Joe Biden makes NSA veteran first national cyber director

President Joe Biden on Monday said he would nominate Chris Inglis, a 28-year veteran of the National Security Agency, to be the first national cyber director, choosing a longtime proponent of doing more to harden government and industry computer systems against hacks and other online intrusions.

Biden also said he would nominate Jen Easterly, a former government official who played a leading role in the creation of the military’s US Cyber Command, which conducts the nation’s offensive cyberattacks and operations, to lead the Cybersecurity and Infrastructure Security Agency inside the Department of Homeland Security. And Biden will nominate Robert Silvers, a former cybersecurity official under former President Barack Obama, to be the undersecretary for policy at the department.

If confirmed by the Senate, Inglis would be the first person to serve in a position created by Congress and recommended by the Cyberspace Solarium Commission, a bipartisan panel of which Inglis was a member. In the post, Inglis will not have any direct oversight of offensive cyberoperations but will coordinate with the military and Biden’s national security adviser.

Inglis has embraced what the Pentagon calls a “defend forward” strategy, in which the US goes into foreign networks, hunting for gathering threats. In recent years, he has been unsparing in his criticism of how disorganized American defences remain more than a decade into the era of daily cyberconflict.

“If I were to score cyber the way we score soccer, the tally would be 462-452 20 minutes into the game,” Inglis has told colleagues in the past. “In other words, it’s all offence and no defence.”

In July, Inglis expanded on his views, telling Strategic Studies Quarterly that “there are inconsistencies and gaps across the various departments and agencies, and our nation does not have a cohesive vision for how to work together across the federal enterprise, let alone with the private sector.”

Some lawmakers and intelligence officials are sceptical that the cyber-director position will fix the problem because of the limitations on its ability to direct offensive actions against other countries — a tactic often seen as a key element of deterring other states from conducting operations against the United States.

But the choice of Inglis, which was reported earlier by The Washington Post, has been met with bipartisan praise, including from lawmakers who helped create the position.

“I have just been extremely impressed by his judgment, his knowledge, his demeanour,” said Sen. Angus King, I-Maine, who is co-chairman of the Cyberspace Solarium Commission, which was created by Congress to recommend cyberoperations strategy for the United States. “He has the right combination of experience and knowledge, but also demeanour, experience in both the government and the private sector. I think he’s exactly the right person in the right position at the right time.”

Former colleagues of Inglis' at the National Security Agency credit him with leading the agency through one of the darkest periods in its history, after leaks from Edward Snowden, a former contractor who stole tens of thousands of classified documents and shared them with journalists.

Inglis' arrival in the Biden administration comes as the United States is contemplating responses to the Russian SolarWinds operation, in which hackers got into network management software used by most of America’s largest companies and many government agencies, and what appears to be Chinese exploitation of Microsoft servers.

The administration’s response to those attacks is likely to come before Inglis is confirmed, which will probably take months. Jake Sullivan, the national security adviser, has promised a series of “seen and unseen” responses to the SolarWinds attack. Officials have said a public response is coming, but no announcements are expected this week.

Some in the Biden administration had worried about creating competing power centres by appointing a national cyber director. But officials said their concerns had been resolved by tapping Inglis, someone who has strong ties on Capitol Hill and has worked closely with Anne Neuberger, the deputy national security adviser at the White House for cyber issues.

Inglis, Neuberger and Easterly have all worked closely together before. While some critics of the National Security Agency have questioned the fact that all three spent significant portions of their careers at the agency, others described the experience as an asset.

“I can’t think of anyone who has more unique insight into the history, creation and congressional intent behind this position,” said Frank Cilluffo, director for Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security, who served on the commission with Inglis. “He knows what it will take to fulfil the mission and to succeed.”

Colleagues describe Easterly, a graduate of the US Military Academy at West Point who holds a master’s degree in philosophy, politics and economics from the University of Oxford, as the hardest-working and most competent leader at the National Security Agency. The Cybersecurity and Infrastructure Security Agency has been without a permanent director since President Donald Trump fired its previous director, Christopher Krebs, after Krebs refused to back his false claims of election fraud.

Silvers was among those responsible for handling the Obama administration’s response to high-profile cyberattacks. They included the one carried out by North Korea against Sony Pictures in 2014, which decimated the studio’s computer servers and leaked Sony executives’ emails, and the Chinese hack of the Office of Personnel Management, which resulted in the theft of personnel records and fingerprints for millions of government employees.

One of Inglis’ first jobs would be to find ways to increase cooperation between the private sector and the federal government. Private technology and security companies have identified the most recent large hacks before the government has.

Outside experts have proposed various ways to get private industry and government agencies to share more information in real-time about cyberattacks. The Cyberspace Solarium Commission is set to tackle the issue in a meeting Monday.

“Something like 85% of the target space in cyber is in the private sector,” King said. “This isn’t a conflict of the army against army. This is a conflict of the use of cyber against civilian infrastructure. It will also be used against government agencies, of course, but the building of a relationship with the private sector that involves trust and mutual confidence is critically important.”