After releasing an op-ed with Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly last week that called CISA’s “Shields Up” campaign a new baseline for cyber defenses, National Cyber Director Chris Inglis said today that the cost of entry for cyber attackers is still too low to create stout deterrence.
Inglis explained the work that still needs to be done to secure the Federal cyber ecosystem, as well as some of the motivations behind the op-ed, today at the Information Technology Industry Council’s (ITI) Cyber Summit 2022.
In addressing concerns from the cybersecurity industry about CISA’s “Shields Up” campaign, and when those shields could come down, Inglis was clear: “we’ll never not defend ourselves in cyberspace.”
“The cost of entry for aggressors at this moment is still far too low for us to essentially assume ever that this is over,” Inglis said. “Therefore, we have to kind of study on and not perhaps on a flat-out basis, but on a thoughtful basis, continued forward defending ourselves.”
He said that the current landscape of defending against potential nation-state actors – who may conduct operations that bleed past the Ukrainian borders and into the infrastructure of the United States or North Atlantic Treaty Organization (NATO) allies – as well as other cybercriminals and ransomware groups, represents “an enduring threat at a high level.”
Inglis emphasized the importance of avoiding “collective complacency” in the cybersecurity sector, where multiple people or organizations recognize an issue but decide it is not their problem to fix.
“Organizations have roles, sectors have roles, governments have roles, but we need to make sure that we allocate the responsibility across all of those,” Inglis said. “As opposed to leaving it to that poor soul at the end of the whip chain, who – because no one else has brought down the risk – is at that moment in time facing up against a ransomware threat that they never, never thought they’d had to prepare for [and] that they have no basis to respond to.”
Inglis also said the Federal government will, at some point, look to create minimum cybersecurity components for commercial IT, similar to efforts taken to secure the aviation, automobile, and drug therapeutics industries.
“At some point in every one of those we have specified the remaining features which are not discretionary,” he said. “Air safety bags and seatbelts are in cars largely because they are specified as mandatory components of those automobiles. When you buy a car today, you don’t have to independently negotiate for an air safety bag or a seatbelt, or analog brakes. It comes built-in. We’re going to do the same thing – I’m sure – in commercial infrastructure that has a security-critical life-critical responsibility to play.”
“Now, [commercial IT is] so ubiquitous and so broadly spread it’s going to be harder to figure out in that case, what are the critical bits and pieces, but I think that we’re working our way through that at the moment,” Inglis said.