Jen Easterly On The Future of Cybersecurity and Her Agency's Survival

Outgoing Director of the Cybersecurity and Infrastructure Security Agency (CISA) Jen Easterly sits down with WIRED Senior Writer Lily Hay Newman to discuss the challenges on the horizon for U.S. cyberdefense, the successes of her time at the helm of the crucial agency, and the business left unfinished as CISA's entire fate hangs in the balance under President Trump.

Director: Justin Wolfson
Director of Photography: Eric Bugash
Editor: Michael Penhollow
Host: Lily Newman
Guest: Jen Easterly
Line Producer: Joseph Buscemi
Associate Producer: Brandon White
Production Manager: Peter Brunette
Production Coordinator: Rhyan Lark
Camera Operator: Rob Klein
Sound Mixer: Todd Burger
Production Assistant: Will Hoffinger
Post Production Supervisor: Christian Olguin
Post Production Coordinator: Rachel Kim
Supervising Editor: Doug Larsen
Additional Editor: Paul Tael
Assistant Editor: Justin Symonds

Released on 01/23/2025

Transcript

At the end of the day, this is really a world where

a major conflict in Asia,

the potential invasion or blockade of Taiwan

by the PRC could have very real consequences here in the US,

you could see pipelines being affected,

water being affected, telecommunications being severed.

WIRED sat down with outgoing CISA Director Jen Easterly

to talk about her time in Washington

and the future of US cybersecurity,

this is the big interview.

[upbeat music]

Hi Jen, I'm so happy to be here with you.

You're in your last days as the director of CISA.

How are your last days feeling?

Well, it's bittersweet, of course.

This has been the best job I've ever had and the best team

and every day it's been a privilege to come into work here,

so it's a little bittersweet to be leaving,

but I feel really, really good about

everything that we've been able to do.

Of course, there's a lot of unfinished business,

but I think we have set a good path for the incoming team.

I know my team is excited to continue

to drive forward on the many priorities that we've set,

but all good things come to an end

and looking forward to next adventures.

And you've been here three and a half years, right?

Yeah, I came in, I was nominated in April,

confirmed in July, so over three and a half years.

And then I was actually part of the transition team,

I was the Cyber Policy Lead

when I was still at Morgan Stanley.

So was working these issues early on

and in fact, when I was the cyber policy lead,

it was during the SolarWinds.

So that was a very interesting incident to observe,

both from being in the private sector,

but also being part of the transition team to see

how far we could come and frankly how far we have come

with respect to being able to secure the .gov,

the federal civilian executive branch.

And so that was a useful sort of marker for me.

That must have been a really interesting vantage point

and a good learning experience.

I didn't realize that that was exactly the timing

of when you came in because you know,

one thing we're gonna talk a lot about you and your tenure,

but one thing I wanted to bring up that I'm sure

it's top of mind for everyone,

and I'm sure it's something you've been engaged with,

is revelations recently about Chinese espionage

and hacking in US telecoms.

So I'm interested to know what you observed

in that other situation,

which was obviously Russian hackers, different situation,

but how were the lessons learned there then applicable

with the work you all are doing now in this response?

Well, certainly what we saw in December of 2020

with the revelations about the intrusions

into federal government networks

as well as businesses around the world,

was a pretty sophisticated supply chain espionage operation.

And off the back of that, there were a lot of things

that were put in place in 2021

to include through the Executive Order 14028,

where a lot of the responsibilities came to CISA,

there was also some money that came to CISA

through the American Rescue Plan Act,

and I would say the bumper sticker

was to finally allow CISA

in our role as America's Cyber Defense Agency

and as the national coordinator

for critical infrastructure resilience and security

to manage the .gov as an enterprise,

not as a disparate tribe

of a hundred separate departments and agencies.

So what we've been able to put in place

across the so-called FCEB, the .gov,

over the past three and a half years,

has given us enormous visibility that we never had before

and has allowed us to detect intrusions much more rapidly

to be able to remediate them

and to get ahead of future intrusions

by understanding from an analytic perspective

what exactly is happening on the .gov.

