Special Editions 7.15.22
Ep 44 | 7.15.22

A conversation with Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly.

Dave Bittner: Hey, everybody. Dave here. It's our pleasure to bring you this great interview with CISA Director Jen Easterly, where she provides her insight into the current cyberthreat landscape. Be sure to keep up with our "CISA Cybersecurity Alerts," which the CyberWire provides as a public service to the community entirely ad-free. Subscribe in your favorite podcast app or visit thecyberwire.com.

Dave Bittner: Hello, and welcome to this CyberWire "Special Edition." I'm Dave Bittner. Jen Easterly is director of the Cybersecurity and Infrastructure Security Agency, a position she's held for just over a year now. In her time as CISA director, she's led a team focused on the cybersecurity of the nation, guiding the mission of protecting both the public and private sectors. I spoke with Director Easterly earlier this week. 

Jen Easterly: Well, first of all, it's great to be with you, Dave. And I just have to say thanks because you all reached out to us to actually put our alerts on CyberWire. And we are huge fans of the CyberWire. And it's terrific to actually have that as an additional platform for people to get our alerts. So we try and get them out as often as - and in various different ways and various different platforms but fantastic to be part of the CyberWire family. And you guys reached out, and so I really appreciate it. 

Dave Bittner: We're very excited about the collaboration, as well, and just, you know, hoping it continues to lead to more good things. You know, there's been commentary about using the phrase Shields Up with the initiative. And I have to say that as someone who grew up watching "Star Trek: The Next Generation," it resonates with me. And I get it. Not everyone has been a big fan of that. What's been the feedback so far with Shields Up? 

Jen Easterly: Not everyone's been a big fan 'cause they don't like Star Trek, or they don't like Shields Up? 

Dave Bittner: Well, I think there's a little bit of the Star Trek thing, but I think maybe what people take issue - is more that it's kind of a binary thing. They're either up or down. And the natural question is, will they ever be down? 

Jen Easterly: Yeah, no, it's a great question. You know, we started this - a little bit was my kind of obsession with Star Trek - but we started this as a way to signal a sense of urgency to our stakeholders, from our critical infrastructure owners and operators to our partners at the state and local level, that this was a different situation. And we wanted to be able to provide a message that could be received and absorbed by all of our stakeholders, you know, to include the American people - but business owners, large and small, chief executive officers, the technical community. And we wanted a pretty simple way of doing it. And that was just sort of Shields Up. 

Jen Easterly: I think, you know, to get to your question - and I've been interrogated on this before by others - at the end of the day, I think we all realize that Shields Up has to be the new normal. What we've been focused on over the past couple years, certainly motivated by the attacks that we've seen from nation-states and cybercriminals and certainly the scourge of ransomware over the past couple years, is the need to collectively raise our game in cyber and to recognize that this is not a government thing. This is not an industry thing. This is not an individual thing. It's an - we're all in this together, and we all have responsibility to implement the basics of cybersecurity controls, cyber hygiene for the good of the nation. 

Jen Easterly: And so, you know, Chris Inglis and I wrote an op-ed on this. Essentially, Shields Up is the new normal. So the question is, how do we actually distinguish from being at our highest level of urgency to a Shields Up, which is, yes, we can let our incident responders and our SOC personnel take vacation once in a while? Because what we don't want to have is vigilance fatigue. And as head of America's cyberdefense agency, Dave, I'm particularly worried about that. I want to make sure that my great network defenders, my threat hunters, my vulnerability management folks, my incident responders are not burning out. 

Jen Easterly: And so ultimately, I think we need a way to calibrate what the threat is, whether it's at a significantly high level based on what we're seeing from the intelligence community, our industry partners. Or is it a level of what I would call guarded, which is we always need to be at some level of alert for cyberthreats, but we don't need to be at our highest level of alert. And so that's what we are looking to create, essentially a national cyber alert system. And this is - the thinking on this, Dave, was very informed by my time in the financial services sector, where the FS-ISAC, the Financial Services Information Sharing and Analysis Center, had a mechanism to say, OK, we are at this level. We are going to move to this level. These are the things you should be doing at this level. And then we're not going to stay there forever. We're actually going to come together and decide, do we stay? Do we go up one? Do we move down one? And so we'll never be at, you know, level green. 

