We’re Thinking about Cybersecurity All Wrong
Obama’s former cyber advisor, Michael Daniel, on how we need to overhaul the way we manage the new “tool for statecraft.”
Michael Daniel has a unique perspective on today’s chaotic world of cybersecurity. Fresh off a four-year stint as President Obama’s top cyber advisor, Daniel is now president of the Cyber Threat Alliance, a nonprofit team of cybersecurity companies building a platform for sharing information about common threats. MIT Technology Review caught up with Daniel at the Black Hat computer security conference in Las Vegas last week. What follows is an edited transcript of the discussion.
You’ve seen the cybersecurity challenge from the perspective of both the government and now the private sector. How would you describe the moment we are in right now?
Where we are right now is that more and more countries are beginning to incorporate cyber capabilities into their tools of statecraft. We need to recognize that it is going to become a tool of statecraft, not just for the U.S. and the high-end players like Russia, China, Israel, and Great Britain, but for almost everybody. As a result, we need to begin to think through how we set up norms of behavior and rules of the road, so that this is not destabilizing.
Criminals as well as nation-states are getting more sophisticated in their cyber operations. What role can the Cyber Threat Alliance play in addressing this?
At its broadest level, CTA is an information sharing and analysis organization, one that is focused on the vendor and the cybersecurity provider community. There’s not really another organization that does this sort of work. Fundamentally, CTA is about doing two things. First, can we change how competition occurs in the cybersecurity industry to make it more beneficial to the whole? Instead of continuing to compete on “my inadequate pool of data is bigger than your inadequate pool of data,” we need to have shared our pools of data, and the competition should be on “I do better things with the data”—I’m faster, or I integrate with your company better, or I understand your business model better—whatever it is. That’s a higher-value level of competition. Everybody will be better off.
Second, by combining the information we can start to actually map out more effective ways to disrupt the bad guys, and do it across their entire business process. This is not about a kid in his basement; that’s not the real threat. These are organizations that run like businesses, and we need to start thinking about it in terms of disrupting their business models.
But will that approach work if the attacker is a nation-state adversary?
Yes and no. At one level, the idea of producing a playbook would work just as well for a nation-state adversary. Now, their motivations are different. Most nation-states are willing to invest time and money in a way that a criminal organization both won’t and can’t, so the impact that you may be able to have may be different. But you can still impose costs on them and slow them down.
Ultimately, though, the private sector will need to find new ways to cooperate with the government on these issues, given the nature of the threat. How can we innovate in the policy realm to help enable that?
I can give you two examples. We have learned that if you make your retirement system opt-in, in general you get about a 45 to 50 percent take rate among your employees. If, however, you make your retirement system opt-out, you get a 95 percent take rate. There is no technical difference between those two things, but from a process standpoint they yield dramatically different results. Why? Because of the psychology of it. People are lazy. If you make them make a decision, they will find a reason not to do it. But if the option is “Here’s this good thing for you and all you have to do is just go along with it,” only a small percentage will say no. So what’s the cyber equivalent to that? How do we make cybersecurity opt-out rather than opt-in?
Similarly, we’ve got this idea that cybersecurity is like border security. That makes no sense. Everybody in cyberspace is touching somebody else. There is no barrier or intermediary. That means we need to think about cybersecurity and the relationship between the government and the private sector using a completely different model. Maybe we need to borrow some models. For example, look at how we think about natural disasters. In a natural disaster, the response starts locally. If it begins to overwhelm the local officials, the state government steps in. If it goes beyond the state, they might call on mutual aid from other states. If it goes beyond that, FEMA steps in from the national level. What’s the cyber equivalent of that? How do we do the handoff, and decide whether something is the kind of thing the private sector can and should handle on its own, versus something that calls for feds to help? We don’t yet have the policy language to talk about what that relationship is.