Meet Camille Stewart, Google's head of security policy for Google Play and Android, who leads the company's cybersecurity, privacy, election integrity, and misinformation policy. Stewart is an attorney and national security and foreign policy expert who recently authored the article "Systemic Racism is a Cybersecurity Threat" for the Council on Foreign Relations. The article explores the impact of systemic racism in cybersecurity and how to dismantle it.
Stewart recently spoke with Dark Reading executive editor Kelly Jackson Higgins about how systemic racism affects security tools, users, and organizations, and what specific actions security professionals can take to help create a more diverse workplace and industry.
Here is an excerpt from that interview.
Q: Cybersecurity has long had a diversity problem with gender and race. You have written about systemic racism in cybersecurity and how diversity can't be addressed until systemic change is addressed. Would you elaborate on that?
Stewart: Systemic change is what's necessary to really eradicate racism; that won't happen in one day. That's a long-term goal, so we have to be conscious of issues of race in the work that we do every day. I think in cybersecurity, we focus mostly on the workforce issue: We recognize that we don't see people that are diverse in our industry and in our jobs, but that alone is not enough. These societal issues, these issues of import to how we operate and move as people and as a society, directly wrap into and are inextricably linked to how we develop technology, how we implement systems in an ongoing manner, and how the cybersecurity industry will evolve. To ignore them means that we are leaving ourselves vulnerable to a very big threat vector. The most obvious one I think most people can connect with is the misinformation/disinformation problem.
We saw that Russia was targeting, in particular, African-Americans in the 2016 election around misinformation/disinformation. That problem is twofold: [African-Americans] are both a target for manipulating their narratives to exacerbate racial tensions and to sow discord in a way that further pulls them out of the system: self-selecting yourself out of voting because you feel disenfranchised, disconnected, and unheard.
But it is also a tool to exacerbate the polar ends. The far left is chiming in for justice, which is directly opposed by the far right, which says this is not really an issue. That makes them more at odds around something that should be a fundamental right for all people. It politicizes and polarizes something that we should all coalesce around.
I have not seen ... any comprehensive strategy or counter-narratives or anti-narratives that really focus in on this problem. It's not exclusive to Black Americans ... but it's happening in the immigration context, to disenfranchised immigrants, to veterans, and it's happening to a number of different demographics. So the narrative of the disenfranchised is easily being manipulated and weaponized this way, but we're ignoring it because it makes us uncomfortable.
Q: How can diversity be applied to cybersecurity tools, and how can it help make the tools more effective?
Stewart: Tools that don't contemplate how different groups will actually use them and perceive them ... tend to fall flat. Not to say everything has to be targeted to everyone. But you should know who your audience is, know use cases you're targeting, and you should understand how implementation – and particularly interaction – will change based on their lived experiences.
I think understanding that the tools you're building will interact with different groups differently and that race is an important factor, gender is an important factor, lived experience is an important factor, allows you to open yourself up to the fact that this might apply differently to different groups. You can set up the infrastructure that leverages the talent you have internally – who have different backgrounds – to expand or test those assumptions. Or you hire an external consultant to help test your product.
Quite frankly, the best solution is to have diverse teams.
Q: How does a lack of diversity hurt security? How would having more diverse perspectives within enterprises make them or the tools they build more effective?
Stewart: A good example is in a critical infrastructure company. If you are contemplating how to build resilient systems internally that will then affect a diverse consumer base – your critical infrastructure, whether it's water or electricity – how that [then] affects the daily lives of people who live in predominantly white suburbia versus a black suburban area, versus an inner city with a diverse array of socioeconomic folks, [these] things will be different: The city's ability to respond. The city's ability to mobilize around whatever your mitigation is. The impact it will have on how the children in the home are able to connect to school. The ability for the family to have a generator to back them up should the electricity go out. The ability to combat food insecurity if you've lost water, or electricity, etc.
