National Cyber Director Chris Inglis said his nascent office will be focused on “doctrine and people issues” within the federal government, raising the collective floor of U.S. cybersecurity knowledge and laying the groundwork for longer-term investments in secure software and hardware.
While providing an update to the Information Security Privacy Advisory Board, Inglis said on Wednesday that his office — created through the 2021 National Defense Authorization Act — is still less than halfway through its initial hiring phase. The Office of the National Cyber Director currently has around 30 employees on staff, but that number is expected rise to around 85 when initial hiring efforts are complete.
It's taken some time to get the office up and running, Inglis said, noting he was "confirmed in June (2021), showed up in July, but the funding didn't show up until November."
"Often times there's this issue of [being] authorized, not appropriated, and we experienced that,” he told the board.
As it continues its hiring spree, the office will turn its focus to a number of short-term and medium-term goals to help bolster the nation’s collective cybersecurity. That starts with providing more “coherence” to the distinct roles and responsibilities among agencies within the federal government when it comes to carrying out different cybersecurity missions and engaging with the private sector.
To that end, Inglis said that his office will look to set up tabletop exercises in the near future to test the federal government’s response to different cybersecurity scenarios. Additionally, while Congress has given his office limited authority to review the cyber budgets of other agencies, he said he is seeking to “broaden that remit” to include assessments of the proper roles and responsibilities for staff, where and how dollars are expended and prioritized and make recommendations for more efficient resource allocation.
For too long, cybersecurity strategies have focused on addressing technological flaws or vulnerabilities at the expense of looking at the larger process that governs how they’re used. While some tend to think of cyberspace as “a pile, a body of technology,” Inglis said it is more instructive to look at the domain as the sum total of the underlying technologies, the individual choices made by the people who manage them and the overall organizational doctrine that spells out who is responsible for protecting what.
Over the medium term, the office will work to promote transparency programs in the software supply chain (like software bill of materials, aka SBOMs, and additional support for open source software developers), as well as improving basic cyber hygiene among the U.S. workforce.
While the immediate response to the Log4j vulnerabilities demonstrated the promise of the federal government bringing its collective resources to bear on a problem, it’s still largely a reactive model that doesn’t address the way many cyber vulnerabilities are introduced into the system in the first place. The ultimate goal is to re-orient the federal government’s broader approach to its investments — whether through individual procurements or broader programs like recently passed $1.3 trillion infrastructure law — towards products, solutions and processes that have security baked in.
Inglis said his office will also continue to work through strategies to improve the cybersecurity workforce both inside and outside the federal government. That includes not just speeding up existing hiring or retention policies around cybersecurity but reexamining them writ large, from the type of job requirements listed to overhauling education, training and outreach efforts in order to reach new and broader demographics.
They will also be executing a new strategy to promote upskilling the baseline cybersecurity knowledge of workers around the country who make use computers or software in their day-to-day jobs but “know less about what’s happening in cyberspace than they do about the management of a hot stove or crossing a busy street.”
“We have to make sure that from the earliest age on — we don’t necessarily need to make them all Python programmers, that would be nice but that we make them cyber aware.”