In describing his lack of information technology expertise, White House Cybersecurity Coordinator Michael Daniel didn't do himself justice when he said in an interview with me, "Being too down in the weeds at the technical level could actually be a little bit of a distraction." (See Michael Daniel's Path to the White House to listen to the full interview.)
See Also: Rethinking Endpoint Security
That remark put Daniel in the crosshairs of critics, igniting a surge of derisive comments in the blogosphere, on Twitter and in postings on our website, questioning his qualifications to be an assistant to the president on cybersecurity. Several commentators characterize Daniel's comment as bragging about his lack of technical expertise. Daniel wasn't bragging, and those commentators either didn't listen to the full interview or just don't understand the nature of the job of White House cybersecurity coordinator.
Listen to Daniel's quote in full.
The most biting criticism came in a blog by Timothy B. Lee on Vox.com titled White House Cybersecurity Czar Brags about His Lack of Technical Expertise. In it, Lee cites Princeton computer scientist Ed Felton as saying it's hard to imagine senior policymakers with responsibility for other technical subjects making this kind of claim. "Imagine a White House economic adviser arguing that experience in the weeds of economic research would be a distraction, an attorney general making that claim about time in a courtroom, or a surgeon general bragging about never having set foot in an operating room," Lee writes.
He's Not a CISO
True, those types of experiences would be relevant if Daniel ran an information security operation or managed Homeland Security's National Cybersecurity Communications Integration Center, or purchased IT security hardware or software for the government. But that's not what he does; he's a policymaker. As he puts it, his main responsibility is "herding cats." Simply, his job is trying to get various federal agencies and other stakeholders on the same page on implementing the government's cybersecurity policy.
"I'm not sure the criticism is warranted as all things at the White House are controlled by the inbox," a former top White House cybersecurity policy adviser says. Indeed, my interview with Daniel was interrupted when he was called to the West Wing.
Jim Lewis, senior fellow at the think tank Center for Strategic and International Studies and one of cybersecurity's most respected thinkers, says the squabble over Daniel's comments explains why cybersecurity is so messed up.
"Computer scientists were in charge and they did a terrible job, being lost in the weeds and largely clueless about policy," Lewis says. "You need someone with a strategic point of view and policy skill to make progress. A computer scientist reading Clausewitz at the beach does not make them a strategist and having them go down to Capitol Hill a couple times a year does not make them politically skilled. ... Please, we don't let the mechanics drive the race car unless we want to lose. Technical skills are inadequate for policy and strategy and a focus on technology leads to bad outcomes."
Second Guessing Choice of Words
That's a theme picked up by security consultant Paul Rosenzweig, former deputy assistant secretary for policy at the Department of Homeland Security. "Daniel did not say that experience in the weeds of cybersecurity was unnecessary, only that the more difficult questions usually have strategic-level solutions, not tactical ones. That's right, as anyone who understands strategy knows. Sun Tzu said: 'Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat.' Daniel rightly is saying the same thing, in a different vernacular."
Mark Weatherford, former DHS deputy undersecretary for cybersecurity, says Daniel was a bit inarticulate: "Michael probably wishes he could have said what he said a little bit differently and perhaps a little bit more elegantly, but fundamentally I think he's accurate."
Weatherford, the former chief information security officer for the states of California and Colorado, came to his jobs with technical know-how, earning a master's degree in information security. Not surprisingly, he says having technical expertise doesn't hurt, but adds: "I don't think Michael's lack of technical background has been a hindrance to him in doing his job"
Karen Evans, the former federal chief information officer, worked with Daniel at the White House Office of Management and Budget, when he served as the intelligence branch chief at the White House Office of Management and Budget. She says the managerial and policymaking skills Daniel culled during his years in government prepared him for his current White House position (see Who Is Michael Daniel?).
Can't Have It All
"You don't have to be a subject matter expert in everything you do, but you have to have those core capabilities like managing change, having business acumen, reading the political environment, understanding financial management and understanding the dependencies on IT into a program, but you don't have to be a cybersecurity professional to manage cybersecurity professionals," she says.
What does Daniel think about this brouhaha? He didn't respond to a request for a comment through his spokeswoman.
For the record, Daniel holds a bachelor's degree in public policy from Princeton University, a master's in public policy from the Harvard Kennedy School of Government and a master's in national resource planning from the National Defense University.
Cybersecurity today - whether in government or business - requires a variety of skills, including technical, managerial and policymaking. But no one individual needs all three, even those in leadership positions. On Daniel's White House staff are technologists who provide him with insight on how technologies work.
Leaders like Daniel can understand the importance of IT security and its various components to safeguard the government and nation without having to know the technical details behind each app and system.