National Cyber Director Chris Inglis speaks at a hearing with the House Committee on Oversight and Reform in the Rayburn House Office Building on November 16, 2021 in Washington, DC. Inglis argued this week that federal government can't simply centralize authority to a single entity. (Photo by Anna Moneymaker/Getty Images)

In Washington D.C., coordination has been the name of the game in recent years when it comes to cybersecurity.

Policymakers have worked feverishly over the past few years to establish formal relationships between the private sector and government, elevate the authorities of agencies like the Cybersecurity and Infrastructure Security Agency and even created a new position, the national cyber director, to lead national coordination of cybersecurity policy.

Sen. Angus King, I-Maine, a commissioner on the Cyberspace Solarium Commission and a proponent of creating the office, has often said that as a legislator, he was looking for “one throat to choke” when there's a damaging breach or breakdowns occur in federal cybersecurity policy.

But Chris Inglis, the first official nominated to that position, argued this week that cybersecurity is too dynamic and far-reaching to place at the feet of a single individual or entity. Particularly a government agency who must manage a technological and critical infrastructure landscape that is mostly private owned.

“A favorite question in Washington essentially runs like ‘well, given that there’s all these creatures in this space, who’s in charge?' And the thinking is that perhaps this is hierarchical – a stovepipe unto itself  – and we can essentially subordinate all of them to some kind of overlord and we can get this right because someone is actually calling out the orders, the script, moment by moment,” said Inglis Tuesday at the Global Privacy Summit in Washington D.C. “It can’t work that way in the diversity of this space.”

Indeed, while Congress created the Office of the National Cyber Director in part out of a desire to centralize cybersecurity authorities, the office is still in the process of staffing up. Also, the position's statutory jurisdiction is limited to defensive operations and has only limited influence on the cybersecurity budgets of other agencies.

While the creation of the NCD and the elevation of agencies like CISA may reflect a desire by Congress to eliminate the stovepiped nature of cyber policy in government, Inglis stated that there “isn’t something inherently wrong with stovepipes.” Each agency and stakeholder just needs to be willing to collaborate with one another and bring their own specific expertise to the table when looking at a specific problem.  

Notably, Inglis gave a shoutout in his comments to the work being done by sector risk management agencies, or departments and agencies that have been designated as the cybersecurity leader within certain industries like financial services (Department of the Treasury), energy (Department of Energy) and water (Environmental Protection Agency). These agencies may look like stovepipes from afar but they also “speak the language of those sectors.” They also have the trusted day-to-day relationships with industry that allow for speedy collaboration in the wake of a cyber incident or longer conversations about how to manage risks in the digital space.  

As entities like CISA and the NCD have come on to the scene in recent years to take a larger role coordinating cybersecurity issues across the public and private sectors, some question where that leaves these other agencies. Last week, leaders on the House and Senate energy committees wrote to Secretary of Energy Jennifer Granholm urging her to ensure her department maintains its position as the cybersecurity lead for the energy sector  – even as CISA begins setting up its new incident reporting regime for critical infrastructure.

Padraic O’Reilly, co-founder of CyberSaint, which offers cybersecurity services to companies in the defense and energy sectors, told SC Media that while the Department of Energy has its own robust cybersecurity program, it’s not always clear from the outside who in government is responsible for what in cyberspace.

“I don’t know how much tooth there is in this sector risk management agency [concept]…I don’t see them front and center on some of this stuff as it comes out,” he said.

This chaotic environment was partly what inspired Inglis to write an op-ed last year calling for a new “cyber social contract,” one where businesses and governments recognize their shared interest and reliance in developing safe and secure technologies, then building the necessary policy frameworks for global supply chains, privacy and liability around that understanding.

While businesses, governments and other organizations have traditionally looked at “cyber” as a force multiplier, allowing them to communicate faster at scale or gain mine massive datasets for insights, Inglis argued in the speech that much of the technology used was not built or designed with security in mind. Responsibility for securing what we collectively call cyberspace (and all the real-world infrastructure it facilitates) has also historically been viewed as a singular one, he said, planted at the feet of each individual owner and operator of the assets in question.

But technology, Inglis added, is often last in the chain of weaknesses an adversary tries to exploit when they’re targeting a system. For years, criminal hacking groups and foreign intelligence agencies have exploited a chaotic, decentralized IT security environment and human error, to compromise not just individual organizations and their customers, but also their third-party providers, their governments and other victims.

“If you’re a transgressor in this space, you want to hold the things that are dependent on cyberspace at risk,” said Inglis. “You typically, classically go in reverse order: you first examine the doctrine, the roles and responsibilities: is there some weakness in that that I can take advantage of? And if we don’t know who is responsible for what, what our expectations, aspirations are of cyberspace now then we have no business worrying through the technology.

Technology is also often less important than the choices made by the people wielding it. With most breaches still beginning with a phishing attack, or lack of multifactor authentication, having a U.S. workforce that where everyone – from IT to executives to janitors – recognize that they play a part in their organization’s security.

“If we get those first two pieces right, then we can bend technology to that purpose.”