At CISA, even the chief of staff has been marinated in cybersecurity

As the government's lead agency on cybersecurity, the Cybersecurity and Infrastructure Security Agency known as CISA keeps getting higher budgets, more people a...

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

As the government’s lead agency on cybersecurity, the Cybersecurity and Infrastructure Security Agency known as CISA keeps getting higher budgets, more people and more programs. Although her role is administrative, even CISA’s chief of staff has a long history in the cybersecurity field. For an update, Kiersten Todt joins me now.

Interview transcript:

Tom Temin: Ms. Todt, great to have you on.

Kiersten Todt: Great to be with you, Tom again, thanks so much.

Tom Temin: And I think the last time we spoke with you, you were advising companies and federal agencies in the space of cybersecurity. But this kind of is a next logical step for you. Correct?

Kiersten Todt: Absolutely. And I think as you know, I mean, CISA is the federal government’s newest agency, but the agency responsible for defending the nation in cyber. It’s a great evolution for me, and certainly always very grateful for the opportunity to serve.

Tom Temin: And as chief of staff, you have been here at a time of growth for the agency, because it’s pretty much bipartisan support for what it does, and for increasing its budget. And so what’s that like? Because that’s not the case for most agencies?

Kiersten Todt: Well it’s been an interesting time. I’m coming up on my one-year anniversary in August. And I think what happened last year in cybersecurity is pretty fascinating, because cybersecurity really became more of a kitchen table issue, if you look at Colonial Pipeline, or the JBS food manufacturing issues, events. I live in the Commonwealth of Virginia, and we saw lines at the gas pump because of Colonial Pipeline. And that wasn’t because there was a shortage of gas. But that was because there was a fear of the shortage of gas. And that’s kind of one of the first times we saw cyber having impact on people’s lives where they actually felt it. And I think, as we look at this issue, and we’ve always talked about cybersecurity as a nonpartisan issue, what we’ve seen both parties coming together to say, we’ve got to be able to defend the nation, industry, bring together all of the resources to bear to make ourselves more resilient.

Tom Temin: And I’ve heard agency cyber people say more and more with greater frequency that they are using the tools and the services that CISA is offering civilian agencies, much more than they said that they were using national programs and protection directorate, if I can remember that old name.

Kiersten Todt: Another great acronym. Well, absolutely. I mean, I think when we look at CISA we sort of see its mission in three buckets. There’s the workforce piece, both internally to the agency itself as we’re building out. There’s what CISA is responsible for in protecting the .gov. There are 101 federal agencies and so CISA’s role is to help defend each of those agencies in cyberspace. And then there’s its work with industry and how it collaborates with industry. And I think that middle bucket to your point has really evolved and progressed. We have a catalog of known exploited vulnerabilities which we share with industry, but importantly, we’re sharing with our agencies. And then we’ve had very specific works through our binding operational directive on those vulnerabilities that we’re seeing most exploited. And, our partnership with all these agencies is certainly improving and growing and seeing much more as a partnership and collaboration.

Tom Temin: And on that personnel and workforce front, have you found ways to maybe speed up, let’s say, or somehow compress the typical federal hiring cycle, because what you’re hiring for is so crucial.

Kiersten Todt: Well, there’s so many aspects to this. And this is obviously a number one-priority for our agency and for the director, is building out the workforce, not just for CISA but really setting a template for workforce development and cybersecurity. For this industry. We talk a lot about the vacancies, I would assert that actually every job just about in the private sector, as well as government has a cyber piece to it. We’re all using a phone, we’re using a laptop. And so being able to really bring this interdisciplinary approach to cybersecurity is critical. We have the cyber talent management system, which was launched in November of last year in some direct hiring authorities. And importantly, it’s how do we go in to where the talent is? We can’t expect everybody to log on to USA Staffing but working much more to build out a younger workforce, going to high schools, to vocational schools, community colleges, and prioritizing diversity, equity inclusion and accessibility. I’m particularly proud that we’re going to be engaged in a neurodiversity effort this year, to be able to truly build an inclusive work environment.

Tom Temin: And you’ve also got some pay flexibilities, too, because that’s an issue in the cybersecurity field.

Kiersten Todt: Right. And that’s occurring right now through our cyber talent management system. And I think, as we look at these other elements, it’s how do we ensure that we are attracting the best talent and treating our employees right, and that certainly is, this is a livelihood and this space right now, cybersecurity is a national security priority, and that prioritization is critical, and it’s certainly something that CISA takes very seriously.

