These 10 exceptional women were selected as Power Players for their longstanding contributions to the IT security space. They've served as exemplary leaders in the community, ably navigating the ever-changing terrain of information security.
Ann Barron-DiCamillo, chief technology officer, Strategic Cyber Ventures
Betsy Cooper, executive director of the University of California, Berkeley Center for Long-Term Cybersecurity (CLTC)
Samantha Davison, security awareness & education program manager, Uber
Mary Hildebrand, partner, Lowenstein Sandler
Rebecca Richards, director of privacy and civil liberties, National Security Agency
Ann Barron-DiCamillo, chief technology officer, Strategic Cyber Ventures
Ann Barron-DiCamillo knows all too well how critical gaps in network security, combined with a lack of basic online hygiene, can lead to digital disaster. The former director of the Department of Homeland Security's US-CERT agency witnessed the damage herself last summer while conducting a joint investigation of the infamous U.S. Office of Personnel Management breach.
Having officially moved on from her role with the DHS, she's applying all she's learned toward her latest endeavor, Strategic Cyber Ventures (SCV), a new Washington, D.C.-based cybersecurity venture capital firm where she serves as co-founder and CTO.
Stepping into her new role last February, Barron-DiCamillo is now in a position where she can seek out and fund new, cutting-edge technologies that fill in those aforementioned security gaps that hackers strive to exploit. And if the developers behind such technologies happen to be women, all the better.
“I'm very lucky in that we have an opportunity to identify unique cybersecurity technology,” says Barron-DiCamillo, noting that all three founders of the VC firm have previous cyber operational experience – giving them an unusually keen perspective into the current threatscape, as well as solutions that could mitigate said threats.
“Obviously if it's a woman-owned business, I think that's a fabulous thing, and something I'd always encourage,” she says. But, she adds, she really is looking for best-of-breed technologies in undersaturated markets that are addressing some of these gap areas in network security.
To that end, SCV has already invested in its first technology, pumping $5 million into TrapX, a deception grid platform that in real time deploys decoy mechanisms that divert and trap online attackers, malicious insiders and APT groups. “Think about the old idea of a honeypot, where you try to bring in this adversary into a fake environment. It's taken it to the next level,” says Barron-DiCamillo, who once ran the honeypot program at the Department of Defense.
An investment from SCV is more than just an infusion of money, however. “We're not just giving them money. We want to partner and participate with them as a team,” Barron-DiCamillo says. She expects SCV's portfolio to grow to eight to 10 firms in the next couple of years.
Cybersecurity-focused VC firms are not necessarily unusual, but it is less common to find one with a woman in the CTO role. “I think both in the financial space as well as in computer science and engineering and specifically in cyber that it is more unique to have women in leadership roles,” says Barron-DiCamillo. “I would love to say I'm groundbreaking, but there are also so many amazing other women that have been there and have done it before me. So being part of that cadre of women in this space is definitely exciting to me. But I'm more of the mindset that I want to increase that and I want to create a pipeline for other women to have these opportunities as well.”
Barron-DiCamillo's shift to the VC sector put an exclamation point on a whirlwind 2015-16, which notably featured the OPM data breach attacks that exposed the private information of almost 22 million former, current and prospective federal government employees. Alongside the FBI, the US-CERT under Barron-DiCamillo jointly investigated the breaches to determine their full scope and damage. In June 2015, Barron-DiCamillo testified before the U.S. House Committee on Oversight and Government Reform to report the findings.
Reports blaming the OPM attack on the Chinese government generated tensions between China and the U.S., leading the two nations in December to conduct their first-ever “High-Level Joint Dialogue on Cybercrime and Related Issues.” Barron-DiCamillo attended this summit in Beijing, where China announced the arrest of several individuals supposedly responsible for the incident and claimed the incident was a criminal, not state, plot.
Ultimately, Barron-DiCamillo's key takeaway from the whole experience is that basic network hygiene and security fundamentals are still in dire need of improvement. “Enterprises still have to address common network hygiene, common controls,” she says. “Again and again, we see a lack of strong authentication for user credentials. We're seeing a lack of network segmentation across networks. We're seeing a lack of [patching of] operating systems as well as applications.”
Just from addressing those issues alone, “you really see a significant reduction of vulnerabilities that can be exploited by adversaries.” – Bradley Barth
Betsy Cooper, executive director of the University of California, Berkeley Center for Long-Term Cybersecurity (CLTC)
If one were to look at Betsy Cooper's long list of degrees and accomplishments, discovering she is the executive director of the University of California, Berkeley Center for Long-Term Cybersecurity (CLTC) might come as a surprise, but it shouldn't as she always had an interest in security.
Cooper's impressive academic credentials start with a law degree from Yale University, to which she adds a DPhil in politics from Oxford University, a master of science in Forced Migration, also from Oxford, and a BA in Industrial Labor Relations from Cornell University.
However, despite having these definitively non-security related degrees, Cooper said there was always, buried deep down, a little bug of interest in security issues that she herself was not much aware of until she began working at the Department of Homeland Security (DHS).
“I was supposed to work on immigration topics, but there was some turnover in my department and I was able to explore some other topic areas and I discovered that I had a nascent interest in the security space,” Cooper says.
