Helping Activists Operating Under a Repressive Regime

EP 132: Helping Activists Operating Under a Repressive Regime

Our bi-weekly Inflection Point bulletin will help you keep up with the fast-paced evolution of cyber risk management.

Sign Up Now!

About this episode

May 23, 2023

How would you help political and human rights activists stay safe while using digital communications as they live under a repressive regime? One of us has been doing it for almost a year and he’ll tell you. Your hosts are Kip Boyle, CISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.


Episode Transcript

Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, Virtual Chief Information Security Officer at Cyber Risk Opportunities, and Jake Bernstein, partner at the law firm of K&L Gates. Visit them at cr-map.com and klgates.com.

Jake Bernstein: So Kip, what are we going to talk about today in episode 132 of the Cyber Risk Management Podcast?

Kip Boyle: Jake, hi. This is going to be a really exciting, but probably sober podcast because I've been doing this really interesting work lately. I would like to share this. It's pretty cool, and what I've been doing is helping activists who are doing their work under a repressive regime, that is to say in their country, they have a government that is not happy with what they're doing.

Jake Bernstein: That's interesting, Kip. And what's really interesting is when we were talking about this episode, I realized that though I can't give any details yet, I have also been involved in some very similar kind of pro bono projects relating to helping people conduct open source research about human rights violations. And it's more specific than that, but like I said, I'm not able to talk about the specifics at this point. So I know how that came to me, but the first thing I want to know from you is, well actually two things, why are you doing it, but maybe even more curiously, is how did you get into this?

Kip Boyle: Right. Yeah. Because I did not hang out any kind of an advertisement saying we'll help humanitarians for food or we'll help civil rights activists or whatever. Well, first of all, I just want to say just like you, I don't want to name the parties involved. I don't want to name who approached me, I don't want to name who we're helping because I'm concerned that that could actually undo some of the things that we're trying to do for them. So I hope everybody will forgive me as I talk around this.

But I've been working in cybersecurity for a long time now. I think I've mentioned 1992 when I was on active duty in the Air Force and my first commission involving cybersecurity was to protect data in highly classified advanced American weapons systems enhancement development projects. So air to air missiles, air superiority fighters, that's how I got into this. And it felt very purposeful that I was contributing to a very meaningful body of work. And then I left the Air Force and I'm working in the private sector and I'm helping to guard digital assets and enable online commerce and profit making and non-for-profit organizations.

And I've really felt like that has been meaningful work too because at the end of the day, it's about people's jobs, it's about being able to provide for their families because when a company, and we've covered many companies in past episodes, when they get hacked really, really bad, they can go out of business and then people lose their jobs. And I think the human cost is pretty awful. So that's been pretty meaningful. But this political rights activist, human rights activists who are working in a country where the government does not like them, it's a repressive regime.

And these activists are simply saying, "Look, we want democracy. We want to be able to speak freely." The things that Americans pretty much enjoy, things we take for granted that we can speak freely and we can move freely and we can assemble freely and so forth, and they can't do that, but they're trying to change their government. So there's politics, there's human rights. And the thing that makes this so dang meaningful for me is we're talking about people who can get arrested, tortured. There's all kinds of awful things that can happen to them if they're not careful.

And so my role over the past about nine or 10 months now is to help them do what they do and avoid being captured and oppressed. So yeah, it's really great. I'd say it's probably the most meaningful work I've ever been involved in. And I think it's really great that I get to use skills that I've honed in these other areas that I've worked in to help them make a difference. And I wish I could tell you the full story about who exactly reached out to me and all the details, but I don't think it matters in terms of just what I want to share today.

Jake Bernstein: I totally agree on that. And I'm wondering, so that's the why. Obviously you can't necessarily tell us how you got involved specifically in this instance, but let's talk about cyber risk management. What's one of the things that we always talk about is a threat model. And at the end of the day all cyber risks can be managed in roughly speaking, using the same techniques and concepts. So I think we definitely understand repressive regimes, how physically dangerous it can be. And this is one of those interesting, I don't know, deviations from what we often talk about, and what we've mentioned before on the podcast is like you've used that bank robber metaphor analogy before.

