Both nominations are historic, emphasized Sen. Gary Peters (D-MI). If approved, Inglis would be the first-ever national cyber director, while Easterly would be the first person in CISA’s three-year history to become director via a nomination process.
(Former CISA Director Chris Krebs became the agency’s first leader when it was formed in 2018 out of a predecessor organization for which he was undersecretary, and Brandon Wales rose to acting director when Krebs was ousted.)
These nominations also come at a critical time, as ransomware and other attacks lay low major food and energy firms and threaten national security.
“As a nation, we remain at great risk of a catastrophic cyber attack,” Easterly said during her opening comments.
Inglis’ experience includes decades at the National Security Agency (NSA), where he eventually became deputy director. Easterly is currently Morgan Stanley’s head of firm resilience and the Fusion Resilience Center and previously worked in counterterrorism for the federal government.
Senators presented no objection to the nominations, but questioned the candidates about their game plans for tackling ransomware and cybersecurity staff shortages as well as about how they envisioned their two agencies interacting.
COACH VS QUARTERBACK
Facing the prospect of a new cybersecurity position, several senators wanted to pin down what the difference would be between Inglis' and Easterly’s roles.
Inglis explained that he would manage the creation and adoption of a national strategy for making the cyber landscape safer and ensure federal agencies’ actions on cybersecurity are “coherent and unified.” He envisioned collaboration among players at all levels of government as well as deep engagement with the private sector — which so often becomes the target, as the recent JBS and Colonial Pipeline incidents underscore.
“The national cyber director occupies a highly visible position within the U.S. government, one that should be expected to offer a clear unified voice and public communications and advocacy,” Inglis said.
Easterly described CISA as the “quarterback” of a cyber defense team coached by the national cyber director.
While the FBI focuses on investigating incidents and pursuing perpetrators, CISA focuses on prevention and resilience. If confirmed, Easterly would be charged with reducing risk to digital and physical infrastructure, as the agency works to quickly share threat intelligence among public and private entities and provide general cybersecurity assistance.
RANSOMWARE AND CYBER RISKS
Responding to the increasingly high-profile ransomware threat will require a wide array of coordinated efforts to shore up defenses and impede attackers, Inglis said. Perpetrators are currently bolstered by everything from weaknesses in victims’ technology and a lack of cyber awareness at some targeted organizations to criminals’ ability to find safe harbor in certain countries. Mitigating the threat requires a cohesive effort to dismantle all of those supports.
Ransomware attacks have also demonstrated that the government can no longer expect market forces or “enlightened self-interest” to motivate critical infrastructure providers to elevate their own cybersecurity, Inglis observed, and thus the government will likely have to pass more standards and regulations.
“We should hold companies accountable not for paying ransom but for being in a position where they had to pay the ransom in the first place — for the failure to prepare,” Inglis said.
Easterly presented CISA as a resource for helping organizations achieve ransomware-thwarting levels of defense through the agency’s provision of threat intelligence, best practice recommendations and technological assistance.
Inglis also said partners should share their interpretations of events so that other entities have the context to fully understand and make use of the information.
“Information sharing is a very important dimension of public-private collaboration,” Inglis said. “But that often fails because all we do is share information. We don’t share perspectives. We don’t share what perhaps might be a hunch or an insight.”
WORKFORCE POWER
Difficulty hiring enough cybersecurity workers is a persistent problem, and one that may come front and center for Easterly, who said her first priority would be ensuring CISA has the staff, funds and authority to drive its work.
U.S. public and private organizations would have needed roughly 359,200 more cybersecurity professionals to protect their critical assets in 2020 than were available in the national talent pool that year, according to the (ISC)² Cybersecurity Workforce Study.
Sen. Alex Padilla (D-CA) pointed to this finding and added that the problem is exacerbated in the federal government due to struggles to retain professionals who are recruited.
For Inglis and Easterly, the solution to this issue is multifold. Inglis advised improving cybersecurity awareness in K-12 education to develop the talent pipeline, as well as reducing hiring requirement barriers that can block professionals who may, for example, have the right skills but lack a formal computer science degree. Easterly also advocated offering a wide variety of pathways into employment such as apprenticeships, internships and reserve programs.
Once new hires are in the door, organizations need to provide them with opportunities to feel the impact of their work and find long-term career opportunities, Inglis said.
“You have to look at this not as a one-off position but as part of a talent ecosystem, from recruiting to onboarding to integration, to training and certification, to rewards and recognition and promotion,” Easterly said.