywhere in the world is very, very difficult.
Camille Gloster: At first, you are right, it is tough. One of the things though that I find is that folks shy away from the long-term investments and only want to focus on the short-term. So one of the reasons we name those things is because we've got to also focus on the long-term, but there are some short-term investments to your point. Public education campaigns are a great one. So the Cybersecurity and Infrastructure Security Agency has one out now called Secure Our World that is cartoon-based and just kind of talks about some of the main skills folks need. I think the biggest misperception by people is that cybersecurity is a lot of work and you have to be super technical. And the problem is bigger than me as an individual. And what that public education campaign seeks to make clear is that some small behaviors, whether as an individual or as a small business, could actually protect you from about, and this is an approximate number, but about 80% of the threats that come your way. And so multi-factor authentication, frequent software updates, all of those little things mean that you are much more secure than you would have been before. So there are efforts to kind of get those campaigns out there, get that public education out there. And one of the things we recognized is that community-based conversations, community-based learning are much stronger. So one of the other tools for that short-term investment is how do we get our universities talking to K through 12, talking to community groups, talking to community groups that like target the elderly or target the working professionals, that target training instructors and training programs, that get families to make this a kitchen table conversation because it is also part of the education system, part of their day-to-day lives, part of their community conversations. Because I think that people miss the fact that there are a lot of really lucrative jobs in cyber. 
And the things that we do every day are actually pieces and parts of the problem. So how many people have a niece, nephew, child, cousin, who can like track their friends, track their family members through their phone, know where they are, what they probably did last week, because they can look at their social media and look at other, their other online footprint and determine where they've been and how they've been. That's actually a job called cyber threat intelligence, open source intelligence. That is an opportunity to not only make a lot of money, but to use these skills. And I think another part of the problem is having a conversation where people understand that they do a lot of this work every day, but honing those skills and being intentional about them and then applying them to a career means a transition from a hobby to something more concrete. And that narrative piece of making cybersecurity not seeming so overwhelming is a big part of the work as well.
Andrew Hammond: And I think that you've touched on an interesting point. There almost seems like part of the educational strategy, whether it be an educational institutions or public infra- public education, it almost seems like it should be breaking down and sort of taming the terms cyber. Because people just hear it and they just immediately think zeros and ones. I'm being a little playful here, but you know, they think about guys wearing hoodies and --
Camille Gloster: In the basement.
Andrew Hammond: -- eating ramen in their basement, that type of thing so. There's normally like three quarters of a million cyber jobs that are under- you know, that are not filled and so forth. So part of that is educating people that not all of those three quarters of a million jobs have to be people that are coding or dealing with zeros and ones and so forth.
Camille Gloster: Yes, exactly. So many of those jobs require a variety of other skills. There is training in cyber, there is marketing, there's lawyers, there are a number of different professions under that umbrella. And each of them very important. Also, one of the great things about that abundance of access to information we talked about earlier, is the fact that you can get trained up on this stuff without going to get another four-year degree or a four-year degree at all. It is an opportunity to, you know, take a training course that teaches you the direct skills you need to do the work. So you could have been a lawyer in a past life and decide you do want to be a software engineer. And there's a bootcamp for that. There is an intensive training program that will teach you how to do that without you going to get a master's degree or a bachelor's degree. I mean, you can do it that way as well, but there are other avenues and opportunities. So we're in this place where not only are there a variety of skills needed, it's a multidisciplinary space, but you also can learn anything really quickly and in ways that you couldn't learn them before.
Andrew Hammond: One of the things that I find quite interesting as well is for cyber, so we've got these jobs that are not filled. I guess I'm quite interested in, is this also the case in other countries? Is this a uniquely American phenomenon or does China have the same problem? Do- does Russia have the same problem? America's, you know, competitors if you want to put it like that.