And we've talked about how one of the benefits of cyber activities is that you're not in personal danger as a criminal, right? Not in the same way that you used to be if you had to physically go in and rob a bank. Now what's so interesting to me is that here we are talking about cyber risk management where suddenly the tables are turned and it's activists who are in physical danger quite probably as a result of their activities on the internet. I mean, it's fascinating, it's humbling, it's sobering. But maybe talk a bit about what does this do to the way that you handle cyber risk management and think about these things?

Kip Boyle: Yeah. Well, thank you. That was a great setup for this information that I want to share. So first of all, I think it's important to think about their threat model. And I think you've done a pretty good job of talking about part of that, which is to say they're trying to use modern technologies to communicate and share information. The problem is that the governments have the means of control over a lot of that infrastructure, that their emails and text messages and voice phone calls travels over.

And I'll get to a little bit more of that in a moment, but in terms of a threat model, so what do they have to worry about? Well, they have to worry about being surveilled, they have to worry about being censored, and they have to worry about being on the receiving end of violence. So if they're surveilled and they pose a big enough threat, then the government could send out a police squad or a military squad to find you and to arrest you and to put you in prison. And God only knows what would happen to you after that. Possibly you tortured, possibly, you might die at their hands

Jake Bernstein: You just get killed.

Kip Boyle: Yeah.

Jake Bernstein: I feel like we may or I'm curious about a step that you didn't mention in that is, what about the identification step? They have to first figure out who you are, and does that even come into it? Is one of the things that we're managing here is how to keep people's identities safe and private, which is fascinating because when we normally talk about IAAA, we have a very different agenda. So it's interesting.

Kip Boyle: Yeah. So usually what we're trying to do when we're working on cybersecurity for corporations and organizations is we're trying to identify who is this person that's trying to enter our systems? Let's identify them. Let's challenge them with a multifactor authentication process. Let's make sure that they are who they claim they are. The situation that I'm working in is completely the opposite. We don't want the authorities to know who these people are, and we want to take great pains to keep them from being identified down to an individual level. But it turns out that a lot of, and this is just learning on my part, but I want to make sure people understand it.

It turns out that a lot of the political activists and human rights activists are known to the regime because these are the folks who, for example, used to be in the government before that government was overthrown or they were out outspoken people who just found that they were way more effective if their identity was known. And it's kind of like a Gandhi esque, nonviolence tactic where you stand up and you confront the regime using nonviolence and you end up in prison and house arrest and so forth.

There's plenty of news stories like that. But then you've got a lot of people who are trying to make a difference and they're not well known to the regime. And so they start with anonymity and they want to preserve that anonymity. And these are probably more the people that you might call like foot soldiers, the people who move around and get things done, organize protests, that sort of thing on behalf of the well-known outspoken activists who-

Jake Bernstein: Because if you're well-known and outspoken, you're probably being surveyed.

Kip Boyle: Oh, it's a given. It's a given that you're having to try to figure out how to communicate, knowing that you're being surveilled, knowing that you're being monitored, and really not having a lot of opportunity to guard yourself, just having small windows of opportunity to speak freely to your peeps. Anyway, so the threat model is about identification. It's about avoiding really awful consequences. And some people are going to be held in secret locations, they're not going to have access to attorneys or due process or anything like that.

Jake Bernstein: I would assume not otherwise. Just almost by definition, if you're an activist operating under repressive regime, you probably don't have right to counsel and due process.

