Biden’s cyber chief wants to help software developers code better and Americans click smarter

National Cyber Director Chris Inglis is planning projects focused on the security of open-source software and the cyber literacy of the American public as he seeks to establish himself within a crowded constellation of cybersecurity leaders in the Biden administration.

Inglis, an NSA veteran who was confirmed by the Senate last summer to lead a newly created White House office, is moving quickly to demonstrate the value of his team amid growing threats from adversaries like Russia and China and cyber criminals such as ransomware gangs. His staff will grow to 25 people this week and is expected to reach 75 people by the end of the year.

“We have too little resilience built into this digital infrastructure, and we need to improve that,” Inglis said in an interview Friday. “We need to make sure that we buy that tech debt down.”

Inglis’ open-source software security initiative will focus partly on coordinating the work that the Cybersecurity and Infrastructure Security Agency, the National Institute of Standards and Technology and the National Telecommunications and Information Administration are doing to promote secure coding practices, well-run vulnerability disclosure programs and other basics. But he said his team is also planning “our own initiatives” aimed at improving the resilience of open-source software — the freely distributed, often volunteer-written code that underpins essential aspects of modern life.

“The government has extraordinary expertise … that it needs to put on the table and make a contribution to the private sector … and it can and will do that,” Inglis said, citing NIST’s work in particular.

Inglis spoke at a White House meeting Thursday that included federal officials and representatives from major tech companies and open-source software organizations. The Biden administration has committed to helping the software community shore up the security of critical coding projects. Security professionals say federal investment will be key to the success of private-sector programs designed to protect open-source code.

Inglis’ workforce initiative will build on one of the core missions that he identified for his office in an October vision statement.

Across the United States, hundreds of thousands of cybersecurity jobs remain unfilled, a shortage that analysts describe as one of the nation’s most serious weaknesses. But Inglis said his initiative will go beyond just preparing people to fill those jobs. He wants to raise the cyber literacy of the entire population, given that responsible online behavior is now as important to collective safety as responsible driving.

By spreading basic cybersecurity knowledge far and wide, Inglis said, “we can increase resilience and robustness not just in technology, but in people.”

Another one of Inglis’ projects should reassure cyber professionals who are watching as hundreds of billions of dollars flow to states and cities for infrastructure upgrades as part of the bipartisan bill that President Joe Biden signed last November.

Inglis said his ambition is “making sure that all of that money is spent in a way that is cyber-aware, to ensure the resilience and robustness of those infrastructure items are fully delivered to the American people.”

Inglis said he was being careful not to “oversell and under-deliver” on any of his initiatives, but he said the public should expect to see some progress on them within the next quarter.

A resource for agencies’ cyber chiefs

One of Inglis’ biggest priorities is making sure that the entire government moves cohesively to confront its cyber challenges. That means ensuring that agencies’ chief information security officers have a shared understanding of the administration’s goals and making sure they receive the support they need from the White House.

Federal CISO Chris DeRusha, whom Inglis tapped to serve concurrently as his deputy focused on government cybersecurity, is “leading an effort across the federal CISOs” to clarify what the White House expects of them and help them prioritize those tasks, Inglis said.

Inglis estimated that he has met with about one-fifth of the roughly 100 agency CISOs, seeking to understand how each defends their networks, many of which have quirks related to their agencies’ missions. “They're teaching me quite a lot about … the challenges [and] the opportunities that they face,” he said.

Long-term work buffeted by crises

Inglis has been overseeing agencies’ compliance with many of the tasks in Biden’s May 2021 cyber executive order, including the rollouts of multi-factor authentication and encryption across the federal government. The administration has declined to release statistics about how widely agencies have deployed these basic features. But Inglis, whose office is in the middle of an EO assessment, said that “we've made substantial progress.”

What’s holding back agencies is “the tyranny of the moment,” Inglis said. “All of these systems are being used for valuable mission purposes,” so it’s hard to take them offline for complicated and time-consuming upgrades.

The recurring security crises haven’t helped, either. In December, security researchers disclosed a severe vulnerability in the Java code library Log4j, which is present in thousands of widely used software products. The flaw, which was estimated to affect hundreds of millions of devices, sparked a global rush to patch affected software and highlighted once again how little most organizations know about the code they’re using.

In addition to blindsiding the security community, the incident intruded on efforts to implement Biden’s executive order, according to Inglis.

“We thought we were on course to make all the necessary investments [in] the architecture,” he said, “and you have to pause and deal with … something that's been a weakness in the architecture that's been there for quite some time.”

“We're going to have to balance current operations [and] the occasional surprise” with investing in future resilience, he added.

Cyber office takes shape

Inglis has rapidly grown his team since receiving a $21 million budget in the infrastructure bill. He expects to have 25 employees onboard this week, plans to double the size of his team in the next few months and reach his congressionally-authorized cap of 75 employees by the end of the year.

In addition to a principal deputy, Inglis will have four other deputies managing several of his most important missions, including budget and strategy, technology resilience, national cybersecurity and federal cybersecurity, with DeRusha already in place overseeing the last of those missions.

“But as a startup, we need to reserve the right to adjust that as time goes by,” he said. “We understand that … as our aspirations meet reality, some adjustments might be necessary.”

Inglis is keen to ensure that his budget oversight authority doesn’t create conflicts with OMB. His office has met with OMB, and together they have formed joint teams to collaborate on the work for which they share responsibility.