Ex-US cyber boss slams politics getting in the way of preparedness

interview The bodies responsible for securing America from cyberattacks are currently too fragmented to be successful, according to former US National Cyber Director Chris Inglis, the first person ever to hold that job. 

The Register spoke with Inglis on October 1 as the federal government shut down, a key cyber-threat sharing law expired, funding for a similar intel-swapping effort at the state and local level ended, and the US Cybersecurity and Infrastructure Security Agency reportedly furloughed 65 percent of its workforce. 

In all, it's not a good look for American cybersecurity at a time when the US faces mounting digital threats from China and Russia, along with homegrown cybercriminals.

When asked about US cyber-readiness, Inglis told The Register that "it's almost fractured by design, because we haven't quite stitched it together."

He pointed to at least two current dilemmas. "One is the cessation of the CISA of 2015."

He's referring to the decade-old Cybersecurity Information Sharing Act: a voluntary cyber-threat information-sharing law between the private sector and the federal government that provides legal protections to companies and other non-federal entities to encourage them to share threat indicators with the feds.

CISA 2015 expired on September 30 despite widespread support from industry - and despite any real opposition from anyone on either side of the political aisle. It seems to have been a case of benign neglect.

"I don't know anybody who opposes its extension, and yet it has lapsed," Inglis said. "I'm hoping the activities that have taken place under CISA 2015 have been sufficiently valuable to all sides that sharing will continue - to at least some degree - until the legislation can be put back in place."

We need every living soul on the front lines

The furloughed federal employees, many of whom are tasked with defending government networks and other critical infrastructure, are "also regrettable," Inglis said. 

"Leave aside politics. Each and every person who's on the front lines of this is essential for the collective effort that we're mounting," he continued. "It's not to say that there isn't a bulwark of people in the private sector and non-federal positions who are also important, but we need every living soul on the front lines."

"Fracturing this by design, because we don't have the right sense of a coalition - taking some assets off the field - it's not wise at this moment in time, because the transgressors never have a day off." Inglis said.

Plus, AI allows cybercriminals to scale their attacks much more rapidly, helping them write a convincing phishing email in multiple languages with legit-looking company logos, or make a digital scam more convincing via AI-generated images, audio, and video.

"Transgressors are studying it, using it every day, at scope and scale, and that becomes something that's not simply a quantity of activity on the periphery of the things we defend, but it takes on a qualitative inflection point, and that's a huge threat," Inglis said. 

• Ex-NSA chief warns AI devs: Don't repeat infosec's early-day screwups
• Feds cut funding to program that shared cyber threat info with local governments
• Cyber threat-sharing law set to shut down, along with US government
• Air Force admits SharePoint privacy issue as reports trickle out of possible breach

Defenders "typically lag" in adopting new technologies because they, unlike the attackers, don't want to ship or use a product with any major defects. This gives the criminals an 8- to 12-month advantage over infosec professionals, according to the former National Cyber Director, and "we can't afford that at this moment in time."

This doesn't mean skimping on securing AI systems, he added. Safety and security should be built into AI models during development, not layered on as an afterthought, which will cost less in the long-term, Inglis said. But that requires investment, both financial and in terms of human resources, across corporations and government. Overall, he says, securing our digital infrastructure needs to receive the same level of attention and investment as any other core business practice.

"If we invested more in the resilience of digital infrastructure, if we knew that like the back of our hands - take away the possibility somebody is going to live off your land and you don't know it - we could actually put a dent in this," Inglis said. "You make the case that their business proposition, the viability of that company, depends upon digital infrastructure in the same way that hiring the next CEO, or making wise choices about what markets and what capital structure you have does. That's where we need to place digital infrastructure." ®