Every few months, at least, Americans are reminded -- by their bank, a major retailer and even the government -- to reset their log-ins, monitor their accounts and come up with even more inscrutable passwords for sensitive accounts.
The problem is: Too few of us actually do it.
Michael Daniel, who helps direct the Obama administration’s cybersecurity policy-making from his perch on the National Security Council, has made it his personal mission to understand the human factor in cybersecurity.
Daniel, whose official title is special assistant to the president and cybersecurity coordinator, sat down with Nextgov for National Cybersecurity Awareness Month for a wide-ranging interview.
We touched on everything from how the government can attract the best cybersecurity workers to whether revelations about the National Security Agency’s online surveillance activities have damaged the government’s efforts to encourage average Americans to improve their personal cybersecurity.
Here’s our interview, edited for length and clarity.
NG: You’ve spoken a lot about the human factor in cybersecurity. At a recent conference where I heard you speak, you said “We still don't understand the psychology and economics of cyberspace.” Could you expound on that?
MD: We clearly know that the bad guys get in oftentimes through a vulnerability that we're quite well aware of from a technical standpoint, and we even know how to fix it -- there's a patch available for it. And yet, we haven't done it. The patch hasn't been deployed or the hole hasn't been fixed for whatever reason. And it's not like anybody says, “Gosh, I want to have bad cybersecurity."
So, clearly the conclusion has to be that we don't really understand the underlying incentives to get businesses, for example, and individuals to undertake cybersecurity as effectively as they can.
We also know that you have to make cybersecurity more of the default setting, if you will. Just from a cognitive science standpoint, we have to make it as easy to use and as transparent for people as possible, or otherwise they just won't do it.
All this stuff about, “Please create a password that's 15 characters long and is not a word in the dictionary and is unlike any other password that you have” -- nobody's going to do that. It's too hard. We've got to come at this from much more of an understanding of how humans actually interact with the technology in order to be much more effective at our cybersecurity.
NG: What about the idea of automating cybersecurity? If people are the weak link, then can we take people entirely out of the process, so they can’t -- for example -- open an unsecure attachment? Or is this just wishful thinking?
MD: You're going to have to automate a lot more of the processes, and you're going to have to build it in so the security happens as much as possible in the background. And that's a true statement.
Now, you'll never take people out of the loop entirely. You're always going to need analysts and other things to look at what's going on. But I think that to the largest extent that we can make the cybersecurity just there and transparent to the users, that's the direction that we have to go.
NG: I’ve heard you speak before and liken the cyber czar position to that of chief cat herder. Who are the cats in this scenario?
MD: Good question. There are a very wide array of different functions that the federal government has to bring to deal with the cybersecurity problem, because it's not really just even a national security problem; it's also a law enforcement problem. And it's not just a law enforcement problem, it's a how-do-we-interact with our private-sector, critical infrastructure problem. Oh yes, and it also involves the regulators who work on different industries. And I should have mentioned also there's an international component and a business component to all of this.
So, most cyber issues involve not only the national security world -- Defense and the intelligence community -- but also FBI and Secret Service, in the law enforcement world, and the various parts of DHS -- the [National Cybersecurity and Communications Integration Center] and [the U.S. Computer Emergency Readiness Team] -- in the critical-infrastructure and protection area. And Treasury and Energy, for example, as sector area regulators. And the State Department, as cyber has a place in our foreign diplomatic world.
When you talk about the security of federal networks, the civilian dot-gov networks, the Office of Management and Budget has a very clear statutory lead in that. So, they're a big player. NIST, the National Institute of Standards and Technology, define the standards that federal agencies have to meet in doing their cybersecurity.
So, there are a lot of different players in this area, and they all come at it from a little bit of a different angle. That's a large part of the National Security Council staff's function -- to help coordinate across all those different agencies that have a little bit of a different interest in the cybersecurity issue.
NG: The government has struggled to hire technologists of all stripes. How can the government make sure it has the best people in cybersecurity?
MD: I think there a number of things that we have to be looking at, one of which is that the mission space inside the federal government is pretty unique. The things you get to do while working, for example, in law enforcement or in places in the intelligence community or DHS, those aren't things you get to do in the private sector.
There is a mission quality to it that I think we need to focus on in terms of the employment on the federal government side. In fact, if you look at some of the data that looks at why we are able to recruit the people that we do, it's that attractiveness of the mission.
I do think that there are number of things that we can do to make the hiring process easier. In fact, the federal government seems to work very hard at going out of its way to make it as hard as possible [to hire new employees]. So I think a lot of the efforts that the Office of Personnel Management and OMB have to do work on hiring authorities and streamlining that process across the government.
