Recent reporting revealed the departure of Chris Inglis as President Biden’s National Cyber Director, the first individual to occupy the position. Inglis assumed the position 17 months ago, boasting a 28-year career at the National Security Agency in a variety of the agency’s mission areas before ending up as its top deputy. The President created the position and selected Inglis shortly after the Colonial Pipeline attack that crippled an important piece of critical infrastructure. Since then, the position has been focused on cyber policy issues and integrating the role into “existing cyber oversight structure.” Based on his brief tenure in the role, Inglis’ major contribution, besides providing legitimacy to the position, was his instrumental involvement in formulating the National Cybersecurity Strategy, expected to be published shortly.
There is much anticipation over the release of the Strategy, which aims to be more aggressive in shifting responsibility to organizations and unshackling law enforcement and intelligence to conduct operations against hostile actors and their networks. In February 2022, Inglis wrote an article in which he advocated for public and private institutions to assume the lion’s share of cybersecurity accountability, as well as enhanced and more robust public-private information sharing, a commonly heard clarion call by government officials. But what’s commanding attention is the increased focus on offensive actions as a means to bolster defensive efforts. If this is indeed in the new Cybersecurity Strategy, it marks an emphasis on proactively taking the fight to hostile actors, a clear signal that the United States will no longer be reactive to the more egregious cyber incidents but seek to stop potential attacks at their sources.
But the departure of such an experienced cyber individual leaves a vacuum. His deputy Kemba Walden appears well poised to be the next National Cyber Director, although individuals like Jen Easterly have equal bona fides to assume the position. Walden formerly served as an Assistant General Counsel in Microsoft’s Digital Crimes Unit and served with the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Easterly’s prominent background in cybersecurity makes her a worthy choice as well, having helmed Morgan Stanley’s Cyber Fusion Center before assuming directorship of CISA. While both have very similar backgrounds, it appears likely that Walden will be nominated for the role, and she has secured Inglis’ recommendation. Moreover, as Inglis’ deputy, Walden is best positioned to implement the yet-to-be-released National Cybersecurity Strategy when it is finally published.
The person who assumes the role will give cyber watchers some insight into how the United States will pursue cybersecurity for ostensibly the rest of Biden’s term as president, whether it is two years or six. If the contents of the Strategy are as many have hypothesized based on Inglis’ comments, the United States is shaping its future cybersecurity efforts on two principles: offense and defense. The latter checks the boxes of traditional cybersecurity practices and concerns such as the focus on securing our most critical infrastructures, increasing industry and private/public collaboration among stakeholders, and more individual organizational responsibility, while the former is clearly a nod toward attacking the enemy, no matter what defense terminology is associated with these activities.
While the adage “the best defense is a good offense” seems to have validity on the sports field, it’s completely different in cyberspace, where adversaries have the luxury of maneuver, resiliency, and obfuscation. A takedown of infrastructure may not amount to anything more than a temporary pause in operations, while affording the bad guys a glimpse of how they are being tracked. The new National Cyber Director will have the responsibility of being the front person for these defense-forward operations, as they are intertwined with the cyber defense of the nation. As the Administration’s main cyber advisor and ostensible owner of the new cyber strategy, successes as well as failures will invariably fall into this individual’s lap, and while the U.S. Cyber Command has boasted of the success of such operations leading up to the midterm elections and now in Ukraine, this may not always be the case. No doubt adversaries will adjust to what’s been happening, and perhaps even offer their own versions of hunt-forward operations in an effort to expose U.S. practices.
Recently, an article suggested that the volunteer cyber army that is supporting Ukraine may provide a blueprint for the defense of countries in the face of hostile cyber attacks, advancing the narrative of attack as a form of defense through willing and capable hacktivist proxies. However, there is another side to this coin that sees nationalistic or even just for-hire sophisticated gangs and criminal elements uniting to support the attacking state. Such an effort would be more organized than what’s been transpiring in Ukraine, encouraging states to provide the necessary material and fiscal resources to make them a more formidable presence. This would not reduce the amount of activity but escalate it, allowing irregular forces to operate independently of or with state actors. This does not seem to be an optimal situation.
Kemba recently said that the Strategy will hopefully be published soon but underscored that any strategy was only as good as its implementation. Based on the increased funding for CYBERCOM-led hunt-forward operations outlined in the 2023 National Defense Authorization Act, it’s pretty clear that the “offense” part of the Strategy will be well supported. But what about the defensive part? The Government Accountability Office (GAO) is reviewing a list of outstanding cyber security recommendations that it has been making for years, and found that of the 335 made since 2010, more than half (190) had not been implemented. This raises the question of how seriously federal agencies were taking cybersecurity, and whether they weren’t just doing the bare minimum, kicking the more difficult security considerations down the road.
It will be interesting to see if a new Strategy coupled with a new Cyber Director will translate into better cybersecurity for the United States. The desire to attack our adversaries at their source is clearly driving the direction in which the U.S. wants to head, a reality helped by geopolitical conflict that could extend into other troubled regions of the world. And while such operations may see some results, the true test of effectiveness will be a couple of years down the road when the cyberspace ecosystem adjusts and recalibrates. Because if the GAO report is any indication, the U.S. has been slow to embrace what it takes to better fortify its cyber defensive posture. If cyberspace continues to deteriorate into a more hawkish environment, actors of all types will be prone to targeting entities that had been considered off limits just a few years earlier.
And the U.S. may not have enough hunt-forward to stop them all.