At the Institute of Critical Infrastructure Technology Awards Dinner and Gala on Nov. 10, 2022, the Federal Drive with Tom Temin caught up with Jen Easterly, t...
Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.
At the Institute of Critical Infrastructure Technology Awards Dinner and Gala on Nov. 10, 2022, the Federal Drive with Tom Temin caught up with Jen Easterly, the Director of the Cybersecurity and Infrastructure Security Agency.
Interview transcript:
Tom Temin
In receiving your award tonight, you mentioned violence and physical threats. What’s the connection between that and the CISA mission, which you know, every day there’s a new patch update?Jen Easterly
So CISA is cybersecurity and infrastructure security, we actually are responsible for reducing risks to both cyber infrastructure and physical infrastructure. And we serve as what’s called the sector risk management agency for election infrastructure. So anything that could threaten the integrity of election infrastructure, whether it’s cyber threats, insider threats, physical threats, or threats of disinformation or misinformation, we’re responsible for helping our state and local election officials do what they need to do to keep their systems and their infrastructure secure and resilient. So we have a whole team of folks who are experts in physical threats. It’s not the most well known part of CISA, but the infrastructure security division under David Muffington does the Office of Bombing Prevention, school safety, they have physical threats and resilience threats. So you know, cyber is the reason why CISA was created as an operational component. But we still have the physical security mission.Tom Temin
And as a retired Army officer, then you know how to handle that end of things, don’t you?Jen Easterly
Well, I mean, I have a lot of experience and all sorts of security issues across the board. And frankly, in resilience, I was the head of firm resilience at Morgan Stanley and responsible for not just cyber threats, but technology incidents and weather events and infectious disease and terrorist attacks. And so you have to look at the full range of disruption to infrastructure to really be able to protect it.Tom Temin
And you mentioned this evening that our elections seem to have gone pretty darn well. There’s still some counting going on. But we’re not seeing any of the threats that happened maybe last time, there are no claims of oh my gosh, this was stolen, et cetera, et cetera, but disinformation, from whatever source continues to be something that seems to plague the nation. What are your thoughts on what’s ahead for disinformation, what can CISA, if anything do about this? And, you know, how do we even define it?Jen Easterly
So we are most concerned about disinformation that can be used by our foreign adversaries. And we’ve seen this from the Russians, the Iranians, the Chinese to be able to sow discord among Americans to undermine confidence in the integrity of our elections. And so we do three things. First of all, we put out information about tactics of disinformation. So people can recognize these tactics and the techniques that Americans need to build resilience against disinformation, things like actually looking critically at something particularly if it stokes your emotions, questioning the source doing some investigation, and then not amplifying it, if you’re not sure that it’s accurate. So we put out work around that. Second, we have something called election security, rumor versus reality, which is really just election literacy. Because elections are actually very complicated. And if you’ve seen one state’s election, you’ve seen one state’s election. And so if somebody has a question about how do you protect a Dropbox, how does absentee ballots work? How do you reconcile provisional ballots, there is a lot of confusion out there. And so we are putting out information that Americans can look at to essentially answer their questions about complicated issues around voting. But most importantly, what we do is we amplify the voices of state and local officials who are the true subject matter expert and the trusted voices in their communities that Americans should go to if they have any questions at all. And so that’s the thing that we always came back to is talk to your state or local election official. And we obviously work very, very closely with them and want to do everything we can to support them.Tom Temin
And also in your remarks, you mentioned that the long term issue with cybersecurity is not simply data loss, or ransomware. That happens this week or that week. But really deterrence and the idea of innovation and American continuance of leadership and innovation technologies, which have the ultimate source of competitive advantage, maybe elaborate on that for a minute.Jen Easterly
Well, as I mentioned in the remarks, these are things that I am personally very concerned about, if you think back 15 years and all of the things that have led us to deal with the technology ecosystem of today. It is inherently insecure. And so what we need is to be able to create a secure technology ecosystem and that needs to begin with the major technology providers creating software that’s secure by design and see here by default, we’ve somehow accepted this insane cultural norm, that software is full of vulnerabilities with incentives misaligned towards capability expansion and speed to market and not for security. And what that does is it places the burden of security on the millions of consumers who are least prepared to defend themselves. And so it’s incredibly important that we work with the technology providers. And at CISA, we’ve been calling for radical transparency. So everybody understands what’s in the technology that they rely on every hour of every day. It’s why we’ve been calling for transparency around multifactor authentication adoption. That’s why we’ve been working on software bill of materials, SBOMs, so we know what’s in software and what vulnerabilities are inherent in it. But we need to have an understanding of what’s in our software, what’s in our supply chain, and really catalyze a movement of radical transparency around software so we can raise the cybersecurity baseline for the nation.Tom Temin
And what’s it like to run an agency that has amazing bipartisan support? Unfortunately, John Katko (R-N.Y.), has retired as the Republican on the committee overseeing CISA. But he said, I want to see it a $5 billion agency. You don’t hear that from Republicans very much. But the idea is that both sides really support the agency. Can you take some credit for that?Jen Easterly
I’m not in the business of taking any credit for the agency. It’s a big agency, and I have the privilege to lead the folks there. But Rep. Katko when he came into office, he made cyber a huge part of his focus area. He has been an amazing ally and friend, and we’re very sorry to lose him and Jim Langevin (D-R.I.) and Rob Portman (R-Ohio). But as you mentioned, cybersecurity is a nonpartisan issue. And so I am hopeful that whoever comes in to the next Congress is going to realize that the threats that we face to our networks, our systems, our data, our privacy from nation state actors and cyber criminals are getting more complex, more dynamic every day. And we need to continue to focus on how we build America’s cyber defense agency so we can defend the nation in cyber, so I’m hopeful we’ll continue to get the support that we need.Tom Temin
Will we ever get past the password?Jen Easterly
I sure hope so.Tom Temin
Do you use a password vault yourself?Jen Easterly
Of course.
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Tom Temin is host of the Federal Drive and has been providing insight on federal technology and management issues for more than 30 years.
Follow @tteminWFED