• Chris Inglis, national cyber director, discusses cybersecurity challenges with Suzanne Kelly, CEO and publisher, The Cipher Brief, at the 2021 Intelligence and National Security Summit.

National Cyber Leader Ponders Response Vectors to Cyber Adversaries

The Cyber Edge
September 14, 2021
By Kimberly Underwood

Changing cyber attackers' ‘thought calculus’ is high on his list to accomplish.

Eight weeks on the job, the national cyber director, Chris Inglis, is examining the confines of how to approach the cyber adversaries and nation-states conducting malicious attacks on the U.S. government, critical infrastructure and the private sector. The former deputy director of the National Security Agency and a member of that agency for 28 years, Inglis sees how the Russian government is not taking any action against perpetrators.

“I’d like to change the decision calculus of those who transgress in this space, whether it is nation-states who harbor or allow in a permissive way the transgressions, or whether it is the criminals themselves that have been responsible for things like ransomware,” noted Inglis, speaking September 14 at AFCEA International and INSA’s 2021 Intelligence and National Security Summit in National Harbor, Maryland.

Inglis stopped short of calling for specific red lines or boundaries. “Red lines are both good and bad,” he stated. “Red lines are clear and crisp, and everybody knows where they are. And an adversary can say I'm going to come right up to that. If you go over that red line, there might be conditions in which the defender would say in the context of this crossing of the red line, that might not be a good idea. Let's take the payment of ransomware. It is the policy of the U.S. government not to pay ransomware, but I would imagine there's going to be a situation at some point in time where a hospital goes up against the Russian nation-state, not wittingly, not knowingly but they find that actual life and safety is at risk. If there's no other way to essentially kind of get that material back to get back in the business of saving lives and otherwise lives will be lost, we probably rethink whether that red line in that particular situation is the right red line.”

Instead of having hard thresholds and scripted responses, Inglis emphasized that it is better to say to a nation-state or an adversary, “These are the things we're prepared to defend, and these are the principles that will exercise the defense of those things,” he clarified. “We reserve the right and we commit to be able to defend the private sector when it's held at risk by a nation-state in cyberspace—as much as it entails risk in the kinetic space. And therefore, place an adversary on notice that you are in a dangerous place, so if you act in a certain way, you are in a dangerous place by your own commission.”

The director noted that approach may be “more helpful to changing their decision calculus” on whether to conduct a cyber attack.

Naturally, Inglis would want to retain “useful ambiguity” about when and where the government would act in protection of cyber assets. “Our actions aren't always going to be broadcast,” he stated. “Perhaps our actions should be felt by an adversary. They should know that they have just felt the hand of whomever.”

The director did cite the recent success of the digital currency seizure, following the ransomware attack on Colonial Pipeline. “We have the ability, the technical means in some cases to follow the money, and in those cases, we will seize it. There have been indictments that have been quite public. [But] is it robust enough, is it quick enough? Most of us would say not yet.”

The actions of Russia to interfere with U.S. elections remain a problem, in that they had lasting effects on the nation’s own confidence in its democracy—the Russian goal to create doubt.

“When you look at what the Russians were doing in 2016, 2020, I might argue that they probably didn't care as much about changing an actual vote as they cared about convincing us that they could or that they did,” the director suggested. “So, it is the doubt, the integrity of the result. And I'm with Chris Krebs. I think that the 2020 election was the most secure election conducted in this nation. But the mere fact that we had some doubt or that there is some lack of confidence universally across our population, that's an issue.”

Inglis does support the longtime idea of a sort of cyber Geneva Convention agreement to interdict cyber attacks on critical infrastructure, such as those that could impact the health and safety of citizens. Inglis cited a 2015 effort with the Global Group of Experts that created a declaration of cyber norms. “That doesn't have the same kind of degree of authority that a Geneva Convention might, but it describes the things that were deemed to be acceptable behavior and expected practices, i.e., don't attack critical infrastructure,” he explained. “Don't interfere with the legitimate activities of the CERT, cyber emergency response team, or interfere with the request for assistance by another nation. Those are good and thoughtful practices that like-minded nations should get their arms around. I do think that still has great merit. Whether that ultimately takes the shape of a Geneva Convention, depends upon whether we can muster the sort of confidence within this and other governments of that it is ready for prime time and that it will be enough right to dissuade [cyber actors].”

Inglis is taking direction from his boss, President Biden, and will start with a focus on the government’s cyber strength.

“The president has been crystal clear about what his priorities are in cyber, which is the government has a role to play in the defense of the private sector and the government has a role to play in assisting the private sector in defending critical infrastructure in particular and that the government has to get its own house in order first,” he stated. “We have to make sure that as we build and operate digital infrastructure, and as we do the things necessary on top of that to defend that, we operate with unity of purpose and unity of effort.”

“I'm optimistic, as much as I am sobered by the nature of the challenge, that we can make a difference,” he concluded.
