Inglis steps into the new role as the U.S. reels from repeated hacks of both government agencies and privately run infrastructure. In 2020, Russia hacked computer systems inside at least nine federal agencies and roughly 100 companies in the SolarWinds breach. Then in March, Microsoft revealed a hacking campaign against its email service that the U.S. later attributed to China. And in May, ransomware criminals breached the networks of Colonial Pipeline and forced it to shut down a gasoline pipeline that supplied fuel to much of the East Coast.
“The bad actors are not standing still,” said Inglis, a 28-year veteran of the National Security Agency who spent seven and a half years as its deputy director. He said he’ll focus on how to “hold them at bay and ensure that they don’t succeed in ways that, far too often in the past, they have.”
Inglis’ position, which Congress created in last year’s defense policy bill, has few formal powers, but he’s responsible for reviewing agencies’ cyber budgets and evaluating their spending decisions.
In his budget reports to OMB and Congress, Inglis said he’ll highlight both “investments that are not on the books but that should be made” and inefficiencies in existing spending.
Federal agencies sometimes neglect cyber spending, seeing it as a distraction from other programs that directly support their missions. Inglis says he thinks he can change that mindset by orchestrating speedy assistance from DHS’ Cybersecurity and Infrastructure Security Agency when agencies get hacked — which will underscore why they need to take the issue seriously in the future.
Inglis’ goal of what he calls “federal coherence” on cybersecurity could be a tough one to achieve. To get agencies to follow the same playbook, he will have to corral the dozens of agency chief information officers and chief information security officers who oversee nearly $100 billion in annual IT and cyber spending.
Inglis also vowed to ensure that agencies follow a “common practice in what we buy and how it operates,” in part through his oversight of many of the new requirements for federal contractors — especially software suppliers — in Biden’s May executive order, which lays out how companies must develop and test their products.
Another major task for Inglis will be ensuring the federal government takes a consistent approach to helping critical infrastructure operators — from hospitals and schools to pipelines and power plants — prevent and respond to attacks. The private sector sometimes describes existing systems as scattershot and contradictory.
Inglis, who has said the time may be right for new cyber regulations — particularly for critical infrastructure — will help formulate the Biden administration’s position on any new rules. Industry groups have pushed back against regulations, saying voluntary standards offer greater flexibility amid changing technology.
“Enlightened self-interest and market forces only get you so far,” Inglis said. “There are going to be some critical functions where we must consider, to what degree is it not optional to achieve a certain standard” of security.
The administration is reviewing a bipartisan Senate cyber incident reporting bill, but it has yet to state its position on that or other potential mandates. The executive order’s contractor rules could provide a blueprint for broader security mandates in the future — as could new critical infrastructure standards that Biden mandated in a separate directive.
Cyber specialists have been wondering how Inglis will work with Deputy National Security Adviser for Cyber and Emerging Technology Anne Neuberger, given the administration’s previous resistance to Inglis’ role over its accountability to Congress and potential duplication of NSC responsibilities.
Biden appointed Neuberger because his aides favored keeping cyber inside the NSC, which is less accountable to Congress than Inglis’ new office.
Inglis said there was “room enough in this” for both Neuberger and him, though he added that the wide-ranging nature of cyber policy precluded “very clean … boundaries” between their portfolios.
Inglis said he’ll oversee “activities that can be addressed entirely within cyberspace,” such as patching vulnerabilities, and ensure that “everyone is playing their part.” But when cyber incidents require the “application of other instruments of power,” such as diplomatic negotiations or financial sanctions, Neuberger and the NSC will take charge. He pointed to the Colonial Pipeline hack, when the NSC oversaw the government’s response to fuel supply issues.
“The purpose of our power is to not create a new entity for its own sake, but rather to add value,” Inglis said.
Inglis is still setting up his new office, which lacks permanent funding and is instead drawing from a White House contingency budget. He said he’s spoken to “dozens” of potential staffers and that many of them are in the process of joining his team, which Congress envisioned eventually growing to 75 people.
“For the moment, what we’ve done is to lay out what the functions are that those people would undertake,” Inglis said. “They’re coming. They’re in the pipeline.”