The first U.S. National Cyber Director wants the government to take a tougher, more proactive approach to those who threaten America’s networks: degrade their capabilities and demonstrate how they would suffer should they attack.
John “Chris” Inglis’ vision for his brand-new office somewhat resembles the match-day strategy employed by the Cobra Kai dojo in the original Karate Kid: aim to cause your opponent pain. In other words: sweep the leg.
Earlier this week, Inglis outlined how his office will coordinate the various agencies and entities tasked with warding off and responding to cyber attacks. He and his staff will shape and coordinate budgets, ensure that federal cybersecurity operators are at least as good as their private counterparts, watch for emerging vulnerabilities in digital supply chains, and more.
In an interview at the TechNetCyber conference in Baltimore this week, Inglis provided a few more details on what he sees as his role. One part is playing “coach” to the Cybersecurity and Infrastructure Security Agency, or CISA. Another is crafting a comprehensive strategy to not only respond to hacks and ransomware attacks but also to deter them. Inglis believes that current U.S. strategy puts too much stock in moves like Justice Department indictments, which do little good against adversaries who operate with impunity in safe haven spaces like Russia.
“Start with the psychology of the aggressor…not what we think would make a difference to us,” he said. “Public shaming might mean nothing in some of these countries, right? But what makes a difference to them? You need to start there and you need to bring to bear all the instruments of power. But they need to be properly mobilized and enabled by some degree of timeliness.”
Deterring adversaries, he said, “has to focus on what are the consequences that matter to them. Most of those consequences might not be found in cyberspace; they might be found outside of cyberspace, which means you have to have a systematic or systemic, holistic approach to that. It starts with the psychology of the actors, what makes a difference to them?”
Inglis, in the interview, outlined an approach that sounds similar to the idea of a more proactive defense, what Gen. Paul Nakasone, the head of NSA and Cyber Command, calls “defending forward.”
It’s that concept of proactive defense that needs to be scaled up and better coordinated across the government as part of a strategy—not just reacting when big incidents cause bad headlines. Inglis says it’s his job, as the first cyber director, to lay out what that leg-sweeping strategy looks like and implement it across the government.
“We’re going to accept that instruments of power to hold that at risk, to degrade [adversary capabilities] it to disrupt it; to bring it to heel. That’s an inherently governmental proposition if you’re operating off of the territory,” he said. “Those are all collaborative activities. They’re connected activities. But again, back to the question of who’s accountable for what? There’ll be a slightly different org chart for each one of those and each of those are underway.”
Inglis didn’t say exactly how that degradation of adversarial ransomware and hacking capabilities was “underway” but did say that, like any strategy, this one will take time and persistent implementation before it yields victory.