Cooper moved to Berkeley in September 2015 after she wrapped up her term of service with DHS. At the time she was not sure of her path or if she wanted to remain in Washington, D.C., but in the end took the position with the Berkeley Center for Long-Term Cybersecurity as a way to expand her base of experiences and help solve problems.
“Having spent much of my career seeking to understand and resolve homeland security vulnerabilities, it is clear that the best way to tackle weaknesses in security systems is through extreme preparedness,” Cooper said in a Center press release after assuming her position. “The CLTC is uniquely positioned not only to help us better understand existing cybersecurity challenges, but to help us prepare for a future of cybersecurity we have yet to even imagine.”
The Center is part of the Berkeley School of Information and is a graduate research and education community committed to expanding access to information and to improving its usability, reliability and credibility while preserving security and privacy. Cooper's areas of focus are: homeland security; cyber and information security; long-term strategic planning; privacy and civil liberties; and law and public policy.
The Center has three primary areas of activity and Cooper's role is to oversee and grow each. The first is the Center's research efforts where it distributes grants to groups working in cybersecurity. Second, she is charged with what she called engagement or working to let the outside world know about the Center's works through the media and its own print and electronic publications.
The Center's third “prong” is education. Here Cooper and the Center have set up cybersecurity training programs for women and minorities. She notes that while the program was not challenging to get off the ground, one of the difficulties has been creating an enticing curriculum.
“We provide people with the basic training that is needed to get started – such as explaining what Tor is and the difference between HTTP and HTTPS,” Cooper says.
Before moving to Berkeley and focusing her efforts on the world of cybersecurity, Cooper worked in a variety of positions, her last at the DHS where she served as an attorney adviser to the deputy general counsel and as a policy counselor in the office of policy.
Cooper's job trail also looped through Europe where she managed projects for Atlantic Philanthropies, in Dublin; the Prime Minister's Strategy Unit in London; and the World Bank. During this period she also found the time to write more than 20 manuscripts and articles on U.S. and European immigration and refugee policy, as well as a book, Europe's Security Solution: Can Immigrant Integration Really Prevent Terrorism.
Berkeley was more than happy to have Cooper come on board. “We are excited that Betsy Cooper has joined us at CLTC,” Steve Weber, faculty director of the CLTC and professor at the UC Berkeley School of Information, said at her hiring. “She brings an outstanding record of leadership and intellectual engagement around security issues on the internet and other areas.”
One of the challenges Cooper says the cybersecurity industry and the nation must face and overcome is what she called the perceived tension that exists between those backing the need for more privacy and those looking for more security.
“We can keep something private and keep it secure, but the general feeling is these two ideas are not compatible,” she says. – Doug Olenick
Samantha Davison, security awareness & education program manager, Uber
Uber has created a roadmap for achieving a more digitally secure business and its new security awareness and education manager, Samantha Davison, is charged with making sure employees go along for the ride.
Davison joined Uber in July 2015, three months after the company's newly hired CSO Joe Sullivan initiated a major expansion of its security workforce that saw the department jump from a small core group to around 100 employees. Davison's position didn't even exist prior to her arrival, meaning she would play a critical role in developing a brand new training program that ensures Uber's global workforce adheres to best information security practices, including email, network and mobile security.
Uber's worldwide operations are comprised of more than 360 city offices in over 70 countries, employing over 7,000 full-time workers, plus contractors. Despite contending with a diverse range of cultures and geopolitical environments, Uber must achieve consistency in how employees behave digitally. That's why compared to other business environments, Uber presents “the biggest security awareness challenge, especially from an information security perspective,” Davison tells SC Magazine.
“Most security practitioners create a base of material that they try to push out to everyone, but that clearly isn't the way that we can operate here,” says Davison. “Aside from the cultural nuance in how people like to learn and interpret information, and what incentivizes them to learn or change their behavior, we also have offices where just the way that they actually operate from a security perspective is very different. Our offices in China are behind the Great Firewall so their security needs to be provisioned differently than we have here in the United States.”
Fortunately, analyzing and influencing behavior is right in Davison's wheelhouse – considering she earned her B.A. in sociology/anthropology from St. Olaf College in Minnesota. Her favorite behavioral scientist is B. J. Fogg, who was known for his insights into how computer technologies can persuade behaviors. “To summarize one of his theories: If you want people to change the way they do things, you have to give them actions that are small, easy to do, and that they're highly motivated to do. That's the way we structure our entire program,” says Davison. Employees can read an infographic or a guide, they can watch a short video, or they can attend a workshop.
Shifting from B. J. Fogg to a little B. F. Skinner, Davison's security awareness program also employs positive reinforcement tactics by awarding points to employees for completing training activities as well as for performing responsible actions like reporting spear-phishing attempts. Points ultimately earn rewards, creating an incentives program designed to engage Uber's millennial-heavy workforce.
Davison and the Uber security team are also deploying a new digital platform on which employees can more easily track reward point totals, and efficiently report security threats. Eventually, the platform will also send employees reminders to update their browsers, apps and privacy settings.
Davison, previously a security analyst at Target and The Toro Company before serving as EVP at security awareness firm Secure Mentem and director of product at workforce security company Apozy, is monitoring the success of Uber's program using four key metrics: employee knowledge, behavior (there are eight specific behaviors Uber looks for), engagement and reporting of security incidents.
