Camille Stewart breaks down the Office of the National Cyber Director’s whole-of-society strategy

Watch the full event

Internet lights and cables

360/StratCom 2022

December 7, 2022

The Atlantic Council’s Digital Forensic Research Lab (DFRLab) hosts a virtual version of its annual government-to-government forum, 360/StratCom.

Event transcript

Speaker

Camille Stewart Gloster
US Deputy National Cyber Director for Technology & Ecosystem, Office of the National Cyber Director

Moderator

Safa Shahwan Edwards
Deputy Director, Cyber Statecraft Initiative, Digital Forensic Research Lab, Atlantic Council

SAFA SHAHWAN EDWARDS: Camille is a cybertechnology and national-security strategist and policy leader whose career has spanned the private, public, and nonprofit sectors. She has held roles in Google, the Department of Homeland Security, Deloitte, on the Hill, and much more. She has also held cybersecurity fellowships at the Harvard Belfer Center, New America, the Foundation for Defense of Democracies, and the Atlantic Council.

Thank you so much for joining us, Camille.

CAMILLE STEWART GLOSTER: My pleasure. Thanks for having me.

SAFA SHAHWAN EDWARDS: Excellent. So much of what underpins this conversation today is about the work that remains to be done by government, industry, and civil society to demystify technology and digital challenges. This way we can more effectively broaden and understand and invest in the American tech workforce.

So if you wouldn’t mind answering first, tell us a little bit about ONCD, the Office of the National Cyber Director. What is your office’s role and responsibilities? And how does it elevate US tech leadership and capacity?

CAMILLE STEWART GLOSTER: That’s a great question. So the Office of the National Cyber Director is focused on moving us towards an affirmative vision of a thriving digital ecosystem that is secure, equitable and resilient that we all can share in.

Cybersecurity is a tool to do that, but not the only tool. So ONCD gets to look across the national-security implications, the economic implications and the human-rights implications of technology used in promulgation. And our priority areas are focusing on federal coherence. How do we mobilize the federal apparatus to best leverage the authorities and roles and responsibilities across the federal government? National coherence through public-private partnerships and our international partners, et cetera; aligning resources to aspirations. We’re trying to get rid of unfunded mandates. How do we get the money to back up the work that we say that we need to do? And then present and future resilience.

And I’d like to say that my team is focused on that future-resilience piece. How do we use the lessons from today to inform the technology and the work of tomorrow? If you think of cyberspace as people, technology, and doctrine—and doctrine is in roles and responsibilities, policy, all of that—then we get to focus on future-proofing the people and the technology, leveraging that doctrine to achieve that affirmative vision that we talked about.

So lots of work going on, lots of fun ahead. But workforce is a key component of that. When I talk about people, it’s not just people from a human-capital perspective. It is how technology shows up in our lives, the fact that people create, promulgate, use and are the malicious actors that weaponize or leverage technology. That means that we have to understand them as people. That means the broadest cross-section of skill and backgrounds creates a better understanding of the societal context, the cultural context, and all the other things about us as people that informs technology and how it shows up in the world.

And so having a highly skilled, multidisciplinary, and diverse workforce is a big component to having that level of understanding. And that’s why we push for a strong cyber workforce initiative.

SAFA SHAHWAN EDWARDS: I’m so happy that you mentioned the people component, because something we’ve always talked about is can we better protect technology if we don’t understand the exact users of technology, both, you know, the average users, but also those malicious actors as well, which brings me to my next question. What lessons have we learned in the recent years about our efforts in workforce development and in the space?

CAMILLE STEWART GLOSTER: So many lessons. I mean, the biggest one is this is a shared problem across the public sector and the private sector. So the strategy—we are endeavoring to write a cyber workforce education and digital safety awareness strategy. That is a mouthful. But it is to cover all of those things. We want to talk about the challenges in the federal workforce, the challenges across the national workforce, how those interplay with each other, how an education-and-training apparatus that is robust and thoughtful and isn’t limited to just four-year institutions but leverages also four-year institutions to educate and train our workforce is really important.

