WASHINGTON D.C. – In an afternoon keynote address at the Billington Cybersecurity Summit yesterday, Michael Daniel, a special assistant to the president and White House Cybersecurity Coordinator, refuted the common sentiment that the Internet is difficult to defend because it is borderless. To the contrary, Daniel explained that the border is everywhere on the Internet, and what is really lacking is an interior.
This lack of a homeland, so to speak, is perhaps one of the most understandable reasons that Internet security presents so many problems. Many of the problems actually seem to be fairly straightforward and simple, Daniel argued, creating a frustrating paradox.
At the center of most data breaches, most network compromises, most security incidents in general are well-known security vulnerabilities, many of which already have patches available. Either that, he explained, or they involve passwords.
We’ve made it to the moon, Daniel joked, but we still have not found a way to replace the password. He went on to say we all know we need to install updates, yet old and known bugs cause a far greater amount of havoc than zero-days.
Daniel described himself as the “chief cat herder for the government in all cybersecurity policy.” In reality though, his job mostly involves leading inter-agency development of cyber-policy and instigating a partnership between the government and private sector. He’s also at the core of the government’s cybersecurity framework and has said one of his primary goals is to “kill the password dead,” which also happens to be the goal of the president’s National Strategy for Trusted Identities in Cyberspace.
Much of Daniel’s presentation revolved around a simple question: Why is cybersecurity so hard?
He argued the somewhat obvious question is worth asking, “because at one level, if you take a step back and think about the issues, particularly from a technological perspective, security shouldn’t be an issue because criminals and attackers get in through holes we know about but simply have not fixed.”
“Why can’t we just fix them?” He asked. “Probably because the problem is a harder one than it appears to be.”
Daniel recited a few reasons why the problem is harder than it appears.
First he addressed our collective failure to truly understand “the economics and the psychology of cybersecurity.” The fact that we know where the problems are but cannot get the stakeholders to fix the problems means that we clearly do not understand the incentive structure behind cybersecurity.
“We have to change our approach or we will fail,” he warned. “Technology cannot compensate for bad business decisions in cybersecurity.”
The second major reason has to do with where the Internet began and what it is now.
In the beginning, he said, the Internet was limited and inhabited by a small class of technophiles. Outside of the Defense Department and some researchers, the government did not really use it and did not really care about it. Now everyone is online and the government is deeply interested in the Internet.
“What used to be devised by tech experts, is now the focus of a highly political process,” Daniel said. “Once easy decisions are now hard.”
He went on to explain that the vast intent and impact of cyberspace changes how people think about it. Critical infrastructure wasn’t connected to the web when it was built. People didn’t care about code security and privacy because there were no social networks and the amount of data online was negligible. Then we went online in a big way to great success and now people care about security and privacy.
The third reason the Internet is so hard to secure is because it is fundamentally different from the physical world.
“The way cyberspace works is not the way the traditional world works. Traditional understandings of Internet are true but misleading. There are borders everywhere in cyberspace. The Internet does not lack borders, but interiors.”
Everything lives and operates right at the border, he explained. There is no cyber-homeland. In the physical world, we have border security, which is relegated the government. When everything lives on the border, then we all share the responsibility for protection.
“We must cross boundaries that we have otherwise decided shouldn’t be crossed.”
Ultimately, Daniel believes solving the security problem begins and ends with simplifying the problem itself. Part of his mission – and thus the mission of the cybersecurity framework he is tasked with helping to develop – has been to frame the issue in language that is understandable outside the highly technical IT and information security departments. He’s made it a goal to make sure that executives are getting a clear picture about what the problems are, how they can be addressed, and, more broadly, what it all means.
This, he claims, will help address a hard problem in a simple way.
“It’s slow but you can make incremental progress that way. I think that is the only way you can eventually address this very hard problem. The cyber problem is addressable. It is solvable, but we need new thinking and new technology.”