Michael Daniel Defends Himself, Sort OfObama Aide Responds to Critics on His Lack of Tech Expertise
White House Cybersecurity Coordinator Michael Daniel has come to his own defense, sort of, for his comment in an interview with me back in July regarding his lack of information technology expertise: "Being too down in the weeds at the technical level could actually be a little bit of a distraction."
See Also: What is next-generation AML?
The interview went viral on the Internet, igniting a swell of scornful comments in the blogosphere, on Twitter and in postings on our website, questioning his qualifications to be a special assistant to the president on cybersecurity.
Daniel has remained silent on this matter for nearly two months - he didn't respond to a request through his spokeswoman for a comment when I wrote a blog about the brouhaha (see In Defense of Michael Daniel). But he was asked about it during a cybersecurity forum on Oct. 9 sponsored by the Christian Science Monitor. Here's his response:
"Well, it happened during August [actually, it occurred on July 25], on a Friday, so that was, you know, kind of par for the course in Washington, and it kind of just comes with the territory. ... I think some of it, though, was a misunderstanding of what I was trying to say, which is that ... cybersecurity is such a hard problem. It involves a whole bunch of different disciplines, and we need a bunch of different disciplines in order to address the problem effectively."
Listen to Daniel's statement that ignited the hubbub.
Daniel used his response to the moderator's question to emphasize the wide range of expertise needed to provide the government, critical infrastructure, businesses and society a defense in cyberspace. Citing his personal experience, Daniel explained he's very knowledgeable about cybersecurity matters, but it's his skills as a government policymaker and coordinator that are most needed for him to do his job. It's a point he also made in his interview with me: "My job really here is to focus on coordinating policies across all of the different federal agencies that are involved in cybersecurity. ... You can think of my job as being the chief cat herder for cybersecurity issues inside the administration, trying to keep all of the agencies pointed in the same direction."
At the Oct. 9 forum, Daniel said: "We need a bunch of different disciplines in order to actually effect the problem effectively. As I was mentioning about our workforce initiative, a huge chunk of that is focused on the hardcore, technical workforce that we really need to run the firewalls and develop the software and manage the security systems.
See and hear Michael Daniel address the reaction to his comment about his lack of technology expertise, at time-stamp 46:48.
"But you also need people who are savvy about cybersecurity from a policy standpoint and about how to actually get organizations to make those risk management tradeoffs. How do you get organizations to make changes? How do you get government to do something? How do you get the bureaucracy to actually function? Those are actually different skills sets and we need all of them in the cybersecurity area."
Daniel explained to forum attendees that his staff at the National Security Council's cybersecurity directorate includes engineers with technical skills but also those with other skills including law, the military and law enforcement. "All of those are different aspects of the problem that we need to bring to bear on the issue," he said.
Lack of Authority
The moderator, in asking a follow-up question, made an important point about Daniel's role as cybersecurity coordinator: The position of special assistant to the president does not have any power over organizations that implement cybersecurity plans. Indeed, in the U.S. federal government, the Office of Management and Budget, the Department of Homeland Security, the Department of Defense and individual departments and agencies carry out cyberdefenses. The moderator asked Daniel if the cybersecurity coordinator's role should change and be given direct authority over cyberdefense. Here's Daniel's reply:
"I don't. ... As with any of the White House jobs, a lot of it is about soft power and the way you work with the bureaucracy and different agencies to get them to align policy and move roughly in the same direction. You can be very effective in that space as long as you understand how that space actually operates. I think that cyber is such a humongous issue that you're not going to be able to put any one person in charge of it in that sense. ...
"That would not work very well, and instead, you actually do need somebody who can get to the various aspects of the law enforcement agencies, what we're doing to protect our critical infrastructure, what we're doing in the military and national security space. And, you're never going to put all of that in one spot, under one person, and I don't think that would be a good idea. So, you really need to have those skills to manage across all of those different agencies' lines."
Understanding the Nuances
Diana Burley, a professor at George Washington University who studies IT security skills, says cybersecurity leaders need to possess the technical background necessary to understand the nuances of a highly technical and rapidly evolving technical field as well as the strategic organizational awareness to understand how to effectively implement policies and procedures.
"Of course, this still leaves questions: 'How much technical knowledge is sufficient? What is the proper foundational balance of education and experience? Who determines whether an individual is technical enough?' These are difficult questions to answer and the answer likely will differ for every organization."
For one organization, the White House, and for one position, the cybersecurity coordinator, it seems that its current occupant has the requisite IT security know-how to go along with his policymaking and management skills to get the job done, even if he lacks coding skills.