CyberWire Daily - A conversation with Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly. [Special Edition]
Episode Date: July 15, 2022
In this extended interview, CyberWire Daily Podcast host Dave Bittner sits down with Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly to discuss her time at CISA and the work of her team. This interview from July 15, 2022 originally aired as a shortened version on the CyberWire Daily Podcast.
Transcript
Hello and welcome to this CyberWire special edition. I'm Dave Bittner.
Jen Easterly is Director of the Cybersecurity Infrastructure and Security Agency, a position she's held for just over a year now.
In her time as CISA Director, she's led a team focused on the cybersecurity of the nation,
guiding the mission of protecting both the public and private sectors.
I spoke with Director Easterly earlier this week.
Well, first of all, it's great to be with you, Dave.
And I just have to say thanks because you all reached out to us to actually put our alerts on CyberWire.
And we are huge fans of the CyberWire. And it's terrific to actually have that as an additional platform for people to get our alerts. So we try and get them out as often and in various different ways and various different platforms, but fantastic to be
part of the CyberWire family and you guys reached out. And so I really appreciate it.
We're very excited about the collaboration as well and just, you know, hoping it continues to lead to more good things. You know, there's been commentary about using the phrase shields up with the initiative,
and I have to say that as someone who grew up watching Star Trek The Next Generation,
it resonates with me, and I get it.
Not everyone has been a big fan of that.
What's been the feedback so far with Shields Up?
Not everyone's been a big fan because they don't like Star Trek or they don't like Shields Up.
Well, I think there's a little bit of the Star Trek thing,
but I think maybe what people take issue is more that it's kind of a binary thing.
They're either up or down, and the natural question is, will they ever be down?
Yeah, no, it's a great
question. You know, we started this a little bit, was my kind of obsession with Star Trek, but
we started this as a way to signal a sense of urgency to our stakeholders, from our critical
infrastructure owners and operators, to our partners at the state and local level, that this was a different situation.
And we wanted to be able to provide a message that could be received and absorbed by all of
our stakeholders, you know, to include the American people, but business owners, large and small,
chief executive officers, the technical community. And we wanted a pretty simple way of doing it,
and that was this sort of Shields Up. I think, you know, to get to your question, and I've been
interrogated on this before by others, at the end of the day, I think we all realize that Shields Up
has to be the new normal. What we've been focused on over the past couple years, certainly motivated by the attacks that we've seen from nation states and cyber criminals and certainly the scourge of ransomware over the past couple years, is the need to collectively raise our game in cyber.
And to recognize that this is not a government thing.
This is not an industry thing.
This is not an individual thing.
It's a we're-all-in-this-together thing, and we all have responsibility to implement the basics of cybersecurity controls, cyber hygiene, for the good of the nation.
And so, you know, Chris Inglis and I wrote an op-ed on this.
Essentially, Shields Up is the new normal.
So the question is, how do we actually
distinguish from being at our highest level of urgency to a shields up, which is, yes, we can
let our incident responders and our SOC personnel take vacation once in a while. Because what we
don't want to have is vigilance fatigue. And as head of America's Cyber Defense Agency, Dave, I'm
particularly worried about that. I want to make sure that my great network defenders, my threat
hunters, my vulnerability management folks, my incident responders are not burning out. And so
ultimately, I think we need a way to calibrate what the threat is, whether it's at a significantly
high level based on what we're seeing from the
intelligence community, our industry partners, or is it a level of what I would call guarded,
which is we always need to be at some level of alert for cyber threats, but we don't need to
be at our highest level of alert. And so that's what we are looking to create, essentially a national
cyber alert system. And this is, the thinking on this, Dave, was very informed by my time in the
financial services sector where the FS-ISAC, the Financial Services Information Sharing and Analysis
Center, had a mechanism to say, okay, we are at this level. We are going to move to this level.
These are the things you should be doing at this level.
And then we're not going to stay there forever.
We're actually going to come together and decide, do we stay?
Do we go up one?
Do we move down one?
And so we'll never be at level green.
I think we always, as a nation, need to be guarded.
But then we need to calibrate.
When do we move to elevated? When do we move to critical? And we need a disciplined and rigorous way to say,
this is why we're moving and signal to the American people and to critical infrastructure
owners and operators, this is what it means. And these are the actions that you should be taking.
And I think part of that is clarity of communications that technical folks have not always been awesome at.
And it's one reason why we are working so hard to make sure that we are communicating with clarity and with a way that distinguishes the various audiences that we need to communicate to, whether it's the business community, the technical community, the individual.
And so we're really putting a lot of effort in communications and the cyber threat advisory
system will be a piece of that that I think will be value added.
Could you give us some insights as to what goes on behind the scenes at CISA in terms
of collaborating with the various other government agencies to
help spread the word and get this information out to the public.