Jen Easterly: We'll - I think we always as a nation need to be guarded, but then we need to calibrate, when do we move to elevated? When do we move to critical? And we need a disciplined and rigorous way to say, this is why we're moving, and signal to the American people and to critical infrastructure owners and operators, this is what it means, and this - these are the actions that you should be taking. 

Jen Easterly: And I think part of that is clarity of communications that technical folks have not always been awesome at. And it's one reason why we are working so hard to make sure that we are communicating with clarity and with a way that distinguishes the various audiences that we need to communicate to, whether it's the business community, the technical community, the individual. And so we're really putting a lot of effort in communications, and the cyberthreat advisory system will be a piece of that that I think will be value added. 

Dave Bittner: Could you give us some insights as to what goes on behind the scenes at CISA in terms of collaborating with the various other government agencies to help spread the word and get this information out to the public? 

Jen Easterly: Yeah, absolutely. You know, one of the things, Dave, that motivated me to come back from the private sector to government was the impression I had as a member of critical infrastructure owner and operator, doing cybersecurity within Morgan Stanley, was the government was just not as coherent as it should be, could be to the private sector and the partnership that needs to be forged to be able to protect and defend critical infrastructure that Americans rely on every hour of every day. And I had seen, you know, different products coming from different parts of the government and sometimes sending a slightly different signal. And one of the things that we are really trying to work hard on is - and hopefully you've seen this in the alerts that you all publish on your platform - is almost all of our advisories now, Dave, are joint. We do them with FBI. We do them with NSA. Sometimes we'll do them with a sector risk management agency like Energy or Treasury if it's specific to those sectors. We'll often do it with our international partners, which is terrific because it sends that common signal that here is the guidance that we're putting out. It's informed by the full federal cyber ecosystem and some by the international cyber ecosystem. And so that is one of the real behind-the-scenes pushes that we've been very focused on over the past year is much greater coherence. 

Jen Easterly: The other thing that we're really focused on is making sure - and this is also informed by my time in the private sector - that everything we put out is timely, is relevant, is actionable. When you're a network defender, whether it's at the state or local level, whether it's in a small business, a large business, you want the information that you get to be something that you can actually do something with to help secure your network. And so we are very focused on making sure that everything we put out is of value and is timely. 

Jen Easterly: And one of the things that I would say to your audience is, please continue to give us feedback. We are the newest agency in the federal government. We are a startup agency. We are evolving. And my general view in life is we need to treat feedback as a gift and approach everything we do with a sense of gratitude and a sense of humility. We need to realize that we are part of a community, which is awesome. And I'm sure you recognize this, right, Dave? I mean, the cybersecurity community is, in many ways, really magical, incredibly focused, dedicated, imaginative, creative people who, whether they work in the government or whether they work in industry, are very mission focused and like to solve hard problems. So we need to approach all of this as a community. So we're looking to add value. We are looking to collaborate with all of our partners. But behind the scenes, we're very focused on being coherent and being value added. So please continue to give us feedback on these advisories because we want to make them useful to the community. 

Dave Bittner: Well, let's talk about community. You know, I know that you all have been aggressively recruiting and indeed have put some things in place that make it easier for you to be more competitive with private industry. 

Jen Easterly: Yeah, I'm excited about this. So I'll talk a little bit about what we're doing. But, you know, at high level, nobody comes to the government to make money. Like, we're able to provide much higher salaries now, so we've received these new authorities through the cyber talent management system, and that's great. People come to government - why? It's the sense of mission. You get to defend your nation. Everybody that joins CISA raises their right hand and swears to support and defend the Constitution of the United States against all enemies, foreign and domestic. And that's, to me, who's served most of my life, over 20 years in uniform, it's a really special thing. In all times, it's a privilege. And oftentimes, it's difficult and complicated, and it takes a lot of work (laughter). So, you know, this is not about us trying to replicate the private sector. It is about us being able to be more competitive from a salary perspective. But again, we're looking for people who want to defend the nation, who are mission-focused, who want to be collaborative team players, who are problem solvers, who are technical but who will also really fit well in our culture. And if you look at our core principles, really, the big themes are about collaboration, teamwork, empowerment, ownership, innovation, inclusion, trust, transparency. That's what CISA is all about. And so those are the type of people that we are aggressively looking to bring on board. And we've made some fantastic hires recently. And we just had this great hiring fair where we had 5,000 people. I almost - you know, I'm - usually have a very low heartbeat. 

