
Northwestern Buffett Institute for Global Affairs

Global Cyber Security Challenges with Roland Cloutier, Global Chief Information Security Officer at TikTok

Good cybersecurity is critical to protecting people's rights to privacy and also the security of our economic markets. The companies behind popular digital platforms are critical players in this effort that is central to United Nations Sustainable Development Goal 16, which is peace, justice and strong institutions. Roland Cloutier is the global chief information security officer at TikTok. He has more than 30 years of experience in cybersecurity and law enforcement. In this episode of Breaking Boundaries, he talks about his approach to building a safe and vibrant global online community.

Roland Cloutier

“It's also our responsibility to continuously improve our ability to quickly respond to evolving threats. Identifying, blocking and removing inauthentic content, inauthentic accounts, inauthentic engagement or other associated activities like botnets, that are created just to attempt to do these sorts of things. And this also includes coordinated attempts to spread mis- or disinformation and other types of what we would call ‘influence operations’ on platform. At the end of the day we are always focused on the important areas of: prevent, defense, detect and remove every single day of the week.”

-- Roland Cloutier, Global Chief Information Security Officer at TikTok


Subscribe to Breaking Boundaries wherever you listen to podcasts, so you never miss an episode:

Apple: https://apple.co/3FIXuqS
Spotify: https://spoti.fi/2Xr04k4
Google Podcasts: https://bit.ly/3G03749
Amazon: https://amzn.to/3lTQYWA
Stitcher: https://bit.ly/3G1RM3F


Read the transcript of this show below

Annelise Riles [00:00:03] Welcome to the Breaking Boundaries podcast. I'm Annelise Riles, executive director of Northwestern University's Roberta Buffett Institute for Global Affairs. The Northwestern Buffett Institute is dedicated to breaking through traditional silos of expertise in geography, culture and language to surface novel solutions to pressing global challenges. This spring, we're exploring United Nations Sustainable Development Goal 16, which is peace, justice and strong institutions, and good cybersecurity is critical to protecting people's rights to privacy and abuse, and also the security of our economic markets, and the companies behind our digital platforms are critical players. Today's guest has the job of heading cybersecurity for one of the world's most popular social media platforms, TikTok. Roland Cloutier is the global chief information security officer at TikTok. He has more than 30 years of experience in cybersecurity and law enforcement, and he joins us today to talk about his approach to building a safe and vibrant global online community. Welcome, Roland.

Roland Cloutier [00:01:17] Thanks so much for having me. This is great. I appreciate being on the show.

Annelise Riles [00:01:20] Explain TikTok to our listeners who are over the age of 25. How has it captured the attention of people around the world? What is so exciting about TikTok?

Roland Cloutier [00:01:30] First and foremost, we are an entertainment platform powered by our community, which is very different, obviously. The great thing about working for TikTok in general is that we're actually bringing joy to people around the world. It's actually been often referenced the last sunniest corner of the internet. It's a great place to work. First and foremost. And then next, as a chief security officer, what's very interesting about this job? Unlike platforms that employ social graphs or groups of groups, TikTok really is focused on the individual. It's developed to bring content based on our individual user's interests. We're always there to enhance our technology and our community's experience, and we're always testing new features for folks to develop their creativity and bring that to the platform to deliver that joy. And as a business, this concept of brands on TikTok have found this creative outlet to authentically connect with their audience in their potential future customers. I'm sure we'll get into this, but like the amazing new economy that's being built that we've just said, "Hey, go be your authentic self and do what you want to do."

Annelise Riles [00:02:36] Roland, you're certainly a boundary breaker. You've had experience in cybersecurity and crisis management investigations in the military. Tell us a little bit about your journey from the Air Force to the Department of Defense to TikTok. How did that unfold?

Roland Cloutier [00:02:53] Well, I'll tell you first, thank you. It's an honor to be included as a boundary breaker. I've had an amazing career through the guidance in education from so many amazing people in what I do. My start in cyber actually started when I was a federal police detective doing diversion and pharmaceutical crimes and a bunch of other things. Everything happened on computers. So a friend of mine who I kept going to ask for work, actually said to me, "You know, maybe you should go back to school." And I did. I was a criminal justice major previously, and I went back for computer science and learned those computer skills. But what's interesting is that the relationship between how to protect the world, right, anti-terrorism, nuclear defense, aerospace, defense, all the things I learned in the government and how to layer protection programs, deal with is and move forward. All came together with the computer side of how to build good teams, how to train great practitioners in how to deliver services. Once I left the military government space and dipped my toe into the dark commercial world, I got the experience of how to build companies of how to deliver services. I was now going on 20 years out of the government. I was looking at my potential dream job, the one that I had said I always wanted. A friend of mine had it for 20 years. He was leaving. I got the opportunity. You know what? I realized it wasn't my dream job. The recruiters came back to me and talked about what was important, and it was about creating a very specific mission, learning and continuing to learn and actually being part of, you know, something that would change the world slightly tongue in cheek when I was talking to them. They came back to me two weeks later and said, "How about TikTok?" I get to get up and protect the last sunniest corner of the internet every day. It's really the best job in the world.
It's really a lifetime opportunity to build that scale to protect the fastest growing technology company in the world right now. And having that shared commitment from the company to achieve really what no other company has achieved before. It's an awesome responsibility, but it's great fun too.

