White House's Cybersecurity Guy Proud Of His Lack Of Cybersecurity Knowledge Or Skills
from the say-what-now? dept
So we were just writing about how the White House appeared to be going with a security by obscurity tactic in denying an Associated Press FOIA request concerning the security behind Healthcare.gov. Specifically, the request was denied because the White House claimed that revealing such info might help hackers. As we noted, if revealing the basic security plan you're using will help hackers, then you're not secure and chances are you've already been hacked.
Of course, perhaps the reason why the cybersecurity is so awful is because the White House's "cybersecurity coordinator," Michael Daniel, not only isn't a cybersecurity expert but thinks that's a good thing. I wish I was joking. After spending a few minutes talking about how all his training at Princeton and the Kennedy School at Harvard taught him to communicate well and "break down problems," he dismisses the need for actual technical knowledge.
You don't have to be a coder to really do well in this position. In fact, actually, I think being too down in the weeds at the technical level could actually be a little bit of a distraction..... You can get taken up and sort of enamored with the very detailed aspects of some of the technical solutions. And, particularly here at the White House... the real issue is to look at the broad, strategic picture and the impact that technology will have.
Now there is some truth to the idea that it's important to be able to look at the bigger picture, but when you're talking about cybersecurity, part of the way that you can look at the bigger picture is to actually understand the technology. That's not "a distraction"; it's part of the core and necessary knowledge to then do the job of a cybersecurity coordinator. People who don't spend much time with these things view cybersecurity and technology as a kind of "magic." But it's not. Nor is technology economics, but Daniel thinks it is:
But the other issue in my mind is that at a very fundamental level, cybersecurity isn't just about the technology but it's also about the economics of cybersecurity. Why companies choose to invest the way they invest. It's about the psychology of cybersecurity. You know, one of my sayings is that 'expediency trumps cybersecurity every time' meaning that people will prioritize convenience over being secure many times. So you need to have the understanding of those kinds of factors: the psychology, the economics, the broad policy, the politics with a little p, in addition to the technology. So you need to be more of a generalist than having a lot of expertise particularly in the technological side.
Yes, in addition to the technology. All of those things are important, but they're mostly useless if you don't understand the underlying technology. He's then asked what the biggest challenges are and... after talking about how important it is to understand the psychology and economics (more important than the technology) he admits that he doesn't actually understand the psychology and economics. Because, apparently, he wants to make sure that he has none of the qualifications for the job.
There are a few [challenges] that I can identify. One is that we don't actually truly understand the economics and psychology behind cybersecurity. We know that a huge number of intrusions rely on known fixable vulnerabilities... We know that intruders get in through those holes that we know about that we could fix. The question is, 'Why don't we do that?' That clearly leads me to the conclusion that we really don't understand all of those economics and psychology well enough.
So there you have it folks. The White House's cybersecurity expert doesn't have the technological expertise, but insists it's okay because he's focused on the economics and psychology of the fact that people don't patch their computers -- and then admits he has no idea why that happens.
This doesn't make me feel any safer.
Filed Under: cybersecurity, cybersecurity coordinator, michael daniel, skills, white house
Reader Comments
The First Word
“Holy...
"Ignorance is bliss" should not be a campaign slogan for ineptitude and lack of transparency.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
This seems to be typical of politics, really.
[ link to this | view in chronology ]
See it this way:
Actually, if you think rationally about it... No wait, the whole point of the War Against Drugs was not to think rationally about it.
So there.
[ link to this | view in chronology ]
Re: See it this way:
You might want someone that's an expert on real life drug effects on health and society in general running things - otherwise how do you know if what you're doing is actually effective?
Oh...well yes, right - that's not actually necessary in the "War on drugs" - which is why we're still running this war.
[ link to this | view in chronology ]
Meh, Junkies not so bad...
[ link to this | view in chronology ]
Re: Expert
[ link to this | view in chronology ]
Re:
Well, sure, most people have to earn a living. If they want a higher paying job they need to study a more difficult field and be knowledgeable. So how do government employees get away with being idiots with nice pay? Everyone else should be jealous, even those that get paid more in the private market, because they earn their living through being knowledgeable and intelligent and going through the hard work of learning what's needed. Government employees get nice pay for being idiots.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Holy...
[ link to this | view in chronology ]
I wish you were kidding, too
The challenges are enormous. The risks are numerous. The technology is complex. The scale is huge. All of those factors beg for someone with long, deep and broad security expertise, not for someone who's a self-pronounced newbie.
[ link to this | view in chronology ]
Re: I wish you were kidding, too
[ link to this | view in chronology ]
Re: I wish you were kidding, too
Yea, verily. But for me, the worst part is that no one in the hiring process had enough clue to realize the guy was blowing smoke up their a**es . . .
