CISA Jen Easterly & Dean Bobby Chesney
It’s the first day of the 2023 Texas Tribune Festival in Austin and at the Omni Trademark Ballroom it’s a full-court press for CISA Jen Easterly and UT Law School Dean Bobby Chesney, who are going to discuss cyberwar: attacks and defense strategies. They brought guitars. Easterly is wearing tall, black cowboy boots with white decorative scrolling.
Easterly, the Director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), has been enjoying her visit. Last night Austin’s ex-mayor, Steve Adler, took her and other TribFest participants on a music crawl.
Dean Chesney, who has expertise in international law and research matters including cyberwar and deep fakes, partners with CISA on cybersecurity research projects with UT Austin’s law students. (https://law.utexas.edu/faculty/robert-m-chesney/)
Easterly, who is holding her custom CISA Cube (a type of Rubik’s Cube) is here to explain how CISA is helping to defend America’s critical infrastructure from cyber-attacks and how she came to run CISA.
Easterly was a fan of the 1983 “War Games” growing up. She named her son after the film’s AI: Joshua. A self-described nerd, Easterly loved puzzles and mastered the Rubik’s Cube at age 11. She obtained an extensive collection by betting toy store managers that she could solve any cube in under two minutes. (For more on Easterly’s interest in cubes, including Speed Cubes, see her keynote at the Black Hat conference.
Easterly was not a gamer or a hacker in her teens. She got into cyber while serving in Iraq. An army colonel, Easterly was given a tough project: provide real-time intel on bombing networks during military ops around Camp Victory near the Bagdad airport. She worked with a team of coders, pulling data from numerous sources to search out enemy activity and sent comms to the U.S. ground forces, using the power of tech to save lives. That was 15 years ago. Now she has the top job with CISA.
Easterly gazes forward as Chesney asks questions, but her hands continually turn the CISA cube, quietly idling the engine of her thoughts. She’s working on multiple levels, always thinking a few steps ahead of the game.
Understanding the mind of the adversary
“It’s easier to be an attacker than to defend against multiple potential attacks. Developments with AI makes cyber defense even more challenging,” Easterly said.
Cybersecurity is seen as too technical for regular citizens to understand and implement. But as digital as our lives are, it’s critical, especially as the Covid bump increased use of the internet for work, banking, purchases, and home management. Unfortunately, most people put “safety last” when setting up software and hardware at home. This must change. And CISA is working to bring cyber hygiene to the people.
An age of acceleration
Easterly listed developments in tech that have increased our opportunities and risks, referencing Thomas Friedman’s book, “Thank You for Being Late.” Friedman’s thesis is that the world is accelerating rapidly on multiple levels, including globalization, climate change, and the expansion of technology. Based on Gordon E. Moore’s observation, technology is progressing logarithmically and exponentially in computing power, leading to the growth and development of artificial intelligence systems.
Easterly rattles off statistics for online users: 7 billion are on cell phone, 5 billion on computers, 5 billion on social media; 30 billion devices are linked on the net. As usage grows exponentially, the world increasingly relies on tech. CISA’s mission is to defend the infrastructure on which our devices run.
The internet: a #Caterday distribution system
Due to the internet’s original design and purposes, which could be said is a network best suited to moving images of cats over distances, the underpinnings are built on mutual trust. The internet is inherently unsafe and insecure. We accept and normalize this because of our need to use the network. Security is an “after the fact” bolt-on and not an integral part of its design.
The dark side of the web is cybercrime. The federal estimated cost of cyber-attacks could run as high as 10.5 trillion by 2025. CISA evolved for the same reason that the EPA evolved for the environment: it is a response to damage.
“Security is in our name twice,” Easterly said —”Cybersecurity and Infrastructure Security Agency.” CISA started in 2018 with a mission to lead the U.S. to reduce risks in both the public and private sector. CISA works as an operational component of the Department of Homeland Security (DHS), protecting critical infrastructure such as refineries, transportation systems, and communications networks.
Most technology is owned and operated by the private sector. CISA has created “free stuff” to provide to organizations to defend their networks, building partnerships with the private sector and with regulators, providing expertise, but CISA is not a law enforcement group and does not collect intel.
Trust, Threats, and Election Security
Asked about creating and losing trust, Easterly said that trust is hard to build and easy to lose. She referenced how her CISA predecessor, Chris Krebs, was “fired by tweet” for declaring that the 2020 presidential election was secure. (https://www.washingtonpost.com/politics/2021/11/17/it-been-one-year-since-trump-fired-cisa-director/)
The U.S. election system was, and is, secure: CISA works constantly with state officials to protect elections. Each state has its unique, separate election system. In the past, state officials wanted nothing to do with the feds or with CISA, but Chris Krebs built trust. Easterly said she benefits by the groundwork done by Krebs for election security in 2024.