Camille Gloster: So it is a global problem. That said, there's scale differences, right? Israel has a military service requirement and they do aptitude testing to align people based on their aptitude to a branch of the military and towards a skillset. That means that part of those people, part of that population goes into cybersecurity military service and gets trained up in their cybersecurity division. They have less of an issue. Because part of their training has helped people identify those skills, train them up on those skills as part of their mandatory military service. They've also invested heavily in their innovation ecosystem. And so their desire for cybersecurity talent is a little bit different. Same thing, you know, Russia and China are different because they have kind of enabled and incentivized folks with cybersecurity skills. And I wouldn't even say cybersecurity skills because sometimes it's hacking skills, you know. It- things that fall under that bucket but may not be used to secure things. They might be used to access things. They have made some investments. In the continental of Africa, in Europe, and in the UK and the Caribbean and Latin America- there do tend to be- in the US North America, there do tend to be large gaps in cyber workforce. Traditionally, especially populations that have been in the working world quite some time, were not trained on technology, do not have the base level skills to be able to upskill and reskill easily. And people are just, to your point, overwhelmed by the prospect. And by and large that is the biggest limiting factor because actually upskilling and right skilling, it's pretty quick, pretty easy. There are a number of programs that don't require heavy investments of time that can get people the skills that they need. But that narrative problem where folks feel scared and have a cognitive dissonance to their ability to be a part of that workforce is one of the largest things to overcome. 
And so there's a lot of collaboration happening across the world to figure out how we create connectivity in that workforce. Because a more secure India, a more secure, you know, Europe, a more secure US means more security for all of us. And so there's a lot of collaboration going on, and if you look at cybersecurity strategies across the world and investment in cyber workforce is one of the top priorities for most countries.
Andrew Hammond: So let- let's go back to the Office of the National Cyber Director so the- at the White House. So you mentioned the four different deputy National Cyber Directors. Tell me a little bit more about just the office. When did the office come about?
Camille Gloster: The office came about in 2021. It was legislated by Congress to stand this office up as a response to there not being a lead on cyber that was required at the White House. And so the national cyber director is the principal cyber advisor for the president. And the unique thing about this office, unlike some of the cyber leadership that's say in the National Security Council or in other places in the White House, is that this office is focused not only on the national security implications, but on the economic implications, the human security applications. It's thinking about holistically how we leverage technology, how it might benefit us, what are the opportunities, but also what are the risks and the threats, and how do we make sure we move towards that affirmative initiative that I talked about, a digital ecosystem that is equitable, secure, resilient, defensible, and something that's working in our favor that's values aligned. And so the office came to be recently, but the first National Cyber Director being Chris Inglis, and then we had an acting National Cyber Director, Kemba Walden. And now the second National Cyber Director was Harry Coker. And the office is very young, and as you can imagine, there had not been a new office in the White House since the 1960s before the Office of the National Cyber Director came about. And so standing up a new office in the White House is no small thing. But the great thing about this office is it realizes all of our dreams of, you know, wielding technology in the best ways possible and wielding the authorities that exist across the interagency, across the federal government and the executive branch in a way that reduces duplication, enables money to go behind the priorities that we set out and allows us to be more efficient and effective with the time, resources and talent that is available in the federal government. 
And so as the office continues to mature, the hope is that what you see is a more coordinated federal government, a lot more collaboration with the private sector. You've probably seen that quite a bit. When we wrote the National Cybersecurity Strategy, we brought in hundreds of experts from the private sector, from civil society to talk about what the implications of the things that we're putting in the strategy would be on our society, on our businesses, on people's lives every day. And in the implementation of that strategy, which is a lot of the work that's going on in the Office of the National Cyber Director, you'll see a lot of collaboration. And I think the most exciting thing is not only that holistic view of cyber issues, but also the fact that it inherently provides a place for public-private collaboration or federal-non-federal collaboration. That convening point for a holistic understanding of the implication of the state local, tribal, territorial level, and at the private sector civil society level. All coming together with the federal government to create policies and frameworks that bring to bear all of the perspectives and the strengths of all of those groups.
Andrew Hammond: And for anyone listening overseas or even in the US who are maybe a little bit rusty on government and political science and so forth, what does that actually mean to have an office in the White House? So, you know, we hear about these various offices and so forth, just with- tell the listeners what that means. Does that mean that this office provides the principal advisor to the president on a particular issue or it's liaising with people on Capitol Hill or it's lobbying or like what kind of functions does an office take on?