And then frankly, using that information

to be able to enrich our work with critical infrastructure

because all of our networks are connected,

they're vulnerable in many ways.

And so understanding and enriching what we know

from what we see on the .gov

to what we see in critical infrastructure has also been

a really important evolution.

With respect to China, as you know Lily,

we've been talking about this for years.

The big thing for me that changed

because certainly I've been doing

cyber for a very long time.

We were always very focused on the PRC

with respect to espionage campaigns and data theft

and intellectual property theft.

And we're certainly seeing that now

with this so-called Salt Typhoon campaign

with intrusions into our telecommunications infrastructure.

But the big thing for me was seeing

intrusions into our critical infrastructure,

not for espionage,

but rather specifically for disruption and destruction.

And we've talked a lot about that,

I testified earlier this year,

but at the end of the day, this is really a world where

a major conflict in Asia,

the potential invasion or blockade of Taiwan by the PRC

could have very real consequences here in the US.

You could see pipelines being affected,

water being affected, telecommunications being severed,

rail lines, power, exactly.

And that is all part of a very deliberate effort

by China to incite what they call societal panic

and to deter our ability to marshal military might

and citizen will.

This is all part of a very deliberate campaign

and that's why we have been so laser focused,

leveraging our technical talent at CISA

to be able to work with the private sector to identify

and eradicate these types of actors from their networks

to provide mitigation and hunting,

guidance, hardening guidance in

what we just put out for telecommunications,

guidance on how to communicate securely.

You saw that in some of our recent guidance

on end to end encryption,

encrypted communications, which is really important.

And then to work through mechanisms

like our Joint Cyber Defense Collaborative

that we stood up in August of 2021

to work with a wide variety

of those critical infrastructure sectors,

power, telecommunications, aviation, transportation,

to ensure that we have a common picture of the threat

and that these entities know what they need to do

to reduce risk.

I think one of the most important things,

and you and I have talked about this before,

vis-a-vis Ukraine when we did a panel together

with Viktor Zhora of the Ukraine Cyber Defense Agency

is really the importance of resilience.

It is gonna be extremely difficult

to prevent disruption in a scalable way,

and so we have to prepare for it.

We have to acknowledge that disruption may occur,

but the way that we train our people, how we exercise,

how we architect our systems needs to enable us to detect,

respond, and then recover

so that we can mitigate the downtime

for critical infrastructure services

that are necessary for the American people.

Do you think the espionage operations

are getting too much focus and that actually,

there needs to be more focus

on this critical infrastructure infiltration?

That activity is tracked under this group Volt Typhoon.

Is there maybe what folks are talking about

in the public sphere is different than the focus

at an agency like CISA or what's the balance there?

Yeah, I mean we are very focused overall

on PRC cyber actors,

whether they're the so-called Salt Typhoon

focused on espionage,

whether it's Volt Typhoon,

focused on disruption and destruction,

we are focused on working with our federal partners,

with our industry partners

to be able to identify these actors and intrusions,

eradicate them and harden our networks.

I think we should not get too down the rabbit hole.

And is it Salt, is it Flax, is it Volt?

At the end of the day, China, as we've seen in

assessments from the intelligence community,

is the most formidable, persistent cyber threat

that we are dealing with, that we will deal with.

And it's why frankly very early on when I got here, Lily,

I felt I needed to get what are the big ideas, right?

You're leading a federal agency,

a fairly new federal agency,

one that's been through a huge effort to organize it,

one that's just been after a pandemic,

a contentious election.

So what are the big ideas

to build America's cyber defense agency?

And that was all about how do we catalyze

and mobilize collaboration,

collaboration with industry, with international partners,

with state and local partners.

And to do it in a way that's not the old hackneyed, stale

public private partnerships where you go meet once a month

and share secret level information,

it's really ongoing, real time work together

with a recognition that if you're critical infrastructure,

a threat to one is a threat to many,

given the interdependence of networks.

It's also a recognition that the federal government

has to be responsive, has to be transparent,

has to add value.

That was very much informed by my time at Morgan Stanley.

