Ransomware was a main focus of concern during a committee nomination hearing today for Chris Inglis to be the nation’s first-ever national cyber director. Amidst a rising number of recent attacks, Inglis detailed how he would deal with the threat of ransomware while also explaining how he would approach building the nation’s cyber policy and approach collaboration if confirmed.
Inglis appeared before the Senate Homeland Security and Governmental Affairs committee June 10 to have his nomination considered, alongside nominee for CISA Director, Jen Easterly, and nominee to lead GSA, Robin Carnahan. The three figures would be frequent collaborators if confirmed.
“While the position of national cyber director may be new, I am mindful that the team I would join, should I be confirmed, is one that is already on the field, impressively diverse and broadly engaged,” Inglis said in a prepared opening statement. “It is a team that includes public servants at federal, state and local levels, and private sector professionals whose collective efforts build, operate and defend the digital infrastructure upon which the delivery of critical services increasingly depends.”
“I am particularly pleased to be able to testify alongside Jen Easterly, the prospective director of CISA, and Robin Carnahan, the prospective administrator of GSA. Should we be confirmed, our collaboration will be an important element of any Federal cyber strategy going forward,” he continued.
The national cyber director position was created by Congress in the Fiscal Year 2021 National Defense Authorization Act (NDAA). If his nomination is approved by the Senate, the 28-year veteran of the National Security Agency will develop a national cyber strategy and become President Biden’s senior advisor on cybersecurity and other emerging tech issues.
Inglis – who has served in the cybersecurity sector and as a commissioner for the National Cyberspace Solarium since his retirement in 2014 – said that as national cyber director he would look to make Federal cyber capabilities and resources available for the private sector to help “systematically attack the system that today is the scourge known as ransomware.”
“When you think about how that system works, there are weaknesses in our technology and oftentimes in the knowledge of the people who are on the frontlines,” Inglis said. “There are sanctuaries that give safe harbor to transgressors, and there are other transgressors who need to be dealt with.”
Ransomware has been a main topic of concern on Capitol Hill this week, with the CEO of a recent ransomware attack having already appeared before both this committee and its House counterpart to discuss the attack. Inglis said fighting back against ransomware will take collaboration across the Federal, state, local, and private sectors.
“There are a great many things that we need to knock the legs out from under [attackers] that will require a team effort,” Inglis said. “The national cyber director has to ensure that there is in fact a strategy that connects all those pieces that is being implemented in a concurrent, unified way such that we might take this down.”
Cyber Director the ‘Coach’
In explaining how she sees the CISA director working with the National Cyber Director, Easterly described that she views CISA as the “quarterback” of the nation’s cyber response, while Inglis would serve as the “coach” in the effort to secure the nation from cyber threats.
“I see the national cyber director as a critical partner, essentially coach of the team responsible for overseeing the implementation of cyber strategy and policy and really bringing that sense of coherence and unity of effort to the Federal cyber ecosystem,” Easterly said at the hearing.
Inglis shared that view of the job and, in facing questions about how the nation can better secure itself from cyberattacks more broadly, Inglis said that the nation needs to create more resilience because cyberattacks will not “stop on their own accord.”
“It’s not a fire raging across the prairie that once it’s consumed the fuel that will simply stop and we can simply wait for that moment. We must stand in,” Inglis said. “We must create resilience and robustness not simply in technology, but in people. We must align actions to consequences; there should be benefits for behaving well and consequences of a negative sort for behaving badly.”
Inglis again touted the importance of collaboration in this effort, not just across public and private sectors, but internationally as well.
“We should make this such that it’s not simply a cyber-on-cyber problem,” Inglis said. “We should bring to bear all instruments of power in a hugely collaborative way across not just the private and public sector, but nations plural. Like-minded nations need to remove the sanctuary and bring to bear consequences on those who hold us in risk.”