Cybersecurity criminals rarely face jail time, says former White House cybersecurity coordinator

Fortune

Former White House Cybersecurity Coordinator Michael Daniel offers insights into the evolving cyber threat landscape and discusses the current challenges businesses face with ransomware and cybersecurity policies.

Transcript

00:00Michael, I have to start, first of all, since we're talking about cyber security, you gave

00:06me one little nugget there that you used to be a multi-level marketer of knives as a kid,

00:11so I thought, you know, my vision of the kid in front of the terminal, the gamer who then

00:17becomes the excellent cyber security expert, was that your trajectory?

00:21No.

00:22Okay, so give us a little bit of a sense of you before we get into your expertise.

00:26Sure.

00:28I mean, I will own up to my nerddom, right?

00:32You're reaching for, okay, no, okay, I thought you were trying to pull out a knife.

00:41But I will own up to the fact that I was quite the geek as a child, but I did not pursue

00:45a computer science path.

00:48My background is primarily in economics and finance, so I'm very at home in this space.

00:55I spent most of my early part of my federal career doing budgeting and finance at the

01:00Office of Management and Budget, and so I very much came into cyber from the resourcing

01:06side of things, and come at and think about the issues that we deal with in cyber security

01:13very much from a behavioral economics, from an incentive structure kind of lens.

01:21Can you give us a couple of little nuggets from your time in the White House, because

01:24most of us don't get to go into those rooms, and give us a few stories.

01:29What are your favorite memories?

01:30So I would say-

01:31Or worst memories.

01:32That might even be better.

01:33There are some of those too, but I would say that, first of all, it's much smaller than

01:38you think it is.

01:39So like all of the pictures and the movies and things like that, the hallways are way

01:45too wide.

01:46The ceilings are way too tall.

01:47Hollywood studios.

01:48Yeah, most of the time it's nothing like that.

01:51Even the Oval is not that big, relatively speaking, because it's an 18th century manor

01:58house.

02:00But I would say that some of the stories that we have from that time are really about how

02:07do you actually talk about and think about and address cyber security in a way that normal

02:16people can understand.

02:17My first few meetings in the White House Situation Room, when we were dealing with

02:22these issues, everybody was like this.

02:25Remind people which administration.

02:27So I was with ... Well, I actually worked for multiple administrations, and started

02:32in the Clinton administration, served through the Bush administration, and the Obama administration.

02:37I became Cyber Security Coordinator for President Obama.

02:41And so in 2012 still, people would be like this in the sit room, because they're reading

02:46their talking points, and they wouldn't actually look up and talk to anybody because they didn't

02:50know what they were talking about at that point.

02:54By the time we left in 2017, that was not the case anymore.

02:59And when I first came into the White House, there was a debate about whether or not cyber

03:04security was an issue that actually warranted inclusion in national security discussions.

03:13That wasn't the case by the time we left.

03:16You asked about some examples.

03:19In 2012, the Iranian government started carrying out denial of service attacks against some

03:26of our financial services companies.

03:27From the Iranian point of view, this was equivalent response to the sanctions.

03:34This was an equal response to the sanctions that were being put on them.

03:40But there was a great debate in the White House about what this was.

03:45There were some people who were like, okay, this is the equivalent of the Iranians sailing

03:50a sub up to the coast of Maryland and disgorging a bunch of special operations guys and blowing

03:56stuff up.

03:57Wow.

03:58And other people were like, no, that's not what this is.

04:01It's a denial of service attack.

04:03This is like they've hired a bunch of teenagers to drive up and down the street and play their

04:06radios really loud.

04:09That makes me wonder about state-sponsored hacking today now, radio versus the sub.

04:16But the point was that people were struggling with how do I think about this problem?

04:22What's my analogy?

04:24How do I actually bring my own experience to this?

04:27And that was the problem was that a lot of our previous experiences didn't translate

04:31very well into the cybersecurity situations that we were facing.

04:35You've stayed immersed in this world.

04:36So let's go forward 12 years now to circa today.

04:42Tell us a little bit about the threat landscape.

04:44Obviously everybody in this room is aware of it.

04:47You can't be a CFO, certainly a CISO, and not have that be top of mind.

04:52We all know CrowdStrike's a whole different now.

04:54Of course, your patch can be a problem too, but give us a sense of what you're seeing

04:59and what you would put on our radars.

05:03The CrowdStrike example is an example of what I referred to as evil cyber lord rule number

05:08one when I was in the White House, which is never attribute exclusively to evil when stupid

05:13is still available as an option.

05:15And no apology.

05:16It was crisis management one to one fail.

05:23What I would say in terms of the threat landscape and what we're facing today, you really actually

05:28have a couple of different strands, which is that you have a very thriving criminal

05:36ecosystem that is making a lot of money, that has a couple of different basic flavors that

05:44they use to make that money.

05:48And that threat is continuing to become more intense because we keep making it easier to

05:55be-

05:56Just the ransomware?

05:57Ransomware is a good example, business email compromise, right?

06:00There's a few basic flavors that they use to do these kinds of scams.

06:06And besides that, we're connecting more devices to the internet, so we're constantly making

06:14the threat surface bigger.

06:17And the criminals have figured out that this is a pretty good business model.

06:22New America did a study a few years ago that showed that all things being equal, if you

06:27commit a physical crime in the United States, your chances of being prosecuted and convicted

06:33and spending time in jail is about 50%.

06:36If you commit a cyber crime, your chances of being arrested, convicted, and spending

06:41time in jail is 0.05%.

06:42Wow.

