The first few months with a national cyber director will come with a learning curve — it's the first time the role has existed — but that's not what nominee Chris Inglis wants.
Today's security issues "transcend cyber," encroaching on economic fairness and legal perils, Inglis told senators during his nomination hearing before the Senate Homeland Security & Government Affairs Committee last week. The Senate confirmed Inglis as the NCD by voice vote Thursday. During the June 10 hearing, he spoke alongside Jen Easterly, nominee for director of the Cybersecurity & Infrastructure Security Agency (CISA), and Robin Carnahan, nominee for administrator of the General Services Administration (GSA).
While there are technicalities to sort out, the primary goal of the role is to fill a void in national cybersecurity strategy across agencies and sectors. The role is meant to evolve the nation's cybersecurity posture to become greater than the sum of its parts, combining a vast network which encompasses the federal and local governments, intelligence community, law enforcement, and the private sector.
The U.S. is confronting whether foreign competitors are operating fairly or in a way that evades U.S. standards for probable cause. "That then moves us to a higher level where the national cyber director would be expected to participate in the National Security Council," and issues that rise to the level of White House concern, said Inglis.
The current structure of coordinating among agencies and between sectors is "the question of the moment," and the reason why the NCD role was created, Inglis said. It is "not entirely clear" that today's methods or routines are coherent and operate with a single strategy.
Work to be done
President Joe Biden nominated Inglis in April. Inglis served as the deputy director of the National Security Agency (NSA), and is a distinguished visiting professor of cyber studies at the United States Naval Academy. He also served as a commissioner on the Cyberspace Solarium Commission (CSC), which recommended the NCD role in its 2020 report. The recommendation was adopted into law in the National Defense Authorization Act (NDAA) in December.
The NCD "would not direct or manage day-to-day cybersecurity policy or the operations of any one federal agency," and instead would principally serve as the president's advisor, according to the CSC. The NCD would work in concurrence with the president's national security advisor or national economic advisor.
Most importantly for the private sector, the CSC sees the NCD as the central coordinating force between contributors to cybersecurity, including the private sector and academia. The commission wants to see the NCD encouraging business leaders to engage with Information and Communication Technologies (ICT) standards forums, though Congress is discussing the idea of a joint collaborative environment, Sen. Angus King, I-Me. and co-chairman of the CSC, told reporters during a presser Wednesday. The environment would give a platform to real-time information sharing.
The current state of information sharing is weak. "We find that we disappoint one another," said Inglis, referring to the gaps in information sharing. Inglis wants to lower barriers of entry, and share information "at the lowest possible level, not after we have a well-formed idea," but when people can collaborate from the outset.
It won't be until the public and private sector find mutual benefits from information sharing that a cross-sector relationship will be self-sustaining.
Companies, particularly those with critical infrastructure, should designate a senior official for interacting with the government on cyber matters, Suzanne Spaulding, advisor to Nozomi Networks, member of the CSC, and former under secretary for the Department of Homeland Security, told Cybersecurity Dive in an email. Companies will have to establish the role as Inglis finds the voluntary nature of some industries' cybersecurity guidelines lacking.
"There are generally three ways that the standards can come about," said Inglis, including:
- Enlightened self interest
- Market forces
- Imposition of standards and regulations
The first two are "apparently not working," Inglis said, though acknowledging there have been steps toward regulations.
The Transportation Security Administration (TSA) last month issued a cybersecurity directive for the first time for the oil and gas industry. It will be a delicate balance between the public and private sector — being able to achieve unfiltered innovation while remaining compliant with standards, Inglis said.
"I'm a big fan of market forces as the primary way to essentially drive the economy," he said.
Because the private sector isn't "monolithic, you find great variants in terms of what influences" it, Inglis said. The "enlightened self interest" factor might arise when a business claims its digital infrastructure is an element of business, not a commodity. For businesses that are lagging, the government might need to apply more mandates.
The NCD "will have the responsibility to assure to the president and to the Congress that the federal cybersecurity strategy is the right one," said Inglis.
To support the office of the NCD, Biden allocated $15 million in his FY2022 budget proposal. If approved by Congress, the $6 trillion budget would provide $58.4 billion for IT, including $9.8 billion for cybersecurity at civilian agencies.
The timeline for Easterly's confirmation is unknown, but King does not want to see the office of the NCD and its ability to hire contingent on Congress' ability to pass the proposal.
"I'm hoping that we're going to be able to do some supplemental funding and not have to wait for the final budget" by the fall, King said. Whether or not the budget proposal passes and impacts the office of the NCD is a fair question, he said: "We're trying to get that sorted out right now."
Editor's note: This article has been updated to reflect that the Senate confirmed Chris Inglis' nomination Thursday.