Tom Temin: We are speaking with Kiersten Todt, chief of staff of the Cybersecurity and Infrastructure Security Agency. And on that issue of neurodiversity that seems to be a growing area where people that have neurological issues that might be harming their ability sometimes to interact with people nevertheless are not actually intellectually challenged, they could be a genius in a particular area, especially in these technical and coding type fields and cyber. Tell us a little bit more about that effort.

Kiersten Todt: Absolutely. I mean, the neuro distinct population is one that we have tended not to be inclusive of in workplace environments. When you think about an interview, what you’re told is to make eye contact, or how people’s disposition, what that can lead to as far as these very rigid guidelines. And so as we’re looking at building out an inclusive environment, what’s critical is that we are pulling in talents and aptitudes across the board. Cybersecurity is a multidisciplinary interdisciplinary issue. And so the aptitudes and talents that we need to bring in to build creative and innovative solutions exist in all people. And so we as a federal agency have a real opportunity to lead the way in looking at how do we attract that talent and work with those organizations that are working with neurodiverse individuals. We’re fortunate being our offices in the Commonwealth of Virginia, obviously, the federal government’s in Washington, D.C., there’s some great resources that work with neurodiverse individuals when they’re coming out of high school coming out of colleges, that we are partnering with now to bring that talent into our workforce.

Tom Temin: And just out of curiosity, how are people like that accommodated? If you have someone that’s hearing or sight impaired or mobility impaired, there are well-known technological aids that can help them do their work. For the neurodiverse, though, that’s a little bit of more of a subtle issue, isn’t it?

Kiersten Todt: Well, it’s really talking about how do we create that openness in the workforce. We were working with an individual in the private sector, who is a neurodiverse individual who was talking about how in his signature line, he talks about how he interacts with people. And so it’s looking at tools, whether it’s through technology, whether it’s someone sharing at the outset, this is how I will engage with you everything from I don’t answer a cold call to I schedule times. But it’s really about those tools and communication. And if we think about all of that, that really applies to everybody. And so one of the things that we found as we’re building out this inclusive environment is that the tools that we’re learning by bringing in neurodiverse individuals, as well as others, that those tools that are important to them are important to everybody.

Tom Temin: And what else should we know about the cyber talent management service? This is not brand new, but it’s still evolving?

Kiersten Todt: Right? Well, so we launched in November of last year. So it’s still pretty new. But it is very much about how can we bring in talent to your point with a different type of hiring authority. And this is through the Department of Homeland Security. It’s a broader DHS effort. We’re obviously working very closely with them. But it’s a tool intended to bring on talent more quickly, and to be able, to your earlier point, to have the compensation for the types of skills and expertise that we’re looking at recruiting and retaining here at CISA.

Tom Temin: And I imagined, though, like say, agencies, such as the FBI and other elements of the Justice Department, where you might be competing with well-paid people in the private sector, the mission is still a pretty good sell?

Kiersten Todt: Tom, it absolutely is. And I think one of the things when we’ve talked about different workforce development, if people are coming in cold to this, they’ll say, well, how do we get more people to get interested? And what we are often saying to them, that’s not the issue. I’ve been so impressed with the caliber of people that are truly focused on the mission that want to come work at CISA. We just held a hiring event last week with over 5,000 interested candidates. And when I talked to schools, I just spoke to a group of undergrads and graduate students last year, I mean last week, and there were so many that are legitimately interested. And I think that it’s a wonderful element in time in this cybersecurity space. But I think it also is about the mission of the organization, and what we’re looking to do and how we’re looking to do it. And I think, as we build this out from a government perspective and an industry perspective, bringing in this talent is going to be critical to our success.

Tom Temin: We’re speaking with Kiersten Todt. She is chief of staff at the Cybersecurity and Infrastructure Security Agency. And we’re facing the clock. Can you stick with me for another segment?

Kiersten Todt: Yes, absolutely.

Tom Temin: On the topic of jointness, and sharing with industry and with other elements in the government, with academia, the Joint Cyber Defense Collaborative. Tell us more about that, and what progress you’re making there, what some of the initiatives under that are.