The next phase of Davison's program may be the biggest challenge of all: Uber is now gearing up to introduce security awareness to its fleet of drivers – a massive undertaking that will seemingly have significant mobile device and app security implications (Davison was unable to elaborate further on this forthcoming development).
Outside of information security, the other four cornerstones of Uber's security program are threat operations, physical security, trust and safety (specifically for drivers) and fraud.
Davison, who at one point during her anthropology education went to Bangladesh to study gender issues, says that she “never felt like I have been blocked for advancement within the field as a result of my gender. Every team that I've worked for has been wonderful.”
Still, there is no question that cybersecurity remains a male-dominated industry. Davison spoke like a true behavioral scientist when suggesting that one of the root causes of this trend may actually be the negative way women talk about the experience of working in cybersecurity. “Clearly there are areas of improvement…but I think it's really important to highlight the positives if we want to encourage more women to consider joining the cybersecurity field.”
She believes a lot of that boils down to framing. “If you frame being a woman in security as full of hardship and challenge and that the men aren't accepting, I think that not only impacts the women looking to join the security field, but it impacts the women who are already in the security field,” she says. – Bradley Barth
Mary Hildebrand, partner, Lowenstein Sandler
Some time during the 16 years that Mary Hildebrand worked for a regional law firm in New Jersey, computer law was born and the Duke graduate began to amass knowledge in computer and IT contract legal issues.
She continued to build on that expertise as a partner at Goodman Proctor where she handled technology transactions for private clients. But it wasn't until she joined Lowenstein Sandler as a partner 10 years ago, she says, that at the behest of clients she became interested, then immersed, in privacy and security.
“Clients began to ask questions about how they could monetize the data they were collecting,” says Hildebrand. And that raised a number of privacy issues.
At that time, the nascent privacy field was hardly even a discipline. Some sectors – like financial and healthcare – were ahead of the pack because the data they had to protect was extremely sensitive and their industries were already heavily regulated.
“It was siloed,” says Hildebrand, “but now it cuts across everything.” The field, and the questions it raised for private clients, piqued her interest and she saw “another opportunity to be a trusted adviser.” Her expertise in shepherding transactions through legal channels translated well in this emerging area of law as she helped clients build privacy into their strategic planning.
While Hildebrand says “gender hasn't influenced my decision to do this,” she acknowledges that the timing of privacy law's ascendancy couldn't have been better for women. “I started practicing law 30 years ago and for years I was the only woman in the room,” she says, “but in the privacy space there were more women, more opportunity.”
That's in keeping with the findings of an International Association of Privacy Professionals (IAPP) 2015 Privacy Professional Salary Survey that showed the two genders have reached a certain parity in the privacy arena, pulling down roughly equal salaries and experiencing similar career trajectories.
There's no shortage of work for women who decide to enter the information privacy arena. Because lawmakers have yet to craft an over-arching federal law that deals with privacy, organizations must navigate a bundle of state and local laws. While Hildebrand says that a “sectoral approach has matured,” there's an urgent need for a single federal law and common lexicon.
“I help companies understand privacy, to a large extent it's part of strategic planning,” she says. “Companies don't realize with their products and services offerings to what extent they depend on data.” They need, she explains, to be clear on “what data they're collecting, how it is used and how it will be used.”
That's where Hildebrand comes in, advising on how a company can do “privacy by design,” or launch a new business model aligned with privacy laws in all the jurisdictions where it operates. She also helps organizations do privacy impact assessments on their business models, identifying how to comply with regulations and maximize benefits. “It's always a challenge.”
Hildebrand has distinguished herself as an expert on international privacy issues, expertise that is particularly valuable with the recent dismissal of Safe Harbor, the more recent fire drawn by the draft version of its replacement, the EU-U.S. Privacy Shield, as well as the adoption of Europe's General Data Protection Regulation (GDPR), set to take effect over a two-year transition period.
Keeping up with the nuances of privacy law on an international stage has taken hard work and drive, traits she picked up from her mother. “My mother was widowed early and we were very young,” says Hildebrand. “She didn't even know how to drive.”
But her mother ended up owning and running an apartment building. She was an extremely resourceful person, says Hildebrand, who instilled the idea in her children that “you can be what you want to be if you work hard,” calling her mother her first mentor. “She was also realistic.” Those are traits that helped the privacy attorney succeed and that she still values today.
Hildebrand also drew inspiration and found support from other women along the way, including Deborah Chapin-Horowitz, who for many years was a lawyer at Viacom, and provided Hildebrand with her first fair break as a client. “She was very kind to me and a good lawyer,” she says. “I learned a lot. She included me in meetings.”
Mary LoCastro, a partner at Deloitte Touche, served as another mentor. “At that time, there were not a lot of female partners in law for me to look up to,” she says. “The accounting firms had them and that's who I looked up to.”
Now that Hildebrand has had the opportunity to create her own team, it's very diverse, though she says she looks for skills rather than focusing on gender and race when hiring. That she has a diverse universe of qualified applicants to choose from shows just how far the industry has come. – Teri Robinson
Kathy Kirk, vice president of global information security, Prudential
An endless series of security challenges await those brave industry pros who toil to secure financial institutions' networks and information security. Financial institutions contain a massive trove of data about their clients, and have proven to be one of the most lucrative targets for cybercriminals.
