Policy tied Obama’s hands in cyberspace, says White House Cybersecurity Coordinator
This is the third article in a three-part series on President Barack Obama’s record on cybersecurity issues. Click here for part one, an interview with the Department of Defense’s Aaron Hughes, and here for part two, with Homeland Security’s Phyllis Schneck.
America’s commitment to an open internet somewhat ties its hands in defending against and responding to hacking attacks like those during the election campaign or against Sony Pictures, outgoing White House Cybersecurity Coordinator Michael Daniel said.
“We as a nation have decided we don’t want the government to be our intermediary in cyberspace,” Daniel told CyberScoop in a wide-ranging exit interview. “We don’t want the federal government to build the great firewall of the U.S. and determine what information gets in or out.”
But Americans’ aversion to government control of their networks means citizens and corporations are effectively on the front line — and can be attacked by foreign hackers.
“Because we have made that choice, it means that the government cannot get in-between a company and a foreign government [attacker in cyberspace] in the way that it does in the physical world,” Daniel said.
The U.S. Constitution, along with the commitment to democratic values, complicates U.S. response to the broader information operations and hybrid warfare campaigns that major hacks are now often a part of.
According to federal court documents, hackers from Beijing’s People’s Liberation Army stole intellectual property from U.S. companies for the benefit of their Chinese competitors. North Korean and Iranian state hackers have been fingered for the Sony Pictures hack and distributed denial-of-service attacks against U.S. banks. Russian intelligence dumped hacked emails from Democratic Party officials via Wikileaks and then amplified the negative stories that generated through Kremlin-controlled news channels and automated bot armies of social media trolls.
“Our response will not be a mirror of what our authoritarian adversaries have done because that is fundamentally at odds with how the U.S. functions both as a society and as a government,” Daniel said.
Many options are inherently unavailable to U.S. policymakers, Daniel said.
“We don’t do centralized information management as a country,” he explained.
Cyber-warfare is different for the U.S. because the very battlefield itself — the hardware and software that underlies the internet — is largely owned and operated by the private sector.
“The relationship that we want to have with industry, and the private sector, it’s weird! What is it?” asked Daniel, a 17-year veteran of the Office of Management and Budget.
It’s not contractual or regulatory — although there are contractual and regulatory relationships involved, he said. “We want to be lined up [for response to cyber incidents] … we want to be doing coordinated actions. That’s kind of a new place for us to be” in relation to big private-sector concerns.
“That is very uncomfortable,” for policymakers, he said. “We don’t have good language for this kind of relationship we’re trying to build right now. We’re going to have to come up with some new partnership, some new burden-sharing arrangements.”
Disruption and deterrence
Looking back at the Obama administration, Daniel said he put the cybersecurity achievements in two categories. First was “the policies and deliverables the administration has put in place … tools and policies giving us the ability to disrupt and deter the [cyber] adversary [and] … the concrete manifestation of the lessons we’ve learned” about defending the nation’s networks.
- The National Institute of Standards and Technology Cybersecurity Framework, developed with industry input as called for in a presidential executive order and widely adopted by the private sector.
- The Cybersecurity Act of 2015.
- The Cybersecurity National Action Plan, put into place after the massive breach of Office of Personnel Management files by Chinese intelligence.
- The April 2015 executive order authorizing sanctions against individuals and other entities engaged in major cyberattacks against the U.S.
- Presidential Policy Directive 20 which “provides a framework for managing cyber-operations.”
- The “hard fought and ultimately very valuable” deal with China, whereby Beijing would stop economic cyber-espionage against U.S. companies.
- Promotion of global norms for state behavior in cyberspace, like the G20 accord.
- Presidential Policy Directive 41, which lays out the roles of various government agencies responding to a cyberattack, and the National Cyber Incident Response Plan drawn up under it.
But more intangibly, Daniel said, was a cultural shift among officials that made his job easier than the one his predecessors faced.
“There’s been a culture change across the federal government,” he said, especially in the wake of the OPM hacks. “Cabinet secretaries and their deputies now realize that they have a cybersecurity aspect to their mission, even if they don’t think of themselves as a cybersecurity agency … That is now just part of how the federal government functions.”
He acknowledged that the Obama administration couldn’t necessarily take all the credit for that, “Certainly, there’s been a more general cultural change across the country.”
Regardless of its source, the growing recognition among officials of the importance of cybersecurity gave him a boost his predecessors had lacked.
“I don’t have to argue with people about whether cybersecurity is important anymore. That’s not a challenge and that’s a huge advantage in this role.”
The job, created by Obama and reporting through both the National Security Council and the National Economic Council, is now “easier in that sense,” said Daniel. “It just keeps getting harder in other senses.”
Daniel said he saw his job as being about integration — getting cyber on the table at every meeting. “Integrating the cyber tools into our larger geopolitical statecraft” and integrating different policy tools like sanctions into the cyber response kit.
“The response to a cyberattack doesn’t have to be a cyber-response,” he said.
Daniel said he remains skeptical about the idea a massive and crippling cyber attack by another country, perhaps as a prelude to a military offensive, or by a terror group.
“For an adversary to have the precise effect they want at the time place of their choosing and only that effect, that’s still really hard … And I also think that these very catastrophic events [postulated] are still low probability.”
But Daniel said a smaller-scale attack was a growing possibility as the cyber capabilities of non-state actors increased.
“What I do worry about is somebody bringing together their capabilities to have a regional impact or an impact on a company that causes a broader ripple effect across the economy than for example Sony did” or an attack that causes an outsized public reaction.
“And I think the probability of that [kind of second-tier attack] will continue to rise over time,” he said.