Kiersten Todt: Absolutely. Well, we launched this last August. And for those of us that have been in this space for a long time, we know that the term public-private partnership lost its meaning a while ago. What the JCDC is doing is real actionable intelligence sharing and actionable engagement between industry and government. And we saw it really come into play effectively into practice with the Log4 show event last December. That was revealed on a Friday. On that Saturday, we gathered the group of companies that are our partners, to look at the data to look at what we were seeing and I think what’s so important about this is it’s not always about having the answers but about bringing together government and industry to share those data points in real time. We’ve developed a Slack channel, which is allowing for this back and forth of information exchange, which was particularly valuable when Russia invaded Ukraine and afterward. And what was interesting about the JCDC is we put together a plan in December for this anticipation of Russia’s invasion of Ukraine. We tested it in January. And then, unfortunately, we executed it in February when Russia did invade Ukraine. And I think that certainly our real time work with industry has proven to be very helpful. We had an event where we brought a company engaged with foreign countries when they saw a vulnerability, our partnerships with the [US-CERT]s of over 100 countries has also allowed us to bring those relationships to industry. Because as we all know, no one entity can defend our nation, can defend a sector by itself. And so this is all about how do we bring together these entities, but importantly, share that intelligence, which is relevant in the moment so that we can start putting together these data points.

Tom Temin: And when Russia did execute on that invasion of Ukraine, people anticipated that there would be some kind of a cyber wave going along with that. Did they in fact, kick over a beehive and release a lot of cyber activity?

Kiersten Todt: Well we certainly have seen Russia’s cyber attacks on Ukraine. So I think it’s important people are often saying, hey, we haven’t seen anything. Make no mistake, Russia has certainly used cyber tools against Ukraine. And what we have done as a nation is, we had concerns over our energy sector, over our financial sector communications. And so we CISA as well as the federal government writ large, have worked very closely with the sectors to share information, when we’re getting it and to help them be more resilient. My background has been in homeland security, counterterrorism, and we always, said, particularly after 9/11, you can’t prove what you’ve prevented. And so I’m always very cautious when people are saying, hey, we haven’t seen anything. I won’t necessarily pat ourselves on the back to say, hey, well, we must be doing a perfect job. But I certainly think we’re doing a good job. And so it’s very important to recognize that this is a marathon. We just don’t know what mile we’re in. And we continue to have to focus on the resiliency of our infrastructure and that joint industry government partnership.

Tom Temin: Well, it’s probably noteworthy that this deeply into the pandemic and its aftermath with still a fairly significant portion of the federal workforce, teleworking and remote working, that has not been a vehicle for any large-scale successful attack on government, databases or government systems so far as we know.

Kiersten Todt: Well, certainly, with the pandemic, and with everyone going online, and remotely, we expanded the threat surface, right, we made it much more vulnerable. But what we are seeing is therefore a prioritization of those tools to make our infrastructure more resilient to make this threat landscape, reduce the risk. That’s something that we are constantly working on at CISA is how do we reduce and manage the risk to our infrastructure, which certainly is the federal government that plays a key role in that.

Tom Temin: Is it fair to say that the National Institute of Standards and Technology, the NIST folks and a lot of cyber and computer system brains over there are informing a lot of the initiatives that CISA undertakes?

Kiersten Todt: NIST is a great partner. I worked closely with NIST on the development of the voluntary cybersecurity framework. I worked closely with NIST when I was running President Obama’s commission on cybersecurity. And I think, one of the things that we always have to look at in cybersecurity is there’s not one entity within government or industry that does it all. And NIST has been a great partner to CISA. The Office of the National Cyber Director is a great partner, the FBI we work closely, NSA, all of these elements have become so much more important to our partnerships to create this resilience and also their relationships with industry and with foreign countries and foreign governments.

Tom Temin: And what about Shields Up? Because that is guidance that is available to really anybody and all the sheets or so forth, and all the sub menus are on the website for anyone to access. I’m wondering if there’s some connection between what industry is learning from CISA and how that might inform what the Defense Department is trying to do with CMMC, which they’ve had a little bit of a struggle with in recent years and months.

