Many cybersecurity experts vented frustrations on Twitter yesterday about a recent interview by White House cybersecurity coordinator Michael Daniel published by Gov Info Security. In the interview, Daniel -- a longtime federal employee who was previously intelligence branch chief at the Office of Management and Budget -- seemed to suggest that his lack of specific technical expertise was actually an asset in his role as the nation's cyber czar, as former Federal Trade Commission chief technologist and current Princeton computer science professor Ed Felten noted on Twitter:
White House cybersecurity czar “sees his lack of technical expertise in IT security as an asset in his job”. http://t.co/P6GUTuUP38
— Ed Felten (@EdFelten) August 21, 2014
Information security experts were not amused, although some did poke fun at Daniel's expense -- including another former FTC chief technologist who made a Power Point joke.
Matthew Blaze, a professor of computer and information science at the University of Pennsylvania and well known security researcher, mockingly replied, "This is the same reason I'm sure I'd make a terrific surgeon. Why be bogged down by so-called 'knowledge' and 'experience'?"
Yahoo Chief Security Officer Alex Stamos made a similar point:
@EdFelten The Chairman of the JCS led an Armored division in Iraq I. The Atty Gen was a prosecutor. Why can't cyber czar config a firewall?
— Alex Stamos (@alexstamos) August 21, 2014
In a follow up Tweet, Stamos also wrote that the "lack of respect shown to information security as a profession by the government is infuriating." Carl Malamud responded to Felten's original tweet with just the word "sigh."
Listening to the full audio of the interview, suggesting that Daniel was explicitly bragging about his lack of technical expertise is probably overstating his comments. But he does make the point that his role is largely about coordinating policy responses rather than implementing specific technical solutions, the details of which he worries might distract him from the larger picture:
You have to start to develop a broad sense of the kinds of tech that is available. You don't have to be a coder to really do well in this position -- in fact, I think being too down in the weeds at the technical level could actually be a little bit of a distraction in that sense... [Interview is interrupted by Daniel being called to the West Wing.] ... I think that part of the way it's a distraction is that you can get taken up and sort of enamored with the very detailed aspects of some of the technical solutions. And, particularly here at the White House and in other senior positions across the government, the real issue is to look at the broad, strategic picture and the impact that technology will have.
His job, he argues, is to be more aware of the economics and psychology of cybersecurity than the actual technical implementation of solutions and to navigate the policy and political landscapes. And he's not alone in that assessment -- in a follow-up to the interview posted by Gov Info Security, Jim Lewis, a senior fellow focusing on cybersecurity at the think tank Center for Strategic and International Studies, is quoted as saying, "You need someone with a strategic point of view and policy skill to make progress." Lewis added that "technical skills are inadequate for policy and strategy and a focus on technology leads to bad outcomes."
Elsewhere in the interview, Daniel does say it's important to have that technical expertise around to advise him when it comes to specific problems. But in an interview with the Post, Stamos argued for the opposite relationship -- for leadership to have more technical skills and aides to provide strategic advice. While calling Daniel "an impressive person" who seems dedicated to his job and generally understands the issues, Stamos said Daniel's comments show how government has trouble valuing his industry's skill set.
"I just disagree that people who are in tech leadership positions in government shouldn't have hands-on experience," Stamos says. "In every other section in government we demand that." The head of the Centers for Disease Control is a doctor and the attorney general is a prosecutor, Stamos says, asking why cybersecurity should be treated differently.
"Technology is a profession just like those -- if government wants to get better at technology, they need to treat it seriously," he argues -- citing the problem-plagued launch of Healthcare.gov as an example of a governmental failure to live up to the technical needs of its citizens.
"When you're at a level like [Daniel], your job is to make difficult decisions between what are not obvious paths," Stamos says, especially in cybersecurity where the market is flush with different vendors hawking various products. "If you're going to make those decisions, it should be informed by your hands-on experience and ability to understand what people's day-to-day jobs are like on the most basic level," he argues.
In a statement to the Post, the White House defended Daniel's statements and his role in the administration. "Anyone who has worked with Michael Daniel recognizes that he is a master of the substance and technology undergirding U.S. cyber policy," National Security Council spokeswoman Caitlin Hayden wrote. "The senior-most officials in this Administration—from the President on down—rely on Michael’s expertise."
The point Daniel made is a sound one, she argues. "As Special Assistant to the President and Coordinator of Cybersecurity for the National Security Council, he should not be spending his time coding or otherwise buried in tactical details – he provides guidance on policy matters of national importance," Hayden says, adding that his portfolio is "tremendously large, diverse, and important, and his skillset is perfectly aligned to handle it.”