It’s been two months since President Joe Biden announced his two most important Senate-confirmed cybersecurity picks: Jen Easterly to lead the Department of Homeland Security’s cybersecurity agency, and Chris Inglis to be the national cyber director.
During that time, ransomware attacks have forced temporary shutdowns of a major fuel pipeline and a big meat supplier, and Biden has signaled he will raise the issue of harboring criminal hackers in a meeting next week with Russian President Vladimir Putin.
Americans got their closest look yet at how Inglis and Easterly would approach those pressing issues during a Senate confirmation hearing Thursday. The nominees labeled ransomware a “scourge” that threatens national security, vowed to work with critical infrastructure firms to improve their defenses, and wondered aloud whether additional federal regulations were necessary to incentivize firms to reduce their vulnerabilities to hacking.
The U.S. government, Inglis said, must “seize back the initiative that has too long been ceded to criminals and rogue nations who determine the time and manner of their transgressions.” He called on the U.S. and its allies to “remove the sanctuary [to ransomware criminals] and bring to bear consequences on those who hold us at risk.”
Easterly spoke with similar urgency: “We’re now at a place where nation-states and non-nation-state actors are leveraging cyberspace largely with impunity to threaten our privacy, our security and our infrastructure.”
Inglis and Easterly, two experienced veterans of the National Security Agency, have tall tasks ahead of them if confirmed.
Inglis would be the first ever national cyber director, a new, congressionally mandated role designed to make the government better at responding to major hacks, including ransomware attacks. Easterly would take the reins of DHS’s Cybersecurity and Infrastructure Security Agency, an agency charged with protecting federal civilian networks not only from ransomware but also from spying operations like the alleged Russian scheme that exploited SolarWinds software.
The pair would be working with a Congress that has been willing to increase spending on cybersecurity.
Reps. Jim Langevin, D-R.I., and Mike Gallagher, R-Wisc., for example, have asked House appropriators to make $400 million in additional funding available for CISA’s 2022 budget. The White House’s discretionary funding request for CISA in fiscal 2022 totals $2.1 billion.
It will take more than money to put a dent in the stream of ransomware incidents that have hobbled firms in numerous sectors, from health care to manufacturing. In 2020, ransomware payments from victims increased by 311% to reach nearly $350 million in cryptocurrency, according to Chainalysis, a company that tracks virtual payments.
Fuel transporter Colonial Pipeline and meat processor JBS paid $4.4 million and $11 million, respectively, to criminal hackers to recover from their ransomware attacks. That sparked criticism on Capitol Hill that corporations are fueling a criminal economy that shows no signs of abating.
Asked to weigh in on the issue, Inglis told lawmakers it is important to “hold accountable companies not so much for paying the ransom, but for being in the position where they had to pay the ransom in the first place, for the failure to prepare for that.”
He compared ransomware to a fire that can be managed rather than extinguished.
“What we need to do is to make these systems defensible,” Inglis said. “They’ll never be secure.”
By implementing basic security practices such as multifactor authentication, software patching and network segmentation, Inglis added, security personnel can blunt a great majority of threats. For her part, Easterly said that CISA’s role was to “prevent people from being in that position” of having to pay the ransom by offering technical guidance and threat information.
In the wake of the Colonial Pipeline hack, the Transportation Security Administration has for the first time imposed mandatory cybersecurity requirements on pipeline operators. Pipeline operators are required to report hacking incidents to CISA within 12 hours of detection, and would incur fines starting at about $7,000 for failing to comply with security guidelines.
The pipeline regulations, which add to those governing the electric sector, have some lawmakers and administration officials wondering if more regulations are necessary.
Easterly said it was apparent “that voluntary standards are probably not getting the job done” in terms of prompting adequate cybersecurity protections at critical infrastructure firms.
“There probably is some sort of role for making some of these standards mandatory, to include notification,” she added. “I do think it’s important that if there’s a significant cyber incident, that critical infrastructure companies have to notify the federal government, in particular CISA. We have to be able to warn other potential victims.”
Inglis echoed that point.
“When [private firms are] conducting critical activities upon which the nation’s interests depend, it may well be that we need to step in and we need to regulate or mandate in the same way we’ve done for the aviation industry, for the automobile industry,” he said.