from the say-what-now? dept
Of course, perhaps the reason why the cybersecurity is so awful is because the White House's "cybersecurity coordinator," Michael Daniel, not only isn't a cybersecurity expert but thinks that's a good thing. I wish I was joking. After spending a few minutes talking about all his training at Princeton and the Kennedy School at Harvard taught him to communicate well and "break down problems" he dismisses the need for actual technical knowledge.
You don't have to be a coder to really do well in this position. In fact, actually, I think being too down in the weeds at the technical level could actually be a little bit of a distraction..... You can get taken up and sort of enamored with the very detailed aspects of some of the technical solutions. And, particularly here at the White House... the real issue is to look at the broad, strategic picture and the impact that technology will have.Now there is some truth to the idea that it's important to be able to look at the bigger picture, but when you're talking about cybersecurity, part of the way that you can look at the bigger picture is to actually understand the technology. That's not "a distraction" it's part of the core and necessary knowledge to then do the job of a cybersecurity coordinator. People who don't spend much time with these things view cybersecurity and technology as a kind of "magic." But it's not. Nor is technology economics, but Daniel thinks it is:
But the other issue in my mind is that at a very fundamental level, cybersecurity isn't just about the technology but it's also about the economics of cybersecurity. Why companies choose to invest the way they invest. It's about the pscyhology of cybersecurity. You know, one of my sayings is that 'expediency trumps cybersecurity every time' meaning that people will prioritize convenience over being secure many times. So you need to have the understanding of those kinds of factors: the psychology, the economics, the broad policy, the politics with a little p, in addition to the technology. So you need to be more of a generalist than having a lot of expertise particularly in the technological side.Yes, in addition to the technology. All of those things are important, but they're mostly useless if you don't understand the underlying technology. He's then asked what are the biggest challenges and... after talking about how important it is to understand the psychology and economics (more important than the technology) he admits that he doesn't actually understand the psychology and economics. Because, apparently, he wants to make sure that he has none of the job qualifications for the job.
There are a few [challenges] that I can identify. One is that we don't actually truly understand the economics and psychology behind cybersecurity. We know that a huge number of intrusions rely on known fixable vulnerabilities... We know that intruders get in through those holes that we know about that we could fix. The question is, 'Why don't we do that?' That clearly leads me to the conclusion that we really don't understand all of those economics and psychology well enough.So there you have it folks. The White House's cybersecurity expert doesn't have the technological expertise, but insists it's okay because he's focused on the economics and psychology of the fact that people don't patch their computers -- and then admits he has no idea why that happens.
This doesn't make me feel any safer.