This article is part of the series "[Podcast] Cyber & Tech Attorney Camille Stewart". Check out the rest:
Leave a review for our podcast & we'll send you a pack of infosec cards.
Get the Free Pen Testing Active Directory Environments EBook
Many want the law to keep pace with technology, but what’s taking so long?
A simple search online and you’ll find a multitude of reasons why the law is slow to catch up with technology – lawyers are risk averse, the legal world is intentionally slow and also late adopters of technology. Can this all be true? Or simply heresy?
I wanted to hear from an expert who has experience in the private and public sector. That’s why I sought out the expertise of Camille Stewart, a cyber and technology attorney.
In part one of our interview, we talk about the tension between law and tech. And as it turns out, laws are built in the same way a lot of technologies are built: in the form of a framework. That way, it leaves room and flexibility so that technology can continue to evolve.
Frameworks Reign in Law and Tech
Hi, I am Camille Stewart. I’m a cyber and technology attorney. I’m currently at Deloitte working on cyber risk and innovation issues, so identifying emerging technologies for the firm to work with. Prior to that, I was a Senior Policy Advisor at the Department of Homeland Security working on cyber infrastructure, and foreign policy in the office of policy. I was an appointee of the Obama administration. And then prior to that, I was in-house at a cybersecurity company. I worked in both the public sector and the private sector on cyber issues.
Today, we’re gonna be talking about the tension between law and technology, where a law takes a lot of time and inquiry to create something that makes sense and hopefully is impactful for years to come, whereas technology, it’s really about ideation and creating and bringing product and service to market as quickly as possible.
Tech people, they want law to catch up with technology. Lawyers wished tech people would understand the law a little bit more. And some have even criticized that the law doesn’t move as quickly as technology, and you have a lot of experience both as a cybersecurity attorney in Washington and in the private sector.
And I’m wondering if there’s a deeper divide between the two entities, and I’m wondering if you can share your experience with us in working with lawmakers as well as your experience in the private sector.
Yeah, so, I mean, I think one misconception is you don’t want the law to keep pace with innovation. There’s no way for you to legislate for future occurrences and for the ideation and innovation we’ve talked about.
You want the law to leave room and flexibility so that technology can continue to evolve. And so that’s kind of what has to happen. It’s frustrating that there are no legal recourses when an issue comes up, but you almost have to test those boundaries to figure out a framework to fit your bill to address issues that are coming.
So even the laws that we do build tend to be framework because we need to leave room for that innovation and ideation. And part of the tension between technology communities and lawyers and technology communities and the general public or the government is trust. So technologists don’t trust the government with the information that they have, and the government wants to build that trust desperately so that we can leverage the resources that are at the disposal of both.
You know, the government has a lot of insight and intelligence that they can layer over the tools and capabilities in the private sector, and if they came together, it’s great, but there’s this base level of trust and understanding of what each is trying to do that if we could bridge that gap, so much more could be done.
Is there a think tank or a non-profit or some kind of institution that can bridge that gap that you’ve seen develop over the past few years?
Yeah, so there are a number that are working on this, whether it’s issue-specific, right, “So let’s talk about surveillance and bringing people together around that.” “Let’s talk about a given issue and discuss that.” Also the government is trying that.
Organizations like DHS that work with the private sector quite a bit are trying to build those bridges and find ways to share information in a way that’s valuable to both the private sector and the government through things like AIS, the Automated Indicator Sharing system. And it’s gonna be a slow process.
Those trusts are bolted tight.
Private sector has coalesced together to build trust circles with their peers and people that they know doing work that they understand, and they’re sharing information that way. And those mechanisms have become pretty robust and helpful, but the government has to be able to be a part of that for us to really complete the picture, and that’s the work that’s being done, some through non-profit organizations, NGOs, but also through the government and the private sector starting to get into a room.
And then, as people move back and forth across lines, right, traditionally people were govies for life, or they were in the private sector. Now there’s more movement back and forth, and that’ll help build the trust as well.
Bridging the Gap between Law and Tech
What would you say to lawyers who need to understand technology and technologists that need to understand the law?
I would say at a base level, do the work to understand the content. Lawyers need to take the time to understand the technology, to ask the questions, understand what the end goal is, and understanding what the technologist is building and for what end user. And the nice thing is that a lawyer is likely the end user of many of the products that they’re speaking to understand, so they can easily understand that perspective. And then do the to work to understand how we got there, how the technologists built that.
And then technologists, on the other hand, need to be willing to have those conversations and those explanations and understand that lawyering of the past, there was the perception that lawyers were just gonna say no. Right? They’re risk averse, they aren’t gonna let you ideate and innovate, they’re just gonna shut it down. And that’s not really true.
My job as a lawyer and the jobs of lawyers at companies today, especially if they deal with technology and cyber issues, is to lay out the risk, understand the organization’s risk calculus, and to put the information in front of leadership so that they can make an informed decision and then help to build a cast-forward that calculates those risks, that mitigates those risks to the best of their ability and be ready to support the company in what they’ve done.
So, with that base level understanding and the willingness to do the work to understand, lawyers can be great assets to technologists because they can be translators, different communities, as well as the company builds out and understands what the risk posture is. It’s important to have all key stakeholders as part of that discussion, and lawyers are definitely part of that group.
So you talk about trust and doing your homework having a baseline knowledge of the other’s concepts and principles. What have you seen in your work that has worked that you’ve seen others reach over the aisle, and are you able to provide an example? And also, what doesn’t work?
I think the biggest catalyst for change is that things happen, right? So, a breach occurs, and you watch this organization scramble to figure out how to right itself after this big occurrence and realizing that the stakeholders that you were encouraged to have in the room initially were essential when this thing exploded.
And had you accounted for more perspective on the front end in a proactive way, it would have mitigated some of the risk on the back end or you would have been able to right yourself more quickly.
And so I think watching that occur has started a number of organizations and built a number of frameworks to help organizations get the right people in the room and encourage people to do the work to figure out where different players fall in the conversations that they’re having as an organization about how the security is evolving and how technology will be used and integrated in the organization. But I think that outside factors in this area of law and cyberspace evolving has done a lot of the work to encourage the collaboration that’s needed.