This was the question raised last week when Michael Daniel, the White House Cybersecurity Czar, commented that his lack of technical skills was an asset to his job. This, of course, caused a lot of debate about whether Mr. Daniel needs to be a “coder” to be effective in his role.
Here is my take. A CC (Cybersecurity Czar), CISO, CIO, etc., does not have to be a coder or developer to function effectively in the job. They do, however, need an understanding of how the technology they are managing, purchasing, or building national policy around actually works. If a CC does not have a proper (read: real-world, not read-from-a-book) understanding of how a firewall works, how can we expect them to make good strategic policy about how we should use firewalls? One of the points Caitlin Hayden, National Security Council spokesperson, makes is that from the POTUS on down, they rely on Mr. Daniel’s “expertise”. How can Mr. Daniel have any expertise in a field he doesn’t understand?
If you have not performed heart surgery, you can’t claim to be a heart surgeon. The same holds true for technology. If you have never held a “cyber” role, how can we believe that you understand the risks involved in different cyber scenarios? If you are building policy around DDoS attacks and you don’t understand how they work, or what tools you would use to counter them, then what good is your policy?
One of the truly frightening things is any policy that allows for a kinetic response to a cyber attack. Our ability to properly attribute attacks to countries or groups is pretty poor at this point. We can make assumptions, but they are just that: assumptions. If Mr. Daniel does not understand how the technology works, we could end up with policy built on false assumptions that leads to escalation and violence in the real world.
I, for one, prefer my strategies and policies based on actual expertise, not the assumptions of an amateur.