Critical infrastructure a key issue for US cybersecurity chief

In Dublin last week, Obama’s special assistant, Michael Daniel, speaks about the White House’s commitment to cybersecurity plans

Michael Daniel, special assistant to US president Barack Obama and cybersecurity co-ordinator at the White House. photograph: julia schmalz/bloomberg>

Michael Daniel, special assistant to US president Barack Obama and cybersecurity co-ordinator at the White House. photograph: julia schmalz/bloomberg>

 

Michael Daniel’s appointment in 2012 as US president Barack Obama’s “cybersecurity czar” – or more formally, cybersecurity co-ordinator for the White House and special assistant to Mr Obama – initially drew a baffled response in US political and information security circles.

“My personal favourite headline was, ‘Who is Michael Daniel?’,” he says, laughing.

As chief of the intelligence branch of the national security division of the White House’s office of management and budget for over a decade, his focus had been high-level administration, analysing and understanding security policy development, well out of the public eye.

“There’s no question” his appointment came as a surprise, “given my background,” he says. But his previous role gave him in-depth knowledge of national security programmes and capabilities, across several presidential administrations, both Democrat and Republican. “Part of the reason the White House really wanted me was to send a clear message that cybersecurity was not a partisan issue. And to get things done inside the [government] bureaucracy,” he says.

Transformation
However, becoming the very public cybersecurity face of the administration has required a major transformation in how he works. “I’ve had to spend time to develop other skills. And honestly, that has been a lot of fun.” He says he also has had a lot more exposure to private industry, and “this has been a learning experience”.

Actually meeting people he would only have known by name or reputation in his previous role, has been particularly interesting, he says.

“The one that surprised me the most is Vint Cerf,” he says with another laugh. Cerf is often called the “father of the internet” for his role in helping create the fledgling internet, and is currently “chief internet evangelist” at Google. “I expected him to be this kind of long-haired hippie California guy, and nothing could be further from the truth. He’s a fabulous, amazing guy, very sharp and very focused.”

In Dublin last week to speak at the Institute of International and European Affairs’ cybersecurity conference on Friday, Daniel says his top priority is to get across to citizens, governments and private industry, both domestically and internationally, how committed the Obama administration is to bringing in a rigorous cybersecurity initiative, one that will improve and protect critical infrastructure.

“That’s the thing I’m most focused on. What I hope people will take away from me is the seriousness with which the administration approaches those goals.” However, he is cautious not to sound too US-centric in this task.

“Certainly the US government does not have all the answers,” he acknowledges. “This is a shared problem that can only be addressed by people working together on it.”

And yes, the ongoing revelations about the extent of surveillance domestically and internationally by the US National Security Agency (NSA) have damaged the EU-US relationship and made his task much harder.

Trust
“The NSA issues are not in my immediate wheelhouse,” he notes, and will not go into them in detail, but he readily acknowledges “they are very, very serious”, adding that he is working on ways to re-establish trust with those he speaks to in foreign governments.

He argues that there can be both strong privacy protections and cybersecurity policy.

“Cybersecurity and privacy are not in competition. They are mutually reinforcing. If you want good data protection, you want good privacy, and you want good cybersecurity.”

He will take that as the starting point for conversations with his European counterparts, he says. He adds that he knows the two sides “won’t think the same” on all issues, “but that’s okay. We improve best practice by learning from each other”.

The cybersecurity concerns he wishes to highlight can be boiled down to a few key issues. The first is cybercrime and the use of the internet to carry out a range of more “traditional” crimes.

“This is a transnational, global problem and runs quickly across borders,” he says.

Then, there’s the threat to intellectual property, including the theft of trade secrets and other corporate information. Often companies don’t even realise data have been stolen until long after the theft, he notes.

Threats to critical infrastructure are a growing problem and have become fact rather than disaster movie topics, he notes, but adds that those kinds of large-scale cyberterrorism scenarios “are not very prevalent right now. But that does not mean there are not significant threats. The difficulty in my space is calibrating that message. We don’t want to overblow the threat, while we also don’t want to undersell it.”

Finally, he lists “the threat to the multi-stakeholder internet itself”. Some countries have been advocating having more highly monitored and controlled national internets rather than one loosely governed one.

“We don’t think that’s the way to go,” he says. The internet has been a great driver of innovation and development – in part because it has no single-government, top-down management – and the US is committed to promoting that continued approach, he says.

Incidents
An ongoing concern remains the low level of reporting of incidents by private industry. Companies, for various reasons including competitive concerns about revealing vulnerabilities or data breaches, have been slow to hand over details of incidents. Even FBI director Robert Mueller has taken to making public speeches on the problem, including one in Dublin last year, asking for better private industry co-operation with the security agency.

There’s a need to share information, and share it quickly after incidents, says Daniel. That’s a joint approach he wishes to foster with both the private sector, and between governments.

“The issue in my mind, is we really need to continue to build partnerships between government and industry and it has to be a real, shared partnership.” That means finding ways of being more transparent and open without naming specific threats, and in a way that protects privacy, he says.

“The only way we can address [cybersecurity threats] is for those groups to bring what they do, what they’re good at, to the table.”

Meanwhile, the Obama administration is working to publish a voluntary framework for addressing cybersecurity threats to critical infrastructure, a project driven by Daniel as cybersecurity co-ordinator. The preliminary version came out last month, and responses will be taken until mid-December. “We certainly actively encourage input,” including from international parties, notes Daniel.

More information, and links to the document, are on nist. gov/itl/cyberframework.cfm.