Date: 2021-04-15

The four bipartisan congressional members of the influential federal Cyberspace Solarium Commission are praising President Biden’s selection this week of Chris Inglis to be the country’s first national cyber director and Jen Easterly to lead the Cybersecurity and Infrastructure Security Agency.

“As our adversaries’ attempts to probe our networks become bolder, the need for a leader with statutory authority to coordinate the development and implementation of a national cyber strategy to defend and secure everything from our hospitals to our power grid could not be more clear,” said a statement from Sen. Angus King (I-Maine), Rep. Mike Gallagher (R-Wis.), Sen. Ben Sasse (R-Neb.) and Rep. Jim Langevin (D-R.I.). King and Gallagher co-chair the commission, which was established in 2019.

Inglis, Easterly and Anne Neuberger, the government’s first deputy national security adviser for cyber and emerging technology, are taking on a big task.

A GAO report issued last month urged the federal government “to move with a greater sense of urgency commensurate with the rapidly evolving and grave [cyber] threats to the country.” It recommended the Biden administration fill gaps in former president Donald Trump’s cybersecurity policy, or scrap it and start anew. This is the most recent of more than 40 cyber-related reports the agency has issued since 2018.

The GAO and the commission previously called for the creation of the national cyber director post, and Congress did so in January. Inglis, a former National Security Agency deputy director, was instrumental in crafting the commission’s recommendation for the position he will hold if confirmed by the Senate.

Twenty-six commission recommendations were adopted by Congress. No recommendation was more vital than the proposal to create a cybersecurity coordinating office in the White House, King said by telephone.

Four “challenges,” the GAO’s euphemism for problems, have long plagued the nation’s increasing reliance on digital operations. The watchdog office said the federal government should:

● Establish a comprehensive cybersecurity strategy and perform effective oversight. None of 23 agencies the GAO reviewed near the end of Trump’s tenure had fully implemented “key foundational practices” for information technology supply chains.

● Secure federal systems and information. Cybersecurity weaknesses related to “ineffective information security programs” were demonstrated by the December discovery of a widespread cyberattack, nicknamed SolarWinds after a company involved, that hit government agencies, critical infrastructure and the private sector.

● Protect cyber critical infrastructure. Federal agencies have not fully implemented about 60 percent of 80 recommendations the GAO made since 2010. “As a result, the risks of unprotected infrastructures being harmed are heightened,” the office said.

● Protect privacy and sensitive data. “The vast number of individuals affected by various data breaches has underscored concerns that personally identifiable information is not adequately being protected,” the agency said.

Within the four areas, the GAO recommended 10 “critical actions,” with establishing and executing a comprehensive national and international cybersecurity strategy at the top of the list. Also on the list are addressing weaknesses in the cybersecurity workforce, the federal response to cyber incidents and the protection of privacy and sensitive data.

Workforce issues have long pestered cybersecurity programs at all levels and drew special attention from the commission. Federal documents have pointed to “a persistent shortage of cybersecurity and IT professionals to implement and oversee information security protections to combat cyber threats” in the government and private sectors, the GAO said.

While some progress was made under Trump, the report said his Office of Management and Budget and the Department of Homeland Security did not implement a government-wide workforce plan. The GAO gave OMB seven cybersecurity workforce shortage recommendations in April 2020. None has been implemented.

Why has the government’s cybersecurity protection been so lacking for so long?

“Nearly two decades of neglect and underinvestment in our cyber capabilities have put us in a pretty deep hole, but the federal government is beginning to act with a sense of urgency to address these challenges,” said Gallagher, after declaring “the warning signs are flashing red in cyberspace.”

Neglect and underinvestment persist because “it can be hard to connect investments to security outcomes in a concrete way,” said Rep. Bennie Thompson (D-Miss.), chairman of the House Homeland Security Committee. “People can go into an airport and see screening technologies deployed and watch TSOs [transportation security officers] screening passengers, and there are painful reminders about how poor aviation security can hurt people.”

But “cybersecurity is more abstract,” Thompson added. “Sometimes the consequences of a cyber incident are immediate and easily observable, sometimes they aren’t.”

Speaking of consequences, King wants Biden to announce a “clear, declaratory deterrent policy” that would lead to retaliation against foreign foes who cyberattack the United States.

Now, “we keep getting attacked and there’s no serious response,” King said Tuesday. There has not been “a major response that would change the calculus of our adversaries. To put it bluntly, we’ve been a cheap date in cyber. . . . We’ve taken a lot of hits and our adversaries have not felt any consequences.”

King estimated that Russian President Vladimir Putin “can hire 8,000 hackers for the cost of one jet fighter.” King is not critical of Trump’s cybersecurity efforts but says “this administration has to really step up.”

After Biden hit Russia on Thursday with sanctions for “malicious cyber activities,” including attempts to undermine U.S. elections, King called it “an important step.”

“There must be a price paid for cyber intrusions,” he said on Twitter, “and today that bill is coming due to Moscow.”