Camille Gloster: Yes. So it's the principal advisor to the president, but also the principal coordinator across all of the executive branch agencies, Department of Homeland Security, Department of Commerce, Department of State, all of the agencies and cabinet heads that report into the president coordinate through this office on that issue. So on any cyber technology issues. And so each agency under the federal government has a role or responsibility around technology, around a number of things, but around technology and cyber. And so this office on behalf of the president helps wield those responsibilities. So the Cybersecurity and Infrastructure Security Agency has a very operational focus. How do we hands on the ground- hands on keyboards, boots on the ground, help accompany a state, an organization, make their networks more resilient? So how do we make sure those authorities are used well? Department of Commerce enables the money to run and helps enable businesses like, have you heard of the CHIPS Act? Where we're investing money into semiconductors, they are leading a lot of that work. How do we make sure that is done well? So it's an- it's a coordination function in addition to rolling up all of the insights and expertise from across the federal government and advising the president day-to-day.
Andrew Hammond: So a department would more be a standalone entity with its own building and its own staffing, but an office would be part of a more closer White House staff. Is that correct?
Camille Gloster: Yes, exactly. So an office in the White House works at the White House book departments.
Andrew Hammond: And was the office of the National Cyber Director, was that like in the executive office building or was it in the White House or?
Camille Gloster: Yes, in the executive office building. Most people who work at the White House work in the executive office building.
Andrew Hammond: Work there. Yeah. Well, I think that it could be interesting now just to talk about your particular role a little bit more. So future resilience and so forth. So what would your day-to-day look like? Like I know that this is not a fair question because it depended on the day, but just ballpark, an approximation.
Camille Gloster: Yeah. So the fact that no day looked the same is actually one of my favorite parts. But it could be convening international partners to host a discussion- an action-oriented discussion around some of the issues that I mentioned. It might be convening with public or private sector partners. I hosted a number of events to get commitments. One of the things that I was very committed to was action behind the conversations that we were having. It is one thing to identify the problems, identify potential solutions, but I wanted to make sure that the things we identified would actually get implemented. So you'll see from the National Cybersecurity Strategy, but especially from the National Cyber Workforce and Education Strategy, which I was the primary architect of, and my team led the drafting and competition of, there were a lot of action-oriented events, action-oriented convening. So when we launched the strategy, a bunch of companies and a bunch of states made commitments to invest money or to hire people or to develop educational programs. Also it might be sitting in a deputies committee meeting for the president. One of the ways that the president makes decisions is that executive orders, policy, issues for consideration move up through a layered tier of decision-making. So it starts with the working level and the sneeze, and then it moves up to leadership, and then there's a deputies meeting, and then a principal's meeting before it goes to the president for final decisions. And that principal's meeting is like secretaries, cabinet-level, deputies of the deputy to the cabinet level. So like a Deputy Secretary of Homeland Security, and this needs to meet that. And so I was part of those deputy committee meetings and focused on making decisions from the perspective of being the cyber national- the Deputy National Cyber Director. 
The other things we might be doing is writing policy, getting my team to pull together either themselves, other folks around policy issues, a lot of meetings, a lot of travel to represent the president and the US government on these issues, speaking about these issues so that people understood the work that was going on in the White House on their behalf and to protect them, that kind of thing.
Andrew Hammond: What was your first day like?
Camille Gloster: Oh my gosh, my first day was a little embarrassing. [ Laughter ]
Andrew Hammond: Why?
Camille Gloster: So it was great. You show up, they get you all your badges and you get read into things. You get sworn into your position. Lots of great things. Some things that are very normal, like HR briefings and orientation. Why I say it was embarrassing is I went to one of the offices and tried to exit out the wrong door. And as you can imagine, some kind of alarm started going off. And I just knew I was going to get tackled by Secret Service. Thankfully, I did not. I'm assuming it's happened to many people before. But I was mortified because I thought I was going to get tackled by a Secret Service agent on my first day.
Andrew Hammond: Wow. And I guess like, just to bring it back to the focus of your job. So cyber future resilience and so forth. So that leads on the question, how is America positioned technologically for the future? And especially I think for competition with China, which is something we hear a lot about these days. So put America in perspective for us.
