Hello,

We noticed you're browsing in private or incognito mode.

To continue reading this article, please exit incognito mode or log in.

Not an Insider? Subscribe now for unlimited access to online articles.

Connectivity

We’re Thinking about Cybersecurity All Wrong

Obama’s former cyber advisor, Michael Daniel, on how we need to overhaul the way we manage the new “tool for statecraft.”

Michael Daniel has a unique perspective on today’s chaotic world of cybersecurity. Fresh off a four-year stint as President Obama’s top cyber advisor, Daniel is now president of the Cyber Threat Alliance, a nonprofit team of cybersecurity companies building a platform for sharing information about common threats. MIT Technology Review caught up with Daniel at the Black Hat computer security conference in Las Vegas last week. What follows is an edited transcript of the discussion.

You’ve seen the cybersecurity challenge from the perspective of both the government and now the private sector. How would you describe the moment we are in right now?

Where we are right now is that more and more countries are beginning to incorporate cyber capabilities into their tools of statecraft. We need to recognize that it is going to become a tool of statecraft, not just for the U.S. and the high-end players like Russia, China, Israel, and Great Britain, but for almost everybody. As a result, we need to begin to think through how we set up norms of behavior and rules of the road, so that this is not destabilizing.

Criminals as well as nation-states are getting more sophisticated in their cyber operations. What role can the Cyber Threat Alliance play in addressing this?

At its broadest level, CTA is an information sharing and analysis organization, one that is focused on the vendor and the cybersecurity provider community. There’s not really another organization that does this sort of work. Fundamentally, CTA is about doing two things. First, can we change how competition occurs in the cybersecurity industry to make it more beneficial to the whole? Instead of continuing to compete on “my inadequate pool of data is bigger than your inadequate pool of data,” we need to have shared our pools of data, and the competition should be on “I do better things with the data”—I’m faster, or I integrate with your company better, or I understand your business model better—whatever it is. That’s a higher-value level of competition. Everybody will be better off.

Subscribe to The Download
What's important in technology and innovation, delivered to you every day.
Manage your newsletter preferences

Second, by combining the information we can start to actually map out more effective ways to disrupt the bad guys, and do it across their entire business process. This is not about a kid in his basement; that’s not the real threat. These are organizations that run like businesses, and we need to start thinking about it in terms of disrupting their business models.

But will that approach work if the attacker is a nation-state adversary?

Yes and no. At one level, the idea of producing a playbook would work just as well for a nation-state adversary. Now, their motivations are different. Most nation-states are willing to invest time and money in a way that a criminal organization both won’t and can’t, so the impact that you may be able to have may be different. But you can still impose costs on them and slow them down.

Ultimately, though, the private sector will need to find new ways to cooperate with the government on these issues, given the nature of the threat. How can we innovate in the policy realm to help enable that?

I can give you two examples. We have learned that if you make your retirement system opt-in, in general you get about a 45 to 50 percent take rate among your employees. If, however, you make your retirement system opt-out, you get a 95 percent take rate. There is no technical difference between those two things, but from a process standpoint they yield dramatically different results. Why? Because of the psychology of it. People are lazy. If you make them make a decision, they will find a reason not to do it. But if the option is “Here’s this good thing for you and all you have to do is just go along with it,” only a small percentage will say no. So what’s the cyber equivalent to that? How do we make cybersecurity opt-out rather than opt-in?

Similarly, we’ve got this idea that cybersecurity is like border security. That makes no sense. Everybody in cyberspace is touching somebody else. There is no barrier or intermediary. That means we need to think about cybersecurity and the relationship between the government and the private sector using a completely different model. Maybe we need to borrow some models. For example, look at how we think about natural disasters. In a natural disaster, the response starts locally. If it begins to overwhelm the local officials, the state government steps in. If it goes beyond the state, they might call on mutual aid from other states. If it goes beyond that, FEMA steps in from the national level. What’s the cyber equivalent of that? How do we do the handoff, and decide whether something is the kind of thing the private sector can and should handle on its own, versus something that calls for feds to help? We don’t yet have the policy language to talk about what that relationship is.

Hear more about security at EmTech MIT 2017.

Register now

Uh oh–you've read all of your free articles for this month.

Insider Premium
$179.95/yr US PRICE

More from Connectivity

What it means to be constantly connected with each other and vast sources of information.

Want more award-winning journalism? Subscribe and become an Insider.
  • Insider Plus {! insider.prices.plus !}* Best Value

    {! insider.display.menuOptionsLabel !}

    Everything included in Insider Basic, plus the digital magazine, extensive archive, ad-free web experience, and discounts to partner offerings and MIT Technology Review events.

    See details+

    What's Included

    Unlimited 24/7 access to MIT Technology Review’s website

    The Download: our daily newsletter of what's important in technology and innovation

    Bimonthly print magazine (6 issues per year)

    Bimonthly digital/PDF edition

    Access to the magazine PDF archive—thousands of articles going back to 1899 at your fingertips

    Special interest publications

    Discount to MIT Technology Review events

    Special discounts to select partner offerings

    Ad-free web experience

  • Insider Basic {! insider.prices.basic !}*

    {! insider.display.menuOptionsLabel !}

    Six issues of our award winning print magazine, unlimited online access plus The Download with the top tech stories delivered daily to your inbox.

    See details+

    What's Included

    Unlimited 24/7 access to MIT Technology Review’s website

    The Download: our daily newsletter of what's important in technology and innovation

    Bimonthly print magazine (6 issues per year)

  • Insider Online Only {! insider.prices.online !}*

    {! insider.display.menuOptionsLabel !}

    Unlimited online access including articles and video, plus The Download with the top tech stories delivered daily to your inbox.

    See details+

    What's Included

    Unlimited 24/7 access to MIT Technology Review’s website

    The Download: our daily newsletter of what's important in technology and innovation

/
You've read all of your free articles this month. This is your last free article this month. You've read of free articles this month. or  for unlimited online access.