Yeah, absolutely. You know, one of the things, Dave, that motivated me to come back from the
private sector to government was the impression I had as a member of critical infrastructure,
owner and operator doing cybersecurity within
Morgan Stanley was the government was just not as coherent as it should be, could be
to the private sector in the partnership that needs to be forged to be able to protect and
defend critical infrastructure that Americans rely on every hour of every day.
And I had seen, you know, different products coming from different parts of the government and sometimes sending a slightly different signal.
And one of the things that we are really trying to work hard on is,
and hopefully you've seen this in the alerts that you all publish on your platform is almost all of our
advisories now, Dave, are joint. We do them with FBI. We do them with NSA. Sometimes we'll do them
with the sector risk management agency like Energy or Treasury if it's specific to those sectors.
We'll often do it with our international partners, which is terrific because it sends that common
signal that here is the guidance that we're putting out.
It's informed by the full federal cyber ecosystem and some by the international cyber ecosystem.
And so that is one of the real behind-the-scenes pushes that we've been very focused on over
the past year is much greater coherence.
The other thing that we're really focused on is making sure, and this is also informed by my time
in the private sector, that everything we put out is timely, is relevant, is actionable. When you're
a network defender, whether it's at the state or local level, whether it's in a small business,
a large business, you want the information
that you get to be something that you can actually do something with to help secure your network.
And so we are very focused on making sure that everything we put out is of value and is timely.
And one of the things that I would say to your audience is please continue to give us feedback. We are the newest agency in the federal government.
We are a startup agency. We are evolving. And my general view in life is we need to treat feedback as a gift and approach everything we do with a sense of gratitude and a sense of humility.
We need to realize that we are part of a community, which is awesome. And I'm
sure you recognize this, right, Dave? I mean, the cybersecurity community is in many ways really
magical, incredibly focused, dedicated, imaginative, creative people who, whether they work in the
government or whether they work in industry, are very mission-focused and like to solve hard problems. So, we need to approach all of this
as a community. So, we're looking to add value. We are looking to collaborate with all of our
partners. But behind the scenes, we're very focused on being coherent and being value-added.
So, please continue to give us feedback on these advisories
because we want to make them useful to the community.
Well, let's talk about community.
I know that you all have been aggressively recruiting
and indeed have put some things in place
that make it easier for you to be more competitive
with private industry.
I'm excited about this. So I'll talk a little bit about what we're doing, but you know, at high
level, nobody comes to the government to make money. We're able to provide much higher salaries
now. So we've received these new authorities through the cyber talent management system,
and that's great.
People come to government. Why? It's a sense of mission. You get to defend your nation.
Everybody that joins CISA raises their right hand and swears to support and defend the constitution of the United States against all enemies, foreign and domestic. And that's
to me who served most of my life over 20 years in uniform.
It's a really special thing.
In all times, it's a privilege.
And oftentimes, it's difficult and complicated, and it takes a lot of work.
So, you know, this is not about us trying to replicate the private sector.
It is about us being able to be more competitive from a salary perspective.
But again, we're looking for people who want to defend the nation, who are mission-focused, who want to be collaborative team players, who are problem solvers, who are technical, but who will also really fit well in our culture. And if you look at our core principles, really the big themes are about collaboration, teamwork,
empowerment, ownership, innovation, inclusion, trust, transparency.
That's what CISA is all about.
And so those are the type of people that we are aggressively looking to bring on board.
And we've made some fantastic hires recently.
And we just had this great hiring fair where we had 5,000 people.
I almost, you know, I usually have a very low heartbeat.
And, you know, this one elevated my heart rate a little bit.
I'm like, oh, my God, 5,000 people. What are we going to do? But the team actually, yeah, no kidding. So the team
actually extended the hiring fair. We were very diligent about following up because I think it's
really important that people who apply to CISA have a good experience, even in the, you know,
recruiting, the hiring conversations. And then certainly that we're
developing a talent management ecosystem that's good for recruiting, but the onboarding, the
integration into culture, the coaching, the mentoring, the opportunities for promotion
and advancement. And all of this is what's going to help us continue to recruit world-class talent.
And this is a build. We're not there yet, but I'm excited about the direction we're going in. And,
you know, retention is a big part of this, but I will say I approach this a little differently.
I know that a lot of people are not looking to build a career in government. A lot of people want to come in, they want to defend their country, and then they want to go on to other things. And I think it's great because if you come to CISA and then you go
do other things in the cybersecurity space, you are contributing to the collective cyber defense
of this nation. So again, I see it as community and I see it as partnership. And so I love being
able to leverage this platform to sort of cross-pollinate excellence against the wider ecosystem and community.
I noticed that recently you put the word out about a program that is the Cyber Innovation Fellows, which I think is innovative in its own right.