And then also how do we think about digital safety awareness so that we raise the collective level of cyber awareness across everyone that creates opportunity for everyone, but also it contributes to our security? While much of our conversation should be around how do we move the burden of security back to those best equipped, cybersecurity professionals and those in adjacent fields that have the awareness and the knowledge to combat the threats and capitalize on the opportunities, we also need to raise the collective level of understanding so that we move our society in a direction where we’ve got the workforce to meet the seven hundred thousand open cybersecurity roles, but also such that we have a populace that gets how technology changes their lives every day, how it changes the nature of privacy and security and all of the things that we hold dear.

SAFA SHAHWAN EDWARDS: That’s awesome. And I think that the Biden-Harris administration has spent a lot of time and effort focusing on workforce, which honestly, for our team over here at the Atlantic Council, is so refreshing. How do you think that this emphasis on workforce development helps us better bridge the tech policy divide? What do you think that this means for impacting core policies?

CAMILLE STEWART GLOSTER: I think a more comprehensive understanding of the work available in this space will lead to better outcomes. To your point, the broad cross-section of understanding national-security jobs and what those are inside of that, all of those things is really important.

But tech roles, technology itself underpins anything and everything we are going to do. And so understanding how that interplays in these spaces that we have identified need for an evolving workforce means that there’s more opportunity for everyone, means that we are putting our national security first, putting our domestic security first. And we have the opportunity to capitalize on the opportunities.

One of the things that’s really important for ONCD as we have these conversations about technology and how the digital ecosystem evolves is thinking not only about the threat landscape, but what are the opportunities inherent in technology? There is a reason that we started to create all of these cool things to make life more convenient or to scale and to underpin the lives that we live. So how do we do that in a way that considers all of those factors, all of the people, technology, and doctrine factors to best leverage that, in addition to making sure that we’re as secure as we can be?

SAFA SHAHWAN EDWARDS: And how have you seen—how have you seen in the past few months that ONCD has since been established, how do you see the White House planning to engage with the public sector and the private sector, as well as civil society, on these different challenges?

CAMILLE STEWART GLOSTER: Yes. One of the things that our director, Chris Inglis, charged me with was to make sure that this was a whole-of-society strategy and we are doing just that. We have been very thoughtful and intentional about how do we engage industry, academia, our civil society counterparts, our international partners, and folks who are using technology every day to inform this strategy development.

Especially with the broad array of issues that we plan to tackle, we cannot do this alone. Like I said, it’s a shared challenge space and a shared opportunity space. So how do we have holistic conversations?

So we kicked off our effort with a cyber summit—cyber workforce summit in July when we brought in a bunch of industry and academia and our state and local partners to talk about what we needed from our cyber workforce and to catalyze this strategy effort.

We’ve since released an RFI where we were trying to get the broadest cross-section of folks to interject their lessons learned, the challenges they’re seeing, the opportunities they’re seeing, the programs that work, into our body of knowledge that will inform the strategy, and we got 146 responses. I’m so proud of that engagement because some of those reflect rolled up insights that folks contributed as an industry association, and so that reaches even broader than just 146.

And then we’ve also been having a number of engagements with universities. We went to Hampton University earlier this year and had a conversation with them and their students and their staff about the work that we can do to engage student populations and to leverage universities as part of an ecosystem driver.

And then we’re going to Whatcom this week, actually. That’s why I’m not here in person. But we are going to have a conversation about how does a community college sit at the intersection of regional cyber awareness, regional technology awareness, and how does that catalyze and support the work that’s going on on a local or regional level.

So we’re trying to be very thoughtful about the ways we engage and create a number of opportunities to plug into this process.

SAFA SHAHWAN EDWARDS: And it’s really helpful to understand how you all have made a concerted effort to engage, like, civil society and academic institutions. On the other end of the spectrum, how do you see ONCD collaborating with the tech community and building that—while also building that capacity, at the same time trying to make an effort to increase the diversity of contributors in this space?

CAMILLE STEWART GLOSTER: Yeah. So the most fun thing about my portfolio is I both have cyber workforce education and training and emerging tech supply chain, the intersection of human rights and technology, privacy—all of the future-looking pieces of the technology landscape.

