[iw] - Biden’s Cybersecurity Team Gets Crowded at the Top
rforno at infowarrior.org
Mon Jul 19 08:59:19 EDT 2021
Biden’s Cybersecurity Team Gets Crowded at the Top
It’s a lot of talent, but the US now has five overlapping roles jockeying for limited budgets, authorities, and bureaucratic victories.
GARRETT M. GRAFF
07.17.2021 07:00 AM
JEN EASTERLY JUMPED right into the fray on her first day this week as the second-ever director of the federal government’s domestic cybersecurity agency. Easterly, who most recently worked in the private sector with Morgan Stanley, was confirmed by the Senate on Monday as head of the Cybersecurity and Infrastructure Security Agency, after Senator Rick Scott (R-Florida) held up her nomination for nearly a month. By Tuesday, Easterly was already addressing US election officials as part of CISA’s role securing the nation’s voting infrastructure.
Easterly’s confirmation fills out the final box in the US government’s increasingly multipolar and confounding cybersecurity org chart, nearly six months into the new administration. The Biden White House has already found itself in short order confronting some of the nation’s most serious cyber incidents—from the SolarWinds compromise to a scourge of high-profile ransomware episodes, including an attack against Colonial Pipeline that led to momentary gasoline shortages up and down the East Coast.
After Donald Trump spent years stripping down and cutting cybersecurity agencies—and firing a number of high-profile cyber officials—the Biden administration suddenly finds itself with the opposite challenge: coordinating a glut of high-powered, accomplished people in leadership positions. The good news is that it’s the most serious constellation of cyber talent ever assembled in the US government. The potentially bad news is that the US now has five overlapping roles jockeying for limited federal budgets, authorities, and bureaucratic victories. It's an embarrassment of talent to throw at what remains one of the nation’s most complex and stickiest policy problems. Rather than helping solve the cyber challenge, though, it could very well end up being simply too many cooks in the kitchen.
Beyond Easterly at CISA—which oversees the federal government’s civilian cybersecurity efforts and interfaces with election officials and critical infrastructure sectors to protect local, state, and tribal systems, as well as private company networks and industries—General Paul Nakasone holds the so-called “dual hat” role of heading the National Security Agency’s signals-intelligence efforts and US Cyber Command, the nation’s offensive cyber military capability. He is also in charge of securing the military’s own communications and computer networks.
That shared NSA DNA is a belated admission of how long cybersecurity took a back seat in the government’s wider bureaucracy.
At the White House, Biden created a new senior-level post for Anne Neuberger, now deputy national security adviser for cyber and emerging technology. Neuberger acts as the internal coordinator for Biden’s sweeping, cyber-focused executive order, and she has thus far served as the administration’s public face on cyber incidents. Biden also nominated Chris Inglis to serve in a position newly created by Congress known as the national cyber director, an amorphous and largely undefined role that is meant to serve as the president’s top cyber adviser and coordinator. Inglis was sworn into the role on Monday as well. It very much remains to be seen what role he’ll carve out for himself, or even what kind of team he might build to execute his vision. The new office, which will exist in the White House as part of what’s known as the Executive Office of the President—similar to the White House drug czar or the US trade representative—will sit separate and apart from the National Security Council. It's authorized for up to 75 of its own staff, which would make it one of the largest cyber policy shops in the entire government, although where Inglis will recruit staff and what they would do remains unclear.
Hardly least of all, there’s also the Justice Department, where deputy attorney general Lisa Monaco and principal deputy associate attorney general John Carlin have led efforts to confront foreign adversaries through indictments, bringing a groundbreaking series of cases beginning in 2014 against Chinese military hackers. Monaco and Carlin moved quickly to establish and assert the Justice Department’s role this spring amid the flood of ransomware, announcing an April task force and a surprise seizure that recovered some $2.3 million of the ransom paid by Colonial Pipeline.
