Dunning-Kruger syndrome is a terrible affliction. It knows no boundaries, affecting people from the lowliest of administrators to those in the highest office. However, its real victims aren’t those who suffer from it – it’s those who suffer under it.
Coined by social psychologists David Dunning and Justin Kruger, the Dunning-Kruger effect is a form of cognitive bias that convinces the incompetent that they’re experts. As Dunning put it, “poor performers are not in a position to recognize the shortcomings in their performance.”
The latest Dunning-Kruger sufferer is former New York City mayor Rudy Giuliani. Recently it surfaced that the attorney had to take his iPhone into the Apple store less than a month after Donald Trump appointed him as his cybersecurity advisor in January 2017. He was locked out of the device after forgetting his passcode and entered the wrong one at least 10 times, FBI agents told NBC News.
“Trump had just named him as an informal adviser on cybersecurity and here, he couldn’t even master the fundamentals of securing your own device,” an Apple store employee reportedly said.
Guffaw all you like at Giuliani’s iPhone trouble, along with his cybersecurity consulting company’s insecure website and his inability to understand Twitter. Never mind that experts called his appointment to the cybersecurity working group at the White House a symbolic hat-tip for his campaign help. A “nothing job.” This all points to a deeper problem.
We’re getting accustomed to appointing the wrong people for important cybersecurity positions. Take Japan’s then-deputy chief of the government's cybersecurity strategy office Yoshitaka Sakurada, who in November 2018 admitted that he doesn’t use computers.
At least Japan has a cybersecurity person in its cabinet. Not so the UK government, which decided it doesn’t need a cabinet minister to oversee the National Cyber Security Centre, despite a Joint Committee report to the contrary.
It wasn’t always like this. Remember Howard Schmidt? He was cybersecurity coordinator in the Obama administration until 2012, and he had true expertise. He wasn’t a lawyer trying to be a security pro. He was the real deal, with a long list of credentials including founding the first dedicated computer forensics lab in the US government. His successor Michael Daniel was an Office of Management and Budget man who tangled with cybersecurity and intelligence budget issues, so he was also familiar with the territory.
Now, we hear that White House branch chief of network defense Dimitrios Vastakis has resigned from the Office of the Chief Information Security Officer (OCISO), which merged with the Office of the Chief Information Officer (OCIO) in July and was responsible for securing the Presidential Information Technology Community (PITC) network. His complaint? Political infighting and leadership changes at the top were stripping the Office of its ability to protect the White House.
“This is a significant shift in the priorities of senior leadership, where business operations and quality of service take precedence over securing the President's network,” Vastakis said, in a memo that doubled as his resignation letter. “As a career cybersecurity professional, this is alarming.”
If cybersecurity is as much of a threat as government rhetoric claims (and it is), then it’s time to put meaningful people with a track record in cybersecurity in leadership positions dedicated to the task of protecting our networks. Anything less is a public disservice. In the years to come, such missteps may cost us dearly.
