The onset of the Biden administration has brought big changes to the way cybersecurity roles and authorities are dispersed and coordinated throughout the federal government, and not just because of the usual turnover that happens when the White House switches parties.
Congressional legislation created a new national cyber director office at the White House and Chris Inglis was confirmed earlier this year. Meanwhile, Biden’s team named NSA Cybersecurity Director Anne Neuberger as their newly minted deputy national security adviser for cyber and emerging tech issues after the Trump administration eliminated the cyber coordinator position on the National Security Council.
That has created lingering questions about how the new cyber regime in Washington is set up, who is responsible for doing what and how each component can be empowered to operate freely while also cooperating smoothly with each other and the private sector.
At a Sept. 9 event hosted by the Reagan Institute in Washington, D.C., Inglis laid out the administration’s vision for how these different positions will interact.
“The good news is there’s plenty of opportunity, plenty of challenge to justify two or three or 10 roles,” Inglis said.
His full comments are worth highlighting as they touch on the many nuanced ways that the government can direct, influence or nudge cybersecurity policy and how that gives each official and agency space to operate:
“Anne Neuberger … and I have sorted [these roles] consistent with the statute and consistent with the National Security Council’s responsibilities, such that my responsibilities principally will be inside cyberspace, when we determine that there’s a problem to be addressed inside cyberspace and we have the means whether that’s been adjusting hardware, software, using the cyber capabilities of the federal government to address an issue that requires coordination, policy formulation by the national cyber director.
“But in the traditional fashion, when an issue inside cyberspace requires us to bring to bear other instruments of power — whether it’s diplomacy, law enforcement, maybe it’s a cyber-on-cyber issue and you bring the U.S. military or law enforcement into play — we have to adjudicate those concerns, those opportunities across the broader set of national security issues, and so Anne Neuberger will take the lead on that. And at the end of the day, there’s a huge intersection between those two roles, and we’ll work our way through that through frequent and rich engagement.
“I would just say that on the other end of the spectrum is the on-the-field quarterback, [CISA director] Jen Easterly … and most of the operations that the U.S. government undertakes that require some coordination in execution are actually Jen’s. So, similarly, I and Jen Easterly have a frequent and rich dialogue, often two or three times a day, to make sure that those roles complement one another and that we’re never contending for the same space.”
Inglis referenced two recent incidents that highlight the differing roles that he, Neuberger, Easterly and others play in the new order: the Colonial Pipeline ransomware attack and an incident "in recent weeks" where hackers gained access to a single federal agency's systems.
For the Colonial Pipeline incident, the government had to work through a range of both digital and real-world considerations. If the nation experienced a fuel shortage, how would the remaining supply be allocated or prioritized between the government and military, industry and local consumers? Should a response use diplomacy, offensive cyber operations, or both, to press the Russian government to respond to ransomware groups operating within its borders?
Those responsibilities would largely fall to Neuberger and the National Security Council. Meanwhile, Inglis and his office would oversee and coordinate many of the defensive cybersecurity responses managed by agencies like CISA, sector coordinating councils and industry, covering things like patching, mitigating or removing suspect hardware and software, and surging security resources in the wake of a significant cyberattack.
While sensitive to the argument that these cross-cutting responsibilities should be defined clearly enough for everyone to do their jobs, Inglis also pushed back on the idea that the delineations needed to be concrete, noting that many of these positions were created to increase coordination between federal entities, not further stovepipe them.
"I've got a limited set of tools and if I stop at my firewall, in terms of what I know and what resources to bear, I'm going to be less capable than if I actually partnered, if I actually collaborated with the thing to the left or right of me," he said. "Division of effort is, at the end of the day, an agreement to not collaborate, so we have to bring those walls down."
He also alluded to a cybersecurity incident that affected an unnamed federal agency in recent weeks to illustrate the role that agency-level executives play in the larger cybersecurity ecosystem when it comes to flagging incidents or anomalous behavior.
“Another event — I’m kind of not at liberty to say the details of this — but let’s say in the recent few weeks that an agency within the federal government experienced some event in cyberspace attributable to something that a transgressor did — got inside the system, began to do lateral movement inside that system,” said Inglis. “It’s clearly something that has to be addressed, but it’s entirely contained within that system.”
It’s not clear which incident he’s referring to, but a Fox News report on Aug. 21 cited an anonymous source claiming the State Department had been hit with a cyberattack and had been notified by U.S. Cyber Command.
The federal government has not confirmed those reports and Inglis did not mention State in his remarks, but he did say the National Security Council, which focuses on bringing all elements of federal power to bear on a problem, would not necessarily be leading or coordinating the federal response if the attack was limited to a single agency’s IT environment.
"At that point you would expect that the on-scene manager, the chief information security officer of that agency, to do what they should do, raise their hand and say I've got an issue over here on this edge of the enterprise," he said.