[ link to this | view in chronology ]
Expecting them to be fired after admitting that they are clearly not qualified for the position would be nice, but probably a bit too much at this step, but public mockery and derision seems completely doable, and more certainly deserved.
Refusal to take them seriously or give them air-time would also be nice, paying attention to morons proud of their stupidity just encourages them, and makes them feel like their opinion on the subject/field is equally valid when compared to someone who actually knows what they're talking about.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re:
The sheer delight that so many of these people take in not knowing anything about the subject they're supposedly meant to be in charge of astonishes me.
I don't necessarily expect a Senator, say, to know everything about the technical topic of the day, but if a hearing is coming up one would think they'd take at least a little time beforehand and get familiar with the major points. (And it would be nice if they would refrain from wearing their ignorance as a badge of honor and then laughingly request some "nerds" to come in and explain it to them.)
But a department chief, and people in similar positions, really should have some practical knowledge of what their job entails.
"I'm not a doctor, but I can run this hospital."
"I'm not an engineer, but I'll manage this bridge construction project."
"I'm not a sailor, but I can command this ship."
I don't think anyone could get away with making any of those statements out in the real world. Why do we put up with it in government?
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
At my current job, the boss I work for *is* the CEO. He's an engineer. Things are pretty successful here. I don't think I'd ever want to work in a technical job for a boss who's not technical.
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Jesus, talk about the blind leading the blind - to try to figure out why blind people are blind.
[ link to this | view in chronology ]
Re:
Actually, people prioritise convenience over security because they usually need to get something done more than they need to stop someone else from doing something (undefined) that they're not supposed to be doing.
I'm technical (coder by profession and hobby), and I try to set up systems that are as convenient as I can justify, partially because I think that anything less convenient will also end up being less secure, because people (including me) will find ways around the security out of sheer frustration.
In that sense, there are some parallels between security/technology and economics, and Bruce Schneier regularly talks about the economics of security.
Michael Daniel, on the other hand, sounds like someone who has read one or two of Bruce Schneier's essays without actually understanding them, but thinks he does. I mean, seriously... That clearly leads me to the conclusion that we really don't understand all of those economics and psychology well enough. ... then perhaps you should check up on some of the research (or even realise that someone else is already doing the research!), and ask someone qualified to understand the results what it means. If you're willing to do (coordinate) that, then I don't care if you personally don't know what it means.
[ link to this | view in chronology ]
Re: Re:
Unfortunately trust doesn't work that way within the security space - there, "trust" is another term for "vulnerability".
You only "trust" something because you have no way to verify it. If you can verify it, there's no need to trust it. Then again, that seems like it applies just as well to governments, maybe they need a new webinar series...
[ link to this | view in chronology ]
Where does he dismiss the need for technical knowledge?
It translates to what you actually admit: focusing purely on the technology is not enough.
Can you add a quote to the article where he actually says that technical knowledge is not important?
Because in the quote above he never said that.
I am quite happy to believe that he did say that, but an actual quote would be great.
[ link to this | view in chronology ]
Re: Where does he dismiss the need for technical knowledge?
To someone who has no experience or knowledge in a given field, a brilliant, but technical idea, and a stupid, also technical idea, both sound the same.
[ link to this | view in chronology ]
Re: Re: Where does he dismiss the need for technical knowledge?
Now all we need is a link/quote that proves that the guy is really clueless and include that in the article to give a solid foundation to the arguments made. I am pretty sure that such a quote or website can be found with no problem.
[ link to this | view in chronology ]
Re: Re: Re: Where does he dismiss the need for technical knowledge?
And yeah, I'm a computer security analyst, and I've actually got video on the interweb recording me saying things like that, so there :)
Everything he said was true, except the bit at the end worries me:
"That clearly leads me to the conclusion that we really don't understand all of those economics and psychology well enough."
If by "we" he means his department, that's a problem. The NSA and CIA should be able to help him there, as that's THEIR job.
Plus, the economics and psychology are extremely well known in the field; there are presentations and papers on these topics at every major security conference. What we don't know is what the solutions to people being social animals are.
I think of (in)security as being similar to the recent discovery that the ability to become cancerous is an innate part of cellular structure -- what the cybersecurity force should be focusing on is "what makes people click those links, and what processes can we put in place to stop that?" Because it's obvious the bad actors know; it comes down to statistics at some level.
So yeah; he doesn't sound all that clueful in the selected quotes, but he also doesn't sound stupid. I'd also be interested to see what sort of people work as his advisers, as that will indicate whether he's actually clueless or not.
