National Security National Security
Photo credit: https://bit.ly/2S81uwW

On April 11, 2021, President Joe Biden announced his selection of Chris Inglis to be his National Cyber Director, and Jen Easterly to lead the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.  Both Inglis and Easterly have strong cyber backgrounds, the former having served as the Deputy Director for the National Security Agency (NSA), and the later, as the Deputy Director for NSA’s Counterterrorism Center. Filling the two senior level cyber jobs comes on the heels of two significant cyber espionage activities – the SolarWinds breach allegedly conducted by Russia, and China‘s alleged orchestration of the Microsoft Exchange Servers breach.  What’s more telling is how Biden has selected former prominent officials from the United States’ primary technical spy agency, whose broad missions cover signals intelligence, cyber security, and various other supporting elements to fill such prominent cyber positions.

The announcement of these picks, which are subject to Senate confirmation, complements Biden’s earlier selection of Anne Neuberger as the Deputy National Security Advisor for Cybersecurity on the National Security Council.  Neuberger was also an NSA alumnus, having served the Agency as its first Director of Cybersecurity.  At first blush, the selection of these highly experienced individuals seems like an immediate shot in the arm for the United States’ struggling cyber security efforts. All are well qualified and possess deep knowledge of the cyber landscape and the actors and activities that operate within the seamless digital folds, including those conducted by the U.S. The assembly of this group made one former private sector executive gush, calling it the cyber equivalent of a “dream team.”

More importantly, the fact that all of these individuals have an NSA-nexus is not lost on our adversaries.  Suspicions of the NSA’s formidable cyber capabilities solidified after Eric Snowden’s exposures of the breadth of NSA’s alleged global spying apparatus.  And while the NSA maintains a division focused on cybersecurity, based on their respective tenures at the Agency, all three had substantial experience in offensive-focused cyberoperations. As Deputy Director of the NSA, Inglis had knowledge of intelligence operations, Easterly played a key role in helping to launch U.S. Cyber Command (CYBERCOM), and Neuberger served for a period as deputy director for NSA’s Operations Directorate. It appears clear that Biden’s message to U.S. adversaries in cyberspace is that “the best defense is a good offense.”  Whether that adage holds water in cyberspace has yet to be substantiated.

While it certainly makes sense to recruit senior officials from the premiere technical agency, it does raise the question if a chance has been missed to build on strengthening public-private partnerships.  When it comes to the defensive aspects of cybersecurity, the U.S. government has maintained that collaboration is essential when it comes to securing critical infrastructure, much of which is owned and maintained by private companies.  Regional partnerships, information sharing venues like industry Information Sharing and Analysis Centers, and organizations like InfraGard are based on the principle of mutual benefit collaboration.

For a long time, information sharing with the government seemed a one-way street with organizations receiving little in return.  This relationship further strained when working with the government could be perceived in an unfavorable light by peers and the public. Thankfully, sharing has improved but is still not at the level where it should be.  Case and point.  After the SolarWinds breach, the Biden Administration advocated more information sharing with the private sector, wanting to establish more “profound” real-time methods for the exchange.  While calls for improvement are positive, the devil remains in the details that are not fully explained.  Ultimately, how this improves incidents like SolarWinds remains to be seen.

Since 2018, the U.S. embraced a defend-forward policy in cyberspace, proactively identifying, monitoring, and when called to do so, taking the fight to the adversary rather than waiting to react to their attacks.  The policy has yielded some positive results like taking down troll farms and disrupting social media activities supporting influence campaigns.  Although these two efforts executed by CYBERCOM likely achieved the commander’s intent, the gains were short-lived and did not dent the resolve of our adversaries to continue to pursue these activities against U.S. interests. The appointment of these three high-ranking cyber officials certainly is consistent with the perpetuation of this strategy.

However, disinformation efforts are not on the same level as sophisticated breaches, and one cannot defend-forward against operations that are not seen or detected. That requires a keen alert defensive posture and not an attacking mindset. At least for the present, it seems that defend-forward might be better positioned to handle more overt hostile cyber actions than those requiring patience, persistence, and above-all, clandestine stealth. 

Biden’s picks have assumed the mantle of a very difficult job that seems to have bested equally qualified and experienced experts and professionals on the national level before.  When discussing best practices for cybersecurity, several consistent themes keep popping up: multi-layered, sharing, collaboration, multi-factored – words that indicate “more” rather than “less,” “diverse” rather than “alike.”  Recruiting the three top cyber officials from the same organization is hardly representative of that “best practices” approach. Excluding private sector cyber specialists, many of whom have worked at the largest multinational companies, dismisses valuable insight into the very types of attacks victimizing U.S. government and critical infrastructure networks.

Such an omission may ultimately stall any advances in the very public-private partnership instrumental for national cybersecurity preparedness that has been espoused by the government. Now that Biden’s team is assembled, the first test is set before them and it’s a big one.  How he decides to respond to SolarWinds and/or the Microsoft Exchange Server breaches will set an unofficial bar of how the U.S. will respond to similar types of attacks in the future.  Given China and Russia’s identification as the top two state threats to the United States in the recent 2021 Intelligence Community Worldwide Threat Assessment, their leaders will be eagerly watching and waiting to see what the U.S. will do.  The longer Biden tries to figure it out, the quicker they will have their answer.