White House's Cybersecurity Guy Proud Of His Lack Of Cybersecurity Knowledge Or Skills

from the say-what-now? dept

So we were just writing about how the White House appeared to be going with a security by obscurity tactic in denying an Associated Press FOIA request concerning the security behind Healthcare.gov. Specifically, the request was denied because the White House claimed that revealing such info might help hackers. As we noted, if revealing the basic security plan you’re using will help hackers, then you’re not secure and chances are you’ve already been hacked.

Of course, perhaps the reason the cybersecurity is so awful is that the White House’s “cybersecurity coordinator,” Michael Daniel, not only isn’t a cybersecurity expert but thinks that’s a good thing. I wish I was joking. After spending a few minutes talking about how all his training at Princeton and the Kennedy School at Harvard taught him to communicate well and “break down problems,” he dismisses the need for actual technical knowledge:

You don’t have to be a coder to really do well in this position. In fact, actually, I think being too down in the weeds at the technical level could actually be a little bit of a distraction… You can get taken up and sort of enamored with the very detailed aspects of some of the technical solutions. And, particularly here at the White House… the real issue is to look at the broad, strategic picture and the impact that technology will have.

Now, there is some truth to the idea that it’s important to be able to look at the bigger picture, but when you’re talking about cybersecurity, part of the way you look at the bigger picture is to actually understand the technology. That’s not “a distraction”; it’s part of the core knowledge necessary to do the job of a cybersecurity coordinator. People who don’t spend much time with these things view cybersecurity and technology as a kind of “magic.” But it’s not. Nor is technology economics, but Daniel thinks it is:

But the other issue in my mind is that at a very fundamental level, cybersecurity isn’t just about the technology but it’s also about the economics of cybersecurity. Why companies choose to invest the way they invest. It’s about the psychology of cybersecurity. You know, one of my sayings is that ‘expediency trumps cybersecurity every time’ meaning that people will prioritize convenience over being secure many times. So you need to have the understanding of those kinds of factors: the psychology, the economics, the broad policy, the politics with a little p, in addition to the technology. So you need to be more of a generalist than having a lot of expertise particularly in the technological side.

Yes, in addition to the technology. All of those things are important, but they’re mostly useless if you don’t understand the underlying technology. He’s then asked what the biggest challenges are and… after talking about how important it is to understand the psychology and economics (more important than the technology), he admits that he doesn’t actually understand the psychology and economics. Because, apparently, he wants to make sure that he has none of the qualifications for the job.

There are a few [challenges] that I can identify. One is that we don’t actually truly understand the economics and psychology behind cybersecurity. We know that a huge number of intrusions rely on known fixable vulnerabilities… We know that intruders get in through those holes that we know about that we could fix. The question is, ‘Why don’t we do that?’ That clearly leads me to the conclusion that we really don’t understand all of those economics and psychology well enough.

So there you have it, folks. The White House’s cybersecurity expert doesn’t have the technological expertise, but insists it’s okay because he’s focused on the economics and psychology of the fact that people don’t patch their computers, and then admits he has no idea why that happens.

This doesn’t make me feel any safer.


Comments on “White House's Cybersecurity Guy Proud Of His Lack Of Cybersecurity Knowledge Or Skills”

78 Comments
Anonymous Coward says:

Re: See it this way:

Bad analogy…

You might want someone that’s an expert on real life drug effects on health and society in general running things – otherwise how do you know if what you’re doing is actually effective?

Oh…well yes, right – that’s not actually necessary in the “War on drugs” – which is why we’re still running this war.

Anonymous Coward says:

Re: Re:

“Sounds like jealous nitpicking”

Well, sure, most people have to earn a living. If they want a higher paying job they need to study a more difficult field and be knowledgeable. So how do government employees get away with being idiots with nice pay? Everyone else should be jealous, even those that get paid more in the private market, because they earn their living through being knowledgeable and intelligent and going through the hard work of learning what’s needed. Government employees get nice pay for being idiots.

Rich Kulawiec (profile) says:

I wish you were kidding, too

This is the kind of position where I’d like to see a Spaf, or Schneier, or Forno, or Ranum, or Appelbaum, or Kaminsky, or Halderman, or Landau, or Bellovin, or (insert additional names that should be on the short list as well).

The challenges are enormous. The risks are numerous. The technology is complex. The scale is huge. All of those factors beg for someone with long, deep and broad security expertise, not for someone who’s a self-pronounced newbie.

