The newly installed National Cyber Director offered his take on the roles and responsibilities of his office, the Cybersecurity and Infrastructure Security Agency, the National Security Council and agency IT and security operations in responding to federal cyber incidents.
Chris Inglis takes a question during a Naval Academy cybersecurity event May 2, 2018. (U.S. Air Force photo by Maj. Jon Quinlan)
A key player on the Biden administration's cybersecurity team offered a look at how the roles and responsibilities in policy development and incident response are going to work in practice.
Speaking at the Reagan Institute on Thursday, National Cyber Director Chris Inglis said he had been collaborating with top federal cyber officials to determine the scope of his duties since he was confirmed by the Senate in June – and how his role intersects with the National Security Council, the Cybersecurity and Infrastructure Security Agency and security and IT officials inside federal agencies.
"The good news is, there is plenty of opportunity, and plenty of challenge, to justify two, or three, or ten roles," he said, adding: "My responsibilities principally will be inside cyberspace."
As a hypothetical case study, Inglis alluded to a cybersecurity event at a federal agency that he was "not at liberty" to discuss in detail.
"Let's say in the recent few weeks that an agency within the federal government experienced some event in cyberspace attributable to something that a transgressor did -- got inside the system began to do some lateral movement inside that system. It's clearly something that has to be addressed, but it's entirely contained within that system," Inglis explained. "At that point, you would expect that the on-scene manager, the chief information security officer of that agency to do what they should do, raise their hand and say, 'I've got an issue over here on this edge of the enterprise.'"
Such an event would involve support from CISA but not necessarily the NSC, Inglis said.
"You don't have to call the National Security Council into play for that because it's entirely contained, constrained within that space, though, you need to be mindful that the situation could grow," he explained.
In the event of a cyberattack with widespread consequences, such as the attack on Colonial Pipeline's business systems, the deputy national security advisor for cyber would take the lead, coordinating diplomatic, legal and military response.
More generally, Inglis said, his operation will oversee the adjustment of software and implementation of cyberspace tools to ensure an adequate level of "on-scene leadership" and accountability, while the CISA director will serve as the "on-the-field quarterback," surging agency resources to support the compromised system while assessing its other components for vulnerabilities.
"We need to make sure that we're set up for success in the first place, so there will be a fair amount of exercising and role definition," he said. "The National Cyber Director needs to make sure those roles are preassigned and the muscle memory is healthy and well."