Kip Boyle: Right. Well, and it depends on where you are in the... Because if the repressive regime still thinks that they can co-opt you and make a friend out of, you might have some rudimentary legal access. I think of in Russia, there's a fellow who is in a gulag right now, and he had pseudo legal access, but there was a lot of problems with getting a fair and impartial judiciary too to deal with is matter. But anyway, so let's focus on the people on the ground level, these so-called foot soldiers, because that's really most of the people that I've been helping, people who already have anonymity and they want to preserve their anonymity.

And they want to be able to move freely and they want to be able to organize protests, that sort of thing. Well, for them, the other thing we have to remember is unlike a corporation, they don't have a team of people that are helping them, rather, they're more like entrepreneurs is the way I think of them, because don't trying to do something big. They're trying to change the world, their world. They don't have a lot of resources. They don't have a big team behind them, they don't have a big IT infrastructure, and yet if they did, that would make them a bigger target. So they don't want that stuff.

Jake Bernstein: And they're probably not IT professionals, although some could be, but most probably are not.

Kip Boyle: A few. A few know something about technology. It's very uneven. What I've noticed is that most of them don't know anything about technology anymore than anybody else in any country. They know how to go get a mobile phone, they know how to use the mobile phone, but they don't really understand how the mobile phone works.

And so one of the things that I have to do is I have to teach them when you send a message to somebody in another country because you're trying to coordinate whatever resources or you want to get some news reports that haven't been censored, well, if you're not careful, there are all these hops along the way where your message at first it's just some data on your computer and then you use Wi-Fi, and now it's encoded in radio signal waves, and you better make sure it's encrypted, otherwise it can be intercepted as soon as it leaves your machine.

Microwave relay towers, fiber optics, copper cables, national gateways. I mean, there's all kinds of places, telecommunications, where your message can get intercepted by the regime because they control the infrastructure. And so I have to explain to them in a way that they can understand why this is so dangerous. And so a lot of the skills that I use to talk with non-technical senior decision makers in Western countries to help them understand what the risks are actually are broadly applicable in this situation as well.

So it's been very easy for me to pivot because my audience is similarly very interested and engaged with all of these technologies, but they really don't understand how they work at the bits and the bites level. And the real issue here is that, again, it's not just digital surveillance, but it's physical surveillance. So I have to teach them about triangulation and I have to teach them about how your hardware, like your mobile phone has a number burnt into its chips.

And your SIM card has a number that tells the telco that you're authorized to use the service for voice and for data, and that all that stuff can be used to identify you and to track you and the value of burner phones and the value of not bringing smartphones with you when you go to protests or you're going to go do meetups and at a secret location and you're going to talk to your fellow activists. And what happens if you're rated? What if you're home and the military, the police just suddenly shows up on your door and your smartphone's sitting right there and you've been organizing work with your smartphone, what do you do? You've got 30 seconds. What do you do? These are some of the problems that I've been helping them with.

Jake Bernstein: Interesting. Sounds like to some degree they're crash course in trade craft.

Kip Boyle: It is.

Jake Bernstein: Okay. So I mean, we've talked about a bunch of different concepts here. How exactly have you been able to help them, and what is your goal and role with them?

Kip Boyle: Right. Yeah. So my goal has been to create that awareness, "Hey, your mobile phone is a wonderful asset, but it's also potentially the seeds of your own destruction." Because you need to understand how the regime can monitor you. And if they really want to monitor you and you become somebody known to the regime, then they could put something like Pegasus on your handset, on your smartphone. And Pegasus is a very high end method technology for completely compromising your phone. So even if you use end-to-end encryption, which is one of the things that I teach them, Pegasus is going to be able to watch what you type before it ever gets encrypted.

So some of this stuff is extremely nefarious. And so helping them understand, "Hey, you've got some cyber risks here." And then from that springboarding and saying, "Okay, now that you've got cyber risks, let's get some plans pulled together." So for example, what do you do if the military bangs on your door and you've got 30 seconds to do something with your smartphone? What do you do? What's your plan? And then education. How exactly does a message to your patron in the United States, for example, wind its way through all of this infrastructure? And so yeah, plans and education. And ultimately what I'm trying to do is figure out a way for them to use all of this digital communications technology, but to do it safe.