George Capehart (profile) says:

Re: I wish you were kidding, too

The challenges are enormous. The risks are numerous. The technology is complex. The scale is huge. All of those factors beg for someone with long, deep and broad security expertise, not for someone who’s a self-pronounced newbie.

Yea, verily. But for me, the worst part is that no one in the hiring process had enough clue to realize the guy was blowing smoke up their a**es . . .

That One Guy (profile) says:

On a more serious note, can the press and everyone else please start giving people proud of their stupidity (not ignorance mind, everyone starts out ignorant, you’re only ‘stupid’ if you choose to stay that way) the mocking they so dearly deserve?

Expecting them to be fired after admitting that they are clearly not qualified for the position would be nice, but probably a bit too much at this step, but public mockery and derision seems completely doable, and more certainly deserved.

Refusal to take them seriously or give them air-time would also be nice, paying attention to morons proud of their stupidity just encourages them, and makes them feel like their opinion on the subject/field is equally valid when compared to someone who actually knows what they’re talking about.

Jason says:

Re: Re:

I’m reminded of the general disgust I felt for the various Senators/Representatives back during… oh, I can’t remember any more, maybe it was the SOPA hearings? Something like that.

The sheer delight that so many of these people take in not knowing anything about the subject they’re supposedly meant to be in charge of astonishes me.

I don’t necessarily expect a Senator, say, to know everything about the technical topic of the day, but if a hearing is coming up one would think they’d take at least a little time beforehand and get familiar with the major points. (And it would be nice if they would refrain from wearing their ignorance as a badge of honor and then laughingly request some “nerds” to come in and explain it to them.)

But a department chief, and people in similar positions, really should have some practical knowledge of what their job entails.

“I’m not a doctor, but I can run this hospital.”
“I’m not an engineer, but I’ll manage this bridge construction project.”
“I’m not a sailor, but I can command this ship.”

I don’t think anyone could get away with making any of those statements out in the real world. Why do we put up with it in government?

Mason Wheeler (profile) says:

Re: Re: Re: Re:

At my last job, the boss was an engineer. He reported directly to the CEO, who was not. Just about everything good, everything successful, that the company had ever done had my boss’s fingerprints in it somewhere.

At my current job, the boss I work for is the CEO. He’s an engineer. Things are pretty successful here. I don’t think I’d ever want to work in a technical job for a boss who’s not technical.

Anonymous Coward says:

Re: Re: Re:2 Re:

On civil engineering projects in particular, there is often the construction manager who is responsible for the engineering, then above him the overall manager who is also responsible for all the things like project financing, land-take, easements, compensation, regulatory affairs, pre-work decontamination, and basically everything which isn’t putting up the structure. (Sometimes fit-out is managed separately from construction too, which has advantages and disadvantages.)

Anonymous Coward says:

There are a few [challenges] that I can identify. One is that we don’t actually truly understand the economics and psychology behind cybersecurity. We know that a huge number of intrusions rely on known fixable vulnerabilities… We know that intruders get in through those holes that we know about that we could fix. The question is, ‘Why don’t we do that?’ That clearly leads me to the conclusion that we really don’t understand all of those economics and psychology well enough.

Uh-oh. Talking about fixing vulnerabilities? Now Mr. Daniel is going to have a nasty run-in with the NSA, who will no doubt thoroughly and vigorously explain to him how important it is to them that the public remain vulnerable to being attacked, since attacking a vulnerable public is the NSA’s main line of work.

Anonymous Coward says:

one of my sayings is that ‘expediency trumps cybersecurity every time’ meaning that people will prioritize convenience over being secure many times. So you need to have the understanding of those kinds of factors: the psychology, the economics, the broad policy

But we know why people prioritize convenience over security – because they’re not technical. Just like you.

Jesus, talk about the blind leading the blind – to try to figure out why blind people are blind.

MrTroy (profile) says:

Re: Re:

But we know why people prioritize convenience over security – because they’re not technical. Just like you.

Actually, people prioritise convenience over security because they usually need to get something done more than they need to stop someone else from doing something (undefined) that they’re not supposed to be doing.

I’m technical (coder by profession and hobby), and I try to set up systems that are as convenient as I can justify, partially because I think that anything less convenient will also end up being less secure, because people (including me) will find ways around the security out of sheer frustration.

In that sense, there are some parallels between security/technology and economics, and Bruce Schneier regularly talks about the economics of security.