Kiersten Todt: One of the things that we have focused on so much at CISA is our communication with our stakeholder audience. And so while we may not always have perfect information, it’s sharing what we know when we know it. And I really commend the Biden administration for looking to declassify information as quickly as it can, particularly when it came to Russia’s invasion of Ukraine. But when you look at Shields Up, that was very much about getting important and direct information out to industry quickly. So we talked about multi-factor authentication, empowering your CISOs, getting senior leadership of companies to empower CISOs, encryption – making sure that companies were prioritizing these elements, raising the bar. What’s been fascinating is, as we’ve again, kind of gone in this marathon of Russia’s invasion of Ukraine, what we’ve heard from companies is we don’t want Shields Down. This actually is kind of the new normal. And how do we get this to a sustainable place? Because obviously, there was a surge of resources. And that’s not sustainable. But how do we manage that? And Tom, I make the analogy to what we were doing after 9/11. I was in the Senate during 9/11, and was an delegate on the National Capital Planning Commission. And we talked about the temporary fences around the Capitol, we talked about temporary bollards around the monument. And then we closed down Pennsylvania Avenue, the National Capital Planning Commission made those bollards permanent. And I think that’s kind of this heightened next step. And it’s something that we’re seeing in industry, which is a positive because there’s an awareness. And importantly, there is a real support for companies taking this next step toward being more secure.

Tom Temin: We are speaking with Kiersten Todt, chief of staff of the Cybersecurity and Infrastructure Security Agency. And in the analogous vein in putting up some of those physical security measures that are permanent, you don’t want to mar the site of Washington so it doesn’t look like Pyongyang, which, in some parts of Pennsylvania Avenue toward 9th Street, kind of do. But you know what I mean?

Kiersten Todt: Yeah, absolutely.

Tom Temin: The idea of cyber security everywhere has to be consistent with usability of services the government offers. So I’m wondering, does the JCDC also tie in with, the GSA’s attempt and project to upgrade Login.gov, which they want agencies to use to enable people to get to the government without so much fuss, and yet consistent with security?

Kiersten Todt: Right, and that’s really in cooperation with our cybersecurity division. I think your point is exactly right, which is, there’s always been this tension in cybersecurity about educating the end user and moving security away from the end user. How do we make things accessible and usable, but keep them secure? And that’s a tension I think that we see continuously. But what we are seeing in this evolution of cybersecurity is a greater tolerance for security. And for what that is. We always say security is not convenient, we think about the seatbelts for the generation that grew up without seatbelts. Then when that became mandatory, it was inconvenient. Bicycle helmets, but when you start to create that culture of security, you have individuals that are actually choosing it, because they know that their lives are better and a bit more easier. We’re still in that journey, as far as making a culture of security in this country and truly in the world. But I do think we’re seeing progress for that accessibility piece and that ease of use.

Tom Temin: And bringing this around to the staff part of the chief of staff job, besides direct cybersecurity expertise, which you need in great volume, what other personnel human capital needs does the agency have at this point?

Kiersten Todt: Well, building out the workforce. We have vacancies, as you mentioned earlier. We’ve been given a lot of money by Congress to do our mission. With great power comes great responsibility. There’s a lot here. So we take that very seriously. But it’s building out the people, attracting the talent. And as I said earlier, it’s not just about us sitting here in the D.C. area, the National Capital Region, expecting talent to come to us. We need to go into the communities where this talent exists, underserved communities, non-traditional places where talent is whether it’s nonprofits, again vocational schools, community colleges, we have a lot of partnerships that we’re looking to build out so that we are truly bringing in an interdisciplinary workforce that represents our diversity, equity, inclusion and accessibility priorities. And that is, a number one priority for what we’re doing. And again, it’s not just about building CISA under that guideline, but hopefully getting to a place where CISA becomes the model not just for government, but for the workforce.

Tom Temin: And as it gets procurement and acquisition authority, which is coming next, you’ve got a serious, specific issue of getting an acquisition workforce built.

Kiersten Todt: Absolutely. I mean, this is we are building our workforce in real time and looking to do it as quickly as we can. We have a tremendous human capital team, and really across the board, the team of people that have been brought in because to your earlier point, these individuals, our team is so driven by mission. And I feel very fortunate every day to be walking into this office with people that are putting service and mission at the forefront and prioritizing it.

Tom Temin: Kiersten Todt is chief of staff at the Cybersecurity and Infrastructure Security Agency. Thanks so much for joining me.

Kiersten Todt: Thanks so much, Tom. Great to be with you as always.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories

    Amelia Brust/Federal News Networkcybersecurity

    Shields up: CISA’s response to the targeting of critical infrastructure and what it means

    Read more
    Getty Images/iStockphoto/maxkabakov

    Cyber Safety Review Board’s first report gives CISA thumbs up for Log4j response

    Read more