That allows for some very interesting and, frankly, forward-looking collaboration that can inform that work. So not only writing a strategy that is informed by things like quantum, like Web3, space, and how we’re thinking about what security needs to look like as those things change what the internet looks like today.

And so that is a way to engage the technology community. But we’re not stopping there. We don’t want to engage the same players exclusively. Yes, the big players must be a part of the conversation, but we want to make sure civil society, academia, the small players, the innovators.

What the internet and what technology looks like tomorrow is informed by the person who has an idea, creates a thing, and creates a business, or is an innovator within their organization, and we want to make sure that they are a well-integrated part of the conversation.

How does venture capital play into that? How does philanthropy play into that? So we want to have a more holistic and fulsome conversation.

And so having those two sides of the portfolio really allows for a broader conversation on those things, and as we take on initiatives on the technology security side of the portfolio we also will pull that into what does this line of effort mean for our education and training aspirations? What does it mean for our digital safety awareness aspirations? And is this a place to have a conversation that engages more people?

I mean, if we’re having a conversation about quantum, there is a class of people who want to understand what that means for their lives in the next five to ten years, and that’s a great awareness-building opportunity. Same thing for crypto and Web3. There are a lot of opportunities to engage in a meaningful conversation.

And, you know, how do we move conversations that are happening today like open source to Web3? How do we make sure that we’re thinking about it in that context?

And so the technology community will be highly integrated on both sides of the portfolio and that coming together under the technology and ecosystem umbrella really allows for a lot of collaboration and cross-pollination.

SAFA SHAHWAN EDWARDS: I like how you mentioned that—essentially, that throughline of individuals, when they are students or when they are innovators, at these different companies, and figuring out what that throughline is and how do you engage them regardless of where they are on that path. Which reminds me of how, like, you’ve had this very impressive career in both—you know, in and out of government. This is a little bit more about your throughline. What have your last few years in the private sector and the launch of hashtag #ShareTheMicInCyber—how has this approach informed your approach to this current role and moment?

CAMILLE STEWART GLOSTER: Yeah. So the nice thing about my work at Google is I was very connected to the individual user. All of our work kind of stemmed back to, how does this show up for our user? How are we thinking about protecting them? Yes, there are enterprise clients and others as well, but like, really down to the user. And that mindset, coupled with share the mic in cyber, which was an initiative to give voice to Black cyber professionals in the industry and leverage that kind of platform sharing that can happen when allies create space and create opportunities to engage a new audience, to catalyze action and catalyze effort.

So a lot of folks felt really limited or hamstrung or in-equipped to have a conversation, a meaningful conversation, about diversity and systemic inequality and how they can play a role in that. They felt like it was an organizational challenge, or an industry challenge, or a government challenge. And to an extent, it is. But there is a lot of opportunity to catalyze collective action through individual action. An individual manager, an individual employee can start a conversation, can create space for their peers across a number of different diverse attributes that open up the industry in a way that drives towards a more collective and meaningful action.

And that’s what we saw in share the mic in cyber. So taking the observation, the realization, that individual action can really catalyze something big, and coupling that with that focus on the individual and understanding that in technology you really do have to individualize the narrative for it to resonate with people, those things are really informing the work that we’re doing in technology and ecosystem security and ONCD writ large.

SAFA SHAHWAN EDWARDS: It’s crazy how when we talk about systemic inequality a lot of people maybe feel a little hamstrung or they’re not really sure how to move forward, because it can be such a daunting task to take on. When in reality, it’s just—moving forward is just about taking little baby steps and little, itty bitty actions that make a huge difference for our entire community. And I think, speaking of, like, small actions or small things that we can move forward, is what is one partnership or policy action that you think could have an outsized impact on our ability to foster a technically literate workforce?

CAMILLE STEWART GLOSTER: Oh, a tech literate workforce is really key. Honestly, I want everyone to feel ownership with the strategy that’s going to come out. And so our goal is doing this work is to think about how we draft a strategy that connects to every stakeholder, so that you feel a call to action, your call to action is clear, it is well-articulated, and we can incentivize that call to action that we give you in a way that pushes you, or drags you along if your peers are leading, to do this work because, quite frankly, the market is changing. Technology is not going anywhere. So we all need to understand it.