And that you really needed these scalable platforms.

So the collaboration piece,

the fact that big corporations

needed to recognize this threat

as an existential business risk,

one that they needed to prepare for and really manage,

not as something that the IT folks deal with,

but manage as a matter of good governance.

So this idea of corporate cyber responsibility,

because as you know,

the vast majority is owned by the private sector,

they are now on the front lines,

they are on the front lines of the cyber fight.

So they have to recognize

that they have a really important role

in managing that cyber risk and working with the agencies

to help us mitigate that risk.

So this whole idea of corporate cyber responsibility,

the other one was cyber civil defense.

My friend Craig Newmark talks about this,

but I love to think about this

in our campaign for Secure Our World.

The whole idea is make cyber hygiene as common as

physical hygiene.

Washing your face, brushing your teeth,

it's the whole campaign inspired by Schoolhouse Rock

that we did a whole music video.

The idea is you want to make cyber sexy and cool,

not something that's scary

because if people are scared by things,

then their brain shuts down.

Make it cool, make it fun, make cyber sexy,

that's been one of the things I've been driving towards.

And then the last thing is secure by design.

And that's make cyber sexy, make technology safe.

For decades, we've accepted a world where

technology has been delivered to us full of vulnerabilities.

And so we've spent time glorifying the villains

and blaming the victims.

We have to now hold vendors accountable

for designing and developing and testing and delivering

software and technology

that is specifically focused

on driving down the number of exploitable flaws.

So you think about those big ideas

and that's what we've been driving towards.

Again, a lot of unfinished business.

But when you think about the continued ransomware attacks,

when you think about the continued attacks from China,

that we can expect to continue,

these are not exotic attacks,

these are attacks that are using

for the most part, known vulnerabilities.

And so ensuring that the tech that we rely upon

is as secure as possible is incredibly important as well.

And I wanna ask you more about

holding vendors accountable,

by tying into the other thing you were saying about,

public private partnership and developing that rapport,

has been concerning to see how difficult it seems

to have been for the telecoms

to eradicate the Chinese hackers from their networks

and to be certain or be very confident.

Has there been progress

on some of those things that you're talking about

in terms of being able to have that transparency

and insight into what's actually going on?

Yeah, it's a really important question.

So after the revelations of these breaches,

we stood up what's called a Unified Coordination Group,

which brings together the federal agencies, CISA, FBI,

the intelligence community.

We are focused on the response, so we are responding.

FBI is going after, they're investigating,

going after potential threat actors.

The IC folks like the National Security Agency are using

what we see in the intelligence to understand

the extent of this intrusion by foreign actors.

And we're coming together to work with

those known and suspected victims,

and so we've been doing that for months now.

I understand that some of the victims

have talked about being able to remediate these threats

and I think that that's gonna be a long-term effort.

I mean this has unfortunately been out in the press a lot

and anything that gets-

Unfortunately too!

Anything that gets out there has the downside

of having adversaries change their tactics.

So while I think the transparency to consumers is important,

it also makes it more difficult

to then find these actors within the networks.

So while they're using

known defects and technology to get in,

once they're in, they are hard to find.

And in fact, CISA and this is one reason

I'm so proud of the incredible technical talent of our team,

it's one of the few agencies in the government

that have been able to find both Volt Typhoon

within critical infrastructure as well as Salt Typhoon.

And in fact, it was our work to find Salt Typhoon

that then led to law enforcement

being able to identify virtual private servers

that were being leased by the adversaries.

And then that unraveled the wider campaign.

And that's just an example

of some of the things that we're doing

that have helped improve our ability

to manage the security of the .gov.

But this is a long-term effort, frankly,

and I don't expect it to be remediated in the short term,

that's why at the end of the day,

we need to focus on resilience.

On the telecommunications infrastructure more broadly,

we have to understand that comms,

just like my point on software and technology,

these systems were basically architected

for speed and efficiency.

They weren't built with security as top of mind,

security is in many ways in telecommunications

and other aspects of critical infrastructure

has been bolted on because at the end of the day,

a lot of this technology was developed for speed,

for driving down cost, for cool features,

security was an afterthought and a bolt-on,

and that's why we have a cybersecurity industry

and jobs like mine.

