Chris Inglis’ new White House office has a startup feel to it. There are desks, a few chairs, a coffee maker and a poster hanging on the wall. But as the head of the newly established Office of the National Cyber Director, Inglis has to make due with what he has while still advising President Joe Biden on the smartest ways for the US to prevent and respond to cyberattacks.
Inglis has already had numerous conversations with the president, who has made clear that the government has a role to play in the defense of the private sector and in assisting the private sector in defending critical infrastructure. And the president knows, says Inglis, that means the government needs to get its own cyber house in order.
But like any real startup, Inglis’ resources are scarce. More than three months after being confirmed by the Senate, he still doesn’t have the full staff he needs to take on his timely and critical mission. That’s because the funding for his office – some $21 million, part of the $1 trillion infrastructure bill making its way through Congress – is still stuck in the political spin cycle. Why does it matter?
“The threat is greater than I can ever remember,” Inglis told me during last month’s AFCEA and INSA Intelligence & National Security Summit in National Harbor, Maryland. “The audacity, the brazenness, the thresholds that have been crossed at every turn; we’re in a difficult place.”
While he’s waiting for Congress to act, he says he’s spending about fifty percent of his time defining his role, being careful not to duplicate the work already being done by other agencies and departments, while spending another fifty percent building relationships that will be important later. Eventually, he’s expected to have a staff of some 75 people who will be expected to work hand in glove with CISA, the National Security Council’s cyber staff, the OMB and others. The remaining fifty percent of his time, Inglis jokes, is spent figuring out how to attract the country’s best talent.
“People are starting to flow into the organization. I’m confident that we’re coming up to a breakout moment, not for the National Cyber Director, but the contribution that we can and should make. I’m sobered by the nature of the challenge, I’m optimistic we can make a difference.”
Optimistic he is. And he’s not even complaining about being given a critical task for US national security and then having to wait for politics to play out before being able to act on it.
“It has been a semi-silver lining in that we would not have had time to think about how we want to apply the resources coming our way.”
While Inglis has been waiting, he and his small team have had time to think about the four things they’d like to focus on right away.
First, is streamlining the roles and responsibilities in government of who handles what when it comes to protecting the public and private sectors from cyberattacks. He also spoke during his confirmation hearing about the importance of allocation of resources and while the Office of the National Cyber Director doesn’t have the authority to move money, it does have what Inglis calls the responsibility to account for cyber money.
“One of the most critical gaps in cyber is that the physical digital infrastructure is not built to a common standard. The executive order related to this requires that within a certain amount of time we have to install basic procedures like multifactor authentication and encryption of stored material. That is a challenge and a potential vulnerability for us. We need to make sure that we make these investments necessary to buy down the lack of investment for years.
The second gap is in talent related to number of people required to occupy these jobs. It’s not simply the folks with IT or cyber in their name, but general cyber awareness. There is some expenditure of resources of time, attention, and money to get awareness right on the part of the truly accountable parties like agency and department heads. We have to make sure they don’t see cyber as a cost center, but an enabler on the part of all the users as they understand what their roles are and what the accountability is.
He admits there is still a level of education needed within government to get there.
“That is usually the case in both the government and the private sector,” he said. “We need to think this way about cyber and invest in cyber so that we can enable the mission, not hold it back. I think that education is the most important and effective way to handle this. Then, it is to make sure that the accountability is aligned and harmonized. We tend to take risk in one place and expect someone in another place to be the mitigator of a risk they don’t understand was taken in the first place. We need to operate in a collaborative fashion and get away from divisions of effort which are an agreement not to collaborate and allow adversaries to pick us off one at a time.”
Inglis says that unity of effort must start at home. “The executive order issued in May has begun to lay out common expectations about the hardware, software, and practices that we need to begin in those spaces,” he said. “Externally, if we have sector risk management agencies who engage the private sector for the purposes of supporting and engaging the critical components of that infrastructure, we need to make sure you don’t need a Ph.D. in government to know who to deal with and what you’re going to get from them.”
He is arguing for the government to also put ‘valuable material’ on the table. “That could be our convening power,” said Inglis. “We could perhaps address and reduce liability or give companies a clue as to what might be around the corner because the government has access to exquisite intelligence. If that setup is possible, we also need a venue where collaboration takes place. Information doesn’t collaborate, people do.”