Jake Bernstein: Very good. So you mentioned a few things, but what are some of the other things that you've come up for them to use? And I'm curious too, is how many of these things are really even unique to this use case? I'm betting that a lot of what you're about to say is actually widely applicable.

Kip Boyle: It is, and it's another reason why it's so gratifying that I can participate in this because I'm bringing so much of what I do anyway into this situation. So it's actually not a heavy lift for me except-

Jake Bernstein: I mean, I'm reading these this list and I'm like, "Wait a second, these are all very familiar to me."

Kip Boyle: Now the heavy lift for me is that sometimes I have to teach in the middle of the night.

Jake Bernstein: Like to see that. Yeah.

Kip Boyle: So I go to bed, I wake up at 1:00 in the morning, I teach for two hours and I go back to bed. So there's a-

Jake Bernstein: Okay, I have a question, I just realize something. By any chance, did they find you through LinkedIn learning courses?

Kip Boyle: I can neither confirm nor deny that. Sorry.

Jake Bernstein: Oh very good. Okay.

Kip Boyle: But I am a high profile person, it's not that hard.

Jake Bernstein: I was going to say it's not exactly... When you said teaching it's pretty clear that you've got these courses, people should check them out, free plug, but inaudible.

Kip Boyle: On LinkedIn, learning on Udemy. Yes.

Jake Bernstein: Yes. Okay. So we've got that. So you're teaching and this first one here is one that I'm very familiar with. Let's talk about that. Secure messaging app, that's important.

Kip Boyle: Oh my gosh, it's so important because if you just use text messages you're doomed because text messages have no security whatever. And if you are a regime and you've got total control over the telecommunications infrastructure, then you can monitor anybody, everybody. All you need is the technology to handle the scale of the communications. So this is not all that different from the kinds of systems that the US government put in place that Edward Snowden told us about when he released all his information. And so it just becomes a matter of data management at that point.

So yeah, I've been talking to them about Signal, I think signal's the best choice right now because even though there's WhatsApp and there's other choices, what we know about Signal is that first of all it's end-to-end encrypted. And we also know that they hardly log anything. And we know this because there's been subpoenas served to them in the United States seeking to get information for criminal investigative purposes and that sort of thing. Law enforcement's trying to find out who owns a signal account and Signal says, "Oh, look, hey, all we've got is here's the information that this person used when they signed up and I can tell you the last time that they interacted with a server, but that's it. I don't have anything else for you." And that's really important.

Jake Bernstein: It is. And I'm going to take a small detour here just to I guess philosophies a little bit about how... I'm almost positive that we have listeners on both sides of the fence on these types of issues. Some who might think that services like Signal are a problem because they allow criminals and potential terrorists to do the same thing. And it's just interesting to me how everything really depends on your point of view. Where do you stand? Where do you sit? And I think I would revise that viewpoint and just say, if you believe in privacy. Period.

And it doesn't even matter about what or and where, and you are principled about it, there is no privacy if it's, oh, privacy only if you're not a criminal. I mean, look nobody has to like criminal behavior, but you cannot consistently believe in privacy, but only depending upon your actions and depending upon the point of view of the authorities in any given moment. So I think that apps Signal are important. I think communication, freedom and privacy are important. It's the cost of freedom to some degree. Anywhere in the world, well, it's what we say before on the podcast is you can have security which is independent from privacy.

Kip Boyle: But you can't have it the other way.

Jake Bernstein: But you can't have it the other way. And not only that, but you can probably choose to have better security the less privacy you allow. I would say that's a true statement, isn't it?

Kip Boyle: Yeah. I think so.

