News / September 2019

Kristin Berdan Joins CLTC as Fellow

Former lead cybersecurity counsel for Google will advise Citizen Clinic

The Center for Long-Term Cybersecurity is pleased to announce that Kristin Berdan will be joining our team as a Fellow. Kristin most recently served as lead cybersecurity counsel at Google; over the course of 15 years, she helped Google transform from a startup with no data centers of its own into a multi-billion dollar company with scores of data centers and the world’s largest and most advanced global computing network, operating in compliance with laws and regulations worldwide. Prior to her time at Google, Kristin held legal positions at Sun Microsystems and Lawrence Berkeley National Laboratory. She specializes in assisting high-growth technology companies to develop strategies to manage global cybersecurity risk and internet infrastructure-related regulatory challenges, and she currently co-chairs the advisory board of an internet infrastructure start-up company. Kristin received her BA in Peace and Conflict Studies at UC Berkeley and her law degree from UC Davis.

As a CLTC Fellow, Kristin will bring her rich experience to CLTC’s Citizen Clinic, which trains UC Berkeley students to help politically targeted organizations defend themselves against online threats. We asked her a few questions about her past work and her goals in working with CLTC. [Note that responses have been lightly edited.]

What will you be doing for Citizen Clinic?

I’ll be part of a cohort of mentors, people who are coming from outside the organization to help mentor the student teams as they work with the partner organizations. And I’ll be helping to scale and grow the program. It has had great initial success, and now needs to think about how to sustainably grow at Berkeley and have more impact globally.

How would you describe the work you did at Google?

I was a lawyer serving the engineering teams responsible for Google’s production infrastructure, including the data centers and the network connecting the data centers. Because of that, I also got to do a lot of interesting associated projects, like supporting Google’s quantum computing team. Over the past five years, I focused on information security. In that capacity, I was product agnostic, helping product teams that had security questions (whether encryption, surveillance, etc.). I was also dealing with Google’s own internal policies, as well as advising our public policy team in areas where regulation touched on cybersecurity.

What attracts you to the concept of Citizen Clinic?

What I find most appealing about Citizen Clinic is that it is a practical application of security principles and practices, and it gives attention to organizations that otherwise can’t get this kind of expertise and assistance over a sustained period—as opposed to just coming in saying, here’s the things you should do, and then leaving. The approach the Clinic has is pretty novel, especially compared to standard industry management consulting. It’s a very different perspective, and I want to help out where I can, leveraging my own expertise and network and general enthusiasm for jumping in and doing whatever needs to be done.

In what ways does the law apply to cybersecurity?

Cybersecurity and the law have a common foundation in risk assessment. For Citizen Clinic, you need to understand what the legal landscape is, and you have to do risk assessment to understand, where are the areas where the law might provide protection? Where are the areas where the law might actually impede one’s security? There are all kinds of interactions between the law and security that are sometimes not particularly obvious.

Security is often thought of as a technical practice, but there is an enormous policy component and an enormous human component. At their core, most security issues really end up at the human level, whether you’re talking about practice or policy, and those things are not purely technical. They are, how are you going to apply this technology? When are you going to apply it, and when are you not going to apply it? Is the technology that you’re hoping to apply even legal in this situation? There are multiple components to security that are not merely technical; there’s also the human factor and the policy side, which is where the lawyers come in.

What role can an institution like UC Berkeley play in tackling the cybersecurity challenge?

UC Berkeley is the ideal place for an organization like this because of all the resources the university has to offer. On the technical side, you have one of the top engineering and computer science schools in the country, and you have highly ranked policy and law schools that the CLTC can also leverage. Berkeley’s emphasis on interdisciplinary programs is also important. I think it’s a pretty unique combination that I’m not sure a lot of other schools can match.