Inglis likes to point to the example of CISA and the Joint Cyber Collaborative. “They put people from the private sector and the public sector side by side to co-discover threats that hold us at common risk. That project sets up the possibility of implicit collaboration in what we then do with that common operational picture. The government could take ideas that private sector companies turn into proprietary systems and enrich and classify them to deal with it in their system.”
Using what he calls “all the tools in the toolkit,” Inglis also notes the importance of international relationships, which fits nicely into the White House’s International Summit on Ransomware last week in Washington, which zeroed in on tighter cryptocurrency standards, among other things. “Beyond the Five Eyes, what do other like-minded nations think about what is expected behavior in this? What are governmental actions that are appropriate,” he asked.
Inglis has been an active participant in the president’s recent actions in cyber. He took part in a White House meeting with tech leaders in August that was hosted by President Biden, who Inglis says, spent the first hour sharing his vision about how the country should focus on collaborative integration. “The companies represented weren’t only companies like Microsoft and Apple, but people who operate in the critical infrastructure space,” said Inglis. “The people component, educators, were represented reflecting the president’s view that cyberspace is not just technology, it is also the people component. They are a major link in the chain, and we need to get the roles and responsibilities right.”
While he’s waiting for the funding he needs to get his office fully staffed, Inglis said he’s also putting thought into reconciling resources with aspirations. Managing expectations is going to be important. Frustration has been growing for years over what some see as a lack of government response to some of the largest hacks in history. The phrase ‘time and place of our choosing’ as a definition of response has grown old and some Americans are weary of a government that isn’t responding in a more public way to the beating it sees the US taking in cyberspace.
So, I asked Inglis whether there should be red lines in cyber.
“Red lines are both good and bad,” he answered. “They are clear and crisp, and everybody knows what they are. The downside is that because of that, an adversary knows exactly how far they can go. It means that you set up a somewhat permissive environment. Red lines also don’t have context; sometimes there is a reason that a defender would make the ransomware payment. As a matter of policy, the U.S. government does not pay ransomware, but I imagine there will be a situation at some point where a hospital is against the Russian state and actual life and safety is at risk. If there is no other way to get the material back, in order to get back in the business of saving lives, they would want to rethink if a red line is a red line in that particular situation. I think the right thing to do here is not to establish hard thresholds of things with scripted responses, but outline what we are prepared to defend and what principles we will exercise in defense of those things. We commit to defending the private sector when it is held at risk by a nation state in cyberspace as much as in the kinetic space and make that clear to adversaries. I think that would be more helpful in changing decision calculus and creating a useful ambiguity about when and where we will come in.”
Inglis said he’s also thinking a lot about present and future resilience. It’s a worthwhile focus, given that the White House estimates that nearly half a million public and private sector cybersecurity jobs are currently unfilled.
“That is a massive problem,” said Inglis. “However, the more insidious problem is that the 320 million people in the United States who use the internet who have no idea how to properly take their place on the front lines of this issue. There is an awareness issue that requires us not to make Python programmers out of them but to make sure they understand the nature of this space.”
Everyone has heard the old saying that time is money, but in Inglis’ case, time is security so I asked him point blank whether he thought government was moving has quickly as it should on the cyber problem.
“Government is moving at speed; the question is if it is at the necessary speed. I don’t think anyone is moving at the necessary speed. Some are moving at light speed, but at the end of the day, we need an integrated, collaborative approach. While we won’t have unity of command, I think there needs to be a universally felt sense of urgency so that we will all get our heads in the game.”
Congress, are you listening? Oh, and by the way, that poster in Inglis’ office? It reads, ‘Hours Since the Last Surprise.”
“As a startup with maybe too few resources at the start and who often didn’t understand how all the wickets are run, we have our occasional surprise,” said Inglis. “When we encounter those surprises and go to someone with the deep and sharp expertise to help us navigate that, we get what we need. However, we are not a full functioning, full featured, fully capable organization yet. We’re trying to build somebody else’s airplane while we’re free falling from our own. We have a parachute, and we can land safely, but it is a bit of a challenge at times.”
Find out more about why experts like former NSA Director General Keith Alexander (Ret.), Mandiant CEO Kevin Mandia and others have joined The Cyber Initiatives Group, powered by The Cipher Brief
Read more expert national security insights, perspective and analysis in The Cipher Brief