Annelise Riles [00:04:53] TikTok now has over one billion, with a B, billion monthly users from over 140 countries, who use about 40 different languages. I mean, let that sink in, folks. This is incredible. So you must face really special problems here dealing with such a vast range of users from so many different parts of the world. How do you ensure that TikTok remains safe and secure and immune from hacks in so many different corners of the planet?

Roland Cloutier [00:05:28] Our technologies and controls prevent it. Our systems detect and be able to process that into our fusion centers, who then monitor respond across a multitude of different teams from a threat or threat led defense teams to our critical incident response teams, to our forensics groups and everybody in between even our partners and trust and safety all operate under the umbrella of a fusion center that gives us 24 by seven operations across the globe.

Annelise Riles [00:05:55] Let's talk about the current conflict in Ukraine a little bit. The New Yorker magazine said last month that we're witnessing quote the world's first TikTok war. I think they mean that so much of what's happening is being recorded and witnessed through the platform. I imagine that from a cybersecurity point of view, that's kind of a big responsibility. How are you addressing on the platform?

Roland Cloutier [00:06:20] We could talk about Ukraine, we can talk about the US elections and we can talk about the Olympics. We can talk about just about anything that's going on in the world at any given time, because I think it's important to understand when our focus is on the trust and safety, the platform that's ubiquitous across any geo, across any place. Our platform operates first and foremost, understanding the problem. Second to that is applying people process technology to be able to execute against a defensive mechanism to keep it off platform and discover it. And I'll give you, for example, actually, a lot of people don't know this. It's about 96 percent of violative videos are actually removed before they ever make the platform. So if you think about the billions of videos that are uploaded daily weekly, what have you, that 90 percent, 96 percent of those that violate content or community guidelines actually removed automatically through A.I. and through it and through ML. And whether that's looking at video, whether it's looking at texture of listening to audio in multiple languages around the globe, it's an it's important point is first, you have to clear the decks of all this stuff so you can really go focus on the bad things. I think the second thing is understanding what is real and not. And then in this gets back to your amazing defense capabilities, but generally talking about bots. So how do you instrument a platform to be able to look at account sign ups, authentication locations of folks on platform likes follows all the things that can possibly happen. That just doesn't magically happen. That is through deep machine learning capabilities to understand what a normal person can or cannot do, what a normal influx, for instance. And there's thousands of these. But if something goes viral in 17 minutes on platform, it's probably not right. Right? Like, there's probably a reason for that. So how do how does that?
How does that get identified and stop? From a security perspective, the application of this is really looking at automation defense, stopping it before it gets on platform and when on platform and looking at it from a normalized way. How does it how is it interacting with other technology on platform? So we use deep computer skills to be able to create technology, to be able then to get if it's misinformation, disinformation. But we partner with external third parties to validate what I may say in Boston, New England kid from up north, is very different than what's probably acceptable in parts of the Middle East. And so understanding culture, context, language skills is really, really important in these. So we partner with external entities, education programs, local social organizations to really understand how we should apply these technologies. And then, of course, back find right, making sure that we use globally recognized fact organizations to understand misinformation and disinformation. Our focus again and influence operation is understanding how people interact with other technology videos, people on platform. I'm fortunate in my job where we're not a social graph organization. I mean, we don't have groups of groups you either consume it or you post. We predominantly that's how our platform works. So it gives you a limited view that we have to work on. But still, in that context, it's important to understand how individuals or technology is interacting with technology. And so we use deep math skills within our technology subsets to do that. And it's an everyday thing, anti-terrorism and national security. But there's a lot of other things. There is illicit crimes and intellectual property. And crimes against children and things of that nature that we have do it all just as good in each one of those areas on a daily basis to make sure it doesn't get on a platform.
And if it's virtually does, be able to remove it and then turn that back into technology to detect it again.

