In the fallout of several major cybersecurity incidents affecting both government and industry, three of the Biden administration’s leading nominees for IT and cyber positions say they’ll work from the same playbook to make federal networks more resilient.
Jen Easterly, President Joe Biden’s pick to serve as director of the Cybersecurity and Infrastructure Security Agency, would lead efforts to protect federal civilian networks from cyber attacks, and would work closely with Chris Inglis, the president’s pick to serve in a new role as National Cyber Director.
The White House’s pick to run the General Services Administration, Robin Carnahan, meanwhile, told the Senate Homeland Security and Governmental Affairs Committee the pandemic underscored the “importance and the fragility of our nation’s digital infrastructure,” and resolved to invest in IT modernization projects that improve public-facing services.
Carnahan added that expanded telework for the federal workforce is likely to stick around in some capacity after the COVID-19 pandemic, and would open the door to “creative, practical ways” to shrink the federal real estate portfolio.
“The pandemic changed the way all of us did business, and is really going to, I’m sure, cause agencies to rethink how they want longer-term to implement remote work and what the options are, and that’s going to impact their physical space needs,” Carnahan said.
In updated reopening guidance released Thursday, GSA suggested agencies consider “untethering federal work from geographic locations” to improve mission delivery, as well as equity and inclusion.
Cyberspace Solarium Commission leaders Sen. Angus King (I-Maine) and Rep. Mike Gallagher (R-Wis.) introduced Inglis and Easterly, respectively.
Gallagher touted Easterly’s service on the commission’s cyber “red team,” as well as her role standing up the Army’s first cyber battalion. He said CISA, with Easterly at its head, would ensure federal agencies and the private sector “have the resources to detect, withstand and respond to cyber attacks.”
King said Easterly and Inglis’s nominations, in terms of their responsibility in overseeing federal cyber policy, carry as much status as the Defense secretary and the chairman of the Joint Chiefs of Staff.
“These are people who will be charged with defending this country in what is an ongoing and serious conflict,” King said.
To put it another way, Easterly said CISA would serve as the “quarterback” protecting federal civilian networks, and leading the federal response effort to major cyber attacks. The National Cyber Director, in this analogy, would serve as the head coach.
“The best quarterback however can’t win a game alone. Cyber must always be a team sport,” Easterly said.
Sen. Rob Portman (R-Ohio), however, continued to push for a better understanding of who would report to whom under a growing bureaucracy of cyber officials. To extend the football analogy, Portman asked: “What is the [federal] CISO, the running back? What’s the deputy national security adviser? Is that a defensive player, [the] linebacker?”
“All joking aside, I think we have a real opportunity here, with real experts coming into these jobs, to be able to be sure we’re not duplicating efforts,” Portman said. “Frankly, without accountability, no one’s in charge. If everyone’s in charge, no one’s in charge.”
Inglis said his new role would “create coherence, unity of effort [and] unity of purpose across what are already impressive deep and sharp capabilities within the federal enterprise.”
He said he would also identify and fill any gaps in the administration’s cyber response, and make sure the federal cyber response is greater than the sum of its parts.
“I think that the premise for us, within the United States and like-minded nations, must increasingly be that if you’re an adversary in this space, you have to beat all of us to beat one of us. The National Cyber Director needs to make that true,” Inglis said.
Easterly said she would advance CISA’s dual responsibilities of defending federal civilian government networks from attacks, while also sharing “timely and actionable information” on cyber threats across a wide scope of organizations that includes the private sector. Increasing CISA’s reputation as the lead agency for cyber incident response, she added, would reduce duplicative efforts.
“Sometimes when there is a threat stream or a vulnerability, there will be multiple outreaches from different agencies and I think it’s incredibly important that the government is able to speak with one voice, and that there is coordination across the board,” Easterly said.
Given a rise in ransomware attacks, Inglis said it’s “not appropriate” for companies to pay ransoms to resolve these attacks, but said the current environment leaves some organizations with few good options.
“Unfortunately, we get into a place where that is the only thing that is feasible to save lives or to bring back critical kinds of capabilities … We need to attack the problem as a system, make it such that we’re a hard target,” he said.
In addition to coordinating federal cyber response among agencies, Easterly and Inglis also stressed the need to build up the federal cyber workforce.
Easterly said the recently introduced Civilian Cyber Security Reserve Act would strengthen the “connective tissue” between the private sector and government, and would give industry talent an opportunity to lend expertise to the government.
The bill would give the Defense Department and Department of Homeland Security access to a reserve of cybersecurity-trained civilian personnel with prior civilian federal or military service.
Recruiting cyber talent, Easterly added, will also require apprentice and internship programs, as well as building up CISA’s CyberCorps scholarship program.
“You have to look at this not as a one-off position, but as part of a talent ecosystem — from recruiting, to onboarding, to integration, to training and certification, to rewards and recognition and promotion — as part of a whole ecosystem to allow you not just to attract the best talent, but also to retain the best talent. You need to be relentlessly creative, using various different approaches to tap into a diverse pipeline of cyber talent,” Easterly said.
Inglis said building up the federal cyber workforce depends on building a culture that promotes the mission, and gives prospective hires a reason to join government service.
“You need to give them a viable career path. You need to ensure that you’ve accounted for their aspirations to do something more than what perhaps might be the opportunity of the moment,” Inglis said.
Sen. James Lankford (R-Okla.) noted it generally takes more than 100 days to hire employees in the federal workforce, but said the committee would support efforts to onboard in-demand cyber talent in government.
“You will run into barriers in trying to get some of these professionals. We want to make sure that we’re clearing as much as possible, but that’s going to require communication among our teams to be able to do that,” Lankford said.