When Michael Daniel became White House cybersecurity coordinator near the end of President Barack Obama’s first term, he spent a fair amount of time convincing government and industry officials that cybersecurity was worth spending time and money on.
After four years that included major breaches at the Office of Personnel Management and other federal agencies, a destructive hack at Sony Pictures Entertainment and Russian cyber meddling in the 2016 presidential election, Daniel no longer faces that problem, he told Nextgov this week.
That’s one plus.
On the other side of the ledger, cybersecurity has become ever more complex during Daniel’s tenure as new threat actors and old adversaries use cyberspace to poke at U.S. institutions and as the internet itself becomes increasingly complex though no more secure.
Nextgov spoke with Daniel about the Obama administration’s cyber legacy as he began his final week in the White House. The transcript below has been edited for length and clarity.
Joseph Marks: President-elect Trump has said ‘we have no defenses’ in cyberspace. What do you make of that?
Michael Daniel: I must say I don’t think that’s a fair representation of where things stand. We do have very robust defenses. [In cases where there are insufficient defenses], we actually know what a lot of those defenses need to be. We know what we need to do, but the challenge is getting people to do it and getting organizations to do it. It’s not a simple technological challenge. It’s an organizational challenge. It’s a human behavioral challenge. It’s an economic incentives challenge. It’s all of those things rolled up together.
I don’t think it’s right to say we have no defenses. We’ve significantly increased our defenses, both in the government and in chunks of the private sector. But we’ve still got to do more work on understanding how to get organizations to manage their organizational risk more effectively.
Marks: Cybersecurity used to be a largely nonpartisan issue. Has that consensus been damaged?
Daniel: Once some of the dust settles, I actually think a lot of that [consensus] will return. I just don’t think that protecting our critical infrastructure and protecting consumers and protecting the government and our information is ultimately going to be a partisan issue. It’s really a national security, a national economic, a public health and safety issue.
I think there are going to be differences when you start talking about cyber as a tool of statecraft: how it is deployed against us and how we use cyber as a tool of statecraft to achieve our goals. Then, you’re probably going to see some greater partisan divides because there are partisan divides about how we employ our uses of statecraft. I think you have to separate that from the issue of how to protect our information. That will continue to be a very strong non-partisan issue.
Marks: What are the Obama administration’s most important cyber accomplishments during the past eight years?
Daniel: Developing the [National Institute of Standards and Technology] cybersecurity framework [for the private sector] is a huge milestone. I would say the promulgation of cyber norms and the work we’ve done internationally to promote those is another one.
There’s also the development of a framework of policy documents that helped guide the way that we think about cybersecurity. That includes [Presidential Policy Directive] 20 on cyber operations, PPD 41 on cyber incident response and the executive order that provides the authority for cyber sanctions.
More subtly, the conversation has matured substantially. I feel like we’re really leaving the government in a better place with its own cybersecurity. We have more robust relationships with the private sector. We have more tools to undertake our [cyber] deterrence and disruption mission and we’ve gotten a lot of practice, unfortunately, at doing cyber incident response. We’re much better at it.
Marks: What are your greatest disappointments with what the administration accomplished?
Daniel: Obviously, I wish we had gotten fewer opportunities to practice with some of the cyber incidents we’ve had. Also, we are still struggling on how to get the government better organized. I don’t think we’ve made quite as much progress on the systemic barriers inside the federal government that makes doing cybersecurity hard. This is still a really hard problem and we’re still learning how to think about it and how to manage it from a risk management perspective.
On balance, I feel like we have really accomplished almost all of the major goals I had when I got this job and I do think we’ve really pushed the ball very far down the field.
Marks: Are we safer in cyberspace now than we were eight years ago?
Daniel: I think we’re clearly more capable. In many ways, we are more aware and we are safer in many ways. But, our vulnerability has continued to advance as well. We are at the dawn of the age of what we’re now calling the internet of things, which pretty soon we’ll just call the internet. We’ve got actors who are now figuring out that they can use cyberspace to pursue their goals. You have players that are willing to be destructive in ways that, eight years ago, they weren’t. Clearly the landscape is more serious and more dangerous. I think that if we’re really going to get ahead of the trends, we’re going to need to accelerate our efforts.