But then, nobody in the computer security field prefixes anything with "cyber" -- not his fault, but "cybersecurity" ALWAYS refers to the political side of the issue, not the technical details.
[ link to this | view in chronology ]
Re: Where does he dismiss the need for technical knowledge?
[ link to this | view in chronology ]
Re: Re: Where does he dismiss the need for technical knowledge?
Was he asked about coding experience? If yes, then a "you don't have to be a coder..." answer can be appropriate.
Especially when someone is responsible for policies and not the technology.
Listening to the actual interview it seems his role is more selling the policies and solutions to budgeting people than actually figuring out what to code. His title "coordinator" and not "implementer" already hints at this.
In the meantime the question was: "How much do you have to know about the technology behind information security for this position [coordinator]?"
FULL ANSWER: "You actually have to start to develop a broad sense of the kinds of technology that's available but you don't have to be a coder"
So we are mocking a guy who is a project/resource manager for not being a deep level coder.
[ link to this | view in chronology ]
Re: Re: Re: Where does he dismiss the need for technical knowledge?
But if he doesn't know anything about what he's selling, how does he know he's selling the correct solutions?
[ link to this | view in chronology ]
Re: Re: Re: Re: Where does he dismiss the need for technical knowledge?
Or you think that one has to know everything down to the code level to know anything about something? :)
[ link to this | view in chronology ]
Re: Re: Re: Where does he dismiss the need for technical knowledge?
I'm not. I'm defending him on this point.
[ link to this | view in chronology ]
Re: Re: Re: Re: Where does he dismiss the need for technical knowledge?
[ link to this | view in chronology ]
Re: Where does he dismiss the need for technical knowledge?
His team is supposed to have that advanced, specific knowledge. His job is to make sure that the person with the right knowledge is in the right place at the right time. You don't need to know the weeds, you just need to be smart enough to listen to the people who do.
[ link to this | view in chronology ]
Re: Re: Where does he dismiss the need for technical knowledge?
There is a reason why high ranking officers in the military are called "generals".
However, not everyone who makes a high level position has this essential skill.
There is a reason for the popularity of Scott Adams' Dilbert comic strip and the Peter Principle.
[ link to this | view in chronology ]
Re: Re: Re: Where does he dismiss the need for technical knowledge?
What we do know is that he's a politician. He used a lot of words to say absolutely nothing.
[ link to this | view in chronology ]
Re: Re: Re: Re: Where does he dismiss the need for technical knowledge?
Reminds me of people working at banks.
"We made no progress" is four words, but they can talk for 15 minutes implying but never actually saying it.
"One mistake and you're out" culture does that to people.
Not holding my breath, but let's see how he will do it.
(Although, let's admit, it will be pretty tough to assess the results properly)
[ link to this | view in chronology ]
sounds like a lot of our government employees.
This is why when you make a call to government offices they put you on hold for so long, so they can google the answers to your questions.
[ link to this | view in chronology ]
"see, all of your other employees are very knowledgeable and experienced and educated. This deters them from looking at the broad picture. My ignorance here helps me look at the broad picture because I don't let details and facts get in the way of my perspective."
Imagine if a doctor tried to advertise his ignorance as a way to look at the broad picture of the patient's health.
[ link to this | view in chronology ]
Re:
I've interviewed a lot of people over the years for software engineering jobs. Would it surprise you to learn that two of the interviews I remember the most were ones where the candidate made that exact argument? They didn't get the job.
[ link to this | view in chronology ]
He might be talking so much about the "economics" of cybersecurity, because he intends to get NSA/US to steal a lot of data for economic purposes.
[ link to this | view in chronology ]
The economics of security
Perfect security is literally impossible. You can throw more resources into security to require more resources to be used to subvert it, but there's a law of diminishing returns involved. Because of this, security is always subject to a cost/benefit analysis. Sometimes, that analysis indicates that the best security is relatively light, sometimes the best security is to lock everything down as tightly as possible regardless of costs.
The economics of security, at heart, don't really differ much from the economics of safety (or anything else, really).
[ link to this | view in chronology ]
Re:
I also think that the criticism isn't apt. I think that most of the people in the federal government understand very well how democracy and the Constitution work. It's just that sometimes they ignore it.
[ link to this | view in chronology ]
Typical
[ link to this | view in chronology ]
in first
Which makes him sound very much like every MBA I've ever known. That's practically part of their curriculum.
[ link to this | view in chronology ]
Re: in first
So, in child-like response: FU. Your degree and education is stupid, too. Stupid was the core of your curriculum. And many other broad, sweeping, incorrect criticisms.
There, balance is achieved.
[ link to this | view in chronology ]
Re: in first
[ link to this | view in chronology ]
Hm...
