White House Cybersecurity Coordinator Michael Daniel at a news conference in 2013.

White House Cybersecurity Coordinator Michael Daniel at a news conference in 2013. Ann Heisenfelt/AP

Threats

We Have 'Very Robust Defenses': An Exit Interview with Obama's Top Cyber Official

Cybersecurity Coordinator Michael Daniel defended the White House's legacy, pointing to new policies and cyber détente with China.

Joseph Marks

|
Joseph Marks
By Joseph Marks
Senior Correspondent

When Michael Daniel became White House cybersecurity coordinator near the end of President Barack Obama’s first term, he spent a fair amount of time convincing government and industry officials that cybersecurity was worth spending time and money on.

After four years that included major breaches at the Office of Personnel Management and other federal agencies, a destructive hack at Sony Pictures Entertainment and Russian cyber meddling in the 2016 presidential election, Daniel no longer faces that problem, he told Nextgov this week.

That’s one plus.

On the other side of the ledger, cybersecurity has become ever more complex during Daniel’s tenure as new threat actors and old adversaries use cyberspace to poke at U.S. institutions and as the internet itself becomes increasingly complex though no more secure.

Nextgov spoke with Daniel about the Obama administration’s cyber legacy as he began his final week in the White House. The transcript below has been edited for length and clarity.

Joseph Marks: President-elect Trump has said ‘we have no defenses’ in cyberspace. What do you make of that?

Michael Daniel: I must say I don’t think that’s a fair representation of where things stand. We do have very robust defenses. [In cases where there are insufficient defenses], we actually know what a lot of those defenses need to be. We know what we need to do, but the challenge is getting people to do it and getting organizations to do it. It’s not a simple technological challenge. It’s an organizational challenge. It’s a human behavioral challenge. It’s an economic incentives challenge. It’s all of those things rolled up together.

I don’t think it’s right to say we have no defenses. We’ve significantly increased our defenses, both in the government and in chunks of the private sector. But we’ve still got to do more work on understanding how to get organizations to manage their organizational risk more effectively.

Marks: Cybersecurity used to be a largely nonpartisan issue. Has that consensus been damaged?

Daniel: Once some of the dust settles, I actually think a lot of that [consensus] will return. I just don’t think that protecting our critical infrastructure and protecting consumers and protecting the government and our information is ultimately going to be a partisan issue. It’s really a national security, a national economic, a public health and safety issue.

I think there are going to be differences when you start talking about cyber as a tool of statecraft: how it is deployed against us and how we use cyber as a tool of statecraft to achieve our goals. Then, you’re probably going to see some greater partisan divides because there are partisan divides about how we employ our uses of statecraft. I think you have to separate that from the issue of how to protect our information. That will continue to be a very strong non-partisan issue.

Marks: What are the Obama administration’s most important cyber accomplishments during the past eight years?

Daniel: Developing the [National Institute of Standards and Technology] cybersecurity framework [for the private sector] is a huge milestone. I would say the promulgation of cyber norms and the work we’ve done internationally to promote those is another one.

There’s also the development of a framework of policy documents that helped guide the way that we think about cybersecurity. That includes [Presidential Policy Directive] 20 on cyber operations, PPD 41 on cyber incident response and the executive order that provides the authority for cyber sanctions.

I’d also say the [no commercial hacking] agreement we reached with the Chinese was a big milestone and getting through cybersecurity [information sharing] legislation with the Congress.

More subtly, the conversation has matured substantially. I feel like we’re really leaving the government in a better place with its own cybersecurity. We have more robust relationships with the private sector. We have more tools to undertake our [cyber] deterrence and disruption mission and we’ve gotten a lot of practice, unfortunately, at doing cyber incident response. We’re much better at it.

Marks: What are your greatest disappointments with what the administration accomplished?

Daniel: Obviously, I wish we had gotten fewer opportunities to practice with some of the cyber incidents we’ve had. Also, we are still struggling on how to get the government better organized. I don’t think we’ve made quite as much progress on the systemic barriers inside the federal government that makes doing cybersecurity hard. This is still a really hard problem and we’re still learning how to think about it and how to manage it from a risk management perspective.

On balance, I feel like we have really accomplished almost all of the major goals I had when I got this job and I do think we’ve really pushed the ball very far down the field.

Marks: Are we safer in cyberspace now than we were eight years ago?