Kathy Kirk, a longtime member of Prudential Financial's information security team, has seen her share of attempts to compromise the firm's security. Now a director of global information security at the insurance giant, she has a habit of speaking forthrightly about the tricky balance of enacting enterprisewide initiatives, and the impact of these initiatives on information security.
Like any seasoned security pro, Kirk has some impressive accomplishments under her belt, but doesn't rest on her laurels because another security issue is always around the corner. “I'm very proud of the role I played in the development of a vendor security assessment program before it was commonplace in the business world,” she says, but “one of my challenges is keeping up with emerging technology and associated threats.”
When Kirk was young, her mother told her she “could be anything, do anything as long as I set my sight on my goal and concentrated on achieving it.”
She sees “the truth of that philosophy” in the successes of the women executives who work at Prudential and in her own life and career, which started with a position “developing business continuation plans for a company in Boston.” From there she moved to a New Jersey bank, where she developed security controls for its distributed systems. “This was back when LANs were new and people didn't know how to configure them securely,” says Kirk.
After a stint at a large telecommunications company where she had “to build out the AD environment from a security perspective, roll out security awareness, and develop security policies, standards and procedures” she joined Prudential's security team “and I haven't looked back,” she says.
In the years since, a lot has changed, for security and for women. “Years ago my friends and family frequently asked my advice on how to protect their personal computers from viruses,” says Kirk, who explains when she got her start “there weren't many women in IT, so my role models tended to be men.”
She also “quickly learned that when women use the same language and posture as men, they may be perceived as aggressive, pushy or emotional.”
But, Kirk says, “fortunately, since then many more women have joined the field of IT and I've been able to learn from great women IT leaders and have served as mentors to other young women IT professionals.”
And the advice sought from friends and family now centers around different issues. “Now, they ask me about subjects like secure online banking, safeguarding their iPhones or protecting their identity from thieves,” she says, noting that security has broadened and consumers are becoming more guarded.
“Security and threats are constantly evolving and even though the bad guys are persistent, there is also a growing number of people working to protect people and systems,” she says. “As an added bonus, most consumers are learning more about security and are taking action to protect themselves.”
Kirk sees “many great opportunities for women today in everything from security architecture, network engineering, database administration, security analysis in roles ranging from developer to CIO” if they're willing to put in the effort. “I firmly believe that through discipline and focused work, women can achieve any goal in an IT career,” she says.
She encourages young women just starting out to “not be afraid to take a risk” and to remember that “mistakes are ok,” a lesson that sometimes takes a while to learn.
“I would also tell them to always work with integrity in all that they do; have passion for the work they do – and show it; and to listen to Ted Talks on security,” says Kirk. – Teri Robinson and Jeremy Seth Davis
Susan Landau, professor of cybersecurity policy, Worcester Polytechnic Institute
One of the benefits of forging a long career in public policy is the gift of experience: policy veterans develop a natural sense of expediency by observing policy arguments made during political cycles.
Susan Landau's interest in public policy was fueled in 1993 when the Clinton administration announced the controversial Clipper chip, an encryption device that used a cryptographic algorithm developed by the National Security Agency (NSA). The device was intended to protect private communications – with the notable exception of government law enforcement authorities.
Now a professor of cybersecurity policy at Worcester Polytechnic Institute, Landau hears some of the arguments made in support of the Clipper chip over 20 years ago again being used by law enforcement officials to propose methods to bypass end-to-end encrypted communications.
In fact, FBI Director James Comey's famous comments that terrorists are “going dark” nearly exactly echo comments made by former NSA Director Mike McConnell in the 1990s in favor of government backdoor access to encrypted communications. In March, Landau testified before the House Judiciary Committee, noting that “the NSA was complaining it was going deaf from encrypted calls.”
“What we need is law enforcement to develop 21st century capabilities for conducting electronic surveillance,” she said during her testimony before the committee. “Rather than asking industry to weaken protections, law enforcement must instead develop a capability for conducting sophisticated investigations themselves.”
She paved an unusual path to public policy advocacy after first notching up notable accomplishments as a mathematician and engineer – including the creation of Landau's algorithm, a set of rules that enabled the decision-making process for nested radicals.
Her first policy project involved a report on the industry's reaction to the Clipper chip, published by the Association for Computing Machinery (ACM). Landau ultimately became lead author of the report, “Codes, Keys and Conflicts: Issues in U.S. Crypto Policy.” The project brought her together with cryptography legend Whitfield Diffie and many other co-authors from disparate backgrounds – including industry groups, academics and participants from the National Security Agency and the Department of Justice.
Recalling the process of compiling all of the differing perspectives into the ACM paper, Landau says that the report “represented many different interests.” She and Diffie would later work together to expand on the information presented in the report and focus on their shared view of the dangers of the Clipper chip. This collaboration eventually grew into the 2007 book they co-authored, Privacy on the Line: The Politics of Wiretapping and Encryption. The book won the 1998 Donald McGannon Communication Policy Research Award.
In 2014, she joined Worcester Polytechnic Institute, receiving a joint appointment in the departments of social science and policy studies and computer science. Landau's transition to teaching cybersecurity and policy involved developing an understanding of the ways that people “think very differently in the policy world.” She had to learn about the political process. This meant learning that the most effective way “to introduce an issue is to the body politic.”