Jake Bernstein: I'm just thinking through the complications there, so-

Kip Boyle: Yeah. The more security, the less known you are to people who want to surveil you. And so it's interesting because as I tell these political activists, I say, "Look, even as an American living in the United States, I'm surveilled all the time. The difference is that I'm being surveilled by people who want to sell me stuff."

Jake Bernstein: Surveillance capitalism.

Kip Boyle: But

Kip Boyle: It's the same technologies.

Jake Bernstein: It is. It is the same technology.

Kip Boyle: It's the same paradigm. It's the same concepts. I'm an entity using a digital network, and somebody out there wants to identify who I am so that they can do something, whether it's try to give me a targeted ad or whether it's trying to discover just how much of a threat I pose to their illegal government or whatever. So that's why these cyber hygiene practices are so portable is because of this. And it begins with things like end-to-end encryption, and then it continues on with things like virtual private networks which have to be attack resistant because there's so many junky, so-called free VPNs out there, consumer grade free VPNs that are awful in terms of privacy.

Yeah, they'll let you pretend that you are in the UK when you're really in South America because you want to watch a show that you can't get unless you're in the UK. That's fine. That's not about privacy, that's not about not wanting to be surveilled so that you aren't shown targeted ads or anything like that. That's just about accessing geofenced content, which is what a lot of people use VPNs for. And I don't have a problem with that. But if you try to use one of those junky consumer VPNs to actually protect your privacy or to stay safe when you could be arrested and thrown in jail because you are political activist, that's a completely different situation. And I have to explain this to them because it's not just about having a data breach here in the United States.

If I use the wrong VPN maybe I have a data breach and maybe my data gets compromised and it's annoying as hell, but for them it's life and death, potentially it. It's just so much more serious. So we have to get the VPN correct. We have to understand how to choose one. And I have to teach them how to use plugins in their browsers to be able to check how trackable they are when they use a particular browser and how much tracking cookies and that sort of thing. So if you are a privacy activist in the United States, this stuff is all going to resonate with you although it's for a different purpose. Using strong passphrases. You were going to say something? I was just going to keep rumbling on.

Jake Bernstein: No I was going to say I'm not sure that it's all that... I mean, all these issues and concepts are really just as old as government, which really just means it's as old as the first true human civilizations that are not just small groups of people trying to subsistence farm and hunt and gather. So these are issues that are thousands of years old and we're just facing them in a context of modern technology.

Kip Boyle: We've digitized old issues and because we've digitized them, they now have different properties and characteristics that we don't really understand because it's all very abstract and ethereal.

Jake Bernstein: Well, and it just hit me, and I'm going to take this moment to remind people because I do it often and I do whatever I can, but GDPR, Kip, the origin story of GDPR all I have to say is what if the Nazi regime had all of the technology that we have today. And I mean, that's a sobering thought and it should be. You should think about that, you should realize it's not meant in any kind of jokey sense at all.

Kip Boyle: Yeah. You're not being glib.

Jake Bernstein: No, I'm not being glib. This is a serious, serious thought. GDPR exists because of the European experience with Nazi Germany and truly the first big data processing activities. Yes, they were on paper and note cards and highly, highly organized and sophisticated systems, but it was big data processing just the same.

Kip Boyle: It was manual, it was laborious, it was Pen and Inc, but the goal for whether it was Nazis or whether it was the Stasi, the state secret police in eastern Germany, which some might say is something of a successor, but it was all about oppressing enemies of the regime. And so the Europeans learned the hard way that allowing data collection at scale by government opens up the opportunity for abuse and so they won't put up with it. And that's the origin.

Jake Bernstein: It really is. And I think that remembering that, certainly when your business and you're like, "Ah, why do I need to get these standard contractual clauses in place in order to transfer data?"

Kip Boyle: What a pain in the ass.