So when I talk about the story of cybersecurity,

I actually wanna work myself out of a job,

I want to envision a future where ransomware

is a shocking anomaly

where damaging software vulnerabilities

by nation state actors are as infrequent as plane crashes.

A world where the technology

that we've come to rely on every hour of every day

is first and foremost secure so that we can believe in

what we are using

and what is driving and powering our daily lives

as something that is safe for ourselves, for our families,

for our small businesses.

And that's the work that we've been catalyzing.

There's much more work to do,

but I think we have laid out a roadmap.

And the most important thing

about getting those big ideas right,

was before we were able to put any of that into play,

was we had to have the right talent and the right culture.

Starting from day one frankly, it was making sure

that we could retain the talent we have

and then hire some of the incredible world class talent

that has been able to find these threat actors,

help to eradicate and evict them,

and then to ensure that we are working collaboratively

with our partners to help them drive down risk

to the critical infrastructure Americans rely on.

When you were talking before

about how in the wake of SolarWinds,

there were opportunities for CISA

to expand its funding, its powers.

Do you feel like the agency has the levers of control now

that it needs to do its work?

We are much bigger than when I started,

in terms of number of people, we're about 3,400 people.

We've hired over 2,100 people since I came on board,

which is pretty incredible when you think about

the talent that is very mission driven,

but they could go get paid a lot more money

in the private sector,

so really proud of that, our budget is nearly $3 billion.

We have much more authorities,

to include some of the authorities we got

out of the Cyberspace Solarium Commission,

like the Joint Cyber Planning Office,

which we made the Joint Cyber Defense Collaborative,

like our ability to persistently hunt on federal networks.

That has allowed us to discover things like

the Salt Typhoon campaign that I mentioned.

So I think we are in great shape right now.

What I would just tell my successor, first of all,

you're inheriting the best job in government.

But I would also say,

look, we are America's cyber defense agency.

When you compare our size to the law enforcement agencies,

the investigative agencies or the intelligence agencies,

we are much smaller,

but I think we punch far above our weight.

The magic of CISA is the fact that

we are a partnership agency, a voluntary agency

and everything we do is rooted

in being able to catalyze trusted partnerships.

And so it's not authorities

to force compliance or enforcement.

We're not a regulator, we're not a military agency,

we don't collect intel, we don't do law enforcement.

Everything we do is by, with and through partners,

providing no cost services and capabilities

to enable critical infrastructure entities

to manage and reduce risk.

And I'm really proud of where we are,

but there's much, much more work to be done.

And do you think the new administration

will be supportive of that?

On the one hand, in his first term,

President Trump was actually the one who elevated CISA

to be an agency, full-fledged agency.

But on the other hand, there have been some comments

that make it seem like perhaps his administration

is no longer sort of putting a priority

on the mission of the agency.

So are you concerned about that?

No, I'm not concerned about it.

I think anybody that takes a hard look at what CISA is,

the talent that we have,

what we accomplished over the last several years

will appreciate the value that we bring

to the American people.

And CISA's success is the success of the American people,

it's national security.

And while I know there's been a lot of

discussion of politics and partisanship,

at the end of the day,

cybersecurity, critical infrastructure security

is not a political issue, it's not a partisan issue.

And the American people understand that.

And I grew up in a world

where we didn't think at all about politics,

I was a military officer,

I worked for President George W. Bush, President Obama,

now President Biden, I am never driven by politics,

I'm driven by mission.

And I think that is very much the spirit and ethos

of folks within CISA, we are very focused

on driving down risk to the American people.

If you just look at, for example, the elections,

the elections when election infrastructure

was designated as critical infrastructure in 2017,

that really was a no trust environment.

The states didn't want the federal government

at all involved in elections,

which are run by state and local officials.

And it took a lot of work by my predecessor and that team

and now my team to move from a no trust,

low trust environment to a pretty high trust environment.

