Friday, June 11, 2021

Senate Hearing Clarifies New Federal Cybersecurity Roles

Chris Inglis and Jen Easterly set out their priorities yesterday in a hearing before the Senate Committee on Homeland Security and Governmental Affairs on their nominations for National Cyber Director and Director of the Cybersecurity and Infrastructure Security Agency (CISA), respectively.

Both nominations are historic, stressed Senator Gary Peters (D-MI). If approved, Inglis would be the first ever national cyber director, while Easterly would be the first person in CISA’s three-year history to become a director through a nomination process.

(Former CISA director Chris Krebs became the agency’s first head when it was created in 2018 from a predecessor organization for which he was undersecretary of state, and Brandon Wales rose to become assistant director when Krebs was withdrawn.)


These nominations also come at a critical time as ransomware and other attacks cripple large food and energy companies and threaten national security.

“As a nation, we remain at great risk of catastrophic cyberattack,” Easterly said in her opening comments.

Inglis’ experience spanned decades with the National Security Agency (NSA), where he eventually became Deputy Director. Easterly is currently Head of Corporate Resilience and the Fusion Resilience Center at Morgan Stanley and previously worked in counter-terrorism for the federal government.

Senators did not object to the nominations, but asked candidates about their ransomware and cybersecurity staffing plans, and how they envision their two agencies’ interaction.

COACH VS QUARTERBACK

With the prospect of a new position in cybersecurity, several senators wanted to find out the difference between Inglis’ and Easterly’s roles.

Inglis stated that he will manage the creation and adoption of a national strategy to increase the security of the cyber landscape and ensure that federal cybersecurity measures are “coherent and consistent”. He envisioned collaboration between actors at all levels of government and intense collaboration with the private sector, which is so often targeted, as the recent JBS and Colonial Pipeline incidents underscore.

“The national cyber director has a highly visible position within the US government that should be expected to provide a clear unified voice and public communication and advocacy,” said Inglis.

Easterly referred to CISA as the “quarterback” of a cyber defense team coached by the national cyber director.

While the FBI focuses on incident investigation and prosecuting perpetrators, CISA focuses on prevention and resilience. If confirmed, Easterly would be tasked with reducing risk to digital and physical infrastructure as the agency works to rapidly share threat intelligence between public and private entities and provide general cybersecurity support.

RANSOMWARE AND CYBER RISKS

Responding to the increasingly well-known ransomware threat requires a wide range of coordinated efforts to strengthen defenses and hamper attackers, Inglis said. The perpetrators are currently supported by everything from weaknesses in victims’ technology and a lack of cyber awareness among some target organizations to the ability of criminals to find safe havens in certain countries. Containing the threat requires a coherent effort to remove all of these supports.

Ransomware attacks have also shown that the government can no longer expect market forces or “enlightened self-interest” to motivate critical infrastructure providers to increase their own cybersecurity, Inglis noted, and therefore the government is likely to have to adopt more standards and regulations.

“We shouldn’t blame companies for paying ransom, but for having to pay the ransom in the first place – for failing to prepare,” Inglis said.

Easterly presented CISA as a resource to help organizations achieve ransomware-preventing levels of protection through the provision of threat intelligence, best practice recommendations, and technology support from the agency.

Jen Easterly testifies during a hearing about her nomination to head CISA.

Public and private collaboration on cyber threats generally needs to be improved. The exchange of information today largely means that companies hold back from reporting incidents until they have a full understanding and then simply provide facts. Inglis said a more effective approach would be for organizations to communicate with each other early on, even if understanding of the situation is still developing, to allow for a faster response.

He also said partners should share their interpretations of events so that other companies have the context to fully understand and use information.

“The exchange of information is a very important dimension of public-private cooperation,” said Inglis. “But that often fails because we only exchange information. We don’t share perspectives. We don’t share what might be a hunch or an insight.”

STAFF

The difficulty of hiring enough cybersecurity staff is an ongoing issue that could be a focus for Easterly, who said her first priority is making sure CISA has the staff, resources, and powers to move its work forward.

According to the (ISC)² Cybersecurity Workforce Study, US public and private organizations would have needed around 359,200 more cybersecurity professionals to protect their critical assets in 2020 than were available in the national talent pool this year.

Senator Alex Padilla (D-CA) pointed to this finding, adding that the problem is worsening in the federal government due to efforts to retain recruited professionals.

For Inglis and Easterly, the solution to this problem is manifold. Inglis advised raising cybersecurity awareness in K-12 training to develop the talent pipeline, and reducing the hurdles in hiring requirements that can block professionals who have the right skills but do not, for example, have a formal computer science degree. Easterly also advocated offering a wide range of avenues into employment such as apprenticeships, internships, and reserve programs.

Once new hires are in the door, companies need to give them the opportunity to see the effects of their work and find long-term career opportunities, Inglis said.

“You don’t need to think of this as a one-off position, but rather as part of a talent ecosystem, from recruiting to onboarding to integration, training and certification, rewards and recognition and promotion,” said Easterly.



source https://collegeeducationnewsllc.com/senate-hearing-clarifies-new-federal-cybersecurity-roles/