06:43There's your incentive system at work.

06:46Absolutely.

06:47It's a completely different cost-benefit analysis.

06:49One of the things I notice when I talk to leaders is not existential angst, but that

06:55trope that, well, if you've all been breached, you just don't know it yet, which almost in

07:01a way is just like a, eh, I'll deal with it when it comes.

07:06That does not seem to be a useful strategy in this environment where the stakes are high

07:12and you can avert attacks, right?

07:15Yeah.

07:16I'm very frustrated with the approach of the assume breach approach.

07:22It's not because it's not true.

07:23In many ways, it's right, but in my view, it sends the wrong message.

07:28It sends a very fatalistic message that there's nothing that you can do to address your cybersecurity.

07:36That's just completely wrong.

07:38There are, in fact, well-known, well-researched, well-supported practices that will meaningfully

07:46reduce your cyber risk.

07:47Now, will you ever be able to drive your cyber risk to zero?

07:51No.

07:52Any more than you can drive your natural disaster risk to zero, right?

07:56But you can substantially lower it and you can make your company, your organization much

08:01more resilient to cyber incidents.

08:04You can transform this threat into something that you can manage over the long term.

08:10Let me ask.

08:11I want to get to some advice here, but I want to ask about the policy landscape given the

08:15role you're currently in.

08:17What should be on our radars right now with regard to what you're seeing in terms of policy,

08:23what's needed in policy?

08:24And let's, obviously, the US, but if there's anything on the global landscape as well,

08:28because that always impacts how we act.

08:31From a policy standpoint, there's really two broad efforts that we have to engage in.

08:39One is, how do you actually make the ecosystem more resilient?

08:45How do you raise the standards of care?

08:49How do you establish the standards of care for cybersecurity?

08:52How do you raise them so that we get to the level of cybersecurity that we want?

08:57But also, how do we start baking cybersecurity in for the beginning?

09:01How do we actually start doing secure by design?

09:05Which means, how do you design software and hardware to actually be secure from the beginning,

09:10rather than being like, oh, we've got this product, now we need to make it secure?

09:15How do you actually build that in from the beginning?

09:17How do you make it secure by default, so that when you pull the thing out of the box or

09:20you deploy it on your network, it's secure to begin with?

09:24There are actually many, many CISOs who would be familiar with something called hardening

09:29guidelines, which is like, how do you actually take software and make it more secure?

09:35My view is, we actually need loosening guidelines.

09:37The software comes out of the box, already in its hardened state, and you really have

09:43to loosen it up a little bit to make it work for you.

09:46That's a much better place to be in.

09:51Those things, how do we actually change the market so that you have secure by design be

09:59the primary method by which software developers are working?

10:03How do you incentivize secure by default?

10:06How do you actually raise that level of cybersecurity across the ecosystem, make people more resilient?

10:13Those are the resilience side policy questions.

10:17Now, we're talking about the intersection of CISO, security officer, and then CFO.

10:24The money question, one of the things that fascinates me is the whole question of culpability.

10:29You've seen in the UK, for example, that they're going after the banks and saying, if you are

10:35letting these bad actors use your accounts, you, in fact, are culpable.

10:40Give me some sense of, and I know we want to turn this to a table conversation very

10:44soon, but where you see that intersection, and especially with regard to what's happening

10:50with the financial risk.

10:53We mentioned, of course, ransomware.

10:55We know about that.

10:56We know that companies often don't like to talk about it for very good reasons.

11:01I think what's happening on the policy front there and what's happening on the technology

11:05front there is fascinating.

11:08I think the question is, how do we establish the standards of care so that we know what

11:15is the baseline that we're going to hold companies to?

11:18Because I do think that companies bear a responsibility to protect their networks, protect their customers,

11:24protect their data.

11:25But at the same time, you also can't ignore the fact that we don't want to punish victims

11:33that have done all of the right things.

11:36The issue for us right now has been that we haven't been real clear about what all

11:39the right things are.

11:42As a policy matter, we need to get much more clear about, okay, if you've done these things,

11:47then you're going to have safe harbor.

11:49If you haven't done those things, now if you're a ...

11:53Profitability.

11:54Right.

11:55My example is, if you're a, you store it, one of those you store it places, and you

12:01say, please store your stuff with us because it's secure, but you don't have any fences,

12:06you don't have any guards, you don't have any cameras, you don't have any alarm systems,

12:10well then maybe somebody could actually say, no, actually, in fact, you're kind of liable

12:14for some of that.

12:15Yeah.

12:16My dad's garage.

12:17It doesn't count.

12:18Yeah.

12:19So sorry.

12:20But if you've done all of those things, and you still were facing an incident, then no,

12:23you probably shouldn't be held liable for that.

12:26But we don't have those standards yet well established across a lot of the cybersecurity

12:31areas.

12:32I know we're going to turn this to a table conversation now, so I'm going to let you

12:36have one last final thought.

12:38It can be haiku length or just advice, and obviously we'll continue hearing from you

12:44at the table, but any thoughts?

12:46What advice would you have if you were in the role of the people at this table, CFO,

12:51CISO, et cetera?

12:52So I would say that cybersecurity is a business multiplier.

12:59It is an investment that you make to make the rest of your business actually run.

13:04And cybersecurity is one of those classic things that you can either pay me now, or

13:09you can pay me later.

13:10And I guarantee you that paying me later will be way more expensive.

13:13Exactly.

13:14Good advice.

13:15Well, please join me in thanking Michael.

13:16Obviously, continue the conversation.

Category

Transcript

Recommended