I got into cyber – I fell into cybersecurity essentially by chance; I certainly wasn’t seeking to move into the field. In the mid-2000s, I served as the Intelligence Branch Chief at the Office of Management and Budget (OMB), where I led the team overseeing the US Intelligence Community’s budget and spending. At the time, US intelligence agencies began requesting significant funding for initiatives related to “cyber operations” and “cybersecurity,” but few policy-makers understood these funding requests. So, I dug into the issue to try to figure it out and make sensible funding recommendations.
In addition to the resource questions, I became fascinated with cybersecurity’s underlying policy aspects. For example, the bad guys often get in through a hole we know about AND know how to fix, but the company didn’t take the time to patch. That’s not a technology problem; that’s an incentive problem.
Over several years, I focused more of my time on cybersecurity. Eventually, I became the informal OMB lead for cybersecurity funding issues across the whole government, working closely with the other parts of OMB and the White House on efforts like the Comprehensive National Cybersecurity Initiative, the Cyberspace Policy Review, and similar programs. We also created the Cybersecurity Crosscut that totaled cybersecurity-related spending across the entire US government.
The expertise I developed eventually led President Obama to name me as the US Cybersecurity Coordinator on the National Security Council staff in June 2012. I held that position for 4.5 years until the end of the Obama Administration. Since then, I have run the Cyber Threat Alliance, a non-profit threat intelligence sharing organization.
A positive cyber mindset is – In my experience, the typical mindset regarding cybersecurity underlies many problems. If we think about cybersecurity purely as a technical problem to be solved, we inevitably fail, because cybersecurity encompasses so much more than just technology. If, however, we think about cybersecurity as a long-term risk to be managed, we have more success.
If we think about cybersecurity as a castle-and-moat problem, where we need to keep the bad guys “out,” we will almost always fail because the bad guys only have to be right once, and we have to be right all the time. On the other hand, if we think about preventing the bad guys from achieving their objectives, then the bad guys have to be right every step of the way along the path to their goal, and we only have to be right once.
If we treat cybersecurity as something only the nerdy elite can understand, then the average business owner or citizen will never learn what they need to know. Instead, if we act as if everyone can understand the basics of cybersecurity, then we can empower everyone to raise the level of security across our digital ecosystem. Changing our mindset about cybersecurity can pay huge dividends.
My top tips to those interested in transitioning to a career in cybersecurity are – My career path highlights an interesting feature of the field – computer science is not the only route into it, nor the only discipline needed. Cybersecurity is a multi-faceted problem that spans computer science, engineering, economics, business, psychology, diplomacy, law, and communications, to name a few. Thus, society needs cybersecurity professionals with skills in all these domains.
Moreover, we need diverse backgrounds, thought processes, and life experiences to effectively manage this threat. For example, we need better visual imagery – most cybersecurity pictures are locks, shields, or men in hoodies. Thus, we need visual artists who can diversify our imagery and make it more appealing to more people.
The quote I live by – Anyone who spends significant time around me knows that I love quotes, such as:
“Never attribute a cyber incident exclusively to evil when stupid is still available as an option.” While malicious actors cause many problems, they are not behind every failure, performance glitch, or system crash. It pays to be careful in attributing a computer problem to a malicious actor.
“The first report about a cyber incident is wrong.” Cyber incidents are complex affairs. I have yet to work through a cyber incident without some reported aspect of it changing from the initial disclosure. That’s not because people are incompetent or trying to hide something; an investigation always turns up new facts as it goes along. Therefore, I have learned to take the initial reports about an incident with a grain of salt and not overreact based on initial data.
How should we think about the current state of cybersecurity – The current state of cybersecurity is neither sustainable nor permanent. It is not sustainable because no society can tolerate the level of disruption and economic damage that our lack of effective cybersecurity causes. It is not permanent because we can change it; it is not an immutable fact of nature. We can improve our cybersecurity by making different policy choices. Change will not necessarily be easy, but it is possible.