The new national cyber director aims to take a complementary approach within the broader federal cybersecurity landscape by focusing on driving technical coherence and fostering collaborative relationships, inaugural director Chris Inglis said today at GovernmentCIO Media & Research's CyberScape virtual event.
"Cyber is now officially important. It is something that our national security, economic vitality and personal actions all fundamentally depend on. We need to get it its proper placement. Not simply for the private sector, but within the government," Inglis said of the motivations behind the office's founding. "The role of the cyber director is to add value to [the diverse cybersecurity leadership], add context to that."
Earlier this month, the national cyber director office received $21 million in funding in the Senate-passed infrastructure bill, and Inglis expects the office to grow to about 75 people. In the meantime, the government faces what Inglis noted to be historical challenges and weaknesses in the technical infrastructure and workforce.
“If we don't take care of the defense ... then trying to shoot our way out of this will wind up being insufficient,” Inglis said. “What I am concerned about ... is how do we make use of all those pieces? How do we bring them together so that they complement one another, with a focus on integration and collaboration as opposed to the strengthening of any one of its parts?”
Inglis described four objectives and responsibilities for his role that will shape ongoing work over the coming months.
Drive federal coherence.
This objective includes building on existing efforts, like the cybersecurity executive order. It also includes working with current roles to improve the technical architecture and to complement other entities like the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Homeland Security (DHS), as well as other leadership roles such as the chief information security officer and others within the defense community.
“We have to preserve the strength of each of those pieces ... but somehow make those coherent and be able to achieve some synthesis,” Inglis said. “We have to create that centralized coherence, but at the same time strengthen the edge.”
Inglis noted the inefficiencies that a lack of coherence creates, such as too much division between roles.
"What that misses is sometimes I won't see the whole of a threat, or you won't see the whole of a threat, and it's only when we begin to compare and contrast that we see it together in a way we couldn't have seen it alone," he said.
Make sure public-private collaboration is in a good place.
Inglis emphasized the importance of partnerships in working together to defend against threats. This means not creating too much division of roles, so as to avoid a situation in which "the seams present an advantage for our adversaries," Inglis said. This approach is essential because a large amount of cyberspace innovation happens in the private sector, while the government's unique role provides access to information, diplomatic and financial power, he added.
“At the end of the day, we need to figure out how to use all the instruments of power that we have — the private sector has many, the government has several more — and use those to integrate and co-join such that we have a collaboration ... in such that an adversary space needs to beat all of us to be one of us,” he said.
The strategy has many implications for industry, which can provide not only many lessons learned but also well-rounded approaches to tackling urgent security incidents.
“The government has a lot of lessons to learn as well,” said Patrick Gorman, executive vice president at Booz Allen Hamilton, during another session at the event. “The back and forth between the private sector and public sector ... is key to building a good partnership going forward.”
This also means keeping the acquisition process in mind as government acquires technology and capabilities from industry.
“When we look at the whole ecosystem, we have to understand the nuances that have been developed over time,” said Keith Nakasone, federal strategist at VMware, during the event. “Having those early and meaningful discussions with the agencies will yield better results to improve the acquisition process as well as being able to provide meaningful solutions that will solve those mission requirements.”
Assess performance of application of dollars to cybersecurity issues.
The national cyber director role "does not need to replicate or compete with" existing efforts like the Technology Modernization Fund (TMF), which allocates funding for improvement projects including bolstering critical infrastructure and ensuring resilient systems, Inglis said. Rather, it will follow the funds and ensure they are being expended appropriately.
Be accountable for present and future resilience.
Being resilient against cyber threats means taking a look at both the technology and the people. This often means considering whether appropriate budgets are in place, as well as time, attention or adjustments to expectations, Inglis said.
"Moving forward, the muscle memory required to deliver [these objectives] is going to take some amount of exercises ... some amount of role adjustments to get all of that done," he said.
Inglis noted that his office's work will be done not so much with resources it owns, but rather in partnership, by helping to champion or leverage relationships.
"We will enable, empower and champion the work of hundreds of others both in the public and private sectors such that that team of teams will be considerably more capable because it has the fabric that enriches each of the parts versus operating alone," he concluded.