The US government's cybersecurity could be a lot better than it is, and President Barack Obama's cyber czar knows why it's in such rough shape.
Michael Daniel was cybersecurity coordinator during Obama's last four years in office. We caught up with him at Black Hat on Thursday, more than six months after Obama left the White House, to talk about President Donald Trump's policies on security, what attacks Americans should be looking out for and the trouble with getting people to listen.
A lot has changed for security in the six months since Trump moved into the White House on Jan. 20. Trump signed an executive order calling for an overhaul on cybersecurity, investigators continue to dig into Russian influence on the election via hacked emails and the world received a wake-up call from not one, but two massive ransomware attacks.
As for Daniel, he's now the president of the Cyber Threat Alliance, a collective of security experts and researchers dedicated to protecting the world from hacks, vulnerabilities and exploits.
This interview has been edited and condensed for our Q&A format.
Q: How is the state of cybersecurity for the average American?
Daniel: It has certainly gotten better. There is a much higher level of awareness of cybersecurity as an issue.
Unfortunately, the threat landscape continues to evolve very rapidly. We keep hooking up more and more stuff to the internet, so now it's not just your desktop or your laptop or even your mobile device, but it's also your refrigerator, your Fitbit, your car.
The frequency, scope and scale of the adversary's malicious activity has continued to grow, and we are becoming more digitally dependent. Incidents that would have been a nuisance 25 years ago are now disrupting business.
I'm old enough to remember that when the network went down, you just did something else for the day. Now if the network goes down, business comes to a halt and people just stop working. That's a very different environment.
Compared with the rest of the world, where does the US stand with its cybersecurity program?
Daniel: We're still among the most sophisticated. Some countries have got very robust sectors, and they have certain aspects that are very advanced. Take Israel for example, or Estonia or even the Netherlands.
But for the scope and scale, it's hard to match the United States.
How has the Trump administration continued some of the policies that you put in place during your time at the White House?
Daniel: If you look at the executive order that came out, most of the reports that are called for in there are related to ideas that we were pursuing toward the end of the Obama administration. So, the idea of holding senior government officials accountable for cybersecurity was policy that we were trying to pursue. Moving more toward shared services across the government.
Internationally, the Trump administration has continued to promote the development of the norms of behavior in cyberspace. There's actually been a fair amount of continuity between this administration and the Obama administration.
What are some of the differences between the Obama and Trump administrations on cybersecurity?
Daniel: Even though we're six months into the administration, I think that they're still filling out their senior positions, so it's a little difficult to tell how that's going to ultimately play out.
What do most Americans misunderstand about the US military and national cyberdefense?
Daniel: Cyber is one of those issues where it doesn't behave according to the same rule set about objects in the physical world. There's kind of this idea that we can do cyberdefense like we do missile defense. Like we can watch for malicious activity coming in and we can stop it before it gets to the United States, and that's just not how cybersecurity is going to work.
We also have this mental model that we can treat cybersecurity like a border security issue, and it's not really amenable to that. The way that cyberspace works is not amenable to treating it that way.
Will there ever be a point where the US government takes responsibility for private industries in cybersecurity? The same way that most stores have tax-paid police handle crimes instead of their own security team.
Daniel: I don't think that the government will take on sole responsibility for cybersecurity. To extend your analogy, we do expect that Walmart has security cameras, and is able to lock their doors at night.
We do expect people to lock their doors and have a basic level of protection for themselves. What we need to think about is, "How do we have a robust discussion of how we allocate responsibility between the private sector and the government?"
I think most Americans would say, "We actually don't want the federal government trying to protect us from all cyberthreats all the time." Philosophically, that's not a role that we want the government to play. But you're also correct that it is also not really realistic to expect a private company to take on a nation-state in cyberspace.
How to work out that division of responsibility is actually one of the key policy questions that we are going to face over the next three, four, five years.
If you were still the White House's cybersecurity coordinator, what would you do differently?
Daniel: Drawing on my time in that position, you've got to continue driving forward the discussion on federal cybersecurity and moving toward modernizing the federal IT systems, moving toward shared services, continuing the efforts to better protect our critical infrastructure and continuing to develop our ability to disrupt what the bad guys are doing.
We were on a pretty good trajectory when the administration came to an end. To the extent that this administration could just build on that foundation -- that's a good thing.
Why is modernizing federal IT so difficult?
Daniel: The incentive structure is all wrong. If you are a senior manager in an agency, it is fairly easy to get money to keep an old system going, and incredibly difficult to get money to buy a new system.
The incentive structure is all designed to keep old systems going, and I think that's one of the key challenges.
Are there any kind of technical issues?
Daniel: Oh, I don't think it's a technical problem at all. In some cases, there's probably some technical issues, but in general, it's more about the managerial capacities and the resources to actually manage upgrades like that.
