Q&A: White House Cyber Czar on Hiring Cyber Pros, Snowden and the Internet of Things

White House Cybersecurity Coordinator Michael Daniel (Ann Heisenfelt/AP)

Michael Daniel has made it his personal mission to understand cybersecurity’s human factor.

Every few months, at least, Americans are reminded -- by their bank, a major retailer and even the government -- to reset their log-ins, monitor their accounts and come up with even more inscrutable passwords for sensitive accounts.

The problem is: Too few of us actually do it.

Michael Daniel, who helps direct the Obama administration’s cybersecurity policy-making from his perch on the National Security Council, has made it his personal mission to understand the human factor in cybersecurity.

Daniel, whose official title is special assistant to the president and cybersecurity coordinator, sat down with Nextgov for National Cybersecurity Awareness Month for a wide-ranging interview.

We touched on everything from how the government can attract the best cybersecurity workers to whether revelations about the National Security Agency’s online surveillance activities have damaged the government’s efforts to encourage average Americans to improve their personal cybersecurity.

Here’s our interview, edited for length and clarity.

NG: You’ve spoken a lot about the human factor in cybersecurity. At a recent conference where I heard you speak, you said “We still don't understand the psychology and economics of cyberspace.” Could you expound on that?

MD: We clearly know that the bad guys get in oftentimes through a vulnerability that we're quite well aware of from a technical standpoint, and we even know how to fix it -- there's a patch available for it. And yet, we haven't done it. The patch hasn't been deployed or the hole hasn't been fixed for whatever reason. And it's not like anybody says, “Gosh, I want to have bad cybersecurity."

So, clearly the conclusion has to be that we don't really understand the underlying incentives to get businesses, for example, and individuals to undertake cybersecurity as effectively as they can.

We also know that you have to make cybersecurity more of the default setting, if you will. Just from a cognitive science standpoint, we have to make it as easy to use and as transparent for people as possible, or otherwise they just won't do it.

All this stuff about, “Please create a password that's 15 characters long and is not a word in the dictionary and is unlike any other password that you have” -- nobody's going to do that. It's too hard. We've got to come at this from much more of an understanding of how humans actually interact with the technology in order to be much more effective at our cybersecurity.

NG: What about the idea of automating cybersecurity? If people are the weak link, then can we take people entirely out of the process, so they can’t -- for example -- open an unsecure attachment? Or is this just wishful thinking?

MD: You're going to have to automate a lot more of the processes, and you're going to have to build it in so the security happens as much as possible in the background. And that's a true statement.

Now, you'll never take people out of the loop entirely. You're always going to need analysts and other things to look at what's going on. But I think that to the largest extent that we can make the cybersecurity just there and transparent to the users, that's the direction that we have to go.

NG: I’ve heard you speak before and liken the cyber czar position to that of chief cat herder. Who are the cats in this scenario?

MD: Good question. There is a very wide array of different functions that the federal government has to bring to deal with the cybersecurity problem, because it's not really just even a national security problem; it's also a law enforcement problem. And it's not just a law enforcement problem, it's a how-do-we-interact-with-our-private-sector, critical infrastructure problem. Oh yes, and it also involves the regulators who work on different industries. And I should have mentioned also there's an international component and a business component to all of this.

So, most cyber issues involve not only the national security world -- Defense and the intelligence community -- but also FBI and Secret Service, in the law enforcement world, and the various parts of DHS -- the [National Cybersecurity and Communications Integration Center] and [the U.S. Computer Emergency Readiness Team] -- in the critical-infrastructure and protection area. And Treasury and Energy, for example, as sector area regulators. And the State Department, as cyber has a place in our foreign diplomatic world.

When you talk about the security of federal networks, the civilian dot-gov networks, the Office of Management and Budget has a very clear statutory lead in that. So, they're a big player. NIST, the National Institute of Standards and Technology, defines the standards that federal agencies have to meet in doing their cybersecurity.

So, there are a lot of different players in this area, and they all come at it from a little bit of a different angle. That's a large part of the National Security Council staff's function -- to help coordinate across all those different agencies that have a little bit of a different interest in the cybersecurity issue.

NG: The government has struggled to hire technologists of all stripes. How can the government make sure it has the best people in cybersecurity?

MD: I think there are a number of things that we have to be looking at, one of which is that the mission space inside the federal government is pretty unique. The things you get to do while working, for example, in law enforcement or in places in the intelligence community or DHS, those aren't things you get to do in the private sector.

There is a mission quality to it that I think we need to focus on in terms of the employment on the federal government side. In fact, if you look at some of the data that looks at why we are able to recruit the people that we do, it's that attractiveness of the mission.

I do think that there are a number of things that we can do to make the hiring process easier. In fact, the federal government seems to work very hard at going out of its way to make it as hard as possible [to hire new employees]. So I think a lot of the efforts that the Office of Personnel Management and OMB have to do is work on hiring authorities and streamlining that process across the government.

