Whether it’s Russia’s alleged role in the 2016 U.S. presidential election or one of the major corporate breaches that seems to occur every week, you can’t escape cybersecurity. But for some, cybersecurity has been a way of life for over a decade.
Among those cyberspace veterans is Cheryl Davis, a former director for cybersecurity policy under the presidential administrations of both Donald Trump and Barack Obama. After a long career of fighting cybercrime and crafting cyber policy for the federal government, which has taken her through the Center for Naval Analyses, the Office of the Secretary of Defense and the U.S. Department of Homeland Security, Davis is joining the private sector as a managing director for FTI Consulting.
Davis recently spoke with Legaltech News about the move, the evolution of cybersecurity, and the policies and threats defining the modern cyber landscape. The interview has been edited for brevity.
So why did you switch from government to consulting?
It was just one of those opportunities that presented itself, and I couldn’t say no to it. I spent most of my career either in government or around the contracting realm, and so I was able to see [cybersecurity] from multiple different angles. It was one of those ‘what’s next’ realms, and hearing about what [FTI] are trying to do, and consulting with their cybersecurity practice, it just seemed like a great next step and something a little bit different, too.
And what are you hoping to accomplish in this next step?
I think just, in general, what we’re trying to do is get the full range of cybersecurity offerings, so not just taking it from the reactive [handling] of cyber incidents, the ‘Oh, a cyber incident has occurred, now what?’ but being able to step back and help [clients] with more proactive measures. So understanding what exactly are your critical assets, how are you protecting them, understanding the threat landscape, what are our recommendations for the best policies or data governance and strategies that [clients] could put in place to protect or make more resilient those assets. But then should an incident occur, also be able to offer those services. We’re really kind of helping with that full cycle from proactive to reactive.
How have you seen the government’s attitude toward cyber policy shift over the course of your time in the Security Council and the Department of Homeland Security?
I think there’s certainly a recognition—putting those policies in place to address the changing threat landscape and growth of the workforce, having a workforce that can actually operate in this new type of environment. And I think there’s a recognition too that cyber is not “computer network defense,” as it once was called. It’s now cybersecurity, cyber ops and whatnot, and it really has to be integrated across everything. We can’t do cyber in our stovepipe.
Has the government become more effective in addressing cybersecurity in recent years?
I think, with every incident, we certainly learn. Our government defenders and those in Homeland Security and the FBI are very, very smart individuals who are working hard. And I think some of the programs they’re putting in place and growing are really to the betterment of everybody, and those things are maturing—cyber threat sharing programs, other cybersecurity frameworks like NIST and whatnot. There’s recognition that it’s not just the government that’s responsible for the “be all end all” of cybersecurity, but it’s really a partnership.
Are there more roles now for cybersecurity professionals?
You have a lot of efforts like the NICE [National Initiative for Cybersecurity Education] effort and whatnot. Part of it in the government and the private sector, too, is finding, how do you just develop this necessary pipeline of individuals who are trained in this, whether it be threat protection or mitigation or whatnot, and what is the right training? My pathway coming from chemical engineering to where I am now is a little strange and probably not how we want to continue with the professionalization of this workforce. But what should that look like, and how do you recruit and retain that talent as well?
After working in government, what nation-states do you think pose the greatest cyber threat?
I’ll reference some of the open source reporting and things that I’ve seen. Certainly, with all the buzz and the concern about Russia and what exactly their cyber operators are into and what they’re after and all the concerns about the potential to at least influence on the election front. I just heard this morning concerns into Germany as to what [Russia is] doing. In North Korea, there’s certainly a lot of buzz right now and what, exactly, they’re doing on cyber. I was just reading an article about them going after bitcoin and some of their alleged financial activities. So that’s certainly a concern.
And China has been an interesting case, and all the press of what’s going on there and the agreement during the Obama administration that’s continued and certainly what has been the implication of that. Have the Chinese tampered down a little bit on their cyber-enabled threat of commercial property for commercial gain? And then you have Iran, as well, and what is going on there.
What policies did you find instrumental in enhancing SEC efforts for government as well as private industries?
I think you go back to some of the big work on executive orders and presidential policy directives (PPD)—PPD 21 on critical infrastructure security and resilience, [and] Executive Order 13636, which resulted in the NIST cybersecurity framework. And certainly [influential was] PPD 41, which really just kind of crystallized the government’s posture in cyber incident response. Those, I think, were all very helpful. And then you have the latest batch from the White House, which kind of continue those policies, to understand, “OK, what exactly has worked; what hasn’t worked; what do we need to do better going forward?” That sets the workplace for the next few years.
Of course the cyber commitment with China and that recognition that neither [China nor the US] would conduct or knowingly support the cyber-enabled theft of intellectual property for commercial gain. That commitment, frankly, sets the foundation for [international] cyber norms and what’s the appropriate way nation-states should behave in cyberspace.
So there’s a whole body of work I think out of the last eight, 10 years that we’ve just been really growing on, so I look forward to seeing how [the NSC] continues that and how the private sector can also plug in to approve all of that.
You’ve worked for both the Trump and Obama administrations. What key differences have you witnessed?
I think that, when the new team came in, [the approach] was certainly, “This is the opportunity to take stock of what we’ve accomplished thus far, and let’s see where we can take this now.” I don’t see any stark difference but a real opportunity to say, “Okay, let’s continue the momentum, get to work, do what we need to do, and what we’re putting in place will only help continue that momentum.”
It’s just one of those really key issues where it doesn’t matter where you stand. There’s a recognition that this is important, and we have to find a way to come together and work on this.