Michael Daniel, on the other hand, sounds like someone who has read one or two of Bruce Schneier’s essays without actually understanding them, but thinks he does. I mean, seriously… That clearly leads me to the conclusion that we really don’t understand all of those economics and psychology well enough. … then perhaps you should check up on some of the research (or even realise that someone else is already doing the research!), and ask someone qualified to understand the results what it means. If you’re willing to do (coordinate) that, then I don’t care if you personally don’t know what it means.

MrTroy (profile) says:

Re: Re: Re:

Oh heck. Just saw the pop-up for a webinar behind the “thinks that’s a good thing” link:

How to Properly Manage Identities and Secure Documents Within Government Agencies
Within the government space, trust is essential…

Unfortunately trust doesn’t work that way within the security space – there, “trust” is another term for “vulnerability”.

You only “trust” something because you have no way to verify it. If you can verify it, there’s no need to trust it. Then again, that seems like it applies just as well to governments, maybe they need a new webinar series…

How To Properly Manage And Interact With The Public Within Government Agencies
Within the government space, transparency and the ability to verify are essential…

Roland Hesz says:

Where does he dismiss the need for technical knowledge?

“You don’t have to be a coder” and “being too down in the weeds at the technical level could actually be a little bit of a distraction” doesn’t actually translate to “technical knowledge is unimportant”.

It translates to what you actually admit: focusing purely on the technology is not enough.

Can you add a quote to the article where he actually says that technical knowledge is not important?
Because in the quote above he never said that.

I am quite happy to believe that he did say that, but an actual quote would be great.

That One Guy (profile) says:

Re: Where does he dismiss the need for technical knowledge?

Problem is, even if he does believe that technical knowledge is important, by being completely clueless about the field himself, he has no way of knowing if someone that works for him knows what they’re talking about, or if they’re just bluffing/lying/being misleading, and as such, he has no real way to choose who is right for a given job, or decide which, if any, suggestion/plan from his subordinates makes more sense, and should be put into use.

To someone who has no experience or knowledge in a given field, a brilliant, but technical idea, and a stupid, also technical idea, both sound the same.

Roland Hesz says:

Re: Re: Where does he dismiss the need for technical knowledge?

I completely agree with what you write, but that is not the same as dismissing the need for technical knowledge – the claim of the article.

Now all we need is a link/quote that proves that the guy is really clueless and include that in the article to give a solid foundation to the arguments made. I am pretty sure that such a quote or website can be found with no problem.

Anonymous Coward says:

Re: Re: Re: Where does he dismiss the need for technical knowledge?

Indeed. I was looking at the quotes and thinking “Hey… I’ve said things like that myself!”

And yeah, I’m a computer security analyst, and I’ve actually got video on the interweb recording me saying things like that, so there 🙂

Everything he said was true, except the bit at the end worries me:
“That clearly leads me to the conclusion that we really don’t understand all of those economics and psychology well enough.”

If by “we” he means his department, that’s a problem. The NSA and CIA should be able to help him there, as that’s THEIR job.

Plus, the economics and psychology are extremely well known in the field; there are presentations and papers on these topics at every major security conference. What we don’t know is what the solutions to people being social animals are.

I think of (in)security as being similar to the recent discovery that the ability to become cancerous is an innate part of cellular structure — what the cybersecurity force should be focusing on is “what makes people click those links, and what processes can we put in place to stop that?” Because it’s obvious the bad actors know; it comes down to statistics at some level.

So yeah; he doesn’t sound all that clueful in the selected quotes, but he also doesn’t sound stupid. I’d also be interested to see what sort of people work as his advisers, as that will indicate whether he’s actually clueless or not.

But then, nobody in the computer security field prefixes anything with “cyber” — not his fault, but “cybersecurity” ALWAYS refers to the political side of the issue, not the technical details.

John Fenderson (profile) says:

Re: Where does he dismiss the need for technical knowledge?

What stood out to me about his “you don’t have to be a coder” line is that he’s confusing things a bit. You also don’t have to be a coder to understand the issues around computer security and how to address them. The code just implements the concepts. You can understand the concepts without knowing how to implement them in code.

Roland Hesz says:

Re: Re: Where does he dismiss the need for technical knowledge?

He gave that as an answer to a question which we don’t see here.
Was he asked about coding experience? If yes, then a “you don’t have to be a coder…” answer can be appropriate.

Especially when someone is responsible for policies and not the technology.

Listening to the actual interview it seems his role is more selling the policies and solutions to budgeting people than actually figuring out what to code. His title “coordinator” and not “implementer” already hints at this.

