The White House this week picked two professionals for top cybersecurity posts who have substantial experience in handling cybersecurity matters from a national security and intelligence perspective. This could signal a shift in how the United States approaches the task of pushing back against repeated cyberattacks by Russia and China.
The Biden administration said it would nominate Chris Inglis to become the first National Cyber Director, a position inside the White House advocated by the congressional Cyberspace Solarium Commission. Jen Easterly was chosen to become the next director of the Cybersecurity and Infrastructure Security Agency, or CISA, which is housed in the Department of Homeland Security.
Their nominations come as the United States is still reeling from two large cyberattacks — one against SolarWinds by Moscow, and the other on the Microsoft Exchange server by Beijing. Both attacks have exposed multiple government agencies and hundreds of U.S. firms that were clients of the two software companies.
White House officials have said the administration is crafting executive orders that would address how to respond and likely include punitive actions against the perpetrators.
Inglis, a computer scientist with multiple graduate degrees, was a commissioner on the Solarium Commission and previously served as the deputy director of the National Security Agency, the country’s chief electronic eavesdropping agency. A graduate of the U.S. Air Force Academy, Inglis has commanded Air Force units. In addition to holding teaching positions and working with nonpartisan groups, Inglis is a managing director at the cyber investment firm Paladin Capital.
Easterly, a West Point graduate, served as an Army intelligence officer who was later involved in starting the U.S. Cyber Command, the chief military outpost for offensive cyber operations. She served as the senior director for counterterrorism in the White House National Security Council during the Obama administration. After leaving government, Easterly became the head of cybersecurity at investment banking firm Morgan Stanley.
If confirmed by the Senate, both nominees would bring a unique combination of national security, policy and technical expertise to their jobs unlike others who have held similar positions, said Jim Lewis, senior vice president at the Center for Strategic and International Studies.
“What you’re seeing is a shift from the technical community — people who were in the IT business — to people who know something about policy,” said Lewis, a cyber policy expert. “The main source of that is going to be the intelligence community,” Lewis said, speaking of people who have technical expertise as well as a background in foreign policy and national security.
Inglis and Easterly worked at the NSA under the agency’s then-director, Army Gen. Keith Alexander, who became the first head of the newly established U.S. Cyber Command in 2010.
Both nominees are likely to advocate a tough response to China’s cyberattacks, intrusions and espionage, and also to push back against foreign policy experts within the Biden administration who appear to be reluctant to get tough against Russia, Lewis said.
Some foreign policy specialists within the administration are saying, “‘Oh, if we do something back to Russia, they’ll be mean and we’ll be more vulnerable,’” Lewis said. With respect to China, business leaders in the United States appear to be equally worried about pushing back on Beijing’s cyber activities, he said.
In the internal debate about how forcefully Washington ought to act against Moscow and Beijing, Inglis and Easterly are likely to be key players, and to push back on objections about getting tough, Lewis said.
The two nominees also bring a deep understanding of sources and methods involved in gathering, use and analysis of intelligence information, as well as the dangers of not sharing information across different agencies, said Tom Gann, the chief public policy officer of security research firm McAfee.
“Those are huge assets even in roles where the principal focus may well be on defensive operations,” Gann said.
The officials are also likely to help the U.S. government at large understand the importance of tapping into intelligence and threat information that resides on so-called endpoints, or the final users of software and networks, Gann said.
In the case of the SolarWinds and Microsoft Exchange attacks, both of which were aimed at software middlemen or suppliers, the evidence of a breach might have been detected earlier if information from end-users’ computers had been better integrated into a national picture, Gann said.
Inglis and Easterly also bring knowledge of offensive cyber tools in the hands of the NSA and Cyber Command and how their use changes the behavior of attackers.
Infusing that knowledge in thinking about cyber defense would be helpful, said Frank Ciluffo, a member of the Solarium Commission and director of the McCrary Institute, a think tank about cybersecurity issues at Auburn University.
“For years now, offense has outpaced defensive capabilities,” Ciluffo said. “What we want to do is to bring some of those capabilities to the defensive side of the house.”