At a joint nomination hearing for several positions Thursday, national cyber director nominee Chris Inglis was given the early task of explaining the role of the office which, if confirmed, he would be the first to head.
"If confirmed, you will be in a very challenging position of being the first national cyber director, your authorities have never been utilized and your role has never been performed, and many other leaders in government have cyber responsibilities as well," noted Chair Gary Peters, D-Mich.
"I am concerned about the overlap," said ranking member Rob Portman, R-Ohio, later adding: "I am concerned about the duplication, leading to a lack of accountability."
On the dais for Thursday's hearing alone were two nominees for cybersecurity positions in the federal government – Inglis for national cyber director and Jen Easterly for the new head of the Cybersecurity and Infrastructure Security Agency. Inglis and Easterly would join Anne Neuberger in the executive branch, who has taken on a newly created National Security Council position focusing on cybersecurity and emerging technology. The Transportation Security Agency was forced two weeks ago to utilize its sectoral cybersecurity oversight role to implement cybersecurity regulations for the oil and gas pipeline industry, which may inspire agencies like Agriculture, Energy and the EPA to take the reins of their allotted sectors as well. The growing ransomware threat has activated the departments of Justice and Treasury, and recent cyberespionage has engaged Cyber Command, the NSA and law enforcement.
Somewhere in the middle, Inglis will be asked to carve out a space for the national cyber director.
“What [the NCD role] really is pushing for is to create coherence, unity of effort, unity of purpose, across what are already impressive capabilities within the federal enterprise, and a partnership with the private sector where most of cyber gets built, operated, innovated, and defended,” said Inglis.
“So I think that the primary purpose of the National Cyber director must be to add value, coherence, leverage connection to all of those other pieces, and to identify when necessary when something's missing, and to ensure that the national strategy, and their implementation strategy, ultimately creates a coherent effort.”
The push to create the NCD position picked up steam last year when the Cyber Solarium Commission included the role as part of its recommendations: someone at the White House, in charge of coordinating the nation's cybersecurity interests. Under National Security Advisor John Bolton, President Trump eliminated the position of White House cybersecurity coordinator. By putting someone at that nexus point, Congress would have the benefit of “a single throat to throttle” in emergencies, as Senator and Solarium Commission co-chair Angus King has routinely worded it.
King introduced Inglis at the hearing, noting the grave need for cybersecurity leadership.
“America is under attack. We're under attack today,” said King, who went on to say the “two positions that we're really talking about today are the equivalent of the secretary of defense and the head of the Joint Chiefs of Staff.”
Like Inglis, Easterly’s nomination was a first. CISA has never had a traditionally nominated director before. Chris Krebs, the last and so far only confirmed head of the agency, had been appointed head of CISA before Congress elevated its importance to require confirmation.
Inglis and Easterly addressed several cybersecurity issues during their nominations, including the broad cybersecurity crisis that has impacted the private sector since last year through major espionage and ransomware campaigns.
Easterly was asked how her CISA would be able to strengthen the nation’s cybersecurity posture. She answered that the mission might be “very complicated,” but her main approach would be threefold: improving CISA’s workforce, ensuring CISA’s technical capacity, and bolstering its public and private sector partnerships.
“We know that CISA is really an agency of partnerships and its success is highly dependent on the quality of those partnerships, whether that's state and local, tribal, territorial; whether that's partnerships with DHS across the federal government or the very important partnership that it has with the private sector,” said Easterly. “So it is incredibly important to focus on resources, on visibility and on those partnerships, if I am confirmed.”
CISA’s ability to maintain those partnerships has recently been under scrutiny, after Colonial Pipeline did not call the agency directly during its ransomware crisis. Colonial did, however, call the FBI, which looped in CISA. Easterly told the Senate that CISA and the FBI working in tandem, without requiring separate notifications, was actually a sign that the government was working together rather than every agency going into business for itself.
Sen. Josh Hawley, R-Mo., said that the outbreak of cybersecurity incidents in critical infrastructure may require regulation to address.
Inglis and Easterly agreed that it may become a necessary option, with Inglis reflecting on three options for improving cyber posture.
"One is enlightened self interest; that's apparently not working. The second is market forces; that's apparently not working. And the third is some imposition of standards or regulation on top of that."