In the meantime the question was: “How much do you have to know about the technology behind information security for this position [coordinator]?”
FULL ANSWER: “You actually have to start to develop a broad sense of the kinds of technology that’s available but you don’t have to be a coder”

So we are mocking a guy who is a project/resource manager for not being a deep level coder.

Anonymous Coward says:

Re: Re: Re: Where does he dismiss the need for technical knowledge?

Listening to the actual interview it seems his role is more selling the policies and solutions to budgeting people than actually figuring out what to code. His title “coordinator” and not “implementer” already hints at this.

But if he doesn’t know anything about what he’s selling, how does he know he’s selling the correct solutions?

Chronno S. Trigger (profile) says:

Re: Where does he dismiss the need for technical knowledge?

I kinda agree with Roland Hesz here. Yes, if you read between the lines it can be seen that he doesn’t have any advanced knowledge of security, but he shouldn’t. He’s supposed to be in charge of a team of experts. Those experts are supposed to be the ones with advanced knowledge of specific areas of security.

His team is supposed to have that advanced, specific knowledge. His job is to make sure that the person with the right knowledge is in the right place at the right time. You don’t need to know the weeds, you just need to be smart enough to listen to the people who do.

Anonymous Coward says:

Re: Re: Where does he dismiss the need for technical knowledge?

It looks like this guy values his managerial skills over his domain knowledge. One hopes he is effective in using this to get his team in position to get the job done.

There is a reason why high ranking officers in the military are called “generals”.

However, not everyone who makes a high level position has this essential skill.

There is a reason for the popularity of Scott Adams’ Dilbert comic strip and the Peter Principle.

Chronno S. Trigger (profile) says:

Re: Re: Re: Where does he dismiss the need for technical knowledge?

Oh, you’re absolutely right. Not a lot of people can be good managers. However, the quotes given don’t suggest anything either way for Michael Daniel. It doesn’t speak negatively for him, but it also doesn’t speak positively either.

What we do know is that he’s a politician. He used a lot of words to say absolutely nothing.

Roland Hesz says:

Re: Re: Re:2 Where does he dismiss the need for technical knowledge?

“He used a lot of words to say absolutely nothing.”

Reminds me of people working at banks.
“We made no progress” is four words, but they can talk for 15 minutes implying but never actually saying it.

“One mistake and you’re out” culture does that to people.

Not holding my breath, but let’s see how he will do it.
(Although, let’s admit, it will be pretty tough to assess the results properly)

Anonymous Coward says:

Uhm … I wonder if I can somehow twist my ignorance into being a good thing at a job interview

“see, all of your other employees are very knowledgeable and experienced and educated. This deters them from looking at the broad picture. My ignorance here helps me look at the broad picture because I don’t let details and facts get in the way of my perspective.”

Imagine if a doctor tried to advertise his ignorance as a way to look at the broad picture of the patient’s health.

John Fenderson (profile) says:

Re: Re:

“see, all of your other employees are very knowledgeable and experienced and educated. This deters them from looking at the broad picture.”

I’ve interviewed a lot of people over the years for software engineering jobs. Would it surprise you to learn that two of the interviews I remember the most were ones where the candidate made that exact argument? They didn’t get the job.

John Fenderson (profile) says:

The economics of security

I don’t know why he thinks the economic aspect of security isn’t well-understood. It is (as well as any economic aspect is understood, anyway). The economic principles of security don’t change just because you add the horrendous prefix “cyber-” to it.

Perfect security is literally impossible. You can throw more resources into security to require more resources to be used to subvert it, but there’s a law of diminishing returns involved. Because of this, security is always subject to a cost/benefit analysis. Sometimes, that analysis indicates that the best security is relatively light, sometimes the best security is to lock everything down as tightly as possible regardless of costs.

The economics of security, at heart, don’t really differ much from the economics of safety (or anything else, really).

John Fenderson (profile) says:

Re: Re:

That’s a criticism that would more properly be applied to the entire government, not just the white house. As an aside, aren’t there only two jobs in the white house that we elect people into? President and Vice President? I could be wrong, but I think most of the White House positions are appointed.

I also think that the criticism isn’t apt. I think that most of the people in the federal government understand very well how democracy and the Constitution work. It’s just that sometimes they ignore it.

bshock says:

in first

No one has mentioned the Dunning-Kruger Effect yet. This individual is practically the U.S. Poster Child for it: someone so ignorant of a subject that he’s too ignorant to appreciate his own ignorance.

Which makes him sound very much like every MBA I’ve ever known. That’s practically part of their curriculum.

