President Biden’s nominees to fill two top federal cybersecurity posts on Thursday emphasized the urgency of coordinating across the government to strengthen the nation’s cyber preparedness.
“If the past year has taught us anything, it is the obligation we have as leaders to anticipate the unimaginable,” Jen Easterly, nominated to head the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA), told the Senate Homeland Security and Governmental Affairs Committee. “While the digital revolution of the past several decades enabled unprecedented growth and innovation, the increasing connectivity also introduced great peril.” (See Biden to Name Morgan Stanley’s Easterly as CISA Head.)
Joining Easterly at Thursday’s hearing were Chris Inglis, a retired Air Force brigadier general and former deputy director of the National Security Agency whom Biden nominated as the first National Cyber Director in the Executive Office of the President, and Robin Carnahan, Biden’s nominee for administrator of the General Services Administration.
Easterly and Inglis “are both firsts for this committee,” chairman Gary Peters (D-Mich.) noted in his opening remarks, referring to the fact that the committee has not held confirmation hearings for either post before. CISA’s founding director Chris Krebs did not require a hearing because he was already confirmed in his previous role as head of the agency’s predecessor when CISA was formed in 2018, while the National Cyber Director position was created just last year by the 2021 National Defense Authorization Act.
Senators Warn of Redundant Roles
Peters also remarked on the novelty of Inglis’ position during the hearing, pressing him to define the responsibilities of the new post and how he would avoid redundancy between his planned “Cyber Directorate” and established government organizations like CISA — a question on the minds of several other lawmakers.
Inglis explained that he hoped to be a coordinating force across the cybersecurity landscape, bringing “coherence [and] unity of purpose across what are already impressive, deep and sharp capabilities within the federal enterprise.” He also expressed the desire to extend these collaborations into the private sector, creating a coherent cyber response strategy among all major stakeholders.
“I think that the premise for us within the United States and like-minded nations must increasingly be that if you’re an adversary in this space, you have to beat all of us to beat one of us. The National Cyber Director needs to make that true,” he added.
Easterly was also challenged to define her agency’s role and how she would avoid butting heads with Inglis and other federal cybersecurity players. In her opening remarks, Easterly characterized CISA as a “quarterback … leading asset response for cyber incidents” under the direction of the Cyber Director as a “coach … overseeing the implementation of cyber strategy and policy.”
This prompted ranking member Rob Portman (R-Ohio) to jokingly ask, “What’s the Deputy National Security Advisor? Is that a defensive player, a linebacker?”
“All joking aside,” Portman continued, “we have a real opportunity here, with real experts coming into these jobs, to be able to be sure we’re not duplicating efforts. And frankly, without … ultimate accountability, if everyone’s in charge, no one’s in charge.”
“I … agree with you that accountability is critical,” Easterly responded. “If I’m confirmed, I would expect you and [DHS Secretary-designate Alejandro] Mayorkas to hold me accountable for the very specific operational mission that CISA has, to manage and mitigate risk to our digital and physical critical infrastructure.”
Portman also took the opportunity to complain to Easterly about what he considered a lack of communication on CISA’s part. As an example, he presented a printout of a document the committee recently received from the agency in response to a request for information about CISA’s EINSTEIN threat reporting system, noting that the entire document was blacked out. Portman called this “not terribly useful” and urged Easterly to improve the agency’s responsiveness if confirmed.
“I absolutely believe in the strong oversight role that this committee has, and if confirmed, I would 100% commit to doing everything I possibly can to make sure that you get all of the information that you need to perform those important oversight roles,” she replied.
Nominees Address Cyber Talent Gap
Another major concern at the hearing was the cybersecurity talent pool. Senator Alex Padilla (D-Calif.) noted that the International Information System Security Certification Consortium’s 2020 Cybersecurity Workforce Study found that the U.S. cybersecurity gap — the difference between the number of skilled professionals that organizations feel they need to protect critical assets and the number of skilled workers available — stood at 359,000 last year, and asked for the nominees’ recommendations for boosting the nation’s talent level.
“We have found that the pipelines aren’t generating enough, either in the diversity [of talent] or in the literal numbers,” Inglis said. “We need to actually work those pipelines [and] start as early as possible, K through 12, creating awareness on the part of those up-and-coming students about what the possibilities are to take on very viable careers.”
Inglis also suggested rethinking “what the fundamental qualifications are to take one of these jobs,” noting that requiring university degrees may keep talented applicants out of positions for which “good critical thinkers [and] people who’ve got a good work ethic” are best suited.