Camille Gloster: Yeah. I mean, America is the home of innovation. There is a lot of investment in that and a lot of opportunity for technological enhancement, which we are doing. And a lot of the investment that President Biden and the Biden-Harris Administration are making to make sure that a lot of the components of that technological innovation happened on our shores is really important, right? The CHIPS Act, investing in bringing home chips manufacturing to the US, the data security, the executive order that came out a few months back, really gives the authorities to make sure that our supply chain is more transparent and gives some authorities to limit foreign investment in that supply chain. And so a lot of the work that's happened in this administration, past administrations as well, but in this administration to build more resilience and transparency in our supply chain will help that innovation continue to grow. Now, China is making heavy investments, and they're being very strategic by not only investing domestically, they're investing across the world, right? They're building infrastructure in the global south and providing resources and access that will help shape their perspectives as nations. And when they show up in multinational bodies, that will impact their perspective. And China is promoting a world order and a perspective on technology that is authoritarian and different from that of the west, of the US, UK, Europe. And so while we are doing well, their ability to continue to make those investments and to develop allies and to invest in other nations will help them become stronger, will help promote their perspective on technology governance. And so as the US continues its international strategy, its collaboration with partners, it'll be very important for them to think globally and holistically, not just about what's happening domestically. And a lot of that work is already going on. 
Recently, Kenya was here for the first state- like official state visit of a country from Africa in the last 16 years, I believe. But the commitments that came out of that were amazing as well as out of that US-Africa summit a few years ago. And so, you know, there is investment happening in the continent of Africa and Latin America that will help those nations become more resilient, get a better understanding of technology, understand how technology is evolving in the US and allow us to learn from them in return. And the more we do things like that, the better positioned we will be to combat nations like China that are making really heavy investments globally.
Andrew Hammond: We came across a paper that you wrote on inclusive cybersecurity. Could you tell me a little bit more about?
Camille Gloster: Yes, it's the recognition that technology lives in context. And so often in security, we want to focus on just the technology. What are the technological mitigations to a threat that we have identified or a risk that we have identified? And in actuality, cybersecurity is technology, people, and process or policy against the backdrop of an adversary. And if that is truly the landscape in which we operate, we cannot only identify mitigations that live in the technology bucket or in the technology and the policy slash process buckets. We also have to think about the people. Because any intended use, whether the original purpose of a technology or how you mitigate a threat can be changed by the data put into it by the people that wield that data, that bring that data to it, that operate the technology, and ultimately manipulate the technology. And so that paper kind of outlines a framework. We're thinking about how you build a security program that contemplates bias, that contemplates the human factors of technology and the context in which it is used.
Andrew Hammond: And you co-founded the #ShareTheMicInCyber movement and the NextGen NatSec initiative. Can you tell us a little bit more about both of them, please?
Camille Gloster: Sure. So both of those are kind of manifestations of what I was just talking about. I- #ShareTheMicInCyber came about after the murders of George Floyd, Ahmaud Arbery, and others. And the cyber community really wanted to help. They wanted to do something. They wanted to understand diversity and representation in the cyber field. And I wanted to create a way that folks could recognize their power to make a change in how their colleagues were seen and heard. And so the campaign came about when I met Lauren Zabierek on Twitter, and we decided to create #ShareTheMicInCyber. And really it was an online campaign to elevate voices. So cyber allies gave their platforms to diverse cyber practitioners, and they tweeted about them for a day. And it bred not only conversations about their experiences in cyber and their thoughts on the work and just gave them a platform to elevate their professional experiences and expertise. It also started scholarship funds and fellowships and things like that. And then the NextGen NatSec effort was a response to the executive order after the Obama administration, which I worked in at the Department of Homeland Security, where he wrote an executive order talking about the diversity in the national security space and how vital it is and how diversity in national security is an imperative. And in response to that, I said, gosh, man, there are so many talented junior, and especially mid-career national security professionals across a number of different disciplines that just don't have the visibility and the pipeline to leadership is opaque at best, and if not fraught with hurdles. And so a colleague and I, Laura Kupe, we decided let's just elevate people who are doing the work and at a very high level. And so we started to highlight folks with New America Foundation, a think tank in Washington DC. We started to highlight practitioners in the space with diverse backgrounds.
Andrew Hammond: I would like to come back to the national cybersecurity strategy. So I think the first thing could- just in like a few sentences, could you just summarize what this document is for people that haven't heard of it or that have heard of it, but don't really understand its significance?