Derek Kerton (profile) says:

Re: in first

Hey…I was going to comment on DK effect. But searched, found you had done so, and was one millisec away from clicking insightful…before seeing you diss me in the latter part of your comment.

So, in child-like response: FU. Your degree and education is stupid, too. Stupid was the core of your curriculum. And many other broad, sweeping, incorrect criticisms.

There, balance is achieved.

Raging Alcoholic (profile) says:

Re: Re:

Barack Obama is undoubtedly a smart guy but his administration uses the stupid card a lot. He wanted a government of academics so why does lack of knowledge seem to be his best defense?
Hillary Clinton thinks she is the victim of Benghazi.
The IRS can’t find its emails.
The attorney general is being persecuted.

These are the kinds of excuses you would expect to hear from children in the 7th or 8th grade.

I don’t like George Bush but at least he knew to shut up and let his generals fight a war.

Mason Wheeler (profile) says:

Re: Cyber!

We’re getting closer to that all the time.

Just a few months ago, a woman with a bone growth condition that caused her skull to thicken out of control, putting horrible pressure on her brain, had her entire skull surgically removed and replaced with a 3D-printed prosthesis. The prosthesis is inert and not robotic, but… just think about that. There is a woman alive today, walking around as a functioning member of society, with an artificial skull!

Just five years ago, that would have been considered “something from a William Gibson novel.” Today it’s reality.

For decades now we’ve had people who are only alive because they have had an artificial heart or a cybernetic heart-control implant (pacemaker) added into their body. Now they’re making pacemakers that run on software. What is a person bearing that if not a cyborg? That’s reality today.

Heeeeeeeey, welcome to the future! Somehow it went and arrived on us while we were all busy in the present.

Mason Wheeler (profile) says:

People who don’t spend much time with these things view cybersecurity and technology as a kind of “magic.” But it’s not.

I dunno. As a programmer, I spend my days creating and fine-tuning arcane formulae composed of complex, often bizarre symbols, ordered according to cryptic rules and priorities that would drive a mere mortal mad to think about too deeply (or at least really, really confuse them) in order to produce incantations that, once invoked, perform effects that alter the world.

What am I if not a modern-day mage?

TestPilotDummy says:

War by Deception

I don’t buy it.
It’s dis-information.
You going to tell me the NSA doesn’t do this?
This dude is a FACE on a coverup.

What the hell is “cyber” anyway? Did you mean computer and electronics security? why not just say that?

If he truly doesn’t have any tech under the belt, then he’s condemned to a leadership role and playing by the new socialist utopia agenda and silver bullet failures, meanwhile publicly talking about vision, or the future while using fear and rolling it out with un-accountable, un-auditable (fuck sounds like voting machines again) sub-contractors

It’s a hidden invisible disaster essentially rolling in slow and fast motion

ECA (profile) says:

Politician=Plumber?
Politician=Technogeek?

To anyone that knows much about OS’s, Programming, hardware, hardware coding, Servers, and in all that, vulnerabilities and restrictions of ALL of the above..
There are things that hardware can do, and things Programming can do, and Something that can be done on both sides..
Being able to BUILD a computer and install an OS, is nothing to the knowledge needed for this job.

Anonymous Coward says:

US Cyberguru and Canada Cyberguru - Dumb and dumber

A brilliant choice for the head of cybersecurity… cough… cough… It seems that the skill level to lead the US cybersecurity needs only to know how to schmooze around the cocktail circuit in Washington. While on the other hand, the Chinese and Russians actually have cybersecurity (or more appropriately anti-cybersecurity) experts. No wonder the Chinese and Russian state sponsored hackers are punching holes in all commercial and government IT infrastructures. Oh wait… the US cyber-guru-guy doesn’t need to know anything computer related because his counterparts over at the CIA and NSA know the little things that make up cybersecurity defense and offensive measures. At least the US cyberguru is in good company… as his counterpart up in Canada is also a political hack appointed to the position based on who he knows on the cocktail circuit and not in the realms of cybersecurity.

Heck… even Al Qaeda and ISIS (ISIL) have people in their cyber-operations units that know more about cybersecurity than the fools allegedly trying to protect North America.

Seegras (profile) says:

Bullshit Jobs and Clueless Lawmakers

I think this is related:
http://strikemag.org/bullshit-jobs/
This here too:
http://www.psmag.com/navigation/politics-and-law/sopa-debate-highlights-congresss-ignorance-38666/
As are recent phenomena like “creationism”.

There’s a culture developing, where knowledge, science and craft are de-valued.
