Former White House Cybersecurity Coordinator Michael Daniel offers insights into the evolving cyber threat landscape and discusses the current challenges businesses face with ransomware and cybersecurity policies.
00:00 Michael, I have to start, first of all, since we're talking about cyber security, you gave
00:06 me one little nugget there that you used to be a multi-level marketer of knives as a kid,
00:11 so I thought, you know, my vision of the kid in front of the terminal, the gamer who then
00:17 becomes the excellent cyber security expert, was that your trajectory?
00:21 No.
00:22 Okay, so give us a little bit of a sense of you before we get into your expertise.
00:26 Sure.
00:28 I mean, I will own up to my nerddom, right?
00:32 You're reaching for, okay, no, okay, I thought you were trying to pull out a knife.
00:41 But I will own up to the fact that I was quite the geek as a child, but I did not pursue
00:45 a computer science path.
00:48 My background is primarily in economics and finance, so I'm very at home in this space.
00:55 I spent most of the early part of my federal career doing budgeting and finance at the
01:00 Office of Management and Budget, and so I very much came into cyber from the resourcing
01:06 side of things, and come at and think about the issues that we deal with in cyber security
01:13 very much from a behavioral economics, from an incentive structure kind of lens.
01:21 Can you give us a couple of little nuggets from your time in the White House, because
01:24 most of us don't get to go into those rooms, and give us a few stories.
01:29 What are your favorite memories?
01:30 So I would say-
01:31 Or worst memories.
01:32 That might even be better.
01:33 There are some of those too, but I would say that, first of all, it's much smaller than
01:38 you think it is.
01:39 So like all of the pictures and the movies and things like that, the hallways are way
01:45 too wide.
01:46 The ceilings are way too tall.
01:47 Hollywood studios.
01:48 Yeah, most of the time it's nothing like that.
01:51 Even the Oval is not that big, relatively speaking, because it's an 18th century manor
01:58 house.
02:00 But I would say that some of the stories that we have from that time are really about how
02:07 do you actually talk about and think about and address cyber security in a way that normal
02:16 people can understand.
02:17 My first few meetings in the White House Situation Room, when we were dealing with
02:22 these issues, everybody was like this.
02:25 Remind people which administration.
02:27 So I was with ... Well, I actually worked for multiple administrations, and started
02:32 in the Clinton administration, served through the Bush administration, and the Obama administration.
02:37 I became Cyber Security Coordinator for President Obama.
02:41 And so in 2012 still, people would be like this in the sit room, because they're reading
02:46 their talking points, and they wouldn't actually look up and talk to anybody because they didn't
02:50 know what they were talking about at that point.
02:54 By the time we left in 2017, that was not the case anymore.
02:59 And when I first came into the White House, there was a debate about whether or not cyber
03:04 security was an issue that actually warranted inclusion in national security discussions.
03:13 That wasn't the case by the time we left.
03:16 You asked about some examples.
03:19 In 2012, the Iranian government started carrying out denial of service attacks against some
03:26 of our financial services companies.
03:27 From the Iranian point of view, this was an equivalent response to the sanctions.
03:34 This was an equal response to the sanctions that were being put on them.
03:40 But there was a great debate in the White House about what this was.
03:45 There were some people who were like, okay, this is the equivalent of the Iranians sailing
03:50 a sub up to the coast of Maryland and disgorging a bunch of special operations guys and blowing
03:56 stuff up.
03:57 Wow.
03:58 And other people were like, no, that's not what this is.
04:01 It's a denial of service attack.
04:03 This is like they've hired a bunch of teenagers to drive up and down the street and play their
04:06 radios really loud.
04:09 That makes me wonder about state-sponsored hacking today now, radio versus the sub.
04:16 But the point was that people were struggling with how do I think about this problem?
04:22 What's my analogy?
04:24 How do I actually bring my own experience to this?
04:27 And that was the problem: a lot of our previous experiences didn't translate
04:31 very well into the cybersecurity situations that we were facing.
04:35 You've stayed immersed in this world.
04:36 So let's go forward 12 years now to circa today.
04:42 Tell us a little bit about the threat landscape.
04:44 Obviously everybody in this room is aware of it.
04:47 You can't be a CFO, certainly a CISO, and not have that be top of mind.
04:52 We all know CrowdStrike's a whole different now.
04:54 Of course, your patch can be a problem too, but give us a sense of what you're seeing
04:59 and what you would put on our radars.
05:03 The CrowdStrike example is an example of what I referred to as evil cyber lord rule number
05:08 one when I was in the White House, which is never attribute exclusively to evil when stupid
05:13 is still available as an option.
05:15 And no apology.
05:16 It was crisis management one to one fail.
05:23 What I would say in terms of the threat landscape and what we're facing today, you really actually
05:28 have a couple of different strands, which is that you have a very thriving criminal
05:36 ecosystem that is making a lot of money, that has a couple of different basic flavors that
05:44 they use to make that money.
05:48 And that threat is continuing to become more intense because we keep making it easier to
05:55 be-
05:56 Just the ransomware?
05:57 Ransomware is a good example, business email compromise, right?
06:00 There's a few basic flavors that they use to do these kinds of scams.
06:06 And besides that, we're connecting more devices to the internet, so we're constantly making
06:14 the threat surface bigger.
06:17 And the criminals have figured out that this is a pretty good business model.
06:22 New America did a study a few years ago that showed that all things being equal, if you
06:27 commit a physical crime in the United States, your chances of being prosecuted and convicted
06:33 and spending time in jail are about 50%.
06:36 If you commit a cyber crime, your chances of being arrested, convicted, and spending
06:41 time in jail are 0.05%.
06:42 Wow.
06:43 There's your incentive system at work.