Annelise Riles [00:10:19] One of the things I think many people have been surprised about is how good the connectivity has remained in Ukraine through this conflict. Do you have any thoughts about that? Why have the Ukrainians been so successful in keeping the lights on on the internet?

Roland Cloutier [00:10:33] Ukraine doesn't own the internet, even though it flows into their environment, so you get to think about the big companies, six major players that own the internet. Those aren't Russia. And so they have that ability to see upstream and downstream really, really clearly when they have eight weeks to prepare and know that the TTP or the techniques in that military Russia militaristic cyber operations will most probably use, they can gear up pretty quick to kill that stuff pretty quick. So I think one of the reasons we've seen is just like everything else in Ukraine, there's been a big upswell in support globally from these multinationals, from around the world that quote unquote own the internet and are able to stop it as it's coming through their platforms. And they just drop it into the bit bucket.

Annelise Riles [00:11:22] When you have an eight week leeway, like the current conflict in Ukraine. How are you addressing this?

Roland Cloutier [00:11:29] We hire folks that come from operational experiences and in law enforcement and other large tech groups. And we know how to respond to critical incident. And so we have a normalized process that basically we can establish a quorum really quickly around the globe. We're in the process of updating and building our fusion center. So fusion center, actually government can be kind of a government context, but we call.

Annelise Riles [00:11:54] What's the fusion center?

Roland Cloutier [00:11:55] The fusion center is an operating center. Like, think of it now... Like you're inside the mountain people behind screens and big screens up to the wall, that sort of thing. But what's the important thing about fusion centers are the people in the people that come together are from cyber defense of operations. Critical Incident Response Intel Group comes from our trust and safety teams, comes from our mission management teams, come from our legal team. And so they're all sitting in the same room or virtually in some areas right now. But so we have these three centers of excellence here in D.C., in the United States, one in Dublin, Ireland that's being built in one in Singapore for four APJ. And they're all interconnected. They're all connected to the same platforms and systems, so they have access to the information we can operate around the clock. And you can carve out a portion of professional individuals that understand a specific issue. Maybe it's a war. Maybe it's elections. Maybe it's a public venue event that we're protecting, where we have to set up operations using global standards on how to handle crises and then they can prepare. What are the potential threats to the event, the issue of the platform with the potential actors? What are the potential implications cyber defenses that we have and how do you protect an entire continuum? You put plans in place for all of those and then execute across different teams through a fusion center. So that's really how that operates. And what's interesting from my perspective, is how you also give that capability back to your community. And this is the first job I've been able to do that and it's really cool because we create platform. So you say that's a violative video because it's maybe it's against our community guidelines for sexual material. Click, we get notified. It gets automatically sent into a queue.
It's identified through email and then put to the right team. Maybe it's intellectual property theft. That's inappropriate use of brand music, you name it. Or maybe it's a privacy issue. We put that capability into the billion monthly active users on the platform to have them help us police the community and have them be responsible for their privacy and give them those tools on the platform. It's a very exciting way to engage your community and ensure that not only are we doing the right thing, we're allowing the community to participate in that.

Annelise Riles [00:14:14] Well, it sounds like you're constantly having to innovate because the other side is innovating. Tell us a little bit about how that works.

Roland Cloutier [00:14:20] The world isn't static, people aren't static. The problems aren't static. I'll use the Chicago P.D. The gangs that were there five years ago or 10 years ago are very different than the gangs that are in town. This month, this year in the gang symbols are different. Right? So part of this is a technology issue. Part of it is an intelligence issue. When I left government years ago, I never saw it that one of the largest parts of my organization would be over the horizon. Threat analysis teams looked working with experts in violent extremism and crimes against children and people in all these different areas. But it's kind of how the world works. The use of part. In this area to identify how these things work and introduce that information into the technology stream so we can continually update it and identify it, I think those are the important thing and have really good training and technology for those things that fall in the middle. As we would say, our partners over in the trust and safety do yeoman's work on a daily basis. Really amazing to watch these. These professionals across the globe understand what they're looking for and how they're looking for it. It's as important for the feedback loop, which is another important of our machine learning NRAI of how we get new confirmed data back into that cycle so we can quickly protect against. We like to call it moving the cheats, right? Like we understand where the threats coming from, what the threat is and then be able to move our controls capability to defend against that. So I mean, that's where the rubber hits the road, right? That's the difference between creating technology and operate that now. So our focus is we have the most amazing engineers in the world across the globe that design these things very quickly and app and at the speed that the platform operates on.
But we also have operational organizations that understand the impact in how to understand and interpret that at the human level and be able to use that back life.