[ link to this | view in chronology ]
Act like they know what they are doing and intimidate anyone that exposes their cluelessness
[ link to this | view in chronology ]
Re:
Hillary Clinton thinks she is the victim of Benghazi.
The IRS can't find its emails.
The attorney general is being persecuted.
These are the kinds of excuses you would expect to hear from children in the 7th or 8th grade.
I don't like George Bush but at least he knew to shut up and let his generals fight a war.
[ link to this | view in chronology ]
Cyber!
[ link to this | view in chronology ]
Re: Cyber!
Just a few months ago, a woman with a bone growth condition that caused her skull to thicken out of control, putting horrible pressure on her brain, had her entire skull surgically removed and replaced with a 3D-printed prosthesis. The prosthesis is inert and not robotic, but... just think about that. There is a woman alive today, walking around as a functioning member of society, with an artificial skull!
Just five years ago, that would have been considered "something from a William Gibson novel." Today it's reality.
For decades now we've had people who are only alive because they have had an artificial heart or a cybernetic heart-control implant (pacemaker) added into their body. Now they're making pacemakers that run on software. What is a person bearing that if not a cyborg? That's reality today.
Heeeeeeeey, welcome to the future! Somehow it went and arrived on us while we were all busy in the present.
[ link to this | view in chronology ]
Re: Re: Cyber!
https://www.youtube.com/watch?v=Y0Yg9wjctRw
[ link to this | view in chronology ]
Re: Cyber!
Well, this dystopian future we're running into sounds very much like a William Gibson novel.
[ link to this | view in chronology ]
Think different
If there was real danger they would put someone competent in charge.
So this is actually proof there is no danger - so you should feel safer!
[ link to this | view in chronology ]
Re: Think different
You have more faith in our government than I do.
[ link to this | view in chronology ]
I dunno. As a programmer, I spend my days creating and fine-tuning arcane formulae composed of complex, often bizarre symbols, ordered according to cryptic rules and priorities that would drive a mere mortal mad to think about too deeply (or at least really, really confuse them) in order to produce incantations that, once invoked, perform effects that alter the world.
What am I if not a modern-day mage?
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
Source: http://dfns.dyalog.com/c_life.htm
[ link to this | view in chronology ]
At least he is consistent...
[ link to this | view in chronology ]
War by Deception
It's dis-information.
You going to tell me the NSA doesn't do this?
This dude is a FACE on a coverup.
What the hell is "cyber" anyway? Did you mean computer and electronics security? Why not just say that?
If he truly doesn't have any tech under the belt, then he's condemned to a leadership role and playing by the new socialist utopia agenda and silver bullet failures, meanwhile publicly talking about vision, or the future while using fear and rolling it out with un-accountable, un-auditable (fuck sounds like voting machines again) sub-contractors
It's a hidden invisible disaster essentially rolling in slow and fast motion
[ link to this | view in chronology ]
Re: War by Deception
Where is that dialog? On Coast to Coast AM? give me a break....
This war on whatever is all BS.
[ link to this | view in chronology ]
Re: War by Deception
That's the term for people who punch through the firewall and hack the mainframe so that they can open a port, which lets them break the encryption of the command codes.
[ link to this | view in chronology ]
Re: War by Deception
[ link to this | view in chronology ]
Politician=Technogeek?
To anyone that knows much about OS's, Programming, hardware, hardware coding, Servers, and in all that, vulnerabilities and restrictions of ALL of the above..
There are things that hardware can do, and things Programming can do, and Something that can be done on both sides..
Being able to BUILD a computer and install an OS, is nothing to the knowledge needed for this job.
[ link to this | view in chronology ]
US Cyberguru and Canada Cyberguru - Dumb and dumber
.
Heck... even Al Qaeda and ISIS (ISIL) have people in their cyber-operations units that know more about cybersecurity than the fools allegedly trying to protect North America.
[ link to this | view in chronology ]
Re: US Cyberguru and Canada Cyberguru - Dumb and dumber
It seems that the skill level to lead the US (anything) needs only to know how to schmooze around the cocktail circuit in Washington.
[ link to this | view in chronology ]
Bullshit Jobs and Clueless Lawmakers
http://strikemag.org/bullshit-jobs/
This here too:
http://www.psmag.com/navigation/politics-and-law/sopa-debate-highlights-congresss-ignorance-38666/
As are recent phenomena like "creationism".
There's a culture developing, where knowledge, science and craft are de-valued.
[ link to this | view in chronology ]
Re: Bullshit Jobs and Clueless Lawmakers
It's called "anti-intellectualism". It's pernicious and terrible, but it's been around in the US for a VERY long time.
[ link to this | view in chronology ]