So as we think about how technology underpins each of our lives every day, and we keep having that conversation, that needs to translate to how you think about work and life and how that moves through that. And actually, work and technology moving through your work is actually a great way to get people to think about technology broadly, right, and how it changes their privacy, how it changes their security, how it changes their lives, the tradeoffs they’re making.

And so I don’t know that I could call out any one group, but I think the thing that will make this different and is essential to its success is every stakeholder group feeling some connection, because it really, really will take industry, academia, state, local, tribal, international, individual—like, everybody’s partnership, education institutions, training deliverers. I mean, it really will take everyone to see this through. And so I think that’s actually what makes this very unique, is you cannot look at one place on the cyber workforce life cycle, or the tech workforce lifecycle. We often see initiatives that focus on pipeline, or focus on senior leadership.

And truthfully, to make meaningful progress, you have to focus on the entire lifecycle, because new entrants see middle and senior folks that look like them thriving in the industry, and that drives them to do more work. Broader conversations about technology and cyber means there’s more opportunity for more communities because they’re aware of it. And there’s just this feeding funnel that happens. And so I don’t know that I could pick one group; I just need to go find all of you…

SAFA SHAHWAN EDWARDS: I like how you talk about that, though, because it’s—we always talk about a talent pipeline, when in reality it’s more like a flywheel or like a pinwheel, where it’s like it’s a continuous cycle of engaging people at different stages in their career. Every single organization or person is engaging with a different part of that community or part of that cycle, and that’s OK, but it’s just a matter of trying to extend that so that we’re better reinforcing one another’s efforts.

CAMILLE STEWART GLOSTER: Exactly.

SAFA SHAHWAN EDWARDS: So your team just wrapped up a sprint on apprenticeships recently. Are there any insights that you can share with us on that recent sprint and lessons learned?

CAMILLE STEWART GLOSTER: I’m so glad you brought that up. So as part of the Cyber Workforce Summit, we launched in partnership with the Department of Labor and Department of Commerce a 120-day cybersecurity apprenticeships sprint. That is an important tool to getting diverse participants into the cybersecurity industry. We’re seeing a lot of pickup on apprenticeships bringing new voices, new communities into different careers, and so having one focus on the cybersecurity space was really important. We saw over seven thousand apprentices getting hired, over a thousand of whom were from the private sector; 42 percent were people of color and 32 percent female of those private sector apprentices. That’s huge. Part of the sprint—27 percent of all cybersecurity apprentices were people of color and 28 percent women. So it really reflects the impact that this sprint can have and how public-private partnerships, working together to really drive community-based organizations to engage diverse populations, can help us in achieving our desired outcomes.

Over two thousand organizations and career seekers expressed interest in learning more about registered apprenticeships, so the work doesn’t stop here. The DOD endeavored to build the biggest apprenticeship program of all of our participants and so what we’ve seen out of the DOD is huge and I think there will be a lot more work for folks to get into the Department of Defense through apprenticeships. And so we’re really just heartened to see how engaged our private sector partners have been in this initial launch, how much opportunity there is through apprenticeships. And it’s a great tool. It should not be the only tool, by any stretch of the imagination. As you can hear from our strategy, we recognize that this has to be a multifaceted engagement model and we’ll need to leverage a multitude of different tools, but apprenticeships has shown itself to be a really strong one for engaging diverse communities and for bridging that training gap that we’ve seen, right?

So much of the conversation around tech and cyber roles is that we want folks to have security clearances and certifications that are well—that have requirements well beyond entry-level years of experience. You need five years of experience to get a [Certified Information Systems Security Professional (CISSP)], and it’s an entry-level requirement. It’s not—that’s not feasible for anyone entering into the market. And so apprenticeships is a great way to help reorient the market to understand what their needs really are based on skillset and move us more towards skills-based hiring. So we’re excited by the results and the engagement and the interest in apprenticeships and we anticipate seeing a lot more of that as we continue to move towards an actual strategy and then how we implement that.