All of those things change based on things like race and socioeconomic status. And if your mitigations don't contemplate for the diversity of your consumer base, you have a problem.
How citizens trust or don't trust the institution that provides them that common function is a big part of how they then interact with those tools and what permissions they give you, and how they elect to provide data and provide feedback to you. ... If you don't contemplate how folks will interact with you as an entity – but also with that tool and mitigation specifically – there will always be a gap.
Q: What can the cybersecurity industry do to foster a more diverse and inclusive space that attracts and welcomes diverse job candidates – and retains them?
Stewart: We need to be better at having hard conversations, and people need to be open to the difficult to the uncomfortable, because at the core of all of this it is about how we relate to each other and our willingness to stand in the gap for each other. I recognize that there are a lot of people who have a heart for these issues, so they are very empathetic and passionate and see that there is a gap and would love to see something happen. But not a lot of people have the stomach to do the work that it takes to bridge that gap and to create a more inclusive industry.
That requires your being willing to stand in the gap on an individual level and speak up when your co-worker is underleveled. or looked over in a meeting, or not included in something, or not given credit for some work that was done. That is holding your leadership accountable with incentives or structures that will empower them or encourage them to meet a target around making sure there are more women, black people, women of color ... in a given space in the company, or [that] the company as a whole is pulling in diverse voices.
We need to be individually active stewards of being antiracist and eradicating discrimination within our industry. I think a lot of people have a lot of empathy, but they're like, "I don't know what I can do," so they kind of separate themselves from the solution and say, "I hope it comes" rather than diving in every way they can, from the individual interaction, to what they demand of their company, to standing with a co-worker when they make demands of their company – even if they don't quite understand it.
When you hear people of color, women, any disenfranchised group, call out for a change or call out some kind of discrimination, that is not an easy thing to do. It doesn't bode well for them to call that out. Even if you don't quite understand it, stand with them because they are putting themselves out there in a way that does not benefit them by saying it. So putting out there your support for them is a big help and encouragement when they are standing alone in the middle of an industry that doesn't look like them and has not make space for them, and they are trying to call out for space.
Q: How do you effect change policy-wise?
Stewart: There are definitely things we can do from the pipeline, with more recruiting events.
[But] just focusing on the early pipeline, I think, we also do ourselves a disservice. If you do not have people midcareer and senior level who are visible for folks to see and who also have good stories to tell, all that work at the beginning of the pipeline is for naught.
You have to also focus on elevating and improving the experiences of our midcareer and senior career professionals who have stayed in the industry. These things from a policy perspective and in our current political climate that might be hard hold people to task to make those companies look more like their consumer base and look like the country they're in. Let it be more reflective.
We can have funders and investors and all the infrastructure that we used to drive change in the industry as a whole: Use those things to encourage that kind of change. As a funder, you should be asking for folks to have a representative staff at all levels, and as an investor you should be doing the same. There are a number of ways we can hold each other accountable.
Q: How has the COVID-19 pandemic affected diversity and systemic racism in cybersecurity? Does the shift to working from home provide an opportunity to move the needle?
Stewart: I think it's an opportunity for people. All of us being locked in our homes meant that we felt the murders of George Floyd, Ahmaud Arbery, and Breonna Taylor ... in a way that [pre-pandemic] we were moving through our lives, flying around, engaging with people – we were able to kind of feel in the moment and then we were able to dissociate ourselves from it.
That in and of itself is an opportunity ... the deep feeling of it.
Companies are also having to completely rethink their working models.
Now we have options to allow us to be sensitive to the fact that some of the places that we are asking people to live and work are not conducive to them thriving as individuals, and what you want is a workforce that feels comfortable where they live so they can bring their whole selves to work.
Stewart will lead a discussion session at Black Hat USA Virtual on "Taking Steps to Break Down Systemic Racism in Cybersecurity," in the event's Community track, on Thursday, Aug. 6, at 10 a.m. PT.
Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for details on conference information and to register.