During her transition from an academic mathematical and engineering background to privacy and public policy, Landau says she needed to learn several new skills and materials, such as gaining an understanding of network operations.
Landau says, laughing, that she prepared in the standard academic way. “I read books, wrote papers and taught classes. There's nothing to focus your mind like having to teach a class on the subject at 8 a.m. the next day,” she says.
While Landau's transition to public policy helped her actualize new skills and abilities, it has also been a unique educational process for her students. “It's been a stretch for the students,” she says. “They are not used to thinking about engineering issues from a public policy perspective.”
Landau's next book, Surveillance or Security? The Risks Posed by New Wiretapping Technologies, won The Surveillance Studies Network annual book prize in 2012. This book articulated what would become her defining argument – the idea that government requirements for embedded surveillance in digital communications devices create new vectors of national-security risk in the long term.
She reiterated this idea during her testimony before the House Judiciary Committee hearing. “It would seem to be a fairly straightforward issue,” she stated, in referring to the FBI's request that Apple assist law enforcement by creating an update that would undo security aspects of its software. “But little in cyber is straightforward. Despite appearances, this is not a simple story of national security versus privacy. It is, in fact, a security versus security story although there are, of course, aspects of privacy embedded in it as well.” – Jeremy Seth Davis
Loretta Lynch, attorney general, U.S. Department of Justice
As unlikely as it might seem that the U.S.'s top prosecutor could turn out to be a significant force in shaping the future of encryption, Loretta Lynch certainly seems poised to do so.
The nation's first black female attorney general thrust her department into controversial twin frays over encryption and government overreach – by pressing Apple to unlock an iPhone 5c used by one of the San Bernardino shooters, as well as others that law enforcement authorities initially had trouble cracking on their own.
She acknowledged that getting to the information locked in the smart phones of suspected criminals and terrorists had plopped government and the private sector onto entirely new terrain, but praised the All Writs Act of 1789 – used by federal prosecutors to force tech companies, like Apple, to comply with orders to provide access to their devices – for its “wonderful elastic quality” that makes it applicable to current legal issues.
Tough, resilient, a champion of civil rights, the Greensboro, N.C.-born Lynch is the daughter of a Baptist pastor (Lorenzo) and a librarian (Lorine), who inspired her by example – among other things they participated in the Civil Rights Movement – to pursue justice and carve out a life in public service.
At the Women in the World Salon in Washington, Lynch referred to her mother as the “toughest person” in her family in a one-on-one with the event's founder Tina Brown. “She is a retired teacher and librarian. She has seen it all and she has stopped most of it,” Lynch said, attributing her preparation for a life of public service and a view that “you can do a lot for yourself if you're doing something for somebody else,” to both her mother's strength and a family steeped in preaching.
Indeed, with the exception of a couple of periods spent at law firms, the Harvard Law School grad has worked in the public sector, beginning in 1990 in the U.S. Attorney's office in the Eastern District of New York, and then as U.S. attorney for that district, appointed by President Bill Clinton, and after a short stint in private practice named once again in 2010 by President Barack Obama.
Lynch's storied and elongated confirmation process for attorney general took five months, three of those stretched out before the predominantly Republican Senate, after a relatively smoother pass through the Judiciary Committee.
Once the Senate's 56-43 vote installed her as AG, however, she got to work tackling a number of high-profile issues, including curbing human trafficking, strengthening police and community relations and, most recently, suing her home state of North Carolina for trying to ban transgender bathrooms.
“I love this job and there is so much that I want to push through and cross that goal line until the end of this administration,” the New York Times quoted her as saying to Brown.
But it was the Apple iPhone debate that put Lynch on the radar of security pros concerned that the government was pushing the tech giant to provide a backdoor into its products, compromising security and setting a very dangerous precedent.
At RSA, Lynch repeatedly stressed that the Cupertino, Calif.-based tech giant had worked with federal prosecutors in the past and expressed “surprise” over the company's resistance to orders in New York and California, the latter centered on the San Bernardino iPhone.
“This is a very different position for Apple,” Lynch said, contending the company has historically done a “good job” of protecting customer data even while using it for marketing purposes and responding to government data requests. She charged Apple “to do what it always has done and comply with law.”
Lynch reiterated the government stance that the FBI's request for Apple to build a way into the phone used by shooter Syed Rizwan Farook is a one-off – even as similar requests are pending for numerous iPhones.
The immediate issues were resolved in the San Bernardino case and another in Brooklyn that centered on a password-protected iPhone confiscated during a drug investigation when third parties came forward and cracked the phone and provided a password, respectively.
While the temperature has been turned to simmer for the time being, tech pros and analysts expect Lynch and her team at Justice to continue to hammer at the issue to get a more definitive ruling to set legal precedent.
Lynch even made an impassioned plea during a keynote to the tech crowd at the RSA Conference in Las Vegas in March to collaborate with prosecutors and law enforcement. Industry and government working together is critical to successfully combating violent extremism, and the rise of the homegrown terrorist requires the collaboration of government and private industry, Lynch said, noting that going dark is a “very real threat” that tech must help thwart by preventing terrorists and criminals from finding the “safe harbor they seek within dark corners” of the internet.
