U.S. Cyber Chief in Limbo During REVil Attacks Set to Start Work

The White House plans to swear in the country’s first national cyber director Monday and the Senate expects to consider the nominee for director of the Cybersecurity and Infrastructure Security Agency, ending weeks-long delays on filling the Biden administration’s top cyber posts.

In the three weeks that the top cyber nominees were stuck in bureaucratic and political delays, the U.S. was hit by one of the largest ransomware attacks in history, affecting Kaseya Ltd.’s IT management software and more than 1,000 businesses.

Some lawmakers say the stall in moving Chris Inglis to be national cyber director and Jen Easterly to be CISA director shows there’s not enough urgency in combating growing cyber threats, which also include attacks earlier this year on SolarWinds Corp. and Colonial Pipeline Co.

Senate Homeland Security and Governmental Affairs Chairman Gary Peters (D-Mich.) last month stressed that cyber and ransomware attacks would continue as the top officials to combat these incidents are delayed.

“We urgently need a qualified and Senate-confirmed leader in place before the next major breech, which could be even worse,” Peters said in a floor speech on June 24 – just eight days before the ransomware attack reportedly executed by the Russian-based REvil cyber group.

Instead, Sen. Rick Scott (R-Fla.) put a hold on all Homeland Security Department nominees, including Easterly, until Vice President Kamala Harris visited the U.S.-Mexico border. Harris eventually did visit the border on June 25. Scott said he would then lift the hold, and is expected to do so on Monday when the Senate returns from its two-week recess, McKinley Lewis, Scott’s spokesperson, told Bloomberg Government.

Peters warned ahead of the July 4 holiday that a delay on Easterly’s vote due to Scott’s hold could give ample time for another cyberattack.

“We must be prepared for attacks that could disrupt trains or flights over the holiday weekend,” Peters said in the June 24 floor speech. “We must confirm Mrs. Easterly as the CISA director now, not in two weeks, not in two months.”

Peters expects to ask for unanimous consent next week to move Easterly’s nomination in an expedited Senate floor process, according to a Democratic aide for the Senate Homeland Security and Governmental Affairs Committee. Peters’ committee advanced Easterly’s nomination on June 16, more than three weeks ago.

Easterly, who heads Morgan Stanley’s cyber efforts and formerly worked at the National Security Agency, would be the first Senate-confirmed director of CISA, which partners with government agencies and private companies to defend against and respond to cyber and ransomware attacks. The previous CISA director — Chris Krebs — was confirmed in an earlier DHS cyber role before CISA was formally created in November 2018.

Cyber Director to Swear In

Inglis will officially be sworn-in as national cyber director in the White House’s executive office of the president on Monday morning, according to a person with direct knowledge of the plans. The White House didn’t comment about an official start date. If sworn in Monday, Inglis will start 25 days after the Senate confirmed him on June 17.

Inglis, who also formerly worked at the National Security Agency, will lead the new office focused on creating a national cybersecurity strategy and overseeing federal agencies’ cyber budgets in coordination with the Office of Management and Budget. The role was recommended by the Cyberspace Solarium Commission and signed into law in last year’s National Defense Authorization Act (Public Law 116-283).

Advancing Biden’s cyber nominees is long overdue for Sen. Angus King (I-Maine), the co-chair of the Cyberspace Solarium Commission that was tasked with recommending national cyber policies. Inglis was a member on the commission as well.

“Senator King has not missed any opportunity to share his thinking on the urgency to get a National Cyber Director in place and Inglis’ new office and operations stood up,” Matthew Felling, King’s spokesperson, told Bloomberg Government. “Barely a day goes by without a hack, an information theft or a ransomware destabilizing our information technology infrastructure.”

Rep. Jim Langevin (D-R.I.), also a member of the commission, says it’s time for the nominations to advance, after he pushed for a national cyber director for a decade.

“The never ending stream of cyber incidents has made it clear that we need a cybersecurity expert like Chris Inglis to coordinate cyber strategy across government to fully confront the national security threats of the 21st century,” Langevin said.

Mark Montgomery, the senior adviser to the Cyberspace Solarium Commission, said Inglis will help build out the Biden administration’s cyber team, which includes the National Security Council’s Anne Neuberger and hopefully Easterly once she’s confirmed.

“There are so many issues to handle in the NCD’s remit — building the public private collaboration, getting federal agencies more secure, and planning for adversary malicious cyber campaigns,” he said.

Congress has yet to appropriate funding for the national cyber director office. The White House has asked for $15 million in its fiscal year 2021 budget request, the same amount allocated in the House Appropriations’ Legislative Branch funding bill. In the meantime, the salary for Inglis and a small office staff will be covered by the president’s unanticipated needs fund for this fiscal year, according to a White House official.

With assistance from Courtney Rozen

To contact the reporter on this story: Rebecca Kern in Washington at rkern@bgov.com

To contact the editors responsible for this story: Giuseppe Macri at gmacri@bgov.com; Zachary Sherwood at zsherwood@bgov.com