The other thing that I’ll say that’s related because I mentioned implementation but is not directly related to apprenticeships is in the strategy development effort, a big part of what we want to do is focus on having a strong implementation mechanism. So often you see great initiatives fall because there is no apparatus for accountability, for driving it forward so that it outlives whoever is sitting in the seat. And that will be a key piece of this work is figuring out what an appropriate and long-term implementation model is, such that this work continues on as things evolve.

SAFA SHAHWAN EDWARDS: I’m so happy you explained this some more because it’s something we talked about. While I work with post-secondary students in academic institutions, that’s not the only way to start a career in cybersecurity, and it’s so exciting to see the attention and resources being devoted to trying to ensure that we meet talent where they are and that we try to figure out where we could put them into that pipeline to get them into these critical roles.

But like you mentioned earlier, you have a really fun job where you are dual hatted in a way, where you handle a lot of the tech ecosystem work but also the workforce development. On the other side of the house, on the tech and security side, what’s going on there? What are some exciting things coming down the pipe?

CAMILLE STEWART GLOSTER: Yeah, so we are on the cusp of a lot of really cool things. My first few months have been focused on hiring. I need smart people in deep to do this work. We have had some great hires recently, and so I’m excited to really dive into the fullness of some of the work that is on our plate. We will be focused on the intersection of space and cybersecurity. We have an open-source software security initiative that we began earlier this year—that the first phase of it is wrapping up.

We were really focused on, what is the federal government’s role in helping drive open-source software security. And now that we’ve kind of gotten a lay of the land and the opportunities present for the federal government, how do we also continue to drive that forward and, from our perspective, really future-proof that conversation? How do we make sure that we’re having the conversation in contexts that matter?

I think earlier I mentioned how do we think about open-source software security in the context of Web3? How do we think about the evolution of that, right? Web3 is going to continue to be designed by this collective contribution model that is open source. And so are we thinking about that proactively?

We’ll be working on climate and EVs and the security implications there. We’ll be working on quantum. There’s lots of work there. Quantum internet means a lot of great threats, and opportunities. So what are we doing to make sure that we’re prepared and that we’re leveraging all of the opportunities inherent in what quantum computing can do for how we predict vaccines and predict threat models and all of these things? There’s a lot of good work that can come out of that. So how do we both prepare for the threats and the opportunities?

SAFA SHAHWAN EDWARDS: I have so many more questions about all the cool work that ONCD has underway, but we are coming up on time here. And I’d like to ask one last question.

So earlier today we had a panel on the Freedom Online Coalition. Can you tell us a little bit about the connections between your work and these conversations on how democracies can collaborate globally to keep the internet free, open, secure, and interoperable in the face of mounting threats?

CAMILLE STEWART GLOSTER: Yeah, so I think I mentioned earlier that thinking about equity and human rights issues in the context of technology is a priority for us as well, and Freedom Online Coalition is a great tool and vehicle to do that—to collaborate with our partners to really think about what democracy looks like now and in the future, and how technology underpins that.

I attended the meetings on the margins of the Group of Seven to talk about that very thing, and one of the things that we’re seeing is there’s a real need for that federal coherence to then inform that international dialogue. The ONCD will really be thinking about and driving how we all come together as a federal ecosystem—bring in the private sector perspectives to inform that work on democracy in the context of the internet and technology and how it’ll evolve over time.

So there will definitely be work in partnership with State Department and other interagency partners to think about what are the national-security implications, the economic implications, and the human rights implications that should inform democracy in the future.

SAFA SHAHWAN EDWARDS: Excellent. Thank you so much, again, Camille, for joining us today and especially for lending your expertise and insights at this year’s 360/StratCom.

CAMILLE STEWART GLOSTER: My pleasure. Thank you for having me, and I’m looking forward to the next opportunity to engage.

Further reading

Report

Dec 6, 2022

An introduction to the Freedom Online Coalition

By Rose Jackson, Leah Fiddler, Jacqueline Malaret

The Freedom Online Coalition (FOC) is comprised of thirty-four member countries committed to advancing Internet freedom and human rights online.

Digital Policy International Organizations

Image: Mathieu Thomasset / Hans Lucas via Reuters