Lynch has also been known to sing the praises of women and their contributions, as she did in June as a keynote speaker at the 20th annual Women's Economic Opportunity Forum at Vermont Technical College, hosted by Sen. Patrick Leahy (D-Vt.). “The prosperity and well-being of America is increasingly tied to the prosperity and well-being of Vermont women. In fact, we are the bedrock of the economy,” she said, according to VTDigger.org, paying tribute to “bold and fearless women, undaunted by opposition and obstruction.”
She urged the women in attendance to stand strong as role models for their daughters and granddaughters. “We need the contributions of all of you. We need your support, your energy, we need your active engagement,” she said. “We need people like you who are literally here on the ground.” Given her own path and accomplishments, that's advice that Lynch most certainly is qualified to dispense. – Teri Robinson
Angela McKay, director of government security policy and strategy in the corporate, external and legal affairs department, Microsoft
It's her long-range perspective, her insight into envisioning the big picture many years out, that enables Angela McKay to stay ahead of bad actors corrupting the integrity of the internet.
With more than 15 years of experience in the computing ecosystem, Angela began working at Microsoft in 2008. She served three years as a senior security strategist before attaining her current position as director of government security policy and strategy in the corporate, external and legal affairs department at Microsoft. In this capacity, she leads Microsoft's public policy work on cybersecurity, cloud security and norms, and on public sector use of cloud. “I work with an incredibly inspiring team of four professionals, and collaborate with Microsoft's teams across Africa, parts of Asia, as well as Europe, Latin America, and the U.S.,” she tells SC.
Much of her work in the last two years has been outside the U.S., she explains, “because governments recognize their dependence on cyberspace and are proposing strategies and legislative initiatives that seek to realize the benefits of digital transformation while also addressing risks to themselves, their economies and critical infrastructures, and their citizens.”
Angela, who holds a bachelor's of industrial and systems engineering from the Georgia Institute of Technology, has a keen sense of how different sets of policies and regulations in one country affect the landscape of international commerce. Values upheld in one nation are not necessarily prioritized in another, she says. For example, while the U.S. and Canada honor the guarding of intellectual property, France has less stringent regulations.
But these contrasts are all fodder for negotiation. “The idea of where there are agreements about what's acceptable or unacceptable highlights areas for collaboration,” she says.
In that capacity, she partners with security and government affairs leads in Microsoft subsidiaries around the world, and engages directly with other governments, industries, civil society and academia in meetings, conferences and multi-lateral fora, she says.
For example, on a recent visit to Japan, she met with and held workshops for Japanese government officials and participated in and spoke at three conferences – engaging with Japanese business leaders, legal professionals and diplomats on efforts to protect government and critical infrastructure systems, to grow the cyber workforce in Japan, and to use and manage security and privacy for cloud and the Internet of Things as part of the Tokyo 2020 Olympics.
“In my experience, work both domestically and internationally is more successful when we have a clear idea about what we are partnering to accomplish – whether that's collaborating with industry and governments to take down botnets, or convening to discuss the roles of states in conflict in cyberspace, having a clear purpose helps to drive us collectively towards meaningful outcomes,” she says.
McKay – a frequent speaker at tech events and chosen by Nextgov in 2015 as one of “The Top 10 Women Cyber Guardians You Should Know About” – has also been vocal about the need for IT security to move from its niche among techies to a vital presence in the corner offices and boardroom. It's the outcome that matters, she says. That means deciding in advance who needs to know what and what data should be exchanged.
She points to the work she is doing at Microsoft, called secure development, which tries to ensure that software reaches market without vulnerabilities and complies with industry standards such as ISO 27034-1, which specifies how to create a complete application with controls that can be modified and managed.
She and her team not only advocate on specific security public policies, but also contribute to a variety of capacity building efforts, including engaging with the International Telecommunications Union Development Sector to help countries build national cybersecurity strategies, with the Organization of American States to help countries better protect their critical infrastructures, and with the Global Forum on Cybersecurity Expertise to help promote coordinated disclosure of vulnerabilities, she explains.
“Realizing the benefits of industry 4.0, powered by cloud, IoT and machine learning, requires security and trust,” McKay says, “so we engage with public policy makers on a very wide range of topics, which can generally be grouped into a couple of broad themes.”
Whether policy makers are focused on securing government or enterprise systems, common themes in the discussions, she says, include public-private partnerships, cyber risk management, information sharing and incident reporting, data security and access, software assurance and supply chain risk management, and cloud assurance and certification.
And, as far as being a woman in a field in which men make up the majority? “Sometimes I hear about the difficulties of being a woman in cybersecurity, but in my experience, it's been both an advantage and disadvantage,” she says. “On a positive note, women in a male-dominated field are often more easily recognizable – we stand out in the crowd – and when we are thoughtful and add value, contributions may occasionally be more memorable.”
That said, sometimes, she points out, it can be difficult to know when and how to engage. “I've observed men and women take different approaches,” she says. “What I've learned is to work to be a little more assertive, to push myself, and ultimately to be more comfortable being a little uncomfortable,” she says. “Even then, it's quite important to be thoughtful about what is right at a particular time – being aware of the environment helps. I also apply this thinking as a manager for the people I am helping to grow and develop.”
But that's not to say the path was without obstacles. Early in her career while working at another company, she had two excellent, inspiring male managers and worked with many great people, she says, but a subset of the male staff made inappropriate remarks, sometimes about her appearance and sometimes about why she was taking work from “men who needed to provide for their families.”
