In the fallout of several major cybersecurity incidents affecting both government and industry, three of the Biden administration’s leading nominees for IT and cyber positions say they’ll work from the same playbook to prevent and respond to cyber attacks.
Jen Easterly, President Joe Biden’s pick to serve as director of the Cybersecurity and Infrastructure Security Agency, would lead efforts to protect federal civilian networks from cyber attacks, and would work closely with Chris Inglis, the president’s pick to serve in a new role as National Cyber Director.
The White House’s pick to run the General Services Administration, Robin Carnahan, meanwhile, told the Senate Homeland Security and Governmental Affairs Committee the pandemic underscored the “importance and the fragility of our nation’s digital infrastructure,” and resolved to invest in IT modernization projects that improve public-facing services.
Carnahan added that expanded telework for the federal workforce is likely to stick around in some capacity after the COVID-19 pandemic, and would open the door to “creative, practical ways” to shrink the federal real estate portfolio.
“The pandemic changed the way all of us did business, and is really going to, I’m sure, cause agencies to rethink how they want longer-term to implement remote work and what the options are, and that’s going to impact their physical space needs,” Carnahan said.
Cyberspace Solarium Commission leaders Sen. Angus King (I-Maine) and Rep. Mike Gallagher (R-Wis.) introduced Inglis and Easterly, respectively.
Gallagher touted Easterly’s service on the commission’s cyber “red team,” as well as her role standing up the Army’s first cyber battalion. He said CISA, with Easterly at its head, would ensure federal agencies and the private sector “have the resources to detect, withstand and respond to cyber attacks.”
King said Easterly and Inglis’s nominations, in terms of their responsibility in overseeing federal cyber policy, carry as much status as the Defense secretary and the chairman of the Joint Chiefs of Staff.
“These are people who will be charged with defending this country in what is an ongoing and serious conflict,” King said.
To put it another way, Easterly said CISA would serve as the “quarterback” protecting federal civilian networks, and leading the federal response effort to major cyber attacks. The National Cyber Director, in this analogy, would serve as the head coach.
“The best quarterback, however, can’t win a game alone. Cyber must always be a team sport,” Easterly said.
Sen. Rob Portman (R-Ohio), however, continued to push for a better understanding of who would report to whom under a growing bureaucracy of cyber officials. To extend the football analogy, Portman asked: “Would Federal Chief Information Security Officer Chris DeRusha be a running back on the federal cyber team? Would that make Deputy National Security Adviser Anne Neuberger a linebacker?”
“All joking aside, I think we have a real opportunity here, with real experts coming into these jobs, to be able to be sure we’re not duplicating efforts,” Portman said. “Frankly, without accountability, no one’s in charge. If everyone’s in charge, no one’s in charge.”
Inglis said his new role would “create coherence, unity of effort [and] unity of purpose across what are already impressive deep and sharp capabilities within the federal enterprise.”
He said he would also identify and fill any gaps in the administration’s cyber response, and make sure the federal cyber response is greater than the sum of its parts.
“I think that the premise for us, within the United States and like-minded nations, must increasingly be that if you’re an adversary in this space, you have to beat all of us to beat one of us. The National Cyber Director needs to make that true,” Inglis said.
Easterly said she would advance CISA’s dual responsibilities of defending federal civilian government networks from attacks, while also sharing “timely and actionable information” on cyber threats across a wide scope of organizations that includes the private sector. Increasing CISA’s reputation as the lead agency for cyber incident response, she added, would reduce duplicative efforts.
“Sometimes when there is a threat stream or a vulnerability, there will be multiple outreaches from different agencies and I think it’s incredibly important that the government is able to speak with one voice, and that there is coordination across the board,” Easterly said.
Given a rise in ransomware attacks, Inglis said it’s “not appropriate” for companies to pay ransoms to resolve these attacks, but said the current environment leaves some organizations with few good options.
“Unfortunately, we get into a place where that is the only thing that is feasible to save lives or to bring back critical kinds of capabilities … We need to attack the problem as a system, make it such that we’re a hard target,” he said.