Can you take us through that program?
Yeah, it's awesome. So we actually
started ideating on this when I visited the National Cybersecurity Center in London last
year and spent some time with my friend, Lindy Cameron, who's the CEO of the center. And they
had this program called I-100, Industry 100, where they essentially brought in industry partners. They gave them an NCSC laptop.
They made them part of the team for a couple of days, maybe one to two days a week for a period of time. And it extended their reach and their community between NCSC and the private sector.
And it was, I sat with a room of about 30 of them and got feedback.
And I thought it was a terrific model.
And so this is our pilot to actually create something similar where somebody will come
in from the private sector.
They will join us as a CISA teammate.
They'll join one of our teams.
They could join the Joint Cyber Defense
Collaborative or JCDC, our threat hunt team, our vulnerability management team, and actually be
part of our mission for a certain period of time a week, and then can be up to four months. We can
actually extend that. And then they go back to their regular job, but they're sort of an extension of CISA, can get on our network, can help us deal with problems that they might have information
about based on what they've been working on in the private sector. And so it just creates these
stronger bonds between the private sector and CISA, which is so important because the magic
of this agency is we are very external facing,
which I love. Somebody that grew up in the army and in the intelligence community and in the
policy community where you're very much sort of in your silos. We are very outward facing,
which is awesome, but it's about creating trusted partnerships and bringing people in
and having them work in here for periods of
time and then go back out and say, wow, what a great agency. We should absolutely partner with
them. And so that's what we're looking to develop with the Cyber Innovation Fellows. And it's a
partnership with industry and that industry realizes the benefit of sending somebody on
their team to come work with us. So they're
actually funding that person because they see that benefits in strengthening the connective tissue.
So we're doing that pilot. I'm super excited about it. We'll see how that goes and what we
might build on that pilot. But, you know, I've been checking in pretty often with my teammates
at NCSC and that program there has
been terrific. So we're hoping to build and capitalize on that momentum. It strikes me that
as a new agency, a new organization within the government, you really do have a bit of an
advantage of being able to create your own culture. And I think those of us who've seen what you've been doing from the outside, I think that's really remarkable. This is not a stuffy government agency. You're out,
as you say, you're forward-facing, you're out there meeting people where they live. And I
think that makes a difference. Yeah. I mean, thanks for saying that. That's really, it's funny. So
today is my one year since I was confirmed. Congratulations. So thank you. So I'm
a little reflective about what have I learned over the past year. And I often say, Dave, I really
didn't know what to expect from this job because I hadn't been in DHS before. CISA was a new agency.
It was created when I was at Morgan Stanley. And I will tell you in all sincerity, this is the best job, best job I've ever had.
I think it's the best job in government. And it's a job that is very much focused around
relationships and partnerships and people, which is awesome. And as you said, to be able to create
trusted partnerships, you have to meet people where they're at. And I am, you know, I decided when I came back from the
private sector, I wasn't going to change anything about my, you know, what I was doing in the
private sector. And so, you know, I like to get out and meet people and have fun and let people
know the things that I love, like rock music, and really spend time getting to know my partners.
And so that's the best part of it. And as I often say, we're not another lumbering bureaucracy. We
can't be. We have to move at the speed of cyber. And so wherever I go, it's about getting to know
other people. I often say you've got to lead by the platinum rule, which is not treat others as you want
to be treated, but treat others as they want to be treated because we're all different,
right?
We all experience things differently.
We hear things differently.
We absorb information differently.
We're a product of different experiences.
And so you really have to take time to get to know how other people think, what makes
them tick, how they operate to create that trust.
And you're not going to be able to create that trust if people don't think that you are being
authentic. And so that's what it's all about is like, I just got to be me. Be your authentic
self. In some ways, as a leader, it's incredibly important to be able to show vulnerability.
And that's how you create these trusted partnerships.
And so when people look at CISA, I don't want them to see this, you know, as you said,
fusty bureaucracy.
They want to see people that look like them, that are fun people who are having a good
time solving really tough problems, defending the nation and be a team that people want
to join.
And to your point, I, you know, totally on the culture, I spent so much of my time over the past year, laying out, working, basically co-creating with
our teammates and our employees all across the board. What are our core values, collaboration,
innovation, service, accountability? What are our core principles, the things that we expect from
each other? And that really lay the foundation of how we behave,
you know, both within our teams and to our partners across the board. And a lot of that
is grounded in building an environment of psychological safety, which I'm a huge proponent
of because I think that's the key to people waking up in the morning and say,
I can't wait to do my job. I love my teammates. I feel empowered by my leadership and I feel like
I'm making a difference every day. And that's the culture that we are trying to build at CISA
because as I often tell my team, if that's not what your life's about, go do something else.
