Despite the flap over recent comments, Michael Daniel remains focused on cybersecurity’s human factor.
Michael Daniel, the White House’s cybersecurity coordinator, courted controversy last month when he gave an interview on his role setting cyber policy for the Obama administration.
But it wasn’t his thoughts on how the government can better protect its IT systems from intrusions or how the feds should respond to cyberattacks that caused a fuss.
It was his résumé.
In an Aug. 21 interview with GovInfoSecurity, Daniel -- a 17-year veteran of the Office of Management and Budget who came to his current position two years ago largely unknown in technology circles -- was asked how much of a techie the nation’s cyber czar actually needed be.
Daniel said it was important to have a “broad sense” of the role technology plays in cyber policy, then added: “But you don’t have to be a coder in order to really do well in this position. In fact, I think being too down in the weeds at the technical level could actually be a little of a distraction in that sense.”
His remarks blew up on Twitter. Many social media commentators were perturbed that the nation’s top cybersecurity official seemed to be flaunting his lack of technical experience.
The chairman of the Joint Chiefs of Staff led an armored division in Iraq, Alex Stamos, Yahoo’s chief information security officer, pointed out on Twitter. Why shouldn’t the cyber czar be able to configure a firewall himself?
Stamos later tweeted: “The lack of respect shown to information security as a profession by the government is infuriating.”
Daniel: Cyber Not Purely a Technical Problem
When Nextgov caught up with Daniel after a speech Sept. 16 at the Billington Cybersecurity Summit in Washington, he said if he had to do it over again, he would make sure to expand on his remarks.
"The real underlying issue is the cybersecurity problem is not purely a technical problem,” he explained.
A key part of his office’s efforts, in coordination with the National Initiative for Cybersecurity Education, is to get more cyber-literate technologists trained and into government jobs, he said.
"So that was certainly not my point at all,” he added. “But [it was] that the skill set you need to bring to bear on the cybersecurity problem is very multidimensional and it has many other factors, and you can actually be very successful in this space bringing other skill sets to bear. And that's really what I was saying."
That point was clearly lost amid the wave of articles and blog posts sparked by his original comments, not least in the piece published on tech news site ReadWrite branding Daniel a “total n00b” -- gamer-speak for novice.
Daniel, who was on vacation when the interview was published, said he took the hostile reaction in stride.
“You know, it also just kind of comes with the territory of being in Washington,” he said.
Cyber Czar Wants to Understand Human Element
In his remarks at the cybersecurity summit, Daniel focused the majority of his remarks on the need to understand the human factor of cybersecurity.
"We still don't understand the psychology and economics of cyberspace," he told the audience packed into the Capital Hilton Hotel in Washington.
The majority of vulnerabilities exploited by the “bad guys” are known weak points. And many of them already have fixes, he said.
“We haven't fully confronted cybersecurity as a human behavior and motivation problem as opposed to just a technical problem,” he said. “And until we really understand the human factor and change our approaches as a result of that understanding, we will continue to fail at solving this problem."
In an address later that day at the conference, Phyllis Schneck, the chief cybersecurity official for the Department of Homeland Security, made the same basic point -- with more of a rhetorical flourish.
“If this were purely a technical problem,” said Schneck -- the former chief technology officer at security software giant McAfee -- “we'd have solved it with a pizza and a Mountain Dew for a few people a long time ago."