Camille Gloster: In 2023, the president released his national cybersecurity strategy, which outlines, much like the Office of the National Cyber Director, an affirmative vision for what our digital ecosystem should look like. In the past, cyber strategies have talked about how we respond to our adversary- adversaries and how we mitigate threats as the primary position from writing the strategy. This one instead says, if we want a digital ecosystem that is all of the things that we've been talking about, how do we get there? And some of that will be combating our adversaries and understanding nation state threats and, you know, combating ransomware, but that won't be the position we look at them from. They will be a response to achieving this vision. And so the strategy has two primary shifts that it seeks to make. One is focusing on shifting the burden from the small players to the large players. So rather than the burden being on individuals and small businesses and small governments, we'll shift it to big providers, large companies, the federal government, organizations with the power to bear it. Like your cloud provider should provide security features for you as a small business rather than a small business maintaining the burden for much of the security work. Right? And then the other shift was using market forces to shift away from a first-to-market goal in innovation to a secure by design, secure by default. So you're considering security upfront. So what market forces do we use to shift the way our economy and the market thinks about how market- how products go to market? And so the strategy was really innovative and a first of its kind in that it was thinking more about the affirmative vision and less about how we thwart direct threats. And to our earlier point in the conversation when we were talking about how we make good policy by thinking about the root issues we seek to solve rather than the technology at the moment, the strategy is that, right?
It's technology agnostic. It really thinks about how do we achieve this goal in whatever the environment may be.
Andrew Hammond: It was interesting when you were talking there about the people that are able to do so stepping up because I think we've had a guest on the podcast a couple of years ago, a former CIA case officer who went on to become a cyber person. And he said that his solution is for every data breach, the company should be fined a dollar per day for every person whose data has been breached. And pretty soon you would find that the system corrected itself because at the minute, there's no- at the minute it's set up to privatize gains and collectivize losses. So they keep your information, they monetize the user, but then when it all gets leaked, it's like, you know, it's like in the cartoons. They pull their pockets inside out and shrug and go, you know, sorry, what are you going to do?
Camille Gloster: I mean, it's a bit of a delicate balance because in reality you have an adversary who adapts to any changes that you make. And so to think that any organization will be so resilient that they would not be subject to some kind of breach or attack is inaccurate. And sets us up for a false premise on which to build out a solution. That said, though, there are organizations who have the capacity and capability, both from a resource perspective, whether that's financial or intellectual, and from a positioning perspective to scale their ability to provide security and resilience. Resilience is that ability to bounce back if something happens. And so we are very focused as a nation, and when I was in the Office of the National Cyber Director on figuring out how to enable that better, and so a dollar for every person, I mean, that could be it, right? Fines and things tend to be one of the tools that governments use. But things like federal backstop to cyber insurance. So thinking about software liability, and if you think about the most atomic units, the technology we use, it's the hardware, it's the software, it's the compiler, you know, those things. How do we make those more resilient? So software liability is a tool to make the software more resilient because we're seeing a lot of attacks there. Those are opportunities, in my opinion, to shift the mentality, the market to respond better to the demand for a secure technology upfront, but also that will mean some regulation and some sticks as opposed to carrots that, you know, push folks. And so maybe that is fines. But I think we could be really creative about the, what. It's just the fact that those things do need to happen. There does need to be accountability for these big players. And you've seen some of that. The Cyber Safety Review Board put out a report about an incident involving Microsoft and the security features that they had enabled.
And it has caused quite a flurry of conversation about monoculture and having one provider in the government and, you know, a big provider like that's ability to be secure and resilient and to provide security upfront. And so those conversations I think are really important and the direct implementation of some kind of regulation or limitations is going to be what will get us there.
Andrew Hammond: Yeah. I hear what you're saying. Complete 100% security is an impossibility. We're running out of time. So just two final questions. So just on the national cybersecurity strategy. So in the past when I've done research in Washington, I've interviewed people that have written various strategies. So I interviewed some people that wrote a national security strategy and they said, contrary to what a lot of people think, this actually has teeth. Like I've held this up in a meeting and said, this is what the president has signed off on. The president went through this and edited it. This is like the president's like vision for this. This is not, you know, just some document. But then I've also, and I'm not going to mention any names, I've spoken to someone else who wrote another sort of important national document and they were like, yeah, it's just a pain in the butt for my office. We have to do it to keep everybody happy. And then we just move on and do, you know, what we were doing anyway, it's just a paper exercise basically. So I'm just wondering where the national cybersecurity strategy would fall in that kind of spectrum.
