Office of the National Cyber Director Engages Initial Strategy
One of the early efforts of the national cyber director is to tackle how to strengthen the critical infrastructure of the United States. The key to approaching that overwhelming task is to drive coordination across the federal government and the critical sectors, and to identify the crucial subelements that connect each component, versus trying to protect all sectors at once, which is not quite possible, explained Christopher Inglis, national cyber director, speaking at AFCEA International’s TechNet Cyber conference in Baltimore on October 27.
Inglis has a clear vision of where to take the new office, its roles and the partnerships it needs to develop. The director presented his strategic intent the next day, identifying how he intends to execute the responsibilities of the White House’s cyber office.
Inglis also announced via Twitter the addition of Chris DeRusha as the Office of the National Cyber Director's (ONCD's) new deputy national cyber director for federal cybersecurity. DeRusha will be dual-hatted; in addition to his new role at ONCD, he will remain the Office of Management and Budget’s chief information security officer (CISO).
“We are excited to see how Chris’s dual designation as federal CISO at [OMB] will improve federal coherence in the cyber domain,” Inglis stated.
As part of the strategic intent, Inglis set the tone for what he wants the office to strive for on behalf of the American people. He wants the nation to be able to safely use and rely on the digital world. “To be sure, there are serious challenges to be overcome in cyberspace—but a vision of what we affirmatively want cyberspace to be for, will be critical to get us there,” the document stated.
He told the AFCEA audience that federal intervention is clearly needed, given the scope and scale of the adversaries’ actions.
“From 2017 forward we've seen an increasingly brazen, audacious, impactful series of attacks propagated not by persons who live in other nations but by nation states: Russia, North Korea, China come immediately to mind, Iran comes in from time to time,” he explained. “What we have found is you don't need to be the target to be the victim, and this can have a sufficiently strong impact on your personal, business or national security dimension, so that it becomes borderline existential, and that the adversaries, the transgressors in this space are undeterred across anyone's definition of a red line.”
The latest phase of attacks, which Inglis calls the third wave, “now holds confidence at risk,” he said. “We no longer have the same confidence we once did about whether these critical systems will be there for us when we need them.”
At the heart of Inglis’ role is identifying clear roles for who does what across federal cybersecurity. Inglis intends the ONCD to be a beacon for national-level cyber coordination. The ONCD pledges to champion federal coherence of cyber policies and activities; improve public-private cyber-related collaborations; and align cyber resources.
“Ultimately, these efforts mean being purposeful about understanding and overcoming obstacles to cooperation and collaboration, getting the best information into the hands of those who need it, and ensuring all stakeholders—public, private and international—are able to act on it as fast as possible,” the strategic document noted. “We must ‘crowdsource’ our ability to identify and stop transgressors in much the same way they crowdsource their exploitation of us.”
The ONCD will work closely with other White House offices, the National Security Council, the Office of Management and Budget, the Cybersecurity and Infrastructure Security Agency (CISA) and CISA risk management agencies and other government stakeholders.
On a national level, the ONCD will drive coordination of cyber-related programs; for the federal government, ONCD will support departmental and agency cyber resourcing. The office plans to assist in promoting a more secure digital supply chain of trusted equipment.
Regarding planning and incident response, the office will ensure federal reporting and responses are “integrated, prepared and practiced in protecting against, detecting and responding to malicious cyber activity across government networks and critical infrastructure,” the strategic intent indicated. To aid the cyber workforce, the ONCD will enable cyber career pathways for both the public and private sectors.
In addition, the ONCD will work with Congress and the private sector “to inform and drive initiatives that depend on the expertise, authorities and resources of all parties,” the document stated.
“We are accountable to report to the Congress about where the cyber dollars are, to what purpose, to what end game they've been expended,” Inglis explained to the TechNet Cyber audience. “We will take a slightly broader kind of interpretation of that to talk about all cyber resources, whether it's people or doctrine, authorities or dollars, and try to give an account of whether we've got the right strategy and whether it's achieving the right ends.”
One early area of the ONCD’s focus is how to improve the cybersecurity of critical infrastructure. With 16 designated critical industries, the need is overwhelming.
“If we were to say that there are 16 critical infrastructures ... and if we were then to further imply that everything inside of every one of those 16 critical infrastructures should be defended with equal fealties, we find ourselves pretty quickly exhausted,” the director concluded. “That simply can't be done. And therefore, either you prioritize inside those sectors to say, ‘This is most important to least important,’ or you do something I think that is considerably more thoughtful, which is to figure out what the connective tissue is between those sectors that creates the critical functions that we care about.”
Efforts are underway, Inglis said, to identify those connecting elements, the specific subcomponents that the most critical activities depend upon. “That makes great sense and we're actually engaged in that activity to try to figure out how to do the horizontal so that we can then prioritize the verticals,” he offered.