Federal CISO DeRusha Named Deputy National Cyber DirectorDirector Chris Inglis Also Outlines Vision for NCD Office, Level of Accountability
National Cyber Director Chris Inglis on Thursday announced that Federal Chief Information Security Officer Chris DeRusha will concurrently serve as his deputy at the newly created office. Inglis, a Senate-confirmed top adviser to the president on cybersecurity matters, also released a "statement of strategic intent" outlining his own official duties - as lawmakers question the jurisdiction of top-level security leaders.
Speaking at an event hosted by the Center for Strategic and International Studies on Thursday, Inglis, who is the former deputy director of the National Security Agency, said, "This is not a subjugation of [DeRusha's] authorities to the national cyber director. It's an alignment and harmonization.
"So if you're a CISO in the federal enterprise and you hear each [of us] speak, we're finishing each other's sentences, [and] we're not going to [give] conflicting guidance. It will always be complementary."
The personnel announcement was part of a media blitz from Inglis' office, in which he took to his new Twitter account to describe DeRusha's dual designation, issued his office's vision statement and published a related op-ed in The Wall Street Journal.
Staffing and Collaboration
The national cyber director said his office will ultimately grow to some 75 to 80 staffers - with 25 being hired by the end of 2021. Still, that tally, he told CSIS moderator and cybersecurity researcher James A. Lewis, is not enough for the office to tackle federal security challenges alone. Instead, he said, his office will depend on collaboration with Congress and leaders such as Deputy National Security Adviser for Cyber and Emerging Technology Anne Neuberger, who was a co-panelist during the Thursday event; new Cybersecurity and Infrastructure Security Agency Director Jen Easterly; and U.S. Cyber Command and National Security Agency Director Gen. Paul M. Nakasone.
"I'm not the first, practically speaking, national cyber director. I follow on the heels of others who tried to do the same thing, which is: How do we bring coherence? How do we drive public-private collaboration?" Inglis said Thursday. "How do we have some degree of performance assessment and how do we account for not just present resilience … but future resilience?
"The role of the national cyber director … complements what the deputy national security adviser for cyber does, it complements what Jen Easterly [at] CISA does, and then all the other sector risk management agencies.
"There's a multiplicity of parties that have to collaborate in order to [achieve] that resilience. So, we need to get the roles and responsibilities right," he added. "We need to get people up to speed - not just the ones that have cyber in their titles, but everyone who plays a role in cyberspace. And we need to get the technology right."
John Ackerly, a former technology policy adviser at the White House, commented on the announcement, telling ISMG, "Cybersecurity needs to be an urgent focus at the federal level. I'm pleased to see that the White House is investing in leadership that will be dedicated to, and accountable for, our nation's cybersecurity strategy."
"I applaud the effort … to try and more clearly demarcate roles and responsibilities over the nation's cybersecurity," says Scott Shackelford, director of the Program on Cybersecurity and Internet Governance at Indiana University. "But the key will be coordinating between the 'alphabet soup' of ONCD, OMB, CISA, CYBERCOM, and the intelligence community."
NCD Mission Statement
In his new document, Inglis reconfirms that his office will drive coordination of missions and programs to protect local government and private sector networks, ensure optimal cybersecurity practices within federal departments and agencies, support said agencies as they plan and budget for cyber resources, "cultivate a more secure digital supply chain," equip federal agencies charged with cyber defense, and improve pathways for cyber talent.
"These efforts will improve our ability to collaborate, take Americans off the front lines of cyber conflict, and improve our national and economic security," the statement says.
So Neuberger, for example, remains a top adviser to the president on cyber issues tied to national security concerns - including the global ransomware threat and risks to critical infrastructure. Meanwhile, the Easterly-led CISA remains the government's operational agency - protecting against nation-state actors, for instance.
Ackerly, the co-founder and CEO of the security firm Virtru, says, "The statement sets a clear, high-level vision of cybersecurity that should be baked into the everyday lives of Americans.
"If executed well, this will be incredibly powerful: The outcome would strengthen public trust in government, safeguard our nation's most valuable data, and put much-needed parameters around privacy and security for every American."
"[This] is a much-needed document that lays down a forceful marker for the role that Director Inglis and the White House see the ONCD taking," says Marcus Fowler, a former department chief for the Central Intelligence Agency who is currently the director of strategic threat at the firm Darktrace. "The mention of 'Budget Review and Assessment' stuck out to me specifically as possibly the most telling indication of ONCD's growing importance, because that tends to be the most contentious area for political debate.
"I greatly appreciate that the mission and responsibility areas sit solidly in the cybersecurity and defense space. Comments around directing offensive operations would have been met with much greater resistance from policymakers and the intelligence community."
'I'm the Accountable Person'
Inglis' post stems from a recommendation of the congressionally created Cyberspace Solarium Commission, launched in 2019 - which ultimately offered dozens of cybersecurity policy recommendations, 25 of which have been codified into law. The co-chair of the commission, Sen. Angus King, I-Maine, said the Inglis-led ONCD represents an ability to unify disparate elements of the government's security efforts or, put plainly, identifies "one throat to choke."
At a recent hearing in the Senate Homeland Security and Governmental Affairs Committee, however, Sen. Rob Portman, R-Ohio, was keen to point out that there is still confusion on point of contact for firms dealing with a security incident.
"I am ultimately the accountable person," Inglis said at the time. "Now, my job is to make sure that that accountability has been allocated properly to agency and department heads."