History showed us that highly developed societies can fall down rapidly. Are we at such a reversal point at the moment, because critical infrastructure and therefore the basis of digitization is so vulnerable?
Michael Daniel: Well, I do think that we are at what I would call a strategic inflection point. I don't know about the collapse of civilization but I do believe that for the last 40 years we in the west, western Europe, the United States and others, have leveraged the Internet for vast advances in national security, economic prosperity, social advances. And all of that is now at risk as the cyber threat grows. And it may be that instead of being a strategic advantage for the west, it turns into a strategic liability. And that's a future we want to avoid.
And from your perspective: What must be done to assure that we are not at that reversal point, to avoid that?
Michael Daniel: I think that there are a couple of key factors that I would say. One is we have to change our mindset about how we think about cyber security. We have traditionally thought of it as a technical problem for which there should be an easy technical solution. And the truth is that cyber security is really not just a technical problem. It is also an economic problem, it's a human psychology problem, and so we need to have a different mindset for how we go about treating cyber security. And that means that we need to really adopt a holistic risk management mindset for managing cyber security risks the same way that we manage risk of national disasters, the way we manage the risk of liability from lawsuits or any of those other kinds of things. And I think those are really the two key components: changing the mindset and adopting a holistic risk management framework that will start to allow us to get our arms around this problem.
Basically, this holistic framework would be your advice to states and companies regarding cyber security or is there more?
Michael Daniel: There are a number of things that companies can and should do. They have to do those two things. Having CEO level attention on the issue is critically important. You have to have a response plan for what you do when the bad day happens inevitably. You have to practice it. So, there is kind of a toolbox of things that companies should really do, but it's more of an organizational mindset shift that's at the root of it than buying this or that appliance or this or that technology. It's really starting to adopt that holistic end-to-end look at your cyber security posture that's really important.
And if we look at the current status: is enough money, from your point of view, spent in this area?
Michael Daniel: Well, there's probably a range of answers to that question. Some companies are actually probably spending too much on certain kinds of cyber security and not enough on others. So, it may be that they actually need to reallocate some of their spending. In some cases, some organizations are not spending enough on it. Within the US government where I worked previously we were spending close to between 16 and 20 billion US dollars a year on cyber security. And I could argue that that probably should be sufficient for what we were trying to do, it just may have needed to be allocated in a different manner. I do think that more attention and focus and time needs to be spent on the issue. And in some cases it will take more resources. It just depends on an individual government or company's position where they are and what they are already spending on it.
A digitized world can never be safe. So aren't the risks too high to phrase it a bit like too much?
Michael Daniel: No, I don't actually think so. I think that we have to recognize that just like in the physical world you can never completely eliminate all risks. In the cyber world you'll never be able to completely eliminate all risks. We accept risk as a society every day. The risk of driving, the risk of going for a swim, the risk of anything that you do. And so it's really a matter of risk management and doing things to structure it so that we drive the risk as low as possible. What I would argue is that as an industry, the cyber security industry needs to think much more about how to enable people to effectively manage the risk, how to make it easy for people to drive their risk down, or easier for them to drive their risk down and approach it in that manner. And I do think that we can make the risk manageable as a society. But we will never drive it completely to zero. And that is something that we will just have to learn to accept.