National Cyber Director's Vision for the Future Flags Overdue National Plan

National Cyber Director Chris Inglis drew attention on Friday to the continued absence of a national cybersecurity strategy—something the Government Accountability Office expects his office to deliver—while envisioning collaboration across sectors of industry that may have independently managed risks in the past, but are now increasingly dependent on each other.  

“I thought I might give voice to what is the sense of an emerging strategy,” Inglis said. “This isn't the US strategy, but it is a sense of the emerging strategy that I would, in part, observe, in part kind of use as my mantra of what we need to do going forward that addresses not just ransomware but more broadly addresses kind of the causes underneath that give rise to that phenomenon and so many others.”

Inglis was speaking at an event the law firm Venable hosted on combating ransomware, one year after a comprehensive report stakeholders from across the public and private sectors—including nonprofit entities—published with recommendations to address the challenge.

“What we need to do in high consultation and high collaboration, is figure out what we do together so that we spread that risk across the spectrum of generation and defense and response, as opposed to delegating that by our inaction to that poor soul at the end of the supply chain, who inherits all the risks that we didn't buy down through resilience or through doctrinal approaches,” Inglis said, suggesting, “a division of effort, which has largely been the model we've been following for probably 40 years—‘you defend your stuff based upon what you know, based on your authorities, based upon kind of your insights, I'll defend my stuff,’” is no longer appropriate.

A lot of the administration’s approach to addressing foundational weaknesses—in the software development practices of government contractors like SolarWinds, for example—as well as helping to defend from and respond to attacks, has created work for agencies like the National Institute of Standards and Technology and the Cybersecurity and Infrastructure Security Agency. 

But the administration has also launched projects for private sector enterprise customers of foundational information and communication technology to engage more deeply with sector-specific risk management agencies, such as the Department of Energy and the Environmental Protection Agency, which governs safety for the water sector.

“One of the things the administration is really trying to do is empower the sector risk management agencies, and EPA is especially one of the top priorities,” Elke Sobieraj, director for critical infrastructure cybersecurity within the National Security Council, said Wednesday at a separate event hosted by the National Association of Water Companies. “That's definitely something that we're pushing and [Deputy National Security Advisor for Cyber and Emerging Tech] Anne Neuberger feels very strongly about. CISA has gotten a lot of resources when it comes to the cybersecurity piece and as the national cybersecurity coordinator, but we need the other sector risk management agencies to also step up.”

Inglis said his office is currently analyzing the capabilities of sector risk management agencies in an effort to clarify roles and responsibilities and to determine how they should act collectively, both in their operations and their doctrines.

“It's not about trying to figure out how to hierarchically align these things, but rather horizontally how to align these things,” he said. “This must be something that has a concurrent set of activities side by side by side that are complementary. I think that's a good example of the way forward.”