Sen. John McCain has been heavy on calling the Russian meddling in our election an "act of war," or at the very least, determining to what degree a cyberattack counts as one. In your eyes, when does a cyberattack become an act of war?
Daniel: It's very difficult to answer. Even in the physical world, the definition of what constitutes an act of war is also influenced by politics and policy. There were incidents that occurred during the Cold War that under different circumstances might be considered an act of war.
If you look at the long history of international law, it very clearly starts to tie to the level of destructiveness that is involved, and how much disruption, economic disruption, loss of life, actually occurred.
Would you consider hacking into the Democratic National Committee an act of war?
Daniel: No. By itself, that's called espionage. Now, how that information gets used is a different question. But even that's a very murky area.
We're less than two weeks from the deadline for President Trump's executive order on cybersecurity. What are your thoughts on his executive order?
Daniel: One of the limitations of an executive order is that the president can only order federal agencies to do things that they already have the authority to do anyway.
In many cases, an executive order is really an expression of policy. I think that it was really consistent with the approaches that we had been taking.
It'll be interesting to see if they can get their reports across the finish line on time, given that they have been slower than they probably would have liked to have been in terms of getting policy people on board.
If this executive order was essentially a continuation of what the Obama administration had been pushing, why didn't Obama just sign a cybersecurity executive order himself?
Daniel: You always have more policy goals and ideas than you can achieve in whatever time you have while an administration is in office. I feel we pushed the ball forward in many of those areas, and some of what you're seeing, we had already started putting in motion.
It's a natural outgrowth of that work.
What are some systemic problems in cybersecurity that you think will take more than one or two presidential terms to fix?
Daniel: The overall division of labor that we were just talking about is going to have to evolve over time. That's going to require some trial and error as we figure out what works and what doesn't work.
We have to change how we think about cybersecurity. It's not just a technical issue. It's more than a technical issue. It's also a human psychology issue, it's a business-economics issue, it's a national security issue.
We need to move from trying to just find technical solutions that will solve the problems to having a much more holistic risk management approach to cybersecurity, and that's going to take a while to make that cultural change.
What are some risks in cybersecurity that Americans will have to watch for in the future?
Daniel: As you move into this era where medical devices, transportation and other things are even more digitally dependent, the risk that an event could also cause a loss of life becomes that much greater. And I think that that's a concern that everybody should have.
I think people at a personal level need to be cognizant of their cybersecurity and making steps to make sure that they're protecting themselves. One of the things that we did as part of the Obama administration was promote the use of two-factor authentication. Turning on your Google two-factor, those are the kinds of things that individuals should be doing.
You know, John Podesta didn't really listen to that.
Daniel: It's one that more people should listen to. And it would have an impact, and it would markedly improve people's security, just doing simple steps like that.
What is the Obama administration's legacy in cybersecurity?
Daniel: As a whole, we put the policy foundation in place to enable the government to think more holistically about cybersecurity as an issue and be more effective at going after the bad guys, and being more effective at responding to incidents when they occur.
We worked through a lot of the bureaucratic issues needed to get the government into a better place to tackle those issues and to create a policy foundation that is very solid and can be built on by Trump's and subsequent administrations.
A security researcher invited to speak at Black Hat couldn't come because he was denied entry into the US. There is a lot of talent that can't work in the US because of travel bans. How do Trump's policies affect the US' cybersecurity?
Daniel: Cybersecurity is one of those issues where it doesn't tend to respect the arbitrary international boundaries that we've set up in the physical world.
Cyber is one of those issues that we cannot solve in the United States just by ourselves. The organization that I'm heading up now, we have international members. We have Israeli, South Korean, Spanish companies. It's very important from my perspective that we keep a global view on cybersecurity because it's a global problem.
Obama has been heavily criticized for not acting sooner against Russia despite reports that he was aware of its attacks as early as 2015. Does that tarnish Obama's legacy in cybersecurity?
Daniel: In hindsight, you can always find ways that things could have been done differently. I think that overall, the administration worked very hard to make substantial gains in cybersecurity.
If you look across the board, the NIST cybersecurity framework, the ability to impose economic sanctions on malicious cyberactors, the presidential policy directive 41 on how to respond to cyberincidents, I think all of those are going to have a much longer-lasting impact on our ability to carry out effective cybersecurity.
Intolerance on the Internet: Online abuse is as old as the internet and it's only getting worse. It exacts a very real toll.
It's Complicated: This is dating in the age of apps. Having fun yet? These stories get to the heart of the matter.
Black Hat Defcon 2018
reading•Obama cybersecurity czar: We gave Trump a head start
Aug 17•Black Hat and Defcon cybersecurity experts share tips on how to protect yourself
Aug 15•Defcon hacking challenge swings a sledgehammer at unlucky computers
Aug 14•I got beaten up at Black Hat in the name of cybersecurity
Aug 13•Teddy Ruxpin learns some new words after a quick hack