Dave Bittner: (Laughter) 

Jen Easterly: And, you know, this one elevated my heart rate a little bit. I'm like, oh, my God, 5,000 people. What are we going to do? But the team actually... 

Dave Bittner: Yeah, talk about speed dating. 

Jen Easterly: Yeah, no kidding. So the team actually extended the hiring fair. We were very diligent about following up because I think it's really important that people who apply to CISA have a good experience even in the, you know, recruiting, hiring conversations and then certainly, that we're developing a talent management ecosystem that's, you know, good for recruiting. But the onboarding, the integration and the culture, the coaching, the mentoring, the opportunities for promotion and advancement and all of this is what's going to help us recruit world - continue to recruit world-class talent. And, you know, this is a build. We're not there yet. But I'm excited about the direction we're going in. And, you know, retention is a big part of this. 

Jen Easterly: But I will say I approach this a little differently. I know that a lot of people are not looking to build a career in government. A lot of people want to come in. They want to defend their country. And then they want to go on to other things. And I think that's great because if you come to CISA and then you go do other things in the cybersecurity space, you are contributing to the collective cyberdefense of this nation. So again, I see it as community. And I see it as partnership. And so I love being able to leverage this platform to sort of cross-pollinate excellence against the wider ecosystem and community. 

Dave Bittner: I noticed that recently, you put the word out about a program that is the Cyber Innovation Fellows, which I think is innovative in its own right. Can you take us through that program? 

Jen Easterly: Yeah, it's awesome. So we actually started ideating on this when I visited the National Cyber Security Centre in London last year and spent some time with my friend Lindy Cameron, who's the CEO of the center. And they had this program called i100, Industry 100, where they essentially brought in industry partners. They gave them a NCSC laptop. They made them part of the team for a couple of days, you know, maybe one to two days a week for a period of time. And it extended their reach and their community between NCSC and the private sector. And it was - I sat with a room of about 30 of them and got feedback, and I thought it was a terrific model. 

Jen Easterly: And so this is our pilot to actually create something similar where somebody will come in from the private sector. They will join us as a CISA teammate. They'll join one of our teams. They could join the Joint Cyber Defense Collaborative, or JCDC, our threat hunt team, our vulnerability management team, and actually be part of our mission for a certain period of time a week and then can be up to four months - we can actually extend that. And then they go back to their regular job. But they're sort of an extension of CISA, can get on our network, can help us deal with problems that they might have information about based on what they've been working on in the private sector. 

Jen Easterly: And so it just creates these stronger bonds between the private sector and CISA, which is so important because the magic of this agency is we are very external-facing, which I love. Somebody that grew up in the Army and in the intelligence community and in the policy community where you're very much sort of in your silos - we are very outward-facing, which is awesome. But it's about creating trusted partnerships and bringing people in and having them work in here for periods of time and then go back out and say, wow, what a great agency. We should absolutely partner with them. And so that's what we're looking to develop with the Cyber Innovation Fellows. And it's a partnership with industry in that industry realizes the benefit of sending somebody on their team to come work with us, so they're actually funding that person because they see that benefits and strengthening the connective tissue. So we're doing that pilot. I'm super excited about it. We'll see how that goes, and we might build on that pilot. But, you know, I've been checking in pretty often with my teammates at NCSC, and that program there has been terrific. So we're hoping to build and capitalize on that momentum. 

