Biden's Nominees Face Questions Over Cybersecurity ConcernsSenators Asked Chris Inglis and Jen Easterly About Cyberthreats
President Joe Biden's nominees for White House cyber director and director of the U.S. Cybersecurity and Infrastructure Security Agency faced numerous questions from senators during their confirmation hearing Thursday, including how the federal government should respond to a recent spate of ransomware attacks and other cyberthreats to business and the nation's critical infrastructure.
See Also: Threat Briefing: Ransomware
If confirmed by the Senate, John "Chris" Inglis would become the nation's first national cyber director - a position created earlier this year by Congress - while Jen Easterly would be the first Senate-confirmed CISA director since November 2020. A formal vote to confirm the two has not been scheduled as of now (see: NSA Veterans Nominated for Top Cyber Posts).
Inglis and Easterly have extensive experience in government and both are veterans of the U.S. National Security Agency. If approved by the Senate, the two are expected to work closely with Anne Neuberger, the deputy national security adviser for cyber and emerging technology, to tackle a range of cybersecurity issues as well as concerns that the federal government's infrastructure needs to be updated and modernized to counter threats such as ransomware and nation-state hacking campaigns.
During Thursday's hearing before the U.S. Senate Homeland Security and Governmental Affairs Committee, Inglis was introduced by Sen. Angus King, I-Maine, who co-chaired the Cyberspace Solarium Commission, which recommended creating the cyber director's role. King noted that cyberthreats should change the way the U.S. thinks about national security and that more coordination and resources are needed.
"We think of conflict in terms of armies and battleships and air forces, but we're really now talking about how the frontlines of this conflict can take place anywhere - in a server farm, on Wall Street, in a pipeline company or an electric company or a water service utility. Really, anywhere in America," King said.
During Thursday's confirmation hearing, Inglis noted that one of his first duties would be to help define the role of White House cyber director and to ensure that there is coordination among various agencies that have responsibility for cybersecurity, including CISA. He added that the federal government must also take responsibility for improving its infrastructure.
"Given those realities, we must ensure that our technology is built and deployed with security foremost in mind, and that the supply chains that support them are free from security risk, and that our people are cyber literate, and that the roles, responsibilities and accountability are sufficiently well-defined, and that we remove the fissures and seams and cyber defenses that offer adversaries opportunities to find and exploit weaknesses," Inglis said.
Ohio Republican Sen. Rob Portman, who is the ranking member of the committee, asked about duplication of duties between CISA, the national cyber coordinator and Neuberger in her role on the National Security Council. Both Inglis and Easterly committed to coordinating with other agencies and preventing overlap.
During her opening remarks, Easterly noted that the federal government needs strong cybersecurity leadership to tackle the issues the country faces.
"Even as we contend with billions of daily intrusions against our networks by malicious actors, I believe that as a nation, we remain at great risk of a catastrophic cyberattack," Easterly said.
When asked by Sen. Josh Hawley, R-Mo., if private companies, especially those that oversee parts of the nation's critical infrastructure, are doing enough to bolster their cyber defense, Inglis noted that more government regulation is likely needed.
"There are generally three ways that [cyber] standards can come about. One is enlightened self-interest; that's apparently not working. The second is market forces; that's apparently not working. And the third is some imposition of standards or regulations," Inglis said.
During questioning about election interference from nation-states, Easterly said that she wants to continue with many of the same programs that CISA initiated in the runup to the November 2020 election.
"If I'm confirmed, I would take a very hard look at that effort to see what CISA's role can be and should be in [combating] misinformation/disinformation. And I would also want to make sure that CISA continues to be seen as a nonpartisan and apolitical agency in all of the actions that it takes," Easterly said.
The nominations of Inglis and Easterly come at a time when the White House is looking to fill several key cybersecurity leadership positions within the administration as the country has faced numerous cyberthreats over the last six months, ranging from the SolarWinds attack disclosed in December 2020 to the more recent ransomware incidents involving Colonial Pipeline Co. and the meat producer JBS.
If confirmed as national cyber director, Inglis will have oversight over the defense of federal networks and infrastructure as well as the cyber budgets of various agencies. The position, however, will not involve offensive cyber activities, which will remain with the National Security Council and U.S. Cyber Command.
The conformation of Inglis would also reestablish the cyber director role within the White House, which had been created by the Obama administration and then eliminated by former President Donald Trump in 2018. Afterward, lawmakers sought to recreate the position again with greater authority but also making it subject to congressional oversight.
At the same time, CISA has been without a Senate-confirmed director since November 2020, when Trump fired Christopher Krebs following the U.S. elections. Since then, Brandon Wales has served as acting director (see: InfoSec Community Supports Krebs After Ouster From CISA).
Inglis is an Air Force veteran and retired brigadier general with more than 40 years of experience in the federal government. He worked at the NSA for 28 years - including nearly eight years as the senior civilian leader and deputy director at the agency under both the Bush and Obama administrations - before stepping down in 2014. He currently works as a managing director for the Paladin Capital Group.
Easterly retired as an Army intelligence officer in 2011 and then was named as deputy for counterterrorism at the NSA. She later served on President Obama's National Security Council staff. After leaving the government, Easterly worked as Morgan Stanley’s head of firm resilience and oversaw the company's fusion resilience center.
While in the Army, Easterly worked with Gen. Keith Alexander, who was then director of the NSA, to help establish U.S. Cyber Command. She also worked with Paul Nakasone, who is now a four-star general and the head of both Cyber Command and the NSA.