Published by The Lawfare Institute
in Cooperation With
Chris Inglis has been nominated to be the nation’s first national cyber director. Jen Easterly has been tapped to be the next director of the Cybersecurity and Infrastructure Security Agency (CISA). And Anne Neuberger is the deputy national security adviser for cyber and emerging technology at the National Security Council.
All three are wonderful professionals, and the United States will benefit greatly from their expertise. I mean that sincerely, and I wish them all the very best of luck.
But permit me to voice a small note of concern about the apparent focus on espionage and offensive action in the cyber domain that their appointments seem to reflect. All three of them have vast experience—and for all three of these leaders, the depth of that experience comes from their time at the National Security Agency (NSA).
Please do not misunderstand. I am a huge fan of the NSA and of the work that the agency (along with CYBERCOM) does every day. But it is one thing to appreciate the expertise of these individuals and another to think that the top three cyber policy positions in the Biden administration should be filled exclusively by people whose dominant cyber expertise comes from their experience at the NSA. Was there not a single person with a private-sector background, or even a nonmilitary government background, who could have been chosen to serve?
Consider: Neuberger has been with the NSA since 2009 and has served in many roles, including assistant deputy director of operations and chief risk officer. Easterly, likewise, was with the NSA from 2009 to the end of the Obama administration (though, to be fair, she has been with Morgan Stanley for the past four years). And Inglis is a career military officer whose highest position was as deputy director of the NSA before he left to teach at the Naval Academy.
To repeat—none of this is bad. To the contrary, that depth of experience is good for the nation. But the NSA’s focus has been, and will continue to be, on offensive capabilities. As Inglis himself once put it: “If I were to score cyber the way we score soccer, the tally would be 462-452 20 minutes into the game …. In other words, it’s all offense and no defense.” A leader with different experience might, I think, have brought added diversity to their deliberations and a more nuanced understanding of how private-sector cybersecurity functions.
Without in any way suggesting that the experience these dedicated public servants bring to the table is inadequate or inappropriate, can I be forgiven for wishing that President Biden might have picked a private-sector leader for one of these top three cyber positions? Someone, in other words, whose main experience has been in defending the nation’s networks rather than in attacking the adversary.