The Washington PostDemocracy Dies in Darkness

The Cybersecurity 202: The U.S. government is getting closer to having a national cyber czar

Analysis by
Anchor of The Cybersecurity 202 newsletter
June 10, 2021 at 7:37 a.m. EDT

with Aaron Schaffer

Congress is getting closer to confirming the first-ever national cyber director as the government lurches from one cyber crisis to the next. 

President Biden’s nominee for the post, Chris Inglis, is facing a confirmation hearing this morning before the Senate Homeland Security and Governmental Affairs Committee — the first step in what is likely to be an easy path to confirmation. 

If confirmed, he will be immediately responsible for some of the biggest cyber challenges ever to hit the government, including recovering from a massive Russian theft of data and a scourge of ransomware attacks against vital U.S. infrastructure. 

“He’ll be putting his boat in the middle of the rapids and immediately need to start paddling or get submerged,” Suzanne Spaulding, a top cybersecurity official during the Obama administration, told me. “On the plus side, in the middle of a crisis there’s an opportunity to get people on the same page. They tend to be ready to put all the jurisdictional tensions on the back burner and roll up their sleeves.”

Inglis comes to the job after a nearly three-decade tenure at the National Security Agency, including as deputy director. Since leaving the NSA, he’s taught at the U.S. Naval Academy and served on the boards of FedEx and Huntington Bancshares.

If confirmed, his job will be to ride herd on a half-dozen government agencies with vital cybersecurity roles that haven’t always worked effectively together.

“It’s almost impossible to overstate the seriousness of this [cybersecurity] risk, which is growing day by day, and the importance of a totally coordinated response,” said Sen. Angus King (I-Maine), who will be introducing Inglis at the hearing. 

Congress created the national cyber director job in October after years of concern the government’s cyber policies were disjointed with no single person in charge. 

Creating the role was essentially the top priority for the congressionally led Cyberspace Solarium Commission, which issued its report last year with 75 recommendations to overhaul government cybersecurity. King co-chaired that commission with Rep. Mike Gallagher (R-Wis.). Inglis was a commission member, as was Spaulding. 

“We genuinely need a unified, one-team approach to cyber. We need someone who’s conductor of the orchestra,” said Frank Cilluffo, another Solarium commissioner who was a White House cybersecurity official during the George W. Bush administration and now runs Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security.

Inglis’s job will include coordinating cyber defense for civilian agencies across the government and reviewing those agencies’ cyber budgets — a mammoth task as the agencies struggle to secure their systems in the wake of the Kremlin-backed SolarWinds hack.

He will also probably play a major role as the administration struggles to combat a wave of ransomware attacks that increasingly threaten national and economic security.  

This was [the type of] scenario we envisioned [on the Solarium Commission] where you really need a strong coordination led by the White House,” Spaulding said. “When you’re in a situation like this, it’s all hands on deck and everyone needs a common situational awareness.”

Inglis won’t oversee policy for offensive hacking done by the military and intelligence agencies, which will be managed by Anne Neuberger, deputy national security adviser for cyber and emerging technology, another NSA veteran.

Cyber experts are pushing for a quick confirmation. 

“Chris Inglis is the exact right person to become our nation’s first national cyber director, a position that I’m so proud to have helped create,” Rep. Jim Langevin (D-R.I.), another Solarium commission member and co-founder of the Congressional Cybersecurity Caucus, told me. “There is no one better prepared to coordinate the federal government’s cybersecurity policy and navigate the many cyber challenges that we’re currently facing.”

Chris Krebs praised Inglis and Jen Easterly, a White House and NSA veteran who's also facing a confirmation hearing today to run the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency. Krebs ran that outfit during the Trump administration. 

“We’re fortunate to have enormously talented professionals like Jen and Chris volunteer for public service (again)," Krebs told me. “They each bring a relevant blend of experience — both technical and operational, public and private — and are exactly what we need right now when things seem as bad as they’ve ever been.” 

Former president Barack Obama created a similar White House post during his tenure, but with somewhat more limited authorities. 

The officials who served in that job, Howard Schmidt and Michael Daniel, helped shepherd the administration through cyber crises, including the Office of Personnel Management breach of tens of thousands of highly sensitive security clearance forms and Russian interference in the 2016 election. 

But former president Donald Trump discontinued the role in 2018. Since then, cybersecurity has mostly been managed in a patchwork fashion between the White House, intelligence agencies and the Homeland Security and Justice departments.  

The confirmation hearing begins at 10:15 a.m. You can watch it here.

The keys

Biden revoked Trump’s bans of TikTok and other Chinese apps, replacing them with a new security review.

The executive order Biden signed could prompt fresh steps to restrict the apps, Jeanne Whalen and Ellen Nakashima report. After the government reviews the apps, it can choose to “take action, as appropriate,” the Biden administration said in a fact sheet.

“The administration is extremely committed to ensure protection of Americans’ data from foreign at-risk apps across the board … including large and popular apps,” a senior administration official said. “I think there are a wide range of actions that can be negotiated or imposed to ensure Americans’ data can be comprehensively protected.”

Colonial Pipeline’s CEO doubled down on defending his decision to pay a ransom to a hacking gang.