Annelise Riles [00:16:22] So many TikTok users are, of course, young people, teens, young adults. I imagine that must raise some special security challenges. I notice that my own teenage son is much less uptight about passwords and all of that stuff than I am. So what do you do about that? How do you handle that sort of cultural difference between generations? Or is it there?

Roland Cloutier [00:16:47] TikTok is a platform for multi-generations for families to enjoy, not just teens and young adults. I'm on it. My mom's on it. We have creators at all ages and obviously teenagers as well. Security and safety go hand in hand. So focusing on education around online hygiene and how we get messages out to our users and videos, you know, we see you've been on for scrolling for quite a while. Maybe it's time to take a break. Tools like that. Even more importantly, we have introduced some of these privacy features that are really focused on teens aged 13 to 17 that are enhancing proactive protections to video views, direct messaging and things of that nature. Our TikTok guardian guide gives an overview of an app education to parents and caregivers to make sure they can oversee their child's online experience. And as important is actually the family app that allows the, we call it, the family pairing tool. It's an app that allows parents to be involved in what their kids can see and what they're watching and viewing and who they're connecting with. We're doing things like continuously updating our security and privacy hubs with tips and resources for our community at all levels. We have outside individuals that help us think about things like our Content Advisory Council from academia, safety institutes connect safely and all of these things around the globe. And quite frankly, we're always looking for ways to continually build trust with a diverse stakeholder and audience group through all of these means. So it's an awesome responsibility, but it's one we've taken on and I think we're delivering on.

Annelise Riles [00:18:26] So I want to ask you about misinformation or content that is harmful to people's reputations. So we had a project here at the Buffett Institute in our Meridian 180 network, which was focused on gendered abuse online, especially in Asia, where a lot of female politicians and activists and corporate leaders found themselves victims of sort of online misinformation that was misogynistic or harmful to women's reputations in particular. How do you approach those kinds of issues of mitigating the spread of potentially harmful content or information and in particular, being such a global platform? I imagine it's challenging because the very speech that's protected in some countries is banned in others. So how do you manage this?

Roland Cloutier [00:19:16] Specific to harmful content, community guidelines are important. So as explained in our community guidelines, we do not allow content that is gratuitously shocking, graphic, sadistic, gruesome or anything that promotes or normalizes or glorifies extreme violence or suffering on our platform. We just don't allow it when there is a threat to public safety. We suspend or ban the account and when warranted, we actually will report it to relevant legal authorities and the relationships we have across the globe, not just here in the United States, but our partners in Europol, Interpol, in countries around the world. And we make exceptions under circumstances such as documentary content. This kind of content may be ineligible for recommendation for the For You feed. There may be a. And for educational, but mis- or disinformation, which is another whole topic area that we could spend like a day on. Media manipulation is, you know, continually evolving in combatting automation of space and other attempts to spread disinformation requires an industry wide, multidisciplinary approach. My job is not to let it on platform, it's to stop bad guys from getting it on platform. And if it does get on platform, how do we find it and remove it as fast as we can? But our job has to be informed, and it has to be included in how we think about it from the governments in the jurisdictions that we operate, civil societies, academia. As I mentioned, we have partners that help us look at this. Stakeholders in different parts of the world working together in really good faith to develop this robust and long term solution across the industry. We've invested in a massive and growing team of safety, security and privacy experts. We talked about the air A.I. around automation, technology and defenses.
That means having the platform do the work for people and then going after the harder to detect things and then creating these comprehensive policies on a continuous basis. Like it's not one policy, it's a policy that has to be reviewed as the world changes is our platform change to stay of the ever evolving tactics of people in organizations who mislead or want to harm others. It's also our responsibility right to continuously improve our ability to quickly respond to evolving threats. Identifying, blocking and removing inauthentic content. Inauthentic accounts, inauthentic engagement or other associated activities like botnets that are created just to attempt to do these sort of things. And this also includes coordinated attempts to spread mis- or disinformation and other types of what we would call influence operations on platform. At the end, they were always focused on the important areas of defense or prevent defense, detect and remove every single day of the week.

Annelise Riles [00:22:01] One of the other interesting things about TikTok is that, unlike many other major social media platforms, it is not U.S.; it's owned by a Beijing-based company called ByteDance. How does that change? Or does it change in any way the way that the platform makes decisions about cybersecurity?