I mean, one of the things that I'm most proud about

over the past several months

was our work with election officials across the country,

to include some very conservative

Republican secretaries of state,

spending time with Dave Scanlan up in New Hampshire

with Phil McGrane in Idaho.

And then we spent time at the Midwest

Election Security Summit with Bob Evnen of Nebraska,

Scott Schwab of Kansas,

Paul Pate of Iowa, Jay Ashcroft of Missouri,

Monae Johnson of South Dakota,

and so this really shows people out in America

where the work actually happens

look at us as an agency that is there to help.

I think one of the things

that's been really important, Lily,

is we have put an enormous amount of effort

into building our field force,

as we've grown those 2,200 hirees,

we've built hundreds in our force of cybersecurity advisors,

physical security advisors who are out in every state

to work with critical infrastructure owners and operators,

businesses, large and small,

to work with election officials,

state and local officials.

And these are folks from those areas.

So while you may not trust the federal government,

if you're sitting in a state somewhere,

a very conservative state,

you trust your cybersecurity advisor

who you've known for years and years.

And so that comes with sort of a built in ability

to build those relationships.

So I'm very aware people don't trust institutions,

people trust people.

And it's why everybody in CISA is very focused on

not only having the technical talent

to enable us to understand and reduce risk,

but to build collaborative partnerships, right?

It's about developing those relationships

to allow us to work together to reduce risk to the nation.

And frankly, it's why I've been all over the world,

all over the country to help us build that trust,

catalyze that trust, advance those partnerships

in a way that we can work together

for the collective defense of the nation.

Let's say this, defense is hard, right?

We know that.

And when you were talking about holding vendors accountable,

wanting to make these exploitable vulnerabilities,

a plane crash once in a blue moon rather than

so common, are we getting there on that?

It feels like on endpoints on,

in some ways there has been a lot of progress on,

that type of detection,

but then things move to the periphery,

they move to network devices, cloud,

the ongoing need for account hygiene and account security.

So are we winning, can you win at defense?

Do you worry about that?

You're right, defense is hard.

I say that as the America's cyber head goalie

and that's why it has to be a team.

'Cause you need all those levers of power.

As much as we work to hunt for and eradicate Chinese actors

and work with critical infrastructure to build resilience,

our partners need to hold those actors accountable

and to be able to hold our adversaries at risk.

Whether that's through offensive cyber capabilities,

whether that's through indictments or sanctions,

and so that's when we talk about cyber as a team sport.

But yes, we're on the defensive side and it's a challenge.

I think we are making progress,

we have seen when we launched this

secure by design campaign, I like to call it the revolution,

but at the end of the day, this has been something that

there have been thought leaders talking about

for years and years and years.

We wanted to give it a platform

that was really highlighted

by some of my fantastic technical experts.

Started working on this,

talked about it first in November of 2022,

then launched it at Carnegie Mellon

in a big speech in early 2023,

and then came together with our federal partners,

with international partners

to start laying out the key principles for secure by design.

Later that year,

we locked arms with our international partners,

but importantly, we worked very closely

with technology vendors.

And you saw that in the pledge that we launched at RSA

started out with 68 technology vendors, now we're over 260.

And these are vendors who voluntarily committed

to make significant and measurable progress on key areas,

whether that's enabling of multi-factor authentication,

reducing default passwords, moving towards memory safety.

And several of them have already started publishing

progress that they've made.

And look, at the end of the day,

these technology vendors want to create safe products,

it's just decades and decades

where it hasn't been a priority,

it's been driving down cost, it's been features,

it's been speed to market for competition.

And so I think we really have seen

vendors grasping onto this.

You remember Ralph Nader wrote this bestselling book in 1965

all about car crashes.

Cars were not focused on being safe,

and I talk about secure by design

as unsafe at any CPU speed.

And you think about from 1965,

I think it wasn't until 1983

when the first state mandated use of seat belts.

So it took a long time.

It takes time, yeah.

But what I'm excited about Lily,

is I think we can get there quicker.

GPU speed.

Yes, maybe exactly, exactly.

You're going in my, you're speaking my language, sister.

