(Bloomberg) -- On March 2, US President Joe Biden’s administration proposed some of the most aggressive measures to fight cyberattacks to date. They would require businesses to beef up their defenses and hold software makers more accountable for security breaches.
Noticeably missing that day was the architect behind the plan: Chris Inglis, America’s first cyber director. Inglis had stepped down from his post a few weeks before the unveiling.
Inglis didn’t say much publicly at the time about why he had resigned after fewer than two years on the job. He told some that he had accomplished what he set out to do. But, according to five people familiar with his thinking and emailed correspondence, the primary reason was clashes with another senior cybersecurity official, Anne Neuberger, the deputy national security advisor for cyber and emerging technology.
Inglis’s resignation dissolved what one veteran of the cybersecurity industry dubbed the “dream team,” led by Neuberger, Inglis and Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, known as CISA. With the Biden administration just beginning to implement the cyber strategy, it has yet to nominate a successor to Inglis.
This trio of highly accomplished, former National Security Agency officials were brought together in 2021 just after cyberattacks had forced shut the nation’s largest fuel pipeline, leading to widespread gasoline shortages, and temporarily wiped out one-fifth of US beef capacity. The US was still recovering from an attack by Russian hackers who had infiltrated federal agencies and major technology companies, in part by installing a digital backdoor in popular SolarWinds software.
They were meant to work hand-in-hand to defend US agencies and businesses against relentless cyber-espionage and a surge in ransomware attacks against everything from energy infrastructure to hospital systems.
But from the start, observers worried that the two White House cyber jobs overlapped and had competing lines of authority, setting the stage for a turf war, according to interviews with more than a dozen people, including current and former White House officials.
Inglis accused Neuberger of withholding relevant information from his office and trying to undermine his efforts to draft the cyber strategy, according to a March 14 email that Inglis wrote to a former colleague that was reviewed by Bloomberg News.
In a statement, Neuberger said she and her staff — who form the National Security Council’s cyber office -- fully supported the cyber strategy, worked closely with Inglis’s team and didn’t undermine their efforts. She also described Inglis’s office as being “frequently unrealistic’’ about how things are done at the White House.
The discord between the national cyber director’s office and Neuberger’s, which hasn’t been previously reported, threatens to imperil the administration’s efforts to curb hacking and roll out its ambitious new cyber strategy, according to one current and three former White House employees. And it comes as the administration is under pressure to protect critical sectors of the economy from foreign threats, particularly from Russia and China.
The cyber director’s office, which was created by Congress and now has about 80 employees, is responsible for making a plan to implement the cyber strategy, under NSC oversight. Kemba Walden, a former Microsoft lawyer and Department of Homeland Security official, is serving as the acting national cyber director, and Biden is expected to nominate a new person in the coming weeks, according to three people familiar with the matter.
A NSC spokesperson declined to comment on a potential appointment. The cyber director’s office declined to comment for this story.
In a statement provided to Bloomberg, Inglis, 68, said he assumed that the “principal partner’’ for his office would be Neuberger’s cyber directorate. At the staff level, he said, conversations between their offices were “often quite productive.”
But he added that every organization outside of Neuberger’s “demonstrated a qualitatively and quantitatively stronger commitment to the foundations of collaboration: transparency and commitment to advance shared interests.” Inglis said there was a lot to learn in setting up a new organization, but he added, “We learned fast.”
Neuberger, 47, said the “reports of discord have had little if any impact,” and she said the Biden administration has done more to improve the nation’s cybersecurity than has been done in the last decade.
A NSC spokesperson separately credited Neuberger with helping to lead “a comprehensive effort to secure our federal government and the nation’s most critical infrastructure.”
“Anne’s leadership and coordination across the federal government have been essential to these achievements,” the spokesperson said.
Mark Montgomery, the former executive director of the Cyberspace Solarium Commission, a Congressionally-mandated group that recommended creating the role of national cyber director, said the two White House cyber offices “should have gotten off to a better start” and that Inglis, Neuberger and their offices “probably all missed an opportunity.”
He said he expects friction with the NSC to continue no matter who becomes cyber director next. Over time, however, he said he hopes that “trouble about what are the chalk-lines” between the two offices subsides as the division of labor is sorted. There isn’t much choice, he said, because neither the cyber threat nor the director’s job is going away.
