White House Cybersecurity Coordinator Michael Daniel sees IT security as a function that can no longer be ignored by the highest officials in federal agencies and departments within the government.
"You can see that pretty much steadily over the course of this administration, cybersecurity has become a more and more important issue," Daniel says in an interview with Information Security Media Group, conducted at this year's RSA Conference [transcript below].
Daniel says the issue of cybersecurity no longer belongs solely in the CISO or CIO realm. "It's moving ... into the senior-policymaker realm, into the deputy secretary/secretary level," he says.
It's that growing importance that has agencies within the government realizing they each have a cyber-mission. "All of those things show a very steady ramp [up] in the importance of cybersecurity for the federal government," Daniel says.
In the wide-ranging interview, Daniel addresses how:
- Automatic, across-the-board budget cuts in the government, known as sequestration, will affect federal cybersecurity programs;
- The federal government is identifying IT security experts it can hire;
- New legislation should update the Federal Information Security Management Act, the law that governs IT security in the federal government.
Daniel came out of near obscurity - he was serving as intelligence branch chief in the White House Office of Management and Budget - when President Obama tapped him last May to succeed Howard Schmidt as special assistant to the president for cybersecurity [see Who Is Michael Daniel?].
He holds a bachelor's degree in public policy from Princeton University, a master of public policy from the Harvard Kennedy School of Government and a master's in national resource planning from the National Defense University. After graduating from Princeton in 1992, Daniel took a job as a research assistant at the Southern Center for International Studies, a think tank in Atlanta. Upon receiving his master's degree from Harvard, he joined OMB as a program examiner in the operations and personnel branch, covering the Navy, Marine Corps and contingency operations programs.
ERIC CHABROW: We're days away from automatic, across-the-board budget cuts. How damaging will sequestration be on securing the government and nation's information systems?
MICHAEL DANIEL: I would say that it undoubtedly will have an impact on our ability to keep doing the programs that we've been doing, but I don't believe that overall it will actually prove to be catastrophic to our security programs, because we prioritize those fairly highly. But there's no doubt that it will have an impact and a negative one.
CHABROW: Can you characterize how that impact will take place?
DANIEL: I can't really at this point because agencies are still going through the process of figuring out exactly how they will implement the sequester, and so it's a little difficult. But given the way the sequester has to be implemented across different agencies, it's a little difficult to predict exactly how that will fall out at this point, but it will undoubtedly slow us down in implementing the programs that we want to implement.
CHABROW: Should people be concerned about the security?
DANIEL: I mean there are a lot of reasons to be concerned about the sequester, right? I don't think that the impacts on federal government's cybersecurity are the main driving factors to be worried about in the sequester, but there are plenty of other reasons to be worried about the sequester.
Cybersecurity a Priority
CHABROW: Sequester or not, how is cybersecurity seen as a priority? Obviously it's been a priority since the President took office, but with these recent attacks we've been having, has that elevated the situation?
DANIEL: I think that you can see that pretty much steadily over the course of this administration, cybersecurity has become a more and more important issue. I would say that it's moving out of purely the CISO or the CIO realm and into the senior policymaker realm, into the deputy secretary/secretary level, and I would say that you can see that reflected that more and more agencies across the government are realizing that they have a cyber-mission. All of those things show a very steady ramp in the importance of cybersecurity for the federal government.
Priorities of Cybersecurity Coordinator
CHABROW: You've been in office a little less than a year. How do you spend your time on the job? What are your priorities as cybersecurity coordinator?
DANIEL: I focus on five key efforts that we've got going. The first, which has gotten a lot of the press attention recently with the executive order and the discussion about legislation, is really the efforts to protect critical infrastructure in the United States. What is it that we're doing to make sure that we raise the baseline cybersecurity level of that part of our infrastructure that if something bad happened to it in cyberspace, something really bad happens in real space? I'm also focused on efforts to improve our ability to as a federal government respond to cyber-incidents and to respond effectively and efficiently in a timely manner.
CHABROW: How are we doing?
DANIEL: I think we're doing better, actually. If you look at where we were, say, three years ago and 18 months ago, even six months ago, we're clearly far, far better than we were. We have been able to work and make the interconnects between agencies much better. Our response time is better. Do we need to do a lot more? Obviously, yes. And I think if you talk to individual companies, you would still see a much wider variance in their experience with interacting with the federal government in this space than I would like. But I think the trend is in the right direction.
A third big priority for me is the international arena, working with our partners and allies to talk about what are the norms in cyberspace that we want to see come into being and how nation-states act and act with each other, and supporting that multi-stakeholder open Internet that we believe has driven so much of our growth. So [a priority is] all of the actions that we're carrying out in the international space.
I also am focused on efforts to improve federal network security. That's sort of the security of getting our own house in order, if you will. Then lastly, the fifth area is: what are we doing to shape the future? How do we move beyond just usernames and passwords? How do we have security by default in our systems? How do we make the Internet as a whole less favorable to the intruder but still protect the privacy and civil liberties that we hold dear?
CHABROW: I'm going to get to some of these other issues you mentioned. First, let's talk about diplomacy. The Mandiant report that came out a few weeks ago mentions China as an assailant. How delicate is that for the administration to address?
DANIEL: When you talk about anything that involves China, that's a very large, complex and important relationship to the United States, and so I think that from the White House's perspective, that's obviously something that we take very, very seriously. But as the President said in the State of the Union, we're obviously concerned about any actor, whether they're based here in the United States or whether they're based overseas, that's trying to intrude upon computer systems, steal intellectual property, and cause havoc. Whatever it is that they're doing, we're concerned about all those malicious actors.