Dave Bittner: You know, it strikes me that as a new agency, a new organization within the government, you really do have a bit of an advantage of being able to create your own culture. And I think those of us who've seen what you've been doing from the outside - I think that's really remarkable. This is not a stuffy government agency. You're out - as you say, you're forward-facing. You're out there meeting people where they live. And I think that makes a difference. 

Jen Easterly: Yeah. I mean, thanks for saying that. That's really - it's funny. So today is my one-year since I was confirmed. 

Dave Bittner: Congratulations. 

Jen Easterly: So - thank you. So I'm a little reflective about what have I learned over the past year? And I often say, Dave, I really didn't know what to expect from this job because, you know, I hadn't been in DHS before. CISA was a new agency. It was created when I was at Morgan Stanley. And I will tell you in all sincerity, this is the best job - best job I've ever had. I think it's the best job in government. And it's a job that is very much focused around relationships and partnerships and people, which is awesome. And as you said, to be able to create trusted partnerships, you have to meet people where they're at. And I am - you know, I decided when I came back from the private sector, I wasn't going to change anything about my - you know, what I was doing in the private sector. And so, you know, I like to get out and meet people and have fun and let people know the things that I love, like rock music, and really spend time getting to know my partners. And so that's the best part of it. 

Jen Easterly: And as I often say, you know, we're not another lumbering bureaucracy. We can't be. You have to move at the speed of cyber. And so wherever I go, it's about getting to know other people. I often say, you got to lead by the platinum rule, which is not treat others as you want to be treated, but treat others as they want to be treated because we're all different, right? We all experience things differently. We hear things differently. We absorb information differently. We're a product of different experiences. And so you really have to take time to get to know how other people think, how - what makes them tick, how they operate, to create that trust. 

Jen Easterly: And you're not going to be able to create that trust if people don't think that you're being authentic. And so that's what it's all about, is it's like, I just got to be me. You know, be your authentic self. In some ways as a leader, it's incredibly important to be able to show vulnerability, and that's how you create these trusted partnerships. And so when people look at CISA, I don't want them to see this, you know, as you said, fusty bureaucracy. They want to see people that look like them, that are fun people who are having a good time, solving really tough problems, defending the nation, and be a team that people want to join. 

Jen Easterly: And to your point, you know, totally on the culture, I spent so much of my time over the past year laying out, working - basically co-creating with our teammates and our employees all across the board, what are our core values? - collaboration, innovation, service, accountability. What are our core principles, the things that we expect from each other and that really lay the foundation of how we behave, you know, both within our teams and to our partners across the board? And a lot of that is grounded in building an environment of psychological safety, which I'm a huge proponent of, because I think that's the key to people waking up in the morning and say, I can't wait to do my job. I love my teammates. I feel empowered by my leadership, and I feel like I'm making a difference every day. 

Jen Easterly: And that's the culture that we are trying to build at CISA because as I often tell my team, if that's not what your life's about, go do something else. Life is short. It really is very short. I lost my little brother to suicide, and that was a huge, you know, impact, obviously, on my life. But what it taught me is you got to make the most of every single minute and don't spend that minute giving power to things or people that make you unhappy. Spend that minute making a positive difference in the lives of others. 

Dave Bittner: Now, one of the things that I know you launched last year was the Joint Cyber Defense Collaborative. How's that going? 

Jen Easterly: Yeah, I think it's going great. So the JCDC was built off the back of authorities that we got from Congress in the beginning of 2021. And the fantastic thing about this is these are authorities that - so based in law, brings together the power of the federal cyber ecosystem. It's the only entity in the U.S. government that does that. So within the law, you've got CISA, NSA, FBI, CYBERCOM, Justice, the director of national intelligence. You've got the Secret Service. You've got the national cyber director all together in one platform, which is terrific, because that can be essentially the platform where we interface with the private sector. So the private sector doesn't have a - have to figure out, where do I go when I want to engage with the government in cyberdefense planning and operations? And so we have built this platform of the JCDC. Over the past year, we developed what we call the JCDC Alliance, which are about 25 of the biggest technology companies in the world - so the cybersecurity vendors, the ISPs, the CSPs, the backbone infrastructure companies. And why is that important? - because these companies underpin our critical infrastructure and provide us that visibility into that threat environment. 