Camille Gloster: Yeah, I mean I think that's just like any other company. The things that are- have leadership buy-in and come from the top or supported by the top, get the leg room, get the room to run, and then the things that just kind of are check the box exercises, somebody really pays attention to. The national cybersecurity strategy, I would say is definitely the former. You'll have seen it in a lot of the implementation work that's going on across the federal government. This is the first time the implementation plan has been externalized so people can see what items from the strategy have been prioritized year over year. And so I definitely think the cybersecurity strategy and have seen the cybersecurity strategy be a document that is used to shut things down or to guide priorities or to guide investments, which is the biggest thing. Because you know, money is what matters. And so when the budget aligns to things that are in the strategy, it's a huge indicator that it is aligned to the priorities of the president and just aligned to the priorities of the nation because Congress controls a lot of the budgeting.
Andrew Hammond: The final question is the relationship between the government and the private sector. So I'm just thinking about this specifically through the lens of cyber. Because it seems to me that maybe in the industrial age you could go into government and the technology maybe would evolve at a slow enough level that even if you stayed in government, you would still be, I guess, current in what was happening outside of government. But it seems that technology is moving so rapidly that if you work for- if you just join government and stay there, you're maybe not- unless you make a conscious effort, your thinking is not being oxygenated with what's happening in the private sector. You're living in a, to some extent, in a little bit of an epistemic bubble. So you're not really up to date with everything that's going on. So I just wonder if you could tell me a little bit more about that. You know, just looking at your career at Google, Deloitte, Homeland Security, Office of the National Cyber Director tell me about how you conceptualize or think about that open door between the private sector and government. What are the pluses, what are the negatives and, you know, is there something particular with cyber that makes that relationship especially interesting?
Camille Gloster: Yeah, I think it's a must. I actually encourage more people to take a spin in a lot of the other sectors. Because to truly get a holistic understanding of the issues, you do have to understand the other side. Whether you're in industry and you're thinking about the dollars and cents of it or how it impacts your organization, to come in the government and understand the international implications of national security implications uniquely from that lens, to see the kind of data that flows through the government, right? There's the kinds of classified information that enriches the viewpoint and a lens is just completely different versus being on the front lines of things in a different way at a company. So I have intentionally moved back and forth and think that my perspective is richer for it. I'm very encouraged that the place we're at in the evolution of our understanding of cyber and how we organize ourselves as a government in this moment, there is the JCDC that gives information to the cyber infrastructure- Cybersecurity and Infrastructure Security Agency. Their NSA has their own advisory body of private sector, Office of the National Cyber Director works very closely with the private sector because in the past there was this understanding of public-private partnerships, which tended to be just kind of throwing information over the fence from one side to the other. But true collaboration means you actually get to understand how the policy you're developing might impact a business. And a business can understand how these national and international policies or priorities of these nations will influence the trajectory of their organization. And understanding both of those things back and forth, sharing the data that is unique to both of those sectors and those viewpoints makes us stronger in our ability to combat malicious actors.
And so I would say do it as much as you can, particularly in cyber and tech spaces, but quite frankly, I can't imagine there's an industry where you wouldn't benefit from seeing both sides. It can be hard because people tend to like being in federal service if they're in the federal government or like being in the private sector if in the private sector. But there are many opportunities to do one or two year stints in either or. And so I encourage people to explore them.
Andrew Hammond: Okay. Well, this has been really fascinating. I've really enjoyed speaking to you. Thanks ever so much for your time, Camille.
Camille Gloster: My pleasure. This was a lot of fun. Thank you. [ Music ]
Andrew Hammond: Thanks for listening to this episode of "SpyCast." Please follow us on Apple, Spotify, or wherever you get your podcast. If you enjoy the show, please tell your friends and loved ones. Please also consider leaving us a five star review. If you have feedback, you can reach us by email at spycast@spymuseum.org or on X @IntlSpyCast. If you go to our page at the cyberwire.com/podcast/spycast, you can find links to further resources, detailed show notes, and full transcripts. I'm your host, Andrew Hammond, and my podcast content partner is Aaron Dietrich. The rest of the team involved in the show is Mike Mincey, Memphis Vaughn III, Emily Colletta, Emily Renz, Afua Anokwa, Ariel Samuel, Elliot Peltzman, Trey Hester, and Jen Eiben. This show is brought to you from the home of the world's prominent collection of intelligence and espionage-related artifacts, the International Spy Museum. [ Music ]