“Congress has willed it, and they will not unwill it.”
This story is based on interviews with more than three dozen people, many of them current or former White House officials. Nearly all of them asked not to be identified to speak candidly about sensitive issues.
In 2020, the Cyberspace Solarium Commission, tasked with coming up with recommendations to bolster US cyber defenses, urged the creation of a national cyber director’s office to act as the “principal advisor” to the president on related issues. Trump signed it into law on Jan. 1, 2021.
The Biden administration was initially reluctant to appoint someone to the post, according to eight people familiar with the issue. The job was viewed as a way for Congress to gain influence over cybersecurity in the executive branch and to dictate who should have the president’s ear, they said. The director is expected to report annually to Congress and can be called to testify, unlike NSC officials.
Besides, during the first six months of the Biden administration in 2021, the White House already had someone handling cyber issues: Neuberger. The NSC, where Neuberger heads the 14-person cyber office, is the “principal forum” for presidential decision-making on national security.
A former star at the NSA, Neuberger oversaw the response to a spree of major hacks. She took over the investigation of the so-called SolarWinds cyber-espionage campaign and led the response to breaches of Colonial Pipeline and JBS SA, the world’s largest meat producer.
In addition, she crafted an executive order on cybersecurity, released just after the Colonial attack, that her supporters say showcased her ability to get things done.
Nonetheless, Biden – beholden to the new law – nominated Inglis as the first national cyber director that April. A former US Air Force pilot, Inglis has advanced degrees in engineering and computer science and spent 28 years working at the NSA. He started that July.
Inglis and Neuberger seemed to be natural collaborators. They had worked together at the NSA, and she advocated for him to be chosen as national cyber director. They began meeting in person for weekly sync-up sessions. He attended Neuberger’s daughter’s wedding in August.
But the two clashed over issues large and small, according to seven people familiar with their relationship.
For instance, Inglis’s office was miffed when they learned about an open-source summit being led by Neuberger from companies that were invited, according to John Costello, who resigned in December as Inglis’s chief of staff. They also weren’t told when Neuberger’s office sent a letter to US governors — asking them to shore up their defenses against potential Russian cyberattacks, he said.
Neuberger and Inglis later disagreed on whether she had personally informed him about the summit in advance, according to a person familiar with the issue. Inglis and his team attended the function, according to a White House release about the event. As for the letter, Neuberger’s staff was responding to an urgent request from the president and swamped with other work during the early days of the war in Ukraine, according to two people familiar with the NSC’s perspective.
But the “straw that broke the camel’s back,” as Inglis wrote in the March 14 email, was conflicts over the cyber strategy.
“Three separate deputies from the cabinet called me over one weekend in early December to relay that Anne was asking them to repudiate the strategy that my office had labored for months to construct – one that Anne had told me the Thursday before that she would support at the upcoming deputies meeting,” Inglis wrote.
Inglis declined to identify the deputies, and Bloomberg couldn’t independently corroborate Inglis’s account.
For her part, Neuberger said her office worked closely with Inglis’s office “throughout the drafting of the strategy.’’
She said she made “pre-calls’’ to agencies to learn about any issues that might surface in advance, after some government departments had raised concerns. “The purpose of those calls was to help avoid a meeting getting bogged down,’’ she said, in her statement to Bloomberg. “I’m quite surprised if any deputies took that as a request to repudiate the strategy.”
To Neuberger, the “core difference of view” between her and Inglis related to how much of the strategy needed to be shared with federal agencies before it went to the president. Neuberger said she recommended an in-person, cross-agency meeting “to get buy-in” — particularly among agencies that might have to defend it on Capitol Hill — and Inglis “ultimately agreed.’’
Even now, Inglis said he didn’t see his position and Neuberger’s as “inherently discordant’’ and believes “they can be, and must be, complementary roles going forward.’’
Whoever Biden picks as the next cyber director will need to collaborate with Neuberger and CISA’s Easterly, who have a strained relationship and don’t speak outside of meetings and official functions, according to four people familiar with their relationship.
Easterly declined to comment for this story. She has previously told Bloomberg that she focuses more on operational issues while Neuberger deals with policy.
On March 20, Easterly announced she had named additional members to CISA’s Cybersecurity Advisory Committee, including one member of the cyber dream team: Inglis.