Colonial chief executive Joseph Blount decided to pay the ransom because of the strategic importance of Colonial’s pipeline infrastructure and to “support the country,” he told the House Homeland Security Committee, Aaron Gregg reports. But lawmakers retorted that the cycle of ransomware payments will continue unabated unless hackers are deterred. 

Blount also pushed back during the hearing against the notion that the company has refused voluntary security reviews from the Transportation Security Administration, an apparent swipe at lawmakers. As The Post and other media reported, Colonial repeatedly delayed such a review because the company wanted to first complete a headquarters move. 

Rep. Bonnie Watson Coleman (D-N.J.) slammed Blount on that point during the hearing, saying “delaying these assessments for so long amounts to declining them, sir.” Blount said the TSA has scheduled a security assessment for the company in late July.

Here are other major takeaways from the hearing:

  • It took Colonial four days to tell the FBI that it paid the ransom to the hackers, Blount said. The company did not consult the FBI about paying the ransom because the FBI discourages companies from paying such ransoms, he said.
  • The decryption tool provided by the hackers “wasn’t actually needed at the time” because of computer backups and other measures, Mandiant chief technology officer Charles Carmakal said. Colonial hired Mandiant to help resond to the incident.
JBS paid hackers an $11 million ransom to help restore its meat processing operations.

The company paid the ransom after a majority of JBS plants were already back online, said Andre Nogueira, JBS USAs chief executive. The company made the payment to shield JBS plants from further disruptions and to limit downstream effects on companies and farmers who rely on its products, he said, the Wall Street Journals Jacob Bunge reports.

“It was very painful to pay the criminals, but we did the right thing for our customers,” Nogueira said.

Government scan

  • White-hat hackers found more than 230 digital vulnerabilities in U.S. Army technology systems during Hack The Army 3.0, according to the company that ran the project, HackerOne. Of those vulnerabilities, nearly half were rated high or critical. The results come five years after the Pentagon and the Defense Digital Service launched the U.S. government’s first program incentivizing hackers to find bugs in its public-facing software.

Global cyberspace

Qatar's Al Jazeera network says it combated cyber attack (Reuters)

Italy to set up cybersecurity agency ahead of national cloud plan (Reuters)

Securing the ballot

Secretive private donors have been key financial backers of a partisan election audit in Arizona.

Private groups, many of which are allied with former president Donald Trump, have paid for most of the audit in Maricopa County, which is taking place despite pushback from county officials who say the election was not tainted by fraud, the Guardian and OpenSecrets’ Sam Levine and Anna Massoglia report

The state’s GOP-run Senate, which authorized the recount, allotted just $150,000 for the effort despite having enough money to pay for the full investigation. At least $150,000 in funding for the effort has come from Voices and Votes, a tax-exempt group run by news anchor Christina Bobb, who works for the right-wing One America News, or OAN. The group is not “in any way” affiliated with OAN, Bobb told BuzzFeed News.

“It is wholly inappropriate that the Arizona state senate is hiding the mechanisms by which their sanctioned activity is being funded,” said former Maricopa County recorder Adrian Fontes. “The lack of transparency there is just grotesque.”

The firm Cyber Ninjas, which is overseeing the audit, has declined to say who is funding it outside of the $150,000 in state funds allocated by the Arizona Senate.

Cyber insecurity

Pipeline Investigation Upends Idea That Bitcoin Is Untraceable (New York Times)

Hackers force Iowa college to cancel classes for four days (Motherboard)

Privacy Patch

Amazon's Sidewalk, a neighborhood device network, is 'uncharted territory' for data privacy, watchdogs say (CyberScoop)

Chat room

TFW the Cybersecurity and Infrastructure Security Agency takes yesterday’s Chat Room and justanswers it.

Brianna Lennon, the county clerk of Boone County, Mo.:

Former CISA director Chris Krebs:

Daybook

  • FBI Director Christopher A. Wray testifies before the House Judiciary Committee today at 10 a.m.
  • The Senate Homeland Security and Governmental Affairs Committee holds a confirmation for Jen Easterly and Chris Inglis, Biden’s picks for director of the Cybersecurity and Infrastructure Security Agency and national cyber director, respectively, today at 10:15 a.m.
  • Rep. John Katko (R-N.Y.), the top Republican on the House Homeland Security Committee, discusses cybersecurity at an American Enterprise Institute event on Friday at 10 a.m.
  • Gen. Paul Nakasone, the director of the National Security Agency and commander of U.S. Cyber Command, testifies before a House Armed Services Committee panel alongside the director of the Defense Intelligence Agency, Lt. Gen. Scott Berrier, and Undersecretary of Defense for Intelligence and Security Ronald Moultrie on Friday at 11 a.m.
  • Senate Intelligence Committee Chairman Mark R. Warner (D-Va.) discusses cybersecurity and other issues at a Washington Post Live event on June 14 at 11 a.m.
  • House Homeland Security Committee panels hold a hearing on lessons learned from the U.S. government response to a ransomware attack on Colonial Pipeline on June 15 at 2:30 p.m.
  • Dustin Moody, the head of the National Institute for Standards and Technology’s cryptographic technology group, discusses the future of cybersecurity and quantum technology at a Center for Strategic and International Studies event on June 15 at 3 p.m.

Secure log off