(Disclosure: I have worked with nearly everyone mentioned in this article at the Aspen Institute, where most were engaged in the public-private Aspen Cybersecurity Group. I also coauthored a 2018 book on the US government’s approach to cybersecurity with John Carlin.)
With the exception of the Justice Department’s team, the key cyber players share a special background as veterans of Fort Meade, the base of the National Security Agency and US Cyber Command. Beyond Nakasone, Inglis spent nearly 30 years with the civilian side of the NSA, rising to be its deputy director. Before her appointment earlier this year, Neuberger founded and led the NSA’s Cybersecurity Directorate and previously served as its chief risk officer, carving out a unique public voice for an agency not normally known for its public engagement. Easterly, who worked in the NSA’s elite hacking team known as the Tailored Access Operations, in 2009 helped design, along with Nakasone and others, what later became US Cyber Command.
That shared NSA DNA is a belated admission, of sorts, of how long cybersecurity took a back seat in the government’s wider bureaucracy. When the Biden administration went looking post-election for senior, respected leaders who had worked and thought about these issues for years, it really only had one talent pool to draw from.
The NSA and Cyber Command, for its part, moved rapidly during the Trump administration to regularize more aggressive offensive cyber operations. Nakasone, as WIRED reported last fall, has carried out more offensive operations online in his nearly three years heading the dual-hat arrangement than the US government had ever done prior to his tenure—combined. In recent months, US Cyber Command has begun to focus its attention not just on nation-state adversaries but also on transnational organized crime, which US officials increasingly point to as having risen to a scale and sophistication that equals the threat from established online adversaries like Iran and China.
The Biden White House, though, is still very much sorting out its own approach to cyber issues, from Chinese tech companies to ransomware. While Inglis, Neuberger, Monaco, Easterly, and Nakasone are friendly and collegial, they have differing philosophies, and they now find themselves arrayed across government with very different equities, tools, and capabilities.
How Inglis and Neuberger work together and share power inside the White House going forward will be one of the biggest questions of the Biden administration’s approach to the internet, as will the question of how Easterly and Nakasone balance the government’s civilian and military approach online. The answers will have a bearing not just on current technology and security policy but the future of US cyberdefense. If the NSA and Cyber Command split in two at the conclusion of Paul Nakasone’s tenure, then Neuberger, Inglis, and Easterly are among the obvious candidates—along with current NSA director of cybersecurity Rob Joyce—to take the reins of the intelligence agency.
They’ll also need to navigate long-simmering tensions between their respective agencies and their relative funding. CISA was formed only in 2018, out of what had long been a convoluted and shape-shifting DHS component known most recently as the National Protection and Programs Directorate. It’s been on a hiring spree this spring, bringing on hundreds of new cyber professionals, but it's still only a quarter to a third the size of Cyber Command, and not even a tenth the size of the NSA. It has few true authorities to compel cooperation across the private sector, or even sometimes inside government.
And these are hardly the only complications facing anyone seeking to make a coherent government response to still-growing threats online. Beyond the “big five” outlined above, the US Secret Service and Immigration and Customs Enforcement both also share online enforcement duties, and many Americans were surprised to find this spring amid the Colonial Pipeline incident that the Transportation Security Administration, best known for its blue-uniformed airport security screeners, actually oversees the cybersecurity of the nation’s pipelines, among other odd corners and jurisdictions.
Despite the multitude of agencies with a slice of the cyber pie, important gaps remain. No agency has real ownership over identifying, combating, and fighting disinformation and misinformation online, although there are early indications that Biden’s DHS may try to take some control over that issue in the months ahead. The component seemingly interested in stepping into the information operations space? Yet another player: DHS’s Office of Intelligence and Analysis, whose new leader this month, John Cohen, is himself a 30-year veteran of law enforcement and intelligence.
Senator Angus King (I-Maine), who helped lead the Solarium Commission that recommended the creation of the national cyber director office and increased investment in government cyber roles, trumpeted this week’s new staffing on Monday.
“Now,” he said in a statement to The Hill, “it’s time for us all to get to work.”
More information about the Iw