Third, I think there are some policies that we would really like to look at to try to make life easier for the technologists once they're in the government, to enable them to bring in the kind of tools and have the kind of functionality that they really want to have and to be able to interact with other technology folks in a way that really is what spurs a lot of the attractiveness of the private sector.
And lastly, just sort of in general, we actually want to not only increase the pipeline for the government but for the private sector as a whole. So, we're looking at various ways under the National Initiative for Cybersecurity Education that we can scale up some of the programs that we already have, such as the Cyber Centers of Excellence at the college and university level and expand the number of scholarships that are available so that we can work on expanding the pipeline in general.
NG: How does the government view the Internet of Things from a cyber perspective? Is the proliferation of devices that previously weren't connected just a problem of scale or does it introduce new problems of a different kind?
MD: It definitely introduces new problems of a different kind. In 2014, we crossed the threshold where the percentage of Internet traffic that was machine-to-machine exceeded human communication. And that trend is only going to continue.
For all of the differences between, for example, the Mac operating system and the Windows operating system, when you're talking about wired desktops, that was pretty much a homogeneous environment in many ways -- even though we didn't see it that way at the time.
But now, you're going to connect all of these wildly different devices with wildly different functionality with just really incredibly varying functions and software and capabilities. So, we've not only scaled up the problem; we've made it incredibly much more diverse. We've really made it much more heterogeneous. And so that is going to pose us even greater problems in the cybersecurity area, because it's just going to introduce a level of complexity that we've never really experienced before.
Now, I should say, it also offers us some interesting opportunities as well, because you can imagine ways that you can start to use this incredibly fast sensor network -- which is really what you're talking about with the Internet of Things -- to actually help do early indications and warning of emerging problems in malware and other things.
We understand the issues surrounding the necessity of cybersecurity in a much different way than we did when we were originally building the Internet and the World Wide Web. And so, I do think that people will be more cognizant of -- and hopefully we can push some policies that can help support -- building security in from the beginning of a lot of the Internet of Things and make it better to start with.
NG: Do you think the revelations over NSA surveillance have made members of the public distrustful of the government as a source of information on how to protect themselves online?
MD: I think if you actually look back over a very long stretch of history, Americans, in general, have a very interesting relationship with their government, particularly the federal government. And there's always been these strains of both distrust of the federal government, along with trust of what the federal government can do. And so I think that that mixture has always been there and was there pre-[Edward] Snowden and some pieces of it may have been heightened after the Snowden disclosures.
But I really think that my interaction with the private sector and others has really been still very much in the positive phase of: We want to figure out how to partner effectively with the government. We want to figure out a way for the government to be able to provide value-added information, for example, in cybersecurity.
And many private companies still very much look to the government to help, for example, with cyber investigations. So, I personally think that what we're working on right now is really deepening a lot of those partnerships and trying to develop them in new ways to fit the problem that we're facing.
NG: When you talk about the government's relationship with companies and businesses, they haven’t always seen eye-to-eye on regulation. There’s a feeling the recent NIST cyber framework does strike a balance that both sides can live with. But what do you see as the remaining sticking points?
MD: I think the framework has really helped address a lot of the issues. We wanted the framework, for example, to be industry-developed and driven. And we didn't just say that. We actually worked through NIST to make that true. The framework was built and developed by industry. And you can tell in the way that it's structured and I think we're very much continuing to support that.
A lot of what we're trying to do is work with the industry is to figure out what the barriers are, for example, to greater information sharing. What are the barriers to broader adoption of cybersecurity best practices and standards that are already out there, and then figure out how we overcome those barriers.
So, for example, one thing we did last spring after we had released the framework in February was we worked with the Department of Justice and the Federal Trade Commission to issue updated guidance that specifically indicated that if you are sharing information for cybersecurity purposes -- cybersecurity defensive information -- that is not going to be considered a violation of antitrust statutes, which is a common concern that we heard a lot from industry. And so we addressed that one head-on.
We're continuing to look for where there are areas that we can take similar action that will address some of the key impediments, for example, to information sharing.
NG: What about the global aspect? Are you taking lessons from other countries when it comes to formulating the U.S. approach to industry? There’s a draft law in Germany, for example, that seems it would go much further on information sharing and reporting hacks of critical infrastructure to the government.
MD: We are always on the lookout for lessons that we can learn from our national partners, in particular, I have had lots of different conversations with my British counterpart on their efforts to build cooperation with their critical infrastructure sectors. I've been to Germany a couple of times. So, we are certainly always very interested in that.
I'm always searching to try to build cooperation in that area. I will say that most of the time we find that, with a very few exceptions, we still seem to be at the vanguard of sort of the thinking of critical infrastructure protection, which is both scary at one level and kind of reassuring that we're trying to provide leadership in this space.