Friday, October 29, 2021

Biden's new cyber czar is pushing for collective defense inside government and out


Ellen Nakashima
Thu, October 28, 2021

WASHINGTON - The Office of the National Cyber Director wants to bring cohesion to efforts to strengthen computer defenses across a sprawling set of more than 100 civilian agencies even as it seeks to drive more robust cybersecurity in the private sector.

"This is the beginning, not the end" of the attempt to ensure that the United States enjoys a secure and open Internet, said National Cyber Director Chris Inglis in an interview Wednesday laying out strategic vision for the federal government's newest agency.

Part of that effort may eventually include cybersecurity mandates for critical infrastructure.

"You can't rule that out," said Inglis, who was confirmed by the Senate as the first national cyber director in June and sworn in the following month. "I'm confident that at some point we'll get to that bridge and have to cross it."

He noted that such mandates would have to be set by Congress, and would be done "on an exceptional basis as opposed to a primary tool."

Congress established the office last year and purposely placed it in the White House, making the director report to the president, to ensure it had prominence and influence, and would be in a position to coordinate cyber defense efforts across the federal government.

Confronting challenges in cyberspace is a top priority for President Joe Biden, who has raised the issue of ransomware - a highly disruptive attack in which hackers demand exorbitant payments to free computers paralyzed by malware - with Russian President Vladimir Putin.

Inglis's office will work toward building resilience against ransomware assaults, which often originate from Russia. But deterring them through bilateral talks, international pressure from allies and disruptive actions is more appropriately overseen by the National Security Council, he said.

Inglis has designated Chris DeRusha as his deputy for federal cybersecurity. DeRusha, who is also the federal chief information security officer for the White House Office of Management and Budget, will serve in a "dual-hat" role that is intended to bring his budget and cybersecurity expertise to the effort.

A key lever for the office is the ability to review agencies' cybersecurity budgets and recommend changes that will align spending plans with the president's cybersecurity priorities.

"It's a great opportunity to have that synergy," DeRusha said. "We're excited to have that extra capacity" afforded by the new office.

The coordination should be a boon for federal agency cybersecurity officers, Inglis said. "Particularly if you're a chief information security officer, you'll see us speaking in complementary ways and using our resources in a collaborative manner."

Inglis said that raising the federal government's cyber game is essential, but only a "predicate" to the broader effort to improve public-private collaboration. "You need to do that before the other things become a viable possibility," he said.

"I think we'll use our buying power" with federal contractors to encourage stronger cybersecurity practices, he said. But "we're not going to be big enough to drive the entire marketplace."

Inglis' role could be seen as encroaching on that of the head of the Cybersecurity and Infrastructure Security Agency, Jen Easterly, who leads the federal agency in charge of cybersecurity for civilian agencies and critical industrial sectors.

But Inglis said he sees himself more as a "coach" with Easterly as "quarterback." The two, who once worked together at the National Security Agency, speak daily about cyber matters.

"My job is to ensure that she has the right resources and the right authorities within the scope of what the federal government can do on its own, and that her job is to execute," said Inglis, a former NSA deputy director. "So when she goes on the field, she has significant resources and a growing capacity to succeed."

The office is just starting to hire and Inglis said he expects to have about 25 personnel by year's end, working toward a total of about 75.

The office will build on a federal executive order issued in May that, among other things, will require companies selling software to the government to meet a set of standards. The hope is that effort to improve software security will ripple across businesses and critical industries nationally and internationally.

After Congress established the office in December, the Biden administration created a new role of deputy national security adviser for cyber within the NSC. Debate ensued over whether that job would conflict with the NCD.

The administration's delay in naming a national cyber director frustrated some lawmakers, who wanted to see the position filled quickly amid major incidents such as the SolarWinds hack, which saw government agencies and private companies compromised by Russian government operatives. But the naming of Inglis appeased the critics.

"Standing up the Office of the National Cyber Director finally provides the government with the strategic leader who both reports to the president and to Congress and thus can lead both the federal cybersecurity effort and build the public-private collaboration that is necessary to the defense of critical infrastructure," said Mark Montgomery, senior adviser to the bipartisan Cyberspace Solarium Commission, which recommended the office's creation.

No comments:

Post a Comment