Kim Wyman was CISA’s senior election security advisor (since November 2021). Wyman was involved in oversight of the 2022 election cycle. Easterly says that election cycle was secure. This June, Cait Conley has taken additional responsibilities as election officer for election security as CISA preps to make sure election workers and officials have what they need for 2024.
Easterly said that she admires the dedication of state election officials and is concerned about threats such as active shooters, foreign disinformation, outside and insider threats to networked systems.
“We should not discount the fragility of our democracy. Everyone can play a role.”
For general network security, the first step is accurate identification of the threat landscape. Easterly listed potential threat actors: adversary nations, including China, Russia, Iran, North Korea. Other threat actors include global cybercrime gangs that seek to hijack and hold systems for ransom. They see a target rich, resource poor landscape that includes schools, healthcare, and other infrastructure. One challenge to CISA protecting systems from threats include public policies that are based on a perception of “interference” from the government.
Easterly said that the U.S. needs a sustainable approach to threat assessment and a higher level of response:
- Corporate cyber responsibility as a business risk. The 2023 Securities and Exchange Commission (SEC) cyber disclosure rule will require companies to report how they manage cyber risks to their investors.
- Persistent collaboration. Congress authorized CISA to create the Joint Cyber Defense Collaborative (JCDC) to form public-private partnerships for cyber defense. We use Slack channels to share private and government information and resources. CISA has a GitHub to release open-source software for cyber defense. JCDC and CISA was active as defense of Ukraine ramped up.
- Civil Cyber Defense (Adler and Chesney are on the advisory board) works with small public partners. UT Austin students are involved in the project and after training, the students will be deployed to local companies to consult on security.
- Secure by Design. TCP-IP protocols were not created with security in mind. Software is also vulnerable. Social media’s stated mission is to move fast and break things. AI is a new form of potential security issues. CISA aims to drive down the flaws. Small businesses should not bear the burden of built-in security risks.
Weaponized innovations
Tech innovations make processes easier, faster, better: both for us and potentially for our adversaries. Consider the many networked systems that could be weaponized. Easterly hearkened back to an early publication, produced by Al Qaeda, called “Inspire Magazine”. Printed in English and available in the U.S., it was designed to invite “lone wolf” attacks. One 2010 article was titled, “How to make a bomb in the kitchen of your mom.” The published recipe was used to make pressure cooker bombs used during the 2013 Boston Marathon.
(https://www.adl.org/resources/blog/islamists-launch-three-new-magazines-hoping-one-will-inspire)
Cyber hygiene can be broken down into steps:
- Use multi factor authorization.
- Update your software immediately when you receive an update alert.
- Use complex unique passwords and use a password manager.
- Report phishing attempts and learn how to recognize them.
To spread the word about these safety habits, CISA just released its first public service announcement, which Easterly says is “Wes Anderson inspired”.
Ransomware and enemy states
Asked about whether to pay cybercriminals when personal or organizational data is hacked and held for ransom, Easterly said that it is a “tough choice”. If possible, do not make payment. Rewarding criminals for hacking data is a bad idea. Often, organizations don’t get their data back anyway, even after they pay. CISA can help groups get up and running without paying ransom. But a better idea is to put network security in place beforehand, to prevent your “worst day ever”.
Asked about TikTok software and hardware that is made in China, Easterly said she was more concerned about how China and other threat actors are pre-positioning in our networks for future disruption. We should expect disruption, be prepared, and be ready to recover quickly. Disruption to oil pipelines and transportation in the event of war is a primary concern.
Closer to Fine
The infosec discussion veered into a discussion of the recent Barbie movie and Easterly’s favorite scene where Barbie drives out of Barbieland, singing along to Indigo Girls “Closer to Fine.” Chesney and Easterly proceeded to play an instrumental cover of the song to close out the panel. The two then delighted the audience by playing it.
Official cover of “Closer to Fine” in Barbie, the Movie
Want the original Indigo Girls performing “Closer to Fine”?
Bios (from Tribfest)
Jen Easterly
Director, Cybersecurity and Infrastructure Security Agency
Easterly is the director of the Cybersecurity and Infrastructure Security Agency. She previously led the firm-wide resilience effort at Morgan Stanley after a lengthy public service career that included serving in the White House twice, helping to stand up the Army’s first cyber battalion, and working more than 20 years in intelligence and cyber operations.
Bobby Chesney
Dean of the University of Texas Law School
Chesney is the dean of the University of Texas School of Law and is known for his scholarship on both cybersecurity and national security. He is co-founder of the podcast “Lawfare” and co-hosts “The National Security Law Podcast” with Steve Vladeck.
Newosity: future report 