The Cipher Brief spoke with former Special Assistant to President Obama and Cyber Security Coordinator on the National Security Council, Michael Daniel about the need for a new National Cyber Director.
Daniel makes the case that the role he once held wouldn’t be enough to address today’s needs and that we need to reimagine the position in a way that would make coordinating cyber issues among government agencies and the private sector much easier.
Daniel currently serves as President and CEO of Cyber Threat Alliance, a non-profit that is working to enable cyber threat information sharing among companies and organizations. Our conversation has been lightly edited for length and clarity.
The Cipher Brief: You are making the case for a position that is different from the one you held at The White House. How would it be different?
Daniel: It’s going to require us to build some new ways of interacting between the government and the private sector that are not traditional. It’s not the government buying goods or services. It’s not the government regulating, it’s the government working with the private sector in much more of a peer-to-peer relationship, and that’s not a normal way for governments to interact. There’s a lot of work we have to do to build that. We’ve started down that path, but there’s a lot more that we need to do to make that really workable.
The Cipher Brief: Why the variation and why at The White House level?
Daniel: The threats coming at us through cyberspace are going to be a permanent part of the landscape for the foreseeable future. There is a strong need to have a regular, institutionalized voice inside The White House that can bring expertise to the senior levels of decision-making on this problem. I think that’s really important. We need to make a clear, long-term commitment that this is going to be a priority for the United States.
The Cipher Brief: Do you think government priorities have shifted when it comes to cyber?
Daniel: I actually don’t think things have shifted all that much. This is one of the interesting policy areas where there has been a fair amount of continuity between the Obama administration and the Trump administration, actually. A lot of what we were focused on was how we improve the security of federal networks, which they’ve continued to invest in. How do we work with our critical infrastructure owners and operators to improve the level of cyber security across our digital ecosystem? How do we think about disrupting what the bad guys are trying to do to us? And how do we get better at responding to and recovering from bad days in cyberspace when they inevitably happen? Those were the kinds of priorities that we had. I actually think overall, if you talk to Chris Krebs or folks over in the Justice Department or other places in government, they would use different words, but you would get largely the same picture.
The Cipher Brief: How would your recommendation for a national cyber director be different from what CISA is doing at DHS and Director Krebs’ efforts to coordinate with not only government, but the private sector as well and his current mandate to protect government entities from cyberattack?
Daniel: I really see the position as being more about how you bring all of the elements of national power together to address this problem. This position needs to have some interaction with the private sector, but it’s not meant to replace what DHS or any of the agencies are doing. This is not meant to be operational, but rather to operate at that strategic level. So, how do you coordinate policy across the entire government so that it has a coherent structure and that the priorities are clearly articulated? How do you coordinate across all the different elements of national power that you can bring to bear on a problem – diplomatic, economic intelligence, military law enforcement – to address what the bad guys are doing? It’s very much operating in those spaces where you need a coordinating function at The White House level, so that you can deal with what I always refer to as the classic bureaucratic problem of, “You’re not the boss of me.” If you’ve worked in government, then you understand that problem.
Serving in The White House, the focus of this position would be to make sure that policy issues, as they come in to the very highest levels of the executive branch – cybersecurity issues – are surfaced and are included in the decision-making process, which doesn’t always mean that you will come down on the side of cybersecurity. You may choose to take another course of action because of other costs and benefits, but you want to make sure that decision is informed by the potential impact on our country’s cybersecurity and not made blindly. That’s the other reason to have this position in The White House.
Another big piece is the relationship with similarly situated positions in other governments. The similar positions in our Five Eyes partners and Israel, Singapore, Japan, all those places where we’re trying to achieve that high-level of coordination. Those are some of the outreach parts that I see.
The Cipher Brief: You’ve said that because of the global pandemic, the federal government’s cybersecurity capabilities really need to keep pace, because more people will be working from home for a longer period of time.
Talk to me just a little bit about what your concern is when over the next, say, 12 to 18 months when everyone’s still very much impacted by COVID-19, when employees are working remotely, there are all sorts of advanced phishing attacks out there trying to go after them at home, get them to click on things. What are some of the things you’re seeing over the next 12 months that you want to keep high on your radar?
Daniel: COVID-19 has accelerated trends that have already been occurring, but it’s really just put them in overdrive. The workforce is even more distributed than it was probably already going to be. What we now have is things that would have been annoying 20 years ago are now going to be organizationally and, potentially socially, catastrophic. When I first joined the federal government back in the mid 1990s, my standing joke was that if the network went down, we just did something else for the day. We worked on our non-network computers. We actually called people on the phone. We wrote on whiteboards. We had actual face-to-face meetings.
Now, if your network goes down, you’re almost dead in the water and you literally can’t do anything as an organization. That is starting to be true at the social level as well. We’ve gotten ourselves into a place where our digital dependence is so high that these disruptions and interruptions can be very damaging. From that perspective, I think the federal government needs to continue to accelerate its efforts to get better at solving some of the conundrums that we face.
There’s a fundamental structural problem that we have, which is that our mental models for how the world works don’t map very well into cyberspace because cyberspace is not like the physical world. It’s not a continuous geographic space. It’s a nodal network that operates at light speed, and unless we’re really willing to make some radical changes, unless we want the great firewall of the United States, like what China has tried to do, unless we want to go down that road, there is no way for the federal government to be in between a company or an organization or an individual and the bad guys. That’s what the structure of cyberspace means. As a result, the way that we’ve organized ourselves for hundreds of years, in terms of how we do security, border security and internal security and national security, doesn’t completely work in cyberspace because you can’t put the federal government in that intermediary role. At the same time, it is also equally ridiculous to expect your average company or organization to go up against the Russians or the Chinese or the Iranians or any other nation-state actor, or even a high-level criminal actor, all by themselves. That’s crazy, so how do you square that circle? How do you resolve those two tensions that I was just talking about?
The Cipher Brief: What about the psychological fear over cybersecurity? Just the word intimidates a lot of people. How do you address that?
Daniel: One of my standard opening sequences that I go through when I engage with a company that has talked to me about cybersecurity is, if you think that cybersecurity is primarily a technical problem, we need to broaden the aperture. Yes, it is a technical problem, but it’s way more than that. It is a psychology problem.
What are the bad guys doing with phishing emails? That’s a con game. That’s psychology. They’re playing on human psychology the same way that swindlers and con artists have done for thousands of years. They’re just doing it through cyberspace. I think that we have, unfortunately, treated cybersecurity as if it were purely a technical problem that we could try to relegate to that geek in the basement that we really hope we don’t have to talk to.
That’s just not going to work. We need those people who understand the code and how the internet works at a very fundamental technical level. It’s absolutely crucial, but we need more than that. We’ve got to broaden our thinking to incorporate more than just the technical aspect of cybersecurity. That’s the first point.
The second one I will make is that while it is not possible to solve your cybersecurity problem and get 100% security, that is not the same as saying there is nothing you can do. There’s almost this learned helplessness that is starting to occur, that I very much want to fight against. You can take steps to improve your cybersecurity.
If you do some of those basic things, both as an individual and as an organization, you can dramatically improve your cybersecurity. You can really frustrate 99.5% of the bad guys out there. There is a lot that people can do to improve their cybersecurity and make themselves a lot better off.
Read more expert-driven national security insight, perspective and analysis in The Cipher Brief
Find out more about our network of experts here