In July, the US appointed its first National Cyber Director (NCD). While we've long heard about a "cyber tzar," this position is both similar and different. The NCD is similar in that the position serves as the principal adviser to the president on cybersecurity. It is different in three ways: First, the NCD is to "lead the coordination of implementation of national cyber policy and strategy," as per the legislative text, meaning we will finally have a chance at a unified, one-team approach to cyber across all the agencies. Second, the position is endowed with a staff of 75 people rather than being essentially a single person. Third, as co-chair Sen. Angus King put it, it gives Congress "one throat to choke." The Senate confirmed Chris Inglis as our first NCD. I can think of no better choice.
Inglis now has three key problems to address. First, he must create a system for getting the right cyber personnel into the government. Second, he'll set precedent for the process — and effectively power — of the NCD for handling incidents and forward-looking strategy. Third, he needs to focus on removing the substantial barriers to adopting modern tech within the government.
Getting the Right People
The US needs to gather the best minds by recruiting raw technical talent and empowering that talent to do what they do best. With the right people, we will build consistently toward long-term solutions; with the wrong people, we will continue to have lackluster response. I say technical talent specifically because that is the pain point. Getting a top-level bureaucrat or business leader to join an administration is not a challenge — but finding a top-performing cyber engineer willing to join the US government is.
Inglis must fundamentally refocus the government to attract and retain people. The main bottleneck is simple: compensation. Would you volunteer to take home significantly less pay than those in private industry positions to work for the government? That's exactly the choice our government asks of cyber experts today. Inglis must figure out how to fix this.
Creating the Right Processes
Coordinating roles are difficult because they come with no real authority; it must be created by the incumbent. While the Senate gave the NCD the ability to "promulgate such rules and regulations as may be necessary to carry out the functions, powers, and duties vested in the Director," it's uncertain what that will mean in practice. In fact, the same act that created the NCD also states that the position does not modify any authority of existing operating agency heads, and it does not authorize the NCD to direct to conduct any specific defensive authorization. In other words, existing agency heads can essentially do what they want.
The key will be for the NCD to turn the "one throat to choke" for senators to "one voice of the agencies" that Congress listens to, especially regarding the power of the purse. If the NCD is seen by agencies as the role that determines how Congress creates the budget, for example, then those agencies will have to work with the NCD as a true partner. Inglis is a skilled operator, and he knows the best way to do this is by showing how agencies can be more empowered by working together than in their own silos.
Getting the Right Technology
I've worked with the US government throughout my life in many capacities. The biggest barrier in modernization isn't will within the government, it's procurement. Want to bring in a modern tool to improve cyber? Show me where, on that contract written umpteen years ago, that tool or requirement appeared. Then fill out a form in triplicate. Then put it out for bid, where of course only the existing large-scale government integrators will participate.
For example, fuzzing was the key technology used to automate finding vulnerabilities in the Cyber Grand Challenge, it is part of the Microsoft Security Development Lifecycle, and it's effectively used by Google to find tens of thousands of bugs and vulnerabilities automatically. Want to deploy it in the government to make software safer? That's a challenge of procurement and regulations.
Inglis should focus on modernizing procurement in a way that empowers agencies, even for large-scale "programs of record" that have long-standing contracts. Part of the trick will be moving procurement itself to a more agile framework. Experts on the ground — not lifelong middle managers, bureaucrats, or generals in the Pentagon — must be empowered to adapt and even require tools that make a difference as part of government acquisition and system maintenance.
Dear Mr. Inglis, You Can Do This!
I've spoken with Inglis many times. He is not a career bureaucrat. He is a leader who has spent his career in service to the nation. While cyber is always tough, he can make a difference by focusing on those three things: people, process, and technology. First, make it so we can recruit the right people. Second, figure out how to turn coordination into amplification as a process. Third, make it so we can bring in technology at the speed it evolves, not the speed at which contracts are written.