Seven months into Joe Biden’s presidency, an administration confronting several cybersecurity crises finally has a permanent director en route to take over one of the top few cyber posts in the federal government.
Once she’s sworn in, Easterly — the departing head of Morgan Stanley’s Fusion Resilience Center and a former White House and National Security Agency official — will be busy with the aftermath of a spree of ransomware attacks that have attracted the attention of policymakers like none before. They include incidents at fuel supplier Colonial Pipeline, meat processor JBS and software company Kaseya, where a compromise opened the door for attackers to claim perhaps thousands of victims.
In the early months of the Biden administration, officials also have contended with a cyber-espionage operation that involved the federal contractor SolarWinds, and a Microsoft Exchange Server breach that claimed a wide swath of victims.
In written testimony before the Senate Homeland Security and Governmental Affairs Committee at her nomination hearing in June, Easterly spoke about the role of CISA’s director.
“Within the federal cyber ecosystem, CISA is the ‘quarterback,’ charged with protecting and defending federal civilian government networks; leading asset response for cyber incidents; and ensuring that timely and actionable information is shared across federal, non-federal, and industry partners,” the testimony reads.
She and Chris Inglis, sworn in Monday as the White House’s national cyber director after the Senate acted on his nomination last month, also talked about moving beyond voluntary security standards for critical infrastructure.
“There probably is some sort of role for making some of these standards mandatory, to include notification,” Easterly said. “I do think it’s important that if there’s a significant cyber incident, that critical infrastructure companies have to notify the federal government, in particular CISA. We have to be able to warn other potential victims.”
After the committee voted to advance her as CISA head, Sen. Rick Scott, R-Fla. — despite supporting Easterly — placed a hold on her nomination and other DHS political picks conditional on Biden and Vice President Kamala Harris visiting the Mexican border. Harris did so two weeks ago, and the Senate has been on recess since.
Easterly’s wait, exacerbated by Biden waiting until April to put forward her nomination, came at a critical time.
Easterly’s pause in Congress wasn’t substantially worse than those of the two previous people to inhabit the office, however. The Trump administration announced it would nominate Chris Krebs as the permanent director of CISA’s predecessor agency, the National Protection and Programs Directorate, in February of 2018. The Senate confirmed him in June. Krebs had been functionally serving in the job since August of the year before.
The Obama administration sent the nomination of Suzanne Spaulding to serve as NPPD head in January of 2014 and the Senate advanced her nomination two months later. The White House had signaled its intent to nominate Spaulding in August of 2013, but she too effectively served as acting head of the agency in the interim.
In a floor speech Monday, Senate Homeland Security and Governmental Affairs Chairman Gary Peters said the attacks on Kaseya and a reported attack on the Republican National Committee came during Scott’s hold.
“Unfortunately, these are only the latest of several recent cyberattacks [that] threaten our government, critical infrastructure and key industries,” the Michigan Democrat said. “These attackers will stop at nothing to infiltrate our networks and [we] urgently need qualified Senate-confirmed cybersecurity leaders in place to fight back.”