Michael Daniel, cybersecurity coordinator for the White House, is being taken to task for saying:
“You don’t have to be a coder in order to really do well in this position,” Daniel said, when asked if his job required knowledge of the technology behind information security. “In fact, actually, I think being too down in the weeds at the technical level could actually be a little bit of a distraction.”
“You can get taken up and enamored with the very detailed aspects of some of the technical solutions,” he explained, arguing that “the real issue is looking at the broad strategic picture.”
That quote, from “White House cybersecurity czar brags about his lack of technical expertise” by Timothy B. Lee, has provoked all manner of huffing and puffing across the computer security community.
It reminds me of candidates for the county commission who would brag about their expertise at running graders, backhoes, and similar heavy equipment. Always puzzled me because I assumed county government would hire people with those skills. Commissioners needed skills at representing the county for grants, making policy decisions, etc.
The security community, or at least reporters purporting to speak for the security community, don’t appear to understand the difference between cybersecurity software and cybersecurity policy. You need coders for the former and policy wonks for the latter. Someone could be both, but that’s fairly unlikely.
For example, assume a new security algorithm is discovered that can encrypt telephone and email communications with very little overhead for encryption/decryption. Further assume that Daniel has been assured by none other than Bruce Schneier that the algorithm and the software that implements it perform as advertised. And assume Daniel understands none of the details about the algorithm and software.
How does his ignorance impact the formulation of cybersecurity policy with regard to this algorithm or software?
The FBI opposes it because the FBI prefers non-encrypted communications like in the old days when it could just plug into a phone junction box.
The NSA opposes it, at least for others, because then it could not easily tap into email and phone conversations.
The Department of Defense opposes it, primarily because it has long-term contractual relationships for security services with firms that don’t have access to the algorithm.
The Library of Congress supports it, or at least those outside of the Copyright Office do.
Various other groups take positions that seem reasonable to them.
So, how are coding skills going to help Daniel balance the political, social, agency and other considerations for a policy concerning such an algorithm?
We all know the answer to that question.
Not at all.
PS: If my example looks like a strawman, come up with one of your own. Technical expertise Daniel can hire; policy expertise, meaning knowing what is expedient given the stakeholders and their influence, not so much.