Thursday, 3 August 2017

MIT Technology Review/Mike Orcutt: We’re Thinking about Cybersecurity All Wrong

Obama’s former cyber advisor, Michael Daniel, on how we need to overhaul the way we manage the new “tool for statecraft.”

by Mike Orcutt, July 31, 2017

Michael Daniel has a unique perspective on today’s chaotic world of cybersecurity. Fresh off a four-year stint as President Obama’s top cyber advisor, Daniel is now president of the Cyber Threat Alliance, a nonprofit team of cybersecurity companies building a platform for sharing information about common threats. MIT Technology Review caught up with Daniel at the Black Hat computer security conference in Las Vegas last week. What follows is an edited transcript of the discussion.

You’ve seen the cybersecurity challenge from the perspective of both the government and now the private sector. How would you describe the moment we are in right now?

Where we are right now is that more and more countries are beginning to incorporate cyber capabilities into their tools of statecraft. We need to recognize that it is going to become a tool of statecraft, not just for the U.S. and the high-end players like Russia, China, Israel, and Great Britain, but for almost everybody. As a result, we need to begin to think through how we set up norms of behavior and rules of the road, so that this is not destabilizing.

Criminals as well as nation-states are getting more sophisticated in their cyber operations. What role can the Cyber Threat Alliance play in addressing this?

At its broadest level, CTA is an information sharing and analysis organization, one that is focused on the vendor and the cybersecurity provider community. There’s not really another organization that does this sort of work. Fundamentally, CTA is about doing two things. First, can we change how competition occurs in the cybersecurity industry to make it more beneficial to the whole? Instead of continuing to compete on “my inadequate pool of data is bigger than your inadequate pool of data,” we need to have shared our pools of data, and the competition should be on “I do better things with the data”—I’m faster, or I integrate with your company better, or I understand your business model better—whatever it is. That’s a higher-value level of competition. Everybody will be better off.

Second, by combining the information we can start to actually map out more effective ways to disrupt the bad guys, and do it across their entire business process. This is not about a kid in his basement; that’s not the real threat. These are organizations that run like businesses, and we need to start thinking about it in terms of disrupting their business models.

But will that approach work if the attacker is a nation-state adversary?

Yes and no. At one level, the idea of producing a playbook would work just as well for a nation-state adversary. Now, their motivations are different. Most nation-states are willing to invest time and money in a way that a criminal organization both won’t and can’t, so the impact that you may be able to have may be different. But you can still impose costs on them and slow them down.

Ultimately, though, the private sector will need to find new ways to cooperate with the government on these issues, given the nature of the threat. How can we innovate in the policy realm to help enable that?

I can give you two examples. We have learned that if you make your retirement system opt-in, in general you get about a 45 to 50 percent take rate among your employees. If, however, you make your retirement system opt-out, you get a 95 percent take rate. There is no technical difference between those two things, but from a process standpoint they yield dramatically different results. Why? Because of the psychology of it. People are lazy. If you make them make a decision, they will find a reason not to do it. But if the option is “Here’s this good thing for you and all you have to do is just go along with it,” only a small percentage will say no. So what’s the cyber equivalent to that? How do we make cybersecurity opt-out rather than opt-in?

Similarly, we’ve got this idea that cybersecurity is like border security. That makes no sense. Everybody in cyberspace is touching somebody else. There is no barrier or intermediary. That means we need to think about cybersecurity and the relationship between the government and the private sector using a completely different model. Maybe we need to borrow some models. For example, look at how we think about natural disasters. In a natural disaster, the response starts locally. If it begins to overwhelm the local officials, the state government steps in. If it goes beyond the state, they might call on mutual aid from other states. If it goes beyond that, FEMA steps in from the national level. What’s the cyber equivalent of that? How do we do the handoff, and decide whether something is the kind of thing the private sector can and should handle on its own, versus something that calls for feds to help? We don’t yet have the policy language to talk about what that relationship is.