Daniel: I think we’re clearly more capable. In many ways, we are more aware and we are safer in many ways. But, our vulnerability has continued to advance as well. We are at the dawn of the age of what we’re now calling the internet of things, which pretty soon we’ll just call the internet. We’ve got actors who are now figuring out that they can use cyberspace to pursue their goals. You have players that are willing to be destructive in ways that, eight years ago, they weren’t. Clearly the landscape is more serious and more dangerous. I think that if we’re really going to get ahead of the trends, we’re going to need to accelerate our efforts.

Marks: What effect will Russia’s election meddling have on the administration’s cyber legacy?

Daniel: When you step back from it and some of it settles down, I don’t think it will have that much of an impact. The reason I say that is the Russian influence operation goes well beyond cybersecurity. It is about what the Russians are doing in the world as a geostrategic player. They are using social media, using influence operations and using cyber capability to augment those. But none of this is new Russian behavior. I could draw you some parallels going back to the pre-Soviet, czarist days in terms of how the Russian government has used influence operations.

I think it will reinforce the fact that cybersecurity is something that permeates every bit of our society now. We have tended to focus on critical infrastructure, but there’s also our critical democratic processes that also now have to be thought of with cybersecurity in mind.

Ultimately, I think that our record is going to be very strong and people recognize the work that we’ve done. We’ve still got a huge amount of work to do. That’s why the president called for the Commission [on Enhancing National Cybersecurity]. But we have made a lot of progress.

Marks: How can we prevent future election meddling like what happened in 2016 or blunt the effect of it?

Daniel: There’s an element of deterrence in there, making sure we are clear that when we discover those kinds of influence operations we will expose them and we will push back against them.

There’s an element of education for the American public. We’re going to have to get much smarter as a society about how we consume information. When I was growing up, information was still hard to find. Now, it’s not. You’re swimming in information every day.

The thing we need to think through is how we consume information and how we separate correct information from false information. Those are skill sets we’re going to have to develop much more keenly as a society. We can do that. That’s not an impossible goal.

Lastly, on the international stage, we need to develop coalitions of countries saying, ‘we don’t find this sort of surreptitious influence operation to be acceptable behavior, and we’ll push back on that’ and embed that in all the tools of statecraft and the geopolitical relations that we have.

Marks: What advice would you give to Trump’s cyber officials?

Daniel: I’d say continue to build on what we have done. Continue, on the government side, to tackle systemic problems in cybersecurity. And you’re probably going to have to go big in some areas and change how we manage IT.

Marks: What does going big mean?

Daniel: We need to break the stack. The model we’ve used is that [each agency] has to provide all of its IT services from top to bottom. Where I think we can reach some balance point is to say that you will have a more centralized provision of networking services at the networking layer and the transport layer and therefore the cybersecurity layer. Then, the agencies are responsible for developing the applications that ride on that network, the specialized applications that they need for their mission.

That’s a huge change in how we do business as a federal government. But that’s the kind of change that, if you really want to move the needle on federal cybersecurity in a big way, that’s the approach you’re going to have to take.

Marks: What does that mean for cyber acquisition?

Daniel: That’s one of the clear things that comes out in our FY17 budget with the IT modernization fund. One of the systemic problems we discovered is that, from a budgeting and resources standpoint, agencies are heavily incentivized to continue spending money on old legacy IT systems because it is relatively easier to get operation and maintenance money for sustainment and much harder to get procurement money for new acquisitions.

So, the result is we keep legacy IT systems around much longer than the private sector would. That’s why things like the IT modernization fund are so important.

Marks: The cyber commission focused on private-sector incentives for cybersecurity rather than regulation and the Obama administration has generally taken an incentives route. Given the number and seriousness of breaches, isn’t regulation warranted?

Daniel: I don’t think we’ve fully played out what market incentives can do if we structure them properly. If you look at the commission report, what they’re actually saying in several places is ‘industry should do X or Y within 24 months and, if they don’t, then the government should consider regulation.’ I’ve talked with the commissioners about this and they’ve said, ‘yes, we believe the voluntary approaches can work, but in some cases, the government may need to have that stick of regulation to get industry to move along the voluntary path.’

I believe we still need to do more work on what the voluntary approach can get us. And we’re still trying to figure out how we can do regulation smartly because you can do regulation really dumbly and that can actually set you back. So, if we ever need to use that tool, we need to know how to employ it to get the outcome we want.

NEXT STORY: Trump’s ISIS war plans are in the works; The determination of Russian hackers; Manning and Cartwright get early release; Gabbard goes to Syria; And a bit more.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.