(Disclosure: I have worked with nearly everyone mentioned in this article at the Aspen Institute, where most were engaged in the public-private Aspen Cybersecurity Group. I also coauthored a 2018 book on the US government’s approach to cybersecurity with John Carlin.)
With the exception of the Justice Department’s team, the key cyber players share a special background as veterans of Fort Meade, the base of the National Security Agency and US Cyber Command. Beyond Nakasone, Inglis spent nearly 30 years with the civilian side of the NSA, rising to be its deputy director. Before her appointment earlier this year, Neuberger founded and led the NSA’s Cybersecurity Directorate and previously served as its chief risk officer, carving out a unique public voice for an agency not normally known for its public engagement. Easterly, who worked in the NSA’s elite hacking team known as the Tailored Access Operations, in 2009 helped design, along with Nakasone and others, what later became US Cyber Command.
That shared NSA DNA is a belated admission, of sorts, of how long cybersecurity took a back seat in the government’s wider bureaucracy. When the Biden administration went looking post-election for senior, respected leaders who had worked and thought about these issues for years, it really only had one talent pool to draw from.
The NSA and Cyber Command, for its part, moved rapidly during the Trump administration to regularize more aggressive offensive cyber operations. Nakasone, as WIRED reported last fall, has carried out more offensive operations online in his nearly three years heading the dual-hat arrangement than the US government had ever done prior to his tenure—combined. In recent months, US Cyber Command has begun to focus its attention not just on nation-state adversaries but also on transnational organized crime, which US officials increasingly point to as having risen to a scale and sophistication that equals the threat from established online adversaries like Iran and China.
The Biden White House, though, is still very much sorting out its own approach to cyber issues, from Chinese tech companies to ransomware. While Inglis, Neuberger, Monaco, Easterly, and Nakasone are friendly and collegial, they have differing philosophies, and they now find themselves arrayed across government with very different equities, tools, and capabilities.
How Inglis and Neuberger work together and share power inside the White House going forward will be one of the biggest questions of the Biden administration’s approach to the internet, as will the question of how Easterly and Nakasone balance the government’s civilian and military approach online. The answers will have a bearing not just on current technology and security policy but the future of US cyberdefense. If the NSA and Cyber Command split in two at the conclusion of Paul Nakasone’s tenure, then Neuberger, Inglis, and Easterly are among the obvious candidates—along with current NSA director of cybersecurity Rob Joyce—to take the reins of the intelligence agency.
They’ll also need to navigate long-simmering tensions between their respective agencies and their relative funding. CISA was formed only in 2018, out of what had long been a convoluted and shape-shifting DHS component known most recently as the National Protection and Programs Directorate. It’s been on a hiring spree this spring, bringing on hundreds of new cyber professionals, but it’s still only a quarter to a third the size of Cyber Command, and not even a tenth the size of the NSA. It has few true authorities to compel cooperation across the private sector, or even sometimes inside government.
And these are hardly the only complications facing anyone seeking to make a coherent government response to still-growing threats online. Beyond the “big five” outlined above, the US Secret Service and Immigration and Customs Enforcement both also share online enforcement duties, and many Americans were surprised to find this spring amid the Colonial Pipeline incident that the Transportation Security Administration, best known for its blue-uniformed airport security screeners, actually oversees the cybersecurity of the nation’s pipelines, among other odd corners and jurisdictions.