Jake Bernstein: It can be frustrating. It is a pain, but I mean honestly, I've really just done a 180 on this in the last probably five years overall in my career doing privacy is, it really is important and it really is critical to understand the history. So really like this is the same thing

Kip Boyle: I think it is. I think it's conceptually the same thing, we're just live living in a different age, but it's the nature of people, as you say, and government and power, that's all still in play. We're just doing it in a digital medium. Let me talk about some of the other things, and I won't belabor them, but some of the other things that I'm teaching, these political activists and human rights activists, strong passphrases to protect their online accounts, two-factor authentication to protect their accounts, using disposable email addresses and email addresses that don't have identifying information to preserve their anonymity or to provide pseudo anonymity.

And to be able to walk away from those accounts in a disposable way whenever they need to. Here's one of my favorites, avoid using public Wi-Fi, which is when I tell Americans and Europeans and just stay away from it if you're doing anything at all, because you have no idea. There's just no way to know if it's safe or not safe. The only thing you can do and be sure that you're okay it's just say no, just don't use it. Social media, oh my gosh, you have to be super cautious. There's a person on my team, and I'm not going to name names, but there's a person on my team who's very savvy at this.

And this person helps me prepare the plans and the materials and to make sure that I've got everything dialed in correctly. And this team member of mine has a lot of experience organizing using social media and has seen firsthand what happens when law enforcement is actually monitoring activists as they talk to each other on social media. And so you get things like the activists will say, "Well, we're going to have a protest on this day at this time, at this location."{ And when they show up to start the protest, the police are already there waiting for them. And they don't understand. "What? How did that happen? That's a crazy coincidence." No. No, it's not.

Jake Bernstein: No, it's not.

Kip Boyle: So there's some things you got to do on social media to be careful. And then like I said before, contingencies in case you are outed by the government, what if you need to go into hiding at a moment's notice? What do you do? How do you roll up shop digitally speaking? And then how do you resume your activities? How do you know that you can resume your activities if you're in hiding? What does that look like? And then, do you have to change the way you use these technologies now that you're known, but you've not been apprehended and you want to keep it that way?

And then the last thing that I'll just mention right now is just doing regular security audits to identify any new vulnerabilities, either because the state has developed new methods of tracking you or technology has changed and it's opened up a vulnerability. I mean, we talk about how important it is to patch our servers and all we're doing is just trying to sell stuff over the internet, but if you're a human's rights activist and you're not patching your systems, oh my, that could turn really bad.

Jake Bernstein: And as we wrap up this episode, my last question for you is how have you been training them? It's not like we can't just do our standard, "Hey, everybody's signed into this Zoom call." With everything in the open, et cetera. So obviously I assume you're using something like Zoom, but it's not that simple, right?

Kip Boyle: Correct. These trainings have to be done in secret. They have to be done in a way that where we don't have somebody from the regime participating somehow. And that's easier than you think if you're not careful because if we're using Zoom or Teams or whatever it is, there's lots of different choices, but they all kind of work the same. You create a meeting, you've got a passcode, you've got call details. Okay, well now you need to get these into the hands of the people who you want to attend.

And now you got to figure out how to keep people you don't want from getting in there. And during the COVID pandemic, we talked about Zoom bombing. So people who would just force their way into a Zoom call and start harassing the participants. Well, of course what's going to happen here is that someone's going to force their way into the call and they're not going to say anything. They're just going to record, take notes. They're going to try to figure out who everybody is. And so when people come into these training sessions, they're coming in pseudonymously, which is to say no video turned on, their typewritten identifier is something that has nothing to do with their name.

Sometimes they won't talk because they don't want their voice to be recognizable and so all they can do is type. And then we're not working in the English language primarily. We've got people who are, again, these people on the ground, these foot soldiers, and their English is not expert enough. So we have to have a real-time translation. All the training materials have to be translated in advance. And so there's a lot of logistics that go into this.

If somebody's participating in the training and they get a knock on the door, they have to jump out of the training. And then the question is, well, when can they come back in? Can they come back in? So there's a lot of rules, a lot of nitpicky kind of procedurals that have to be sorted out in advance. Code words, that sort of thing. So those are all the different things that we do. And I just got to tell you the air kind of crackles with anxiety when we do this.

