There were approximately 65,000 ransomware attacks last year in the United States, and that number doesn’t seem to be slowing down. Over the past few weeks, cybersecurity has dominated the headlines, as companies regularly pay vast sums of money to the hackers who have broken into their systems. The recent Colonial Pipeline attack triggered a flurry of action, sending gas prices soaring and costing the company nearly $5 million in ransom, of which the Department of Justice was able to recover about half. In a separate incident that was not a ransomware attack, hackers stole the source code for several games made by Electronic Arts just yesterday. JBS, the world’s largest meat processing company, recently paid $11 million in ransom after hackers disrupted operations in several of its plants. While these attacks have garnered media attention and robust government responses, the vast majority of cyberattacks on critical infrastructure in the United States, which plague schools and at least 235 hospitals, fail to attract this level of attention, even though lives, education, transportation, and of course, money, are at risk.
Grappling with this onslaught of cyberattacks, the Senate is considering the nominations for two critical positions that will lead U.S. cybersecurity strategy in the Biden administration. In Thursday’s confirmation hearings, senators questioned Jen Easterly, the nominee to lead the Cybersecurity and Infrastructure Security Agency (CISA), and Chris Inglis, nominated for the newly created position of White House national cyber director; the same hearing also took up Robin Carnahan, nominated to lead the General Services Administration.
Echoing Commerce Secretary Gina Raimondo’s statement on Sunday that ransomware attacks “are here to stay,” Inglis warned senators that these kinds of cyberattacks cannot be stopped.
Ransomware “will not stop of its own accord,” Inglis said. “It is not a fire raging across the prairie that once it’s consumed the fuel, it will simply stop, and we can simply wait for that moment. We must stand in.”
Deterrence, however, is largely impossible in this area, according to Inglis. But by undertaking a range of activities, by relying on the “resilience and robustness in people,” and by bringing together all instruments of power in a unified way across agencies and across nations, the United States may be able to make its systems defensible, he told the committee. In this way, even if perfect prevention cannot be achieved, the fire can still be made manageable.
But his message was clear: cyberattacks are here to stay, and it’s going to take all hands on deck to mount a defense.
As the nominees answered several queries about their proposed approaches to this growing national security issue, four key themes emerged:
- People are the problem.
The human factor remains the weakest point in cybersecurity protection. Human error is often the entry point through which hackers gain access to a computer system, and many major crises began with poor cyber procedures. (The Colonial Pipeline system did not require multi-factor authentication, merely a “complicated password.”) Critical for the nominees, then, was promoting the basics of good digital hygiene: the practices that computer users can undertake to protect themselves and their machines from harm. Both Easterly and Inglis saw their roles as promoting these practices, such as improving passwords and implementing multi-factor authentication, not just within their own departments but across the federal government and nationwide more broadly. Easterly also emphasized the need to educate members of the public so that they are prepared to protect themselves when attacks like ransomware happen, while Inglis stressed the need to assess the weaknesses and knowledge of people on the front lines.
- But people are also the solution.
Cybersecurity experts have known for some time that the United States is facing a critical shortage of qualified workers in the field, with some estimates putting the shortfall at roughly half a million workers. The federal government has not been immune to this drought, and much of the discussion with the nominees centered on their plans to recruit, train, and retain talent. Easterly offered three key ways through which these goals could be realized: (1) culture is foundationally important, and leaders need to create a culture that emphasizes ownership, innovation, collaboration, empowerment, and diversity; (2) federal cybersecurity positions must be part of a larger talent ecosystem that treats the job as part of a career development strategy, not as a one-off position; and (3) CISA must develop creative approaches to obtain a diverse pool of candidates, including internships, rotational programs, and strengthening the connective tissue between the private and public sectors.

Inglis reiterated many of Easterly’s points, highlighting the need to inspire prospective employees to join the government mission and to provide them with a viable career path that promises investment in their careers and longevity. Inglis went even further, suggesting that pipelines to jobs are insufficient to address employment needs and that the United States must broaden its scope to develop talent at earlier levels. In elementary, middle, and high schools, policies should be implemented to make students aware that these jobs are available and how they may be accessed. Inglis also stressed the need for greater flexibility in setting standards for basic qualifications, questioning the requirement for bachelor’s degrees and allowing employees to access jobs in multiple places.
Senator Jacky Rosen (D-NV) also spoke to this need for flexibility, pointing to the Civilian Cyber Security Reserve Act, which would establish a civilian Cybersecurity Reserve Program to supplement the Department of Defense and Department of Homeland Security in times of crisis or higher demand.
- Cohesion (between agencies and between states) is key.
While the nominees were sparse on details when it came to answering how to combat cyber-insecurity, they reiterated one common theme throughout the hearing: cohesion is critical. Inglis identified the lack of information sharing between agencies as one of the biggest barriers inhibiting cybersecurity, since the reluctance of officials to share insights and hunches, rather than merely information, prevents agencies from acting with a common cause. Easterly, speaking from her personal experience as the global head of Morgan Stanley’s Cybersecurity Fusion Center, identified a common issue for private sector companies when crises arise: multiple federal departments reach out to the private actor, making it confusing for the company to know who its point of contact should be and to whom it should be listening. For Easterly, it is critical to ensure that agencies speak with one coordinated voice. She frequently referred to her position as head of CISA as the “quarterback” of the federal cybersecurity system, responsible for cultivating this voice by ensuring timely and actionable information sharing across the federal, nonfederal, and private sectors. To achieve this “unity” across agencies, Easterly emphasized CISA’s need to promote visibility into cyber operations across agencies (“if you can’t see it, you can’t defend it”) and focused on developing partnerships with agencies to facilitate a coordinated approach to cybersecurity.
For his part, Inglis identified his role as national cyber director as one centered on promoting “unity of effort” and “unity of purpose” (a sentiment often echoed by Easterly). The primary purpose of his position, he stated, is to add value and coherence to cybersecurity policy in order to signal to adversaries that they “need to beat all of us, not one of us.” Combating cyberattacks must be a team effort, he said, and the national cyber director must work to ensure that there is a strategy in place that coordinates the work of the various agencies in a unified way.
In addition to interagency cohesion, Inglis also emphasized the need for international cooperation in combating cyberattacks, particularly with respect to states that function as sanctuaries or safe harbors for transgressors. He also spoke to the need for the United States to be committed to advocating for issues of economic fairness, which can level the playing field for U.S. cyber industries battling competitors abroad.
- The private sector needs supervision.
One partnership heavily emphasized by both Easterly and Inglis was the relationship between the federal government and the private sector. Congress is increasingly losing its patience with poor cybersecurity preparedness by large corporations as hackers continue to exploit these weaknesses to attack critical infrastructure in the United States. While the Transportation Security Administration has imposed new cybersecurity requirements in light of the recent ransomware attack on Colonial Pipeline, private sector engagement with the federal government during times of (cyber) crisis is currently voluntary, motivated by what Inglis calls “enlightened self-interest” and market forces. These two forces have failed to compel many companies to develop adequate precautions against cyberattacks, and both Inglis and Easterly signaled a willingness to impose mandated standards on private companies as a result. Inglis compared the possible regulations to those placed on other critical infrastructure industries, such as aviation or automobiles, while Easterly emphasized the need for a notification requirement for companies that have been reluctant to report cyberattacks to the federal government. (Senator Mark Warner (D-VA) is currently preparing a bill that would require critical infrastructure businesses, federal contractors, and agencies to report cyberattacks to the government.) Inglis also noted that the government needs to hold companies responsible for being in the position where they had to pay a ransom in the first place.