Chris Inglis, who retired earlier this year as the nation’s inaugural cyber director, told the Maryland Cybersecurity Council that both professionals and individuals need to focus on their roles and responsibilities to keep our digital systems safe.
In his talk, which took place at the council’s meeting held at the University of Maryland Francis King Carey School of Law in Baltimore, he used current events, as well as personal and professional experiences, to frame the “how, why and who” of cybersecurity.
Inglis has served in a broad range of security roles during his more than 41 years of federal service. In 2021, he was named by President Joe Biden to serve as the country’s first national cyber director. He shared his insights at the October 20 meeting of the council, a statutory body chaired by Attorney General Anthony Brown and staffed by University of Maryland Global Campus (UMGC).
“Think about the COVID-19 experience,” Inglis said. “In record time, we diagnosed what that was, devised in the form of a vaccine, deployed the knowledge of how that vaccine could be built across multiple companies, logistically produced that vaccine and applied an inoculation to most of the population.
“This would have been impossible even 10 years ago,” he said. “Yet, at the same time, you can’t go a week without reading about the notorious action taken by some adversaries in cyberspace that holds all of us at risk.”
Inglis noted that the COVID-19 vaccine was made possible by a digital infrastructure. Protecting that infrastructure through strong cybersecurity, he added, is a shared responsibility, much like the safety systems that we have built into cars—which assign responsibilities to both automakers and motorists.
“Imagine if in buying your car, the manufacturers of those cars were not accountable for building inherent safety features like air safety bags, seat belts and brake lights,” he said. “I can choose to drive drunk, text and drive or not wear my seat belt, but if I play my role, then I’m participating in a coalition of those committed to the inherent safety in the system.”
Inglis used real-life cyberattacks to address the “how,” “why” and “who” of cybersecurity. He stressed that cybersecurity succeeds not just because of the technology, but also through the assignment of expectations, roles and responsibilities.
In discussing the “how,” he pointed to the criminal gang behind the 2021 ransomware attack of the Colonial Pipeline, which disseminates petroleum products up and down the Eastern seaboard. A single error—the pipeline’s failure to properly configure a virtual private network—enabled the largest cyberattack on an oil infrastructure target in the history of the United States and eroded the trust of millions of people who had believed the system was secure.
“That confidence is what makes a free and open society. Confidence in rules and systems that engender trust, like trusting that we can drive down a road that has opposing traffic and no one is going to come across the line into my lane,” Inglis said.
To explain the “why”—why we have cyberspace and why we care about it—Inglis cited Jeff Moss, the hacker, computer and internet security expert who founded the Black Hat and DEF CON computer security conferences. Moss once asked, “Why do race cars have bigger brakes now?” The answer? So the car can perform as we hope it will perform.
“We need to ask the same question about cyber,” said Inglis. “We have cybersecurity because I want to do my banking, because I want to follow my granddaughter [on social media], because I want to deliver critical functions online. It’s a binary proposition that is all made possible because of digital infrastructure.”
Perhaps even more important than the technology is the “who.”
“The things that people do, the choices they make, the actions they take, whether they are complacent, implicate our cybersecurity future,” Inglis said. “Do we know who is responsible for what? Can we mobilize all the talent in the room?”
Inglis used the Russian nation-state attack against the software company SolarWinds in 2020 as an example of a critical people-skills flaw.
“Nobody in that supply chain was thinking about security. The Russians didn’t have to exploit some vaunted technological flaw, they just walked right through the front door,” he said. “What kept me awake at night as the national cyber director was not the Russians, not the Chinese, not the Iranians, not the North Koreans, not ransomware actors, all of whom were quite busy.
“It was the proactive ambivalence of us,” he said.
Inglis shared his experiences in boardrooms and agencies, where he almost always found some degree of proactive indifference. “Everyone would acknowledge cybersecurity and hope that someone is doing something about it,” he explained.
Inglis stressed that cybersecurity needs not just the technology but also the assignment of expectations, roles and responsibilities, and getting people skills in the right place.
“Let’s teach our kids as much about cyberspace as we teach them about a hot stove or crossing a city street in a busy city like Baltimore.”
The Maryland Cybersecurity Council was established July 1, 2015, through Senate Bill 542, to work with the National Institute of Standards and Technology and other federal agencies, private sector businesses, and private cybersecurity experts to improve cybersecurity in Maryland.