So it's AI,

I think we can use the incredible power of AI

and that's why we've been so excited about

how do we use generative artificial intelligence

in large language models for cyber defense?

So when you think about, for example,

not to geek out on you too much,

when you think about, when you think about

two thirds of software vulnerabilities are memory safety

vulnerabilities, right?

So buffer overflow or use after free vulnerabilities,

and when you think about SQL injection,

if you can drive down,

if you can move from memory unsafe to memory safe.

So moving from C and C++ to things like Rust,

refactoring that code

can drive down the number of software vulnerabilities.

And so I'm excited about how fast this is moving.

I wanna make sure that these capabilities

are built to also be secure by design.

And so we've been extending

what we've been working on in software into AI

and that's been a huge effort

and a lot of fun, frankly,

under the leadership of our Chief AI officer.

But just think about using these capabilities.

This can accelerate our ability

to get to a secure by design future.

And what does that mean?

It doesn't mean perfect cybersecurity,

we're never gonna get to perfect cybersecurity,

but what we can get to is a technology ecosystem

that is much safer, much more secure,

and frankly, defensible.

So driving down the number of exploitable defects,

exploitable flaws that can really be accelerated

by the use of generative AI,

so I'm super pumped about that.

So I have to ask you, there's rumors,

are you or are you not going on tour when you leave CISA?

I certainly hope to be,

you and I actually met over a mutual friend, Merryl Goldberg.

You wrote a fantastic article about

her time in a Klezmer band

and being in the Soviet Union and encoding music.

And she and I ran into each other in the green room at RSA

and I saw these instruments, the saxophone,

and I was like, oh my gosh, what's happening?

And that started this wonderful friendship.

We have bonded over music.

I played piano and guitar when I was young,

but I really started with electric guitar

when my son started taking it up during COVID.

Oh, there you go.

And it's been the thing that has,

because I love all kinds of music,

that's what's behind the Joint Cyber Defense Collaborative.

But I started taking up electric guitar

and that has become my passion, my obsession.

And as we were really focused on election security

over the past couple months, I wasn't able to practice,

but now I'm getting back to it.

So I hope my big post-retirement plan several years from now

is to start this bar, to have a band.

We're gonna do magic, we're gonna do improv,

I'm gonna be the bartender, and so.

Is there gonna be a cyber tie in or?

Well, there'll always be some cyber tie in.

My team, I really wanted to start my own podcast in this job

called, Bourbon and Bites,

'cause I'm a big Old Fashioned fan,

but they didn't like the whole bourbon thing.

So there could be some podcasting from the bar.

There you go, okay.

But the cyber will always

be a part of my life no matter what I do.

Something I've done forever

and I'm very passionate about the importance of

ensuring that we secure our world.

For everybody from K through Gray.

And it's one of the things that's been motivating me

to make cyber sexy and make tech safe.

Will there be Rubik's cubes

at every table in the bar?

There will, there will be Rubik's Cubes.

I'm also sort of obsessed with the Rubik's Cube

and I think we might have talked about this before,

but, so this is actually a CISA Cube

and I like to think of it as a kind of a magic cube.

But let's see here, oh, there we go, all right, so.

Oh, there we go.

There we go, solve this CISA cube.

But I love this thing because when I was 11,

these things were introduced into the world

and I was a huge puzzler and a video game person,

and I became obsessed with it, learned how to solve it,

and then I would go to toy stores,

say, I was this little kid with pigtails,

if I can solve this in less than two minutes,

will you give me a free one?

So I was able to amass this whole.

The whole trove.

And the reason I love it is because Erno Rubik,

who invented the thing, talked about, if you are curious,

you will find the puzzles around you.

And if you are determined, you will solve them.

And when I think about

the type of incredible technical talent

that we have here at CISA,

you think about the intellectual curiosity,

it's the hacker mindset, it's the problem solver,

but it's the determination, the relentless drive

to solve the most complicated problems out there.

And that's sort of symbolized in the CISA Cube.

Well, it's really a pleasure to talk to you.

You as well.

Thanks so much for joining us.

Thank you as well, Lily.

[upbeat music]