Life is short. It really is very short. I lost my little brother
to suicide. And that was a huge impact, obviously, on my life. But what it taught me is you've got
to make the most of every single minute and don't spend that minute giving power to things or people
that make you unhappy. Spend that minute making a positive difference
in the lives of others.
Now, one of the things that I know you launched last year was the Joint Cyber Defense Collaborative.
How's that going?
Yeah, I think it's going great.
So the JCDC was built off the back of authorities that we got from Congress in the beginning of 2021. And the fantastic thing about this is these are authorities that, so based in law, brings together the power of the federal
cyber ecosystem. It's the only entity in the U.S. government that does that. So within the law,
you've got CISA, NSA, FBI, CyberCom, Justice, the Director of National Intelligence, you've got the Secret Service,
you've got the National Cyber Director, all together in one platform, which is terrific
because that can be essentially the platform where we interface with the private sector.
So the private sector doesn't have to figure out where do I go when I want to engage with the government
in cyber defense planning and operations. And so we have built this platform of the JCDC over the
past year. We develop what we call the JCDC Alliance, which are about 25 of the biggest
technology companies in the world. So the cybersecurity vendors, the ISPs, the CSPs,
the backbone
infrastructure companies. And why is that important? Because these companies underpin
our critical infrastructure and provide us that visibility into that threat environment.
So the idea is you bring together the federal cyber ecosystem and that community to help us
bring together, connect the dots and drive down risk to the nation at
scale. And this is a model that's really been accelerated through some of the urgency around
Log4Shell, where we really had to work very closely with the technology community, with the
rest of the critical infrastructure community, with the fantastic researcher community,
very quickly to put together a way to be able to share information and inform each other so that we could help drive down invasion of Ukraine, where we came together with these companies. We actually built a Ukraine tensions plan, a multi-phase plan about what
we were going to do if there was an actual invasion, what we were going to do if there was a
related attack on U.S. critical infrastructure. And we developed, I like to joke, Dave, that we used a very exotic technical tool to share information called Slack.
So we developed these Slack channels, and it's been transformative in terms of people across industry, across the government, sharing information in real time that then gets enriched by what the government has, but what we have from our international partners. And the cool thing is, is a lot of that is then reflected back in the advisories that you all
help us get out. And so oftentimes we'll develop something, we'll share it with our JCDC alliance
partners. They'll help enrich it maybe from what they have been seeing. And then what goes out
is something that's more useful to the community because it's got the government, it's often got international partners, it's got industry contributing to it.
And that, I think, is what has made our advisories over the past year so much more powerful.
It's the collaboration that we have brought that is really much, much more than
partnership. We're moving away from this hackneyed public-private partnership to what is, I like to
call, true operational collaboration, where we are together sharing relevant insights and
information, connecting those dots to drive down risk to the nation at scale. So, you know, we're almost a year old for JCDC, so it's still new, but I've been really
encouraged by the team and what they've been able to accomplish and, you know, frankly,
just really proud of them.
It's going to sound like a basic question, but I think you'll get what I'm going for
here, which is how do you and your colleagues, your teammates measure success?
Yeah, it's a great question. You know, we're actually putting together the first CISA strategy
and that should come out in the coming months, but that is the key question. And as you know,
because you've been in this world for a while, that's the question that all of us ask. How do
you measure reduction of cyber risk?
In fact, when I came to this agency, our mission was to understand and manage risk to our cyber
and physical infrastructure. And I very intentionally changed it to, we lead the
national effort to understand, manage, and reduce risk to the cyber and physical infrastructure that
Americans rely on every hour
of every day. And so what that's predicated on is being able to articulate measures of performance,
which don't really tell us much about risk reduction. You know, how many advisories did
we put out? How many incident response did we conduct? But more importantly, measures of
effectiveness. How are we able to truly drive down risk to the nation? yet, we're very hopeful
that the new legislation, the cyber incident reporting legislation, will help us get that
baseline. Because frankly, we don't have a baseline and a lot of things go unreported.
And so I'm excited about finally getting that legislation in place. We're going through a
rulemaking process. It's going to be very consultative and collaborative.
I'm very focused on harmonizing the reporting here
with the other reporting that's required of industry.
So it's not overly burdensome,
but I think that'll help us establish that baseline.
So we can actually say,
oh, we are driving down the number of vulnerabilities, we're driving down the number of compromises,
the number of incidents, and we are truly raising the baseline of cybersecurity across the nation.
And so that is one of the big things that I'm focused on in the coming year.
All right. Well, Director Jen Easterly, thanks so much for taking the time for us today.
Yeah, absolutely.
Thanks so much, Dave.
Really appreciate it.
Our thanks to Director Easterly
for spending the time with us.
And thank you for listening to this CyberWire special edition.