Third, I think there are some policies that we would really like to look at to try to make life easier for the technologists once they're in the government, to enable them to bring in the kind of tools and have the kind of functionality that they really want to have and to be able to interact with other technology folks in a way that really is what spurs a lot of the attractiveness of the private sector.

And lastly, just sort of in general, we actually want to not only increase the pipeline for the government but for the private sector as a whole. So, we're looking at various ways under the National Initiative for Cybersecurity Education that we can scale up some of the programs that we already have, such as the Cyber Centers of Excellence at the college and university level and expand the number of scholarships that are available so that we can work on expanding the pipeline in general.

NG: How does the government view the Internet of Things from a cyber perspective? Is the proliferation of devices that previously weren't connected just a problem of scale or does it introduce new problems of a different kind?

MD: It definitely introduces new problems of a different kind. In 2014, we crossed the threshold where the percentage of Internet traffic that was machine-to-machine exceeded human communication. And that trend is only going to continue.

For all of the differences between, for example, the Mac operating system and the Windows operating system, when you're talking about wired desktops, that was pretty much a homogeneous environment in many ways -- even though we didn't see it that way at the time.

But now, you're going to connect all of these wildly different devices with wildly different functionality with just really incredibly varying functions and software and capabilities. So, we've not only scaled up the problem; we've made it incredibly much more diverse. We've really made it much more heterogeneous. And so that is going to pose us even greater problems in the cybersecurity area, because it's just going to introduce a level of complexity that we've never really experienced before.

Now, I should say, it also offers us some interesting opportunities as well, because you can imagine ways that you can start to use this incredibly fast sensor network -- which is really what you're talking about with the Internet of Things -- to actually help do early indications and warning of emerging problems in malware and other things.

We understand the issues surrounding the necessity of cybersecurity in a much different way than we did when we were originally building the Internet and the World Wide Web. And so, I do think that people will be more cognizant of -- and hopefully we can push some policies that can help support -- building security in from the beginning of a lot of the Internet of Things and make it better to start with.

NG: Do you think the revelations over NSA surveillance have made members of the public distrustful of the government as a source of information on how to protect themselves online?

MD: I think if you actually look back over a very long stretch of history, Americans, in general, have a very interesting relationship with their government, particularly the federal government. And there have always been these strains of both distrust of the federal government, along with trust of what the federal government can do. And so I think that that mixture has always been there and was there pre-[Edward] Snowden, and some pieces of it may have been heightened after the Snowden disclosures.

But I really think that my interaction with the private sector and others has really been still very much in the positive phase of: We want to figure out how to partner effectively with the government. We want to figure out a way for the government to be able to provide value-added information, for example, in cybersecurity.

And many private companies still very much look to the government to help, for example, with cyber investigations. So, I personally think that what we're working on right now is really deepening a lot of those partnerships and trying to develop them in new ways to fit the problem that we're facing.

NG: When you talk about the government's relationship with companies and businesses, they haven’t always seen eye-to-eye on regulation. There’s a feeling the recent NIST cyber framework does strike a balance that both sides can live with. But what do you see as the remaining sticking points?

MD: I think the framework has really helped address a lot of the issues. We wanted the framework, for example, to be industry-developed and driven. And we didn't just say that. We actually worked through NIST to make that true. The framework was built and developed by industry. And you can tell in the way that it's structured and I think we're very much continuing to support that.

A lot of what we're trying to do is work with industry to figure out what the barriers are, for example, to greater information sharing. What are the barriers to broader adoption of cybersecurity best practices and standards that are already out there, and then figure out how we overcome those barriers.

So, for example, one thing we did last spring after we had released the framework in February was we worked with the Department of Justice and the Federal Trade Commission to issue updated guidance that specifically indicated that if you are sharing information for cybersecurity purposes -- cybersecurity defensive information -- that is not going to be considered a violation of antitrust statutes, which is a common concern that we heard a lot from industry. And so we addressed that one head-on.

We're continuing to look for where there are areas that we can take similar action that will address some of the key impediments, for example, to information sharing.

NG: What about the global aspect? Are you taking lessons from other countries when it comes to formulating the U.S. approach to industry? There’s a draft law in Germany, for example, that seems it would go much further on information sharing and reporting hacks of critical infrastructure to the government.

MD: We are always on the lookout for lessons that we can learn from our national partners. In particular, I have had lots of different conversations with my British counterpart on their efforts to build cooperation with their critical infrastructure sectors. I've been to Germany a couple of times. So, we are certainly always very interested in that.

I'm always searching to try to build cooperation in that area. I will say that most of the time we find that, with a very few exceptions, we still seem to be at the vanguard of sort of the thinking of critical infrastructure protection, which is both scary at one level and kind of reassuring that we're trying to provide leadership in this space.