CHABROW: Is a solution to a lot of that diplomacy rather than technology, or processes?
DANIEL: I think it has to involve all of those things. If you go and you look at the recent Verizon report on intrusions, you can see that a very, very large percentage of intrusions rely on vulnerabilities that have been known for many years. I don't know if that's so much of a technology issue as it is a business-practice issue, but clearly when you talk about the international environment you have to bring all of the tools that we have to bear, particularly diplomacy and our interactions with both our allies and those that are not our allies overseas.
Shortage of IT Security Experts
CHABROW: There's a shortage of qualified IT security experts in government and business. Though there are programs aimed at getting young people interested in cybersecurity careers, we have a serious problem now. How much at risk are we because of the skills shortage and what can government do to get that expertise on board now?
DANIEL: Clearly that shortage is causing some problems and it's a worrisome thing for the government. We have several efforts ongoing to try to address that. One is the national initiative for cyber-education, which is really looking at how you update the personnel authorities across the government to enable us to hire the kinds of talent that we need. I think DHS has done some really impressive work in laying out a framework for the cybersecurity professionals that we need, looking at the pipeline issues. I think this is going to be an issue that we will need to work on for some time, questions like exactly how do you set up that pipeline. Can we work more with community colleges to have those kinds of programs that we need to have more of those professionals available to us?
But I also think that, from my perspective, we also have to be concerned about making sure that not only do we have the technical expertise within the government, but the policy expertise within the government to handle the questions that cybersecurity raises. It raises new and different issues. We need to have both more technically qualified people and people who can work at the policy level to address the issue.
CHABROW: Mark Weatherford, the Deputy Undersecretary for Cybersecurity at the Department of Homeland Security, has recruited some top people from other agencies to a point where he has said that some of his agents have been told, "Keep Mark Weatherford away from us." [Watch the video DHS's Weatherford on Cybersecurity Workforce.] Is that a concern from you where one agency is taking IT security expertise from another?
DANIEL: Given where I sit, we want to make sure that we're attracting the talent that we can for the federal government as a whole. I certainly think we would want to work towards a goal where those kinds of concerns you don't hear them as much because the pool is so large that we have a lot more people to draw from.
CHABROW: Let's focus on the federal government. What's happening in updating the Federal Information Security Management Act, or FISMA?
DANIEL: Right now we're still continuing to make a couple of changes that we can under existing statutes to move away from a compliance-based, every-three-years checklist approach to much more of a continuous diagnostics approach to knowing what's on your network in real-time. Ultimately, we'd like to see legislation in this space to update FISMA to reflect this new framework that we're moving towards so that the statute is more in line with what the best practices are. I think ... a key part of any legislative effort that the administration makes going forward will be those updates to FISMA. You'll continue to see this evolve as we push for that continuous diagnostics effort within the government.
CHABROW: The administration will come up with a proposed bill as it did last year. What will be some of the elements of that bill?
DANIEL: At this point, we're not planning on submitting a full package of legislation like we did in May of 2011. We believe that the principles that were outlined in that package legislation we still support and we're still behind. But I would say that we're more focused on continuing to engage with Congress as they work through their normal process. You hear them talking a lot about the regular order, and we certainly want to work with the various congressional committees as they come up with their bills. I think you'll see us continue to support the principles that we're behind and that we've maintained for some time in terms of improving our ability to do information sharing and working on how to raise the baseline level of cybersecurity in the critical infrastructure. How do we deal with data breaches? How do we modernize FISMA? How do we update some of our criminal statutes in this area? All of those things will be part of the legislative principles that the administration pursues.
Compromising over Cybersec Legislation
CHABROW: Last year, President Obama or the administration threatened to veto over CISPA, which is an information-sharing legislation. The same legislation was introduced this year. The administration has yet to take a position on it. Is the situation changing where you could see CISPA getting passed? Is there room for compromise and if so where would that compromise be?
DANIEL: I think it's actually a little early for the administration to really take a position on a bill that hasn't even made it out of committee yet. Certainly, we're open to working with the House Intelligence Committee as they work on that bill. We have certainly seen some willingness on the part of multiple committees up on the Hill to have a good dialogue on this space. From the administration standpoint, we will continue to push for legislation that matches up with our principles that we think can pass both the House and the Senate and eventually be signed by the President. I'm hopeful that we can accomplish that, but of course this is always - as everybody knows - a difficult political environment. We'll keep working towards that and see what we can achieve.
CHABROW: Do you see anything different in 2013 where legislation could pass where it didn't in the past?
DANIEL: The one thing that I would say is that the legislative debate from the previous Congress and the ongoing cyber-incidents that have ended up in media have continued to raise awareness of the issue and I think that has changed some of the environment such that I think there's a greater awareness of the problem and a greater awareness that we do need to take action in this space. I do think that there are some changes since the previous Congress that do raise the likelihood that we'll get legislation.
CHABROW: Is this an issue where you can get citizen concerns expressed to their lawmakers? Because there has been a lot of publicity since the Mandiant report and all these DDoS attacks against banks and the media companies being hacked?
DANIEL: I do think that awareness across the spectrum is beginning to grow. Certainly more and more people are becoming aware that this could have a direct impact on them in their lives and what they do. All of that does contribute to the way that our system works, which means that there will be additional concerns raised and members of Congress will continue to feel pressured to take action. That's how the system is supposed to work.