“This instilled in me a commitment to recognizing people as individuals, appreciating differences instead of seeing them as barriers, and focusing on what and how people contribute,” she says. “It also reminded me to have a bit of grace and to try to demonstrate the value of diversity through experience in addition to speaking about it.”
McKay served in two official capacities as an adviser to President Obama: as a Point of Contact for Microsoft for the President's National Security Telecommunications Advisory Committee (NSTAC), which provides the President with advice and expertise to help the U.S. maintain reliable, secure and resilient national communications; and as chair and vice chair of the Information Technology Sector Coordinating Council (IT SCC), which focuses on critical infrastructure protection and cybersecurity.
In addition to official roles, helping develop the Cybersecurity Framework and advancing cybersecurity norms are two initiatives she worked on that were particularly impactful. “Working with different stakeholders in government and industry and from various sectors to develop the Framework was invigorating,” she says. “Even more rewarding is that it is being used by many companies, including Microsoft, domestically and internationally, and in different sectors, as a basis for conversations, investments and action to improve cybersecurity.”
She adds that she is also proud to be part of the team at Microsoft engaged on cybersecurity norms, “engaging with governments, industry and civil society to ensure that conflict in cyberspace doesn't escalate to a point that could undermine the value of our globally interconnected society.”
And, as far as advice to future women leaders? McKay says she is incredibly appreciative of the opportunities she's had to engage on the development of the future cyber workforce, and to encourage and foster diversity as part of that – gender, age, ethnic, experience, and educational diversity are all important.
“For a long time, I didn't consciously realize certain decisions I was making as I was over-investing in my career and underinvesting in my personal development,” she says. “Being more self-aware and more intentional about the application of my time has helped me feel more fulfilled and happier. For women, in particular, I think it can be hard to focus on or recognize our needs versus the needs of others – our organizations', our teams', our families', or our children's. So I encourage women, at all ages, not to lose themselves and to develop greater self-awareness, really exploring and learning what our priorities are, and refining those over time. We can then more consciously structure our lives, our careers, our jobs, and our time to advance those priorities, whether those are professional priorities or personal ones,” she says.
The other thing she encourages is for people to embrace their individuality. “I have found that when people take ownership and are proud of their uniqueness, they are more confident, and confidence is a powerful force.” – Greg Masters
Rebecca Richards, director of privacy and civil liberties, National Security Agency
Rebecca “Becky” Richards is all about privacy and civil liberties, but mainly privacy.
Richards is the first director of civil liberties and privacy for the National Security Agency (NSA), a role she took on in 2014. Her primary job is advising the NSA director on these issues while overseeing and developing new methods to improve the agency's privacy and civil liberties activities. In addition, this past April Richards was named the NSA's first transparency officer, a role she will handle concurrently with her other duties.
While Richards has more than 10 years of experience working in these fields, she started out along a different path. She has a master's degree in business administration from George Washington University and began her federal career in the Department of Commerce. However, it was while working here as an international trade specialist that she began to make her mark in the privacy field by providing input into the U.S.-EU Safe Harbor Accord.
Richards then moved into the private sector, acting as director of policy and compliance at TRUSTe, a global data privacy management company, but she soon came back into government service, working for 10 years in the Department of Homeland Security (DHS) in a variety of privacy-related positions, including acting deputy chief privacy officer and then senior director for privacy compliance. Here she was responsible for leading the privacy compliance process for DHS and its 220,000 employees.
Richards' primary position was created in the wake of the Edward Snowden leaks and she is tasked with the mission of protecting privacy and civil liberties along with allowing for as much transparency as is possible.
“My goal is to be as transparent with the public as possible,” Richards said in an interview with DODLive, the official Department of Defense science blog, a few weeks after her appointment. “Now, obviously there's a push and pull associated with that in the intelligence community, but I am committed to making as much information as transparent as possible. And also to make it transparent in a way that is accessible to the average person.”
To say her roles are complicated would be a massive understatement. As the NSA's watchdog for civil liberties and privacy she must ensure that the agency does not have its hands tied while trying to ferret out enemy communications, all the while making certain American citizens' privacy is not infringed upon.
Richards' complex job can best be seen in statements she made earlier this year during a briefing hosted by the Brennan Center for Justice. “Our employees are trained not to look for U.S. persons,” she noted at the conference. She was referring to Executive Order 12333, which allows U.S. intelligence agencies to collect information on foreign nationals. However, during this process the NSA can sometimes “incidentally” find itself handling information on Americans if their communications extend to someone in another country.
Richards' ability to parse this tricky environment is one of the reasons she was chosen for the job. “I've selected an expert whose background will bring additional perspectives and insight to our foreign intelligence activities,” said retired General Keith Alexander, former Commander, U.S. Cyber Command and NSA director, when Richards was first ushered into her post. “I'm confident that Ms. Richards is the right person with the right experience for the job. She will report directly to me and will advise me and our senior leadership team to ensure privacy and civil liberties considerations remain a vital driver for all our strategic decisions, particularly in the areas of technology and processes.” – Doug Olenick
Parisa Tabriz, security princess, Google
Her official title at Google might be Chrome security engineering manager, but her business card reads Security Princess.
