In a conversation with journalist Kim Zetter Friday at the hacker conference DEF CON, White House National Cyber Director Chris Inglis asserted that the way forward for cybersecurity is defense, defined roles and responsibilities and investing in resilience and robustness.
According to Inglis, there are “three waves of attacks” that have progressed in recent years.
The first wave “focused on adversaries holding data and systems at risk.” In the second, the attackers “still held data and systems at risk, but they then abstracted that into holding critical functions at risk.” The third is an attack on confidence, as exemplified by the attack on the Colonial Pipeline.
“The most important lesson from that is [attackers] then held the confidence of millions of people at risk,” Inglis said. “And what they eventually succeeded in doing was in defeating one, they defeated all. They defeated tens of millions of people because of a single person’s error. We need to flip the script.”
Inglis declared that the solution is to focus on defense, and specifically collective defense.
“The only reasonable solution is to get serious about defense; to make defense the new offense, such that if you’re an adversary in this space, you’ve got to beat all of us to beat one of us,” he said. “That requires an investment upfront on resilience, robustness, not just in data and systems, but in roles and responsibilities. That’s how you defend collaboration, and confidence too, so that you need to make sure that everyone in the system understands what role they play in the defense of that system, so that everyone can participate in their own defense.”
Inglis pointed to Ukraine’s cyber defense as a good example of collective defense between their preparedness, collaboration as well as the confidence in the resilience and robustness of what their suppliers are providing them.
When it comes to proactively preventing or mitigating attacks like Colonial Pipeline, SolarWinds and Operation Aurora because of—as Zetter put it—“a lack of anticipation or imagination” of what future attacks could look like, Inglis stated that people and organizations need to clearly understand their roles and responsibilities.
“We actually don’t know who is accountable for what in delivering the resilience and robustness that’s required in digital infrastructure, not for its own sake, but so that it will deliver personal activities, business activities, so on and so forth,” he said.
In addition to focusing on defense, Inglis highlighted the need for vertical and horizontal reconciliation for issues as well as the need to focus on capital expenditures. He added about the importance of responsibility across the supply chain.
“We need to make sure that we’re no longer going to accept that you can deliver a system to somebody who’s using it for some purpose and have made no investment in its inherent resilience and robustness,” Inglis said. “We need to allocate responsibility and accountability to the providers, the suppliers, the integrators, so that they actually invest what’s required to make those systems inherently resilient and robust.”
He added that this measure is important “so that it’s not the person who’s operating at the end of that web chain stuck with a system that can’t be defended, and having to wholly defend themselves against somebody that they actually can’t beat on that given day.”
Inglis also discussed using foreign manufactured goods, such as semiconductors, that are used in a variety of critical infrastructure. He urged for the need “to have an honest, eyes-wide-open recognition of what the true cost is [of] relying on foreign produced critical infrastructure.” However, he stated that these items cannot be “ripped and replaced” because the United States needs to have the capacity to onshore or reshore these items. One example of such effort is the newly enacted CHIPS and Science Act, which seeks to bring back semiconductor production to the United States so the nation is not solely reliant on foreign-made chips.
Inglis noted that the federal government cannot just look at one or two departments. It must try to address the whole pie, not just a slice, when combatting this issue.