06:46 Absolutely.
06:47 It's a completely different cost-benefit analysis.
06:49 One of the things I notice when I talk to leaders is not existential angst, but that
06:55 trope that, well, if you've all been breached, you just don't know it yet, which almost in
07:01 a way is just like a, eh, I'll deal with it when it comes.
07:06 That does not seem to be a useful strategy in this environment where the stakes are high
07:12 and you can avert attacks, right?
07:15 Yeah.
07:16 I'm very frustrated with the assume breach approach.
07:22 It's not because it's not true.
07:23 In many ways, it's right, but in my view, it sends the wrong message.
07:28 It sends a very fatalistic message that there's nothing that you can do to address your cybersecurity.
07:36 That's just completely wrong.
07:38 There are, in fact, well-known, well-researched, well-supported practices that will meaningfully
07:46 reduce your cyber risk.
07:47 Now, will you ever be able to drive your cyber risk to zero?
07:51 No.
07:52 Any more than you can drive your natural disaster risk to zero, right?
07:56 But you can substantially lower it and you can make your company, your organization much
08:01 more resilient to cyber incidents.
08:04 You can transform this threat into something that you can manage over the long term.
08:10 Let me ask.
08:11 I want to get to some advice here, but I want to ask about the policy landscape given the
08:15 role you're currently in.
08:17 What should be on our radars right now with regard to what you're seeing in terms of policy,
08:23 what's needed in policy?
08:24 And let's, obviously, the US, but if there's anything on the global landscape as well,
08:28 because that always impacts how we act.
08:31 From a policy standpoint, there are really two broad efforts that we have to engage in.
08:39 One is, how do you actually make the ecosystem more resilient?
08:45 How do you raise the standards of care?
08:49 How do you establish the standards of care for cybersecurity?
08:52 How do you raise them so that we get to the level of cybersecurity that we want?
08:57 But also, how do we start baking cybersecurity in from the beginning?
09:01 How do we actually start doing secure by design?
09:05 Which means, how do you design software and hardware to actually be secure from the beginning,
09:10 rather than being like, oh, we've got this product, now we need to make it secure?
09:15 How do you actually build that in from the beginning?
09:17 How do you make it secure by default, so that when you pull the thing out of the box or
09:20 you deploy it on your network, it's secure to begin with?
09:24 There are actually many, many CISOs who would be familiar with something called hardening
09:29 guidelines, which is like, how do you actually take software and make it more secure?
09:35 My view is, we actually need loosening guidelines.
09:37 The software comes out of the box, already in its hardened state, and you really have
09:43 to loosen it up a little bit to make it work for you.
09:46 That's a much better place to be in.
09:51 Those things, how do we actually change the market so that you have secure by design be
09:59 the primary method by which software developers are working?
10:03 How do you incentivize secure by default?
10:06 How do you actually raise that level of cybersecurity across the ecosystem, make people more resilient?
10:13 Those are the resilience side policy questions.
10:17 Now, we're talking about the intersection of CISO, security officer, and then CFO.
10:24 The money question, one of the things that fascinates me is the whole question of culpability.
10:29 You've seen in the UK, for example, that they're going after the banks and saying, if you are
10:35 letting these bad actors use your accounts, you, in fact, are culpable.
10:40 Give me some sense of, and I know we want to turn this to a table conversation very
10:44 soon, but where you see that intersection, and especially with regard to what's happening
10:50 with the financial risk.
10:53 We mentioned, of course, ransomware.
10:55 We know about that.
10:56 We know that companies often don't like to talk about it for very good reasons.
11:01 I think what's happening on the policy front there and what's happening on the technology
11:05 front there is fascinating.
11:08 I think the question is, how do we establish the standards of care so that we know what
11:15 is the baseline that we're going to hold companies to?
11:18 Because I do think that companies bear a responsibility to protect their networks, protect their customers,
11:24 protect their data.
11:25 But at the same time, you also can't ignore the fact that we don't want to punish victims
11:33 that have done all of the right things.
11:36 The issue for us right now has been that we haven't been real clear about what all
11:39 the right things are.
11:42 As a policy matter, we need to get much more clear about, okay, if you've done these things,
11:47 then you're going to have safe harbor.
11:49 If you haven't done those things, now if you're a ...
11:53 Profitability.
11:54 Right.
11:55 My example is, if you're a, you store it, one of those you store it places, and you
12:01 say, please store your stuff with us because it's secure, but you don't have any fences,
12:06 you don't have any guards, you don't have any cameras, you don't have any alarm systems,
12:10 well then maybe somebody could actually say, no, actually, in fact, you're kind of liable
12:14 for some of that.
12:15 Yeah.
12:16 My dad's garage.
12:17 It doesn't count.
12:18 Yeah.
12:19 So sorry.
12:20 But if you've done all of those things, and you still were facing an incident, then no,
12:23 you probably shouldn't be held liable for that.
12:26 But we don't have those standards yet well established across a lot of the cybersecurity
12:31 areas.
12:32 I know we're going to turn this to a table conversation now, so I'm going to let you
12:36 have one last final thought.
12:38 It can be haiku length or just advice, and obviously we'll continue hearing from you
12:44 at the table, but any thoughts?
12:46 What advice would you have if you were in the role of the people at this table, CFO,
12:51 CISO, et cetera?
12:52 So I would say that cybersecurity is a business multiplier.
12:59 It is an investment that you make to make the rest of your business actually run.
13:04 And cybersecurity is one of those classic things that you can either pay me now, or
13:09 you can pay me later.
13:10 And I guarantee you that paying me later will be way more expensive.
13:13 Exactly.
13:14 Good advice.
13:15 Well, please join me in thanking Michael.
13:16 Obviously, continue the conversation.