That's because Parisa Tabriz thought her own designation would communicate better than the more conventional title with the colleagues she swapped cards with at trade shows and in office meetings.
When she started at Google, her official job title was information security engineer, which she thought “was a bit boring and not really meaningful,” she once told CNN.
So she changed it to Security Princess, a title she thought tongue-in-cheek at the time. “I've never been exceptionally girly or fit the stereotype of a princess, so it was a bit ironic for me to go by that name – and then it stuck!”
But no princess before has managed a team of engineers at Google who are charged with finding weaknesses in Google Chrome, the globe's most used web browser. “I've been at Google for almost 10 years, so even though I've kept the same self-appointed job title, my day-to-day work has changed a lot over that time,” she tells SC. She started as a software engineer in a team of what she terms hired hackers. “We had the broad remit of doing whatever we could to make Google's products more secure, which ended up being a mix of engineering, security audits, bug finding and fixing, and teaching other engineers about common security problems.”
Today, she manages 30 information security engineers who work to make Chrome the safest way to browse the web and push security on the internet forward, she says. “We collaborate heavily with a lot of other security teams at Google too, sharing technology and best practices wherever possible.”
The work varies tremendously, she adds, but usually includes staring at bug trackers, helping engineers get their work done, facilitating or making technical decisions and churning through lots of email and meetings. “It's been a long time since I've actually hacked ‘The Gibson,'” she says. (The Gibson was a supercomputer in the 1995 movie Hackers.)
Chrome has engineering presence in more than 20 international offices, so even Tabriz's day-to-day job requires working with people spread around the world. A lot of work happens over email, chat, video conferencing and other collaboration tools, she says. “Since Chrome is based on an open source project (Chromium), a fair amount of work happens on our public mailing lists, wiki and issue tracker.”
She also points to Google's desire to be a good citizen in the internet community, so, she says, her team is committed to working with standards bodies (e.g., IETF, W3C) to push security forward for the whole web platform, independent of what user agent people are using.
“Working with so many different people, from so many different organizations, and from so many parts of the world definitely presents challenges, but the benefits of being open and having the opportunity to collaborate with people in and out of Google far outweigh them,” she says.
The point, she says, is she wants to make the internet more secure and reliable to use, whether users are creating or consuming content and whether they are accessing it via a laptop, phone or internet-enabled toaster.
“With Chrome, we're always trying to lead the industry when it comes to software security,” she says. “I believe we've done this via advances in Chrome's architecture and sandboxing, automatic updates and engagement with researchers via vulnerability reward programs. These were all things that were pretty controversial when Chrome launched them, but are now considered industry best practice.”
Plus, Google is doing a lot of things today to help the migration process to HTTPS for more sites on the internet, she says. This includes adding features to Chrome dev tools to help website owners debug their own SSL configuration, bringing more transparency to the current state of HTTPS on the web (via Google's HTTPS Transparency Report Card), as well as working directly with sites to understand the hurdles they're facing, and then helping to remove those. “In parallel, we're also trying to make SSL ecosystem more secure, via projects like Certificate Transparency,” she adds.
Her role at Google today could not have been envisioned as she grew up in the suburbs of Chicago, where she has said she had little exposure to computers. In fact, she would not immerse herself in the computing field until her first year at the University of Illinois, where she at first intended to study engineering but soon found herself drawn to computer science. After matriculating with undergraduate and graduate degrees, and prompted by attacks on her personal website, she began research into wireless networking security and sought out privacy-enhancing technologies. A summer internship program with Google's security team while she was still a student evolved into a job offer once she completed her studies in 2007.
A co-author of several papers on such topics as privacy-enhancing technologies, audit frameworks and network attacks, she's been profiled in Elle and, in 2012, Forbes included her in its list of “Top 30 People Under 30 To Watch in the Technology Industry.”
Firmly established in the field, she relishes her position as a platform from which to promote hacking as a positive endeavor. Sharing her passion with teenagers at DEFCON, an annual science conference in Las Vegas, is just one way she does this. Girls are encouraged to take part and Tabriz encourages them to follow their dreams. The field is not just for males who are typically thought of as computer literate from a young age, she once told them.
“Security is an extremely interdisciplinary and applied field,” Tabriz tells SC. “We need all types of experience and perspectives to be working on the problem of making technology safe and trustworthy, so there isn't any single path to start working in the field. Of course we need a lot more technologists, but we also relish expertise from the humanities, law, policy and public communication. The sooner someone can start working on ways to make real software safer, the better, so I'd encourage young people to think about how they might improve the security of the technology they're already using, and go from there.”
In addition to her role as Google's “security princess,” in 2014, Tabriz worked on a few independent consulting projects with the U.S. Digital Service, a startup within the Executive Office of the President which aims to improve the usefulness and reliability of the country's most important digital services. During her first engagement, she advised on industry best practices for networking at the White House that the President and his staff use. “On top of technical advice, but just as importantly, I advocated for increased transparency, collaboration and agility in decision-making,” she says. “Security isn't just about computers, but people and the processes they create and use to work together. I tried to highlight some of the cultural barriers I witnessed in government that end up having a direct impact on efforts to secure technology.”
The Telegraph quoted a 16-year-old girl whom Tabriz had mentored at DEFCON: “Parisa is a good role model, because of her I'd like to be a hacker,” she said. – Greg Masters