Marks: What effect will Russia’s election meddling have on the administration’s cyber legacy?
Daniel: When you step back from it and some of it settles down, I don’t think it will have that much of an impact. The reason I say that is the Russian influence operation goes well beyond cybersecurity. It is about what the Russians are doing in the world as a geostrategic player. They are using social media, using influence operations and using cyber capability to augment those. But none of this is new Russian behavior. I could draw you some parallels going back to the pre-Soviet, czarist days in terms of how the Russian government has used influence operations.
I think it will reinforce the fact that cybersecurity is something that permeates every bit of our society now. We have tended to focus on critical infrastructure, but there’s also our critical democratic processes that also now have to be thought of with cybersecurity in mind.
Ultimately, I think that our record is going to be very strong and people recognize the work that we’ve done. We’ve still got a huge amount of work to do. That’s why the president called for the Commission [on Enhancing National Cybersecurity]. But we have made a lot of progress.
Marks: How can we prevent future election meddling like what happened in 2016 or blunt the effect of it?
Daniel: There’s an element of deterrence in there, making sure we are clear that when we discover those kinds of influence operations we will expose them and we will push back against them.
There’s an element of education for the American public. We’re going to have to get much smarter as a society about how we consume information. When I was growing up, information was still hard to find. Now, it’s not. You’re swimming in information every day.
The thing we need to think through is how we consume information and how we separate correct information from false information. Those are skill sets we’re going to have to develop much more keenly as a society. We can do that. That’s not an impossible goal.
Lastly, on the international stage, we need to develop coalitions of countries saying, ‘we don’t find this sort of surreptitious influence operation to be acceptable behavior, and we’ll push back on that’ and embed that in all the tools of statecraft and the geopolitical relations that we have.
Marks: What advice would you give to Trump’s cyber officials?
Daniel: I’d say continue to build on what we have done. Continue, on the government side, to tackle systemic problems in cybersecurity. And you’re probably going to have to go big in some areas and change how we manage IT.
Marks: What does going big mean?
Daniel: We need to break the stack. The model we’ve used is that [each agency] has to provide all of its IT services from top to bottom. Where I think we can reach some balance point is to say that you will have a more centralized provision of networking services at the networking layer and the transport layer and therefore the cybersecurity layer. Then, the agencies are responsible for developing the applications that ride on that network, the specialized applications that they need for their mission.
That’s a huge change in how we do business as a federal government. But that’s the kind of change that, if you really want to move the needle on federal cybersecurity in a big way, that’s the approach you’re going to have to take.
Marks: What does that mean for cyber acquisition?
Daniel: That’s one of the clear things that comes out in our FY17 budget with the IT modernization fund. One of the systemic problems we discovered is that, from a budgeting and resources standpoint, agencies are heavily incentivized to continue spending money on old legacy IT systems because it is relatively easier to get operation and maintenance money for sustainment and much harder to get procurement money for new acquisitions.
So, the result is we keep legacy IT systems around much longer than the private sector would. That’s why things like the IT modernization fund are so important.
Marks: The cyber commission focused on private-sector incentives for cybersecurity rather than regulation and the Obama administration has generally taken an incentives route. Given the number and seriousness of breaches, isn’t regulation warranted?
Daniel: I don’t think we’ve fully played out what market incentives can do if we structure them properly. If you look at the commission report, what they’re actually saying in several places is ‘industry should do X or Y within 24 months and, if they don’t, then the government should consider regulation.’ I’ve talked with the commissioners about this and they’ve said, ‘yes, we believe the voluntary approaches can work, but in some cases, the government may need to have that stick of regulation to get industry to move along the voluntary path.’
I believe we still need to do more work on what the voluntary approach can get us. And we’re still trying to figure out how we can do regulation smartly because you can do regulation really dumbly and that can actually set you back. So, if we ever need to use that tool, we need to know how to employ it to get the outcome we want.