WASHINGTON: The US must retake the initiative on cyber, the person likely to be the first White House national cyber director told Congress today.

“The pace of events and our adversaries deny us the luxury of biding our time before we seize back the initiative that for too long has been ceded,” Chris Inglis told the Senate Homeland Security and Government Affairs committee.

The national cyber director should “create coherence, unity of effort, and unity of purpose” across government and the private sector to combat cyber adversaries.

Asked specifically about ransomware threats, Inglis said the cyber director needs to be an “advocate and connector” of various cyber capabilities across the public and private sectors in order to “systematically attack” the components that make ransomware possible — from adversaries’ technical capabilities to the countries that harbor cybercriminals and the financial ecosystem that enables them.

“There are a great many things we need to knock the legs out from under, and that will require a team effort,” Inglis said.

“I think that the premise for us within the United States and likeminded nations,” Inglis said, “must increasingly be that, if you’re an adversary in this space, you have to beat all of us to beat one of us. The cyber director needs to make that true.”

Inglis, an Air Force veteran who was also deputy director of the NSA, was nominated by President Biden and has been strongly endorsed by Sen. Angus King, who co-chaired the Cyberspace Solarium Commission. The commission recommended creating the White House job, which was formally established in the 2021 National Defense Authorization Act.

“America is under attack. We are under under attack. [Cyber] is one of the most serious conflicts, one of the most serious challenges this country has faced in the post-WWII period,” King said as he introduced Inglis. King echoed earlier statements urging the US to “reimagine conflict” to entail elements beyond kinetic warfare.

“If the past year has taught us anything, it’s the obligation we have as leaders to anticipate the unimaginable,” Jen Easterly, Biden’s nominee to take over CISA, said at the same confirmation hearing, echoing the 9/11 Commission’s finding that the US government experienced a “failure of imagination” in anticipating the 9/11 attack.

“I believe as a nation we remain at great risk of a catastrophic cyberattack,” Easterly said. Easterly is an Army veteran who also spent part of her government career at NSA.

Inglis said the cyber director must ensure the US secures technologies, addresses supply chain risk, improves US citizens’ cyber literacy, and closes “the fissures and seams in cyber defenses that allow adversaries to find and exploit cyber.”

The last bit alludes to what CYBERCOM and NSA Gen. Paul Nakasone has called “gaps” in US cyber defenses.

The 2021 NDAA defines several specific responsibilities for the director, Inglis noted, to include:

  • Spearhead a unified federal effort on cyber;
  • Develop and implement a national cyber strategy;
  • Coordinate federal civilian budgets, policies, and plans;
  • Foster public-private collaboration; and
  • Improve resilience, robustness, and defense of cyber systems.

“The primary purpose of the national cyber director must be to add value, coherence, leverage, and connection to all [federal and private sector cyber defense] pieces and to identify, when necessary, when something is missing to ensure that the national strategy and the implementation of that strategy ultimately creates a coherent effort,” Inglis said.

Meanwhile, Easterly said she sees CISA’s role as “quarterback” in protecting domestic networks, while the cyber director is “essentially the coach of the team, responsible for overseeing the implementation of cyber strategy and policy and really bringing that sense of coherence and unity of effort to the federal cyber ecosystem.”

This includes, she said, CISA providing technical assistance, threat information, guidance, and the educational resources to ensure that federal, state, and local governments, as well as the private sector, are prepared to defend themselves in this “very complex cyber environment.”