Wednesday, August 27, 2014

It Does Matter That The White House Cybersecurity Czar Lacks Technical Chops

POST WRITTEN BYRobert M. Lee
Robert Lee is an active-duty Air Force Cyber Warfare Operations Officer and a cofounder of Dragos Security.
Michael Daniel, the White House cyber security coordinator or “cyber czar”, made comments recently that being a coder or “being too down in the weeds at the technical level could actually be a little bit of a distraction.” This statement raised concerns in the cybersecurity community. A quick examination of his background elevated those concerns. Mr. Daniel has never been involved with cyber security before; he has a strong background in policy and budgeting but nothing in even the basics of cyber security. This seems to be a problem just for the government cyber security community, but it has farther reaching impacts.
Is Technical Understanding Required?
People do not often become exposed to concerns outside of their own communities. When people are introduced to issues in the modern world we generally see hashtag campaigns on Twitter or some temporary coverage in the news before moving on. It’s understood that issues in one community are not necessarily priority issues in another. But people generally take solace in knowing that there are people in charge in each community who have the experience and understanding to cover the issues. You may not care how a plane works but when you board a flight you sure hope the pilot does. Likewise, the airline safety manager might not be a pilot but you would demand that person knows how planes work. It is reasonable to want the nation’s cyber security coordinator to have experience in cyber security. It is also understandable that technical fields should require technical leaders. I would be a hypocrite to pretend that I speak for the entirety of the cyber security community in critiquing Mr. Daniel’s comments. However, I want to share my perspectives from my experience on why his statement is so damaging and why he is not the actual problem.
Michael Daniel, White House cybersecurity policy coordinator
Michael Daniel, White House cybersecurity policy coordinator
U.S. Military
I am an active-duty United States Air Force Cyber Warfare Operations Officer. It’s a long title to state that I care about cyberspace. I especially care about its defense and denying adversaries its use. It would be illegal and immoral for me to pretend that my comments speak for the US government or military in any way, they are mine alone. However, my perspective from the cyber security community in the military is one of a struggling group trying to retain talent and tackle complex issues. It is well documented and a prime concern for our military leaders that we are losing talent fast. Especially in the technical fields. Military members can often make significantly more money in the private sector than leveraging their skills in defense of the nation. Yet, most military members would forgo the money for a sense of service. The problem is that job satisfaction and career growth generally aren’t there as the military struggles with the concept of cyberspace. So when my fellow officers and my enlisted troops strive to fight the system and consider staying in for upwards of 30 years to reach the top to impact change – it is demotivating to see national level leaders charged with this domain that have zero experience in it. We quickly realize that even if we rise to the top as military leaders we will likely not be able to get a seat at the bureaucratic table to address the real issues. We will spend more time defining and arguing over terms on PowerPoint slides than defending anything. So why bother?
U.S. Intelligence Community
In my previous job I was a U.S. Intelligence Community cyberspace intelligence analyst where I led two national level teams. There’s not much I wish to say here about the job itself except that I am proud of my work and was privileged to be on those teams. And that’s hard to say publicly these days as the Intelligence Community gets a lot of bad press in the post-Snowden era. Non-technical leaders interpret technical information and sometimes focus on the wrong issues. But most people fail to realize that even organizations like the National Security Agency (NSA) do not come up with requirements themselves. National level intelligence agencies are operated at the command of national level leaders. When non-technical leaders make demands on the Intelligence Community those demands are met, even the “collect it all” approach, which non-technical leaders often incorrectly justify under the veil of cyber security. Security and privacy can complement each other and not necessarily conflict, but the non-technical leaders do not understand the technical details and thus the consequences of their requests. Regardless of your opinion of the intelligence community I would hope we could all agree that less experienced and less knowledgeable leaders are not what we want.
Academia, Education, and Training
I am also a PhD student at Kings College London researching cyber conflict, an adjunct lecturer teaching in a masters in Cyber security program at a college in the Northeast, and an instructor at the world’s largest and most respected cyber security training company. When I hear Michael Daniel’s comments they bother me. Part of my job is trying to keep students motivated during the rigors of cyber security training. Technical fields can be challenging and frustrating. It makes my job researching, educating, and training much harder when I have to convince people that gaining these skills is important in the first place. I have had more than a handful of students ask me why it even matters when people in charge do not possess these skills. Students often see it as more beneficial to earn a business degree and try to impact change from that route. The background experience and comments from Michael Daniel and other leaders provides an argument that’s hard to counter. It ensures that people without the right skills are making decisions and despite their best intents we are often forced to reinvent the security wheel. Our next generation of leaders needs to be able to look at current leaders and feel inspired with a duty to do better. It is difficult to do that when people from the community are not given the opportunity to lead. Cyber security cannot be a job that we allow just anyone to do. Technical fields demand technical understanding even if the solution sometimes does exist in economics, policy, and strategy.
It’s Not About Michael Daniel
Michael Daniel’s comment is particularly worrisome. However, overall he makes good points when he discusses how technical discussions can sometimes distract from strategic visions. He likely has his own daily challenges trying to impact change in a job where he has a lot of responsibility but not a lot of authority. The people that placed him in his job likely did so with good reasons. He shouldn’t be vilified but instead be used to recognize the larger issue here. The ability to have technical discussions, the experience of having been in the weeds, and the knowledge of how to abstract those discussions to meet the audience in attendance are skills that cannot be substituted. There have been defenses of Mr. Daniel’s comments from outside the cyber security community. Comments from the National Security Council praised Michael Daniel for his technical knowledge and expertise he provides senior policy makers.  And that’s part of the problem. It does not matter if people without experience in a field believe someone else is an expert. Policy makers outside of cyber security are not good judges of cyber security expertise. The cyber security community is. Experience, education, and knowledge in those fields provide validation to that expertise. The level of lip service that is paid to cyber security makes it feel like the field is a joke to the government and thus hard to convince people to care. Whether Michael Daniel has earned his accolades is not the point. The lack of expertise and background leaders have in the technical fields creates a culture and environment that is discouraging at best and destructive at worst. Whether or not you care about cyber security you should care about its impacts on issues such as personal data, banking systems, net neutrality, privacy issues, critical infrastructure protection and more. Answers to cyber security issues must be rooted in education and backed by experience. The cyber security community deserves people that have actual experience in cyber security. The nation deserves the same.
Robert M. Lee can be found on Twitter at @RobertMLee. His views and opinions do not represent or constitute an opinion held by the U.S. Government, Department of Defense, or Air Force. They are his alone.
http://www.forbes.com/

No comments:

Post a Comment