Roland Cloutier [00:22:23] The answer is it doesn't change anything. ByteDance is a privately owned company. And the reality is four of the five seats on our board are held by major Western investors. It's not a Chinese state owned entity. TikTok isn't even available in China. I don't have security practitioners in China. Our U.S. leadership is based here in the U.S. and in Singapore. TikTok user data is stored only in the U.S. with a backup in Singapore, and our leaders come from major U.S. law enforcement, U.S. diplomatic corps and on and on, and we're focused on building the best secure platform we possibly can through the use of standards. And this is what's important. This is, I think, where people get it wrong. So for instance, last year we did four ISO certifications across the globe. This year we're doing many more in SOC 2s. These are industry standard type certifications to show and to prove our capabilities of adhering to global standards around security risk and privacy efforts and then releasing those to the public. We also built the first transparency and accountability centers, first in the U.S., now in Ireland and then others to come soon, where government regulators, academia and customers can come in and actually touch and feel the infrastructure, the code and the things that we are doing and understand at a deep level. And of course, we do. Accountability, trust and accountability reports out to the public on a frequent basis that show exactly what we're moving off platform, what we're blocking, why we're blocking it. And all of these things show our capabilities, our responsibilities and that the programs are working.

Annelise Riles [00:24:04] What advice would you give to the Northwestern students listening to this? Who think, my goodness, I just want to be heard on? How do I what what? What advice would you have for them?

Roland Cloutier [00:24:15] First and foremost, they're probably going to be my next boss coming out kind of Northwestern. Think about it. Just some amazing CEOs and leaders that have come from the university. So I think what I would tell them is know that you're going into a world that your business is a digital ecosystem and in your business is going to depend on that. So understand how it works. Maybe you're not a technologist. Maybe you're just a straight MBA, but you have to be a digital MBA, so learn about it, and your leadership will depend on your understanding of how to secure it. That gets right to get to really know your organization and your business. We talk about Michael Porter's value chain from a security perspective, not an MBA perspective we talk about doing. Value chain risk assessments to know exactly how we adapt, how we build projects, how we sell and market him, how we make revenue and how we support those and then recognize revenue all the way around in that lifecycle so I can understand how my business operate, what systems manage it, and then I can protect it in the most effective way that supports the business. So you got to get to know your organization. A security practitioner can't come in and say, "Yes, everybody needs a firewall and everyone needs to do this." They have to say this is what our business needs and they have to understand the business. Next thing, if I can give a word of advice, get a mentor. Learn from leaders or organizations that have succeeded or failed before. This is one of the greatest things in my career. Having coaches or mentors at different levels through the years that have taken the time out to say, "Hey, hey Roland, do not do that. That is not how you want to look at this." Or, "Hey, go take this course. Think about this. Let's work on this presentation style together." Whatever it may be. Get a mentor to learn about what you want to do in your career.
Speak to C-suite or board members in a way they understand and appreciate. So, for instance, I don't go in and talk about how many rules my firewall dropped. Look at me cross-eyed. I go in and I talk about the effectiveness of the controls we put in across the critical infrastructure that supports the finance program. I give them my metrics that almost look like their financial metrics, right? You know, you have to speak in a way that they can understand, and you have to educate your leaders on security, on crisis management. Some of the best things that have happened in my career during crisis is where the entire leadership team and the board of directors are on the same page. Why? Because we've trained together. We've done tabletop exercises. We work through really hard things together as a team. And when the crisis comes, we work together at an amazing level. When you can do that, when you can educate and be, that it becomes an amazing partnership with the rest of the leadership team. I want to be a security guy. If I didn't say this, build your products and services with security in mind, you know, security and privacy by design. We like to call it, but make it a goal for your organization and company to have security as a component of your secure or your quality measure. And then consider how you can innovate in your own role to make the industry better. Go change the industry, just not your company.

Annelise Riles [00:27:28] So I want to end by asking you the question that I ask all of our guests, which is as you think about the near future, what are you most worried about and what are you most hopeful for?

Roland Cloutier [00:27:41] That's a great question. You know, as someone who's served others their entire career and as you as a veteran, you know, especially recently, the thing I'm most worried about is for peace. It is a tough world out there right now for our kids. Peace is important to me. I think beyond that, cyber threats have been mentioned as a part of the current equation, and I hope we can all continue coming together around the world to combat these threats, to lean in locally, support nonprofits that focus on supporting the global economic ecosystem that helps drive economies around the world. And it makes countries better no matter where they come from or why.

Annelise Riles [00:28:18] Well, listen, you're an inspiration, Roland. Hopefully, we can talk more about how we build peace together between the academy and the business sector. So thank you so much for your time today.

Roland Cloutier [00:28:28] Thanks for the opportunity.

Annelise Riles [00:28:32] For more information on this episode and on the Northwestern Buffett Institute for Global Affairs, visit us at buffett.northwestern.edu.