Jen Easterly: So the idea is you bring together the federal cyber ecosystem and that community to help us bring together, connect the dots and drive down risk to the nation at scale. And this is a model that's really been accelerated through some of the urgency around Log4Shell, where we really had to work very closely with the technology community, with the rest of the critical infrastructure community, with the fantastic researcher community, very quickly to put together a way to be able to share information and inform each other so that we could help drive down risk of exploitation from that pretty serious and ubiquitous vulnerability. It was also the urgency of Shields Up, our Shields Up campaign with the invasion of Ukraine, where we came together with these companies. We actually built a Ukraine tensions plan, a multiphase plan about what we were going to do if there was an actual invasion, what we were going to do if there was a related attack on U.S. critical infrastructure. And we developed - I like to joke, Dave, that we used a very exotic technical tool to share information called Slack. 

Dave Bittner: (Laughter). 

Jen Easterly: So we developed these Slack channels. And it's been transformative in terms of people across industry, across the government, sharing information in real time that then gets enriched by what the government has or what we have from our international partners. And the cool thing is, is a lot of that is then reflected back in the advisories that you all help us get out. And so oftentimes, we'll develop something. We'll share it with our JCDC alliance partners. They'll help enrich it, maybe from what they have been seeing. And then what goes out is something that's more useful to the community because it's got the government. It's often got international partners. It's got industry contributing to it. And that, I think, is what has made our advisories over the past year so much more powerful. It's the collaboration that we have brought that is really much more than partnership. 

Jen Easterly: We're moving away from this hackneyed public-private partnership to what is - I like to call - true operational collaboration, where we are together sharing relevant insights and information, connecting those dots to drive down risk to the nation at scale. So, you know, we're almost a year old for JCDC. So it's still new. But I've been really encouraged by the team and what they've been able to accomplish and, you know, frankly, just really proud of them. 

Dave Bittner: This is going to sound like a basic question, but I think you'll get what I'm going for here, which is - you know, how do you and your colleagues, your teammates, measure success? 

Jen Easterly: Yeah, it's a great question. You know, we're actually putting together the first CISA strategy, and that should come out in the coming months. But that is the key question. And as you know, 'cause you've been in this world for a while, that's the question that all of us ask. How do you measure reduction of cyber risk? In fact, when I took - when I came to this agency, our mission was to understand and manage risk to our cyber and physical infrastructure. And I very intentionally changed it to, we lead the national effort to understand, manage and reduce risk to the cyber and physical infrastructure that Americans rely on every hour of every day. And so what that's predicated on is being able to articulate measures of performance which don't really tell us much about risk reduction. You know, how many advisories did we put out? 

Dave Bittner: Right. 

Jen Easterly: How many incident responses did we conduct? But more importantly, measures of effectiveness - how are we able to truly drive down risk to the nation? And so we're actually putting together those things right now, you know, in terms of how we're looking at things, just to see if we're having traction on the things that we are doing without clearly articulated MOP or MOE yet. We're very hopeful that the new legislation, the Cyber Incident Reporting legislation, will help us get that baseline because, frankly, we don't have a baseline, and a lot of things go unreported. And so I'm excited about finally getting that legislation in place. 

Jen Easterly: We're going through a rulemaking process. It's going to be very consultative and collaborative. I'm very focused on harmonizing the reporting here with the other reporting that's required of industry so it's not overly burdensome. But I think that'll help us establish that baseline so we can actually say, oh, we are driving down the number of vulnerabilities. We're driving down the number of compromises, the number of incidents. And we are truly raising the baseline of cybersecurity across the nation. And so that is one of the big things that I'm focused on in the coming year. 

Dave Bittner: All right. Well, CISA Director Jen Easterly, thanks so much for taking the time for us today. 

Jen Easterly: Yeah, absolutely. Thanks so much, Dave. Really appreciate it. 

Dave Bittner: Our thanks to Director Easterly for spending the time with us. And thank you for listening to this CyberWire Special Edition.