Jake Bernstein: I bet. Okay. Sorry, I lied. I have one more question as we truly, truly wrap up, is in some ways this is a lot I might imagine red team exercises in a vague sense. I guess, and my question for you is really doing this training from this perspective is that are you learning anything that you can apply to our more typical work, our standard virtual CSO services and advice that you might think about now to give our clients that you wouldn't have without having this experience?

Kip Boyle: Well, I think-

Jake Bernstein: I know that is not in the script, ladies and gentlemen. That is not even a softball, that was a decent pitch, Kip right in the middle of the podcast.

Kip Boyle: No, and that's fine. I don't have any problem with that, but I got to find my words. Actually what I've learned the most and how I can use it to serve our commercial customers better, our B2B customers, is that it's just not as serious for them. I mean, yeah, they could lose a lot of money. There could be a data breach, it could cost a lot. Money, money, money, I get it. And nobody wants that.

But after you've spent months of time helping people avoid torture and prison and awfulness by using these techniques, you really realize that the stakes are just not as high when you're helping a bank, when you're helping a insurance company, healthcare, beverage cup manufacturer or agriculture. I mean, it's not to say that it's unimportant, but it just really keeps me from going too far in terms of being a zealot in front of my private industry customers. Does that make sense? It kind of attenuates their mind.

Jake Bernstein: It does. And I'm trying to figure out, and lawyers in particular, we talk about zealous advocacy. And there are some schools of thought where is that really actually what you should be doing in the.... Is that really the best interest of the client? You can go too far if you're too zealot, if you have too much of a zealous streak in your representation. And I guess what I'm hearing from you is that I think, and this has always been true, but I think that security departments and security leaders who push too much, who start to get into that, what we might call category nine and 10 of just too much security.

Kip Boyle: They're over securing everything,

Jake Bernstein: They're over securing. And I think or do you think that having this perspective helps you to not be tempted to push too far and ultimately get ignored?

Kip Boyle: Yeah, I think that's right. I think you've said it in a more eloquent way, what I was trying to say, but I've already been attuned to it. But I guess I didn't really know just how far I should go when it's not life and death. And now that I've been working in a situation where it is life and death, I've got a much better sense of how far I should push things in a non-life or death situation. And yes, I really like they way you-

Jake Bernstein: And I'll tell you why that's important, is that your job is to keep your head, right? You have to maintain a little bit of distance so that you can maintain the rationality and the somewhat detached abilities that they need you for, right?

Kip Boyle: Yep.

Jake Bernstein: And I liken it to, I mean honestly, this is a thing that lawyers face all the time. Maybe you're defending death row cases. If you're a lawyer and you get too caught up in a death row case where you start to be too emotional and miss the legal aspects and the issues and figure that out, you're not doing your client the service that they need. No, that's a weird example because that is life and death, but if you pull back from that a little in particular, oftentimes we as lawyers need to be the calmer ones in the room, and that's one of our functions. So I think it's similar. I think this has been a really interesting different episode for us. And let's go ahead and wrap it up.

Kip Boyle: Absolutely. Thank you, Jake, for helping to get this material out of me and to put words on it and to ask the insightful questions. Appreciate that. But it does wrap up this episode of the Cyber Risk Management Podcast. And today we talked about how I'm helping activists who are operating under a repressive regime so that they don't become the victims of repression. And I'm so happy to be doing this work. It's so fulfilling, it's so purposeful. And having said that, we'll see you next time.

Jake Bernstein: See you next time.

Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. If you need to overcome a cybersecurity hurdle that's keeping you from growing your business profitably, then please visit us at cr-map.com. Thanks for tuning in. See you next time.

Headshot of Kip BoyleYOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).


Jake Bernstein
K&L Gates LLC

Jake Bernstein, an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.