New CISA director wants to spend less time cleaning up after big hacks, more time preparing for them
U.S. cybersecurity officials have scrambled to respond to one major hacking incident after another over the past nine months, from the alleged Russian intrusions into federal networks using bugged SolarWinds software, to the extortion of Colonial Pipeline, which controls the East Coast’s biggest fuel artery.
Jen Easterly, the new director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), wants to break that cycle, and spend less time putting out fires and more time preparing for incidents in an attempt to reduce their impact. It’s a goal that will draw on Easterly’s experience working on cyber operations for the military, and her time trying to safeguard one of the largest U.S. investment banks from hackers.
To date, actions taken by federal and private sector organizations “to protect us from threats are just not keeping pace,” she said in a recent interview.
This month, Easterly set up the Joint Cyber Defense Collaborative (JCDC), a government-backed initiative that enlists some of America’s largest network security firms to drill for cyberattacks with the government. AT&T, Google Cloud and Microsoft are some of the big names involved in the effort.
The goal is to ensure that critical infrastructure firms, CISA, the FBI and other agencies are coordinated in responding to a major hack. That means improving on the response to the Colonial Pipeline hack, which forced the company to shut down fuel deliveries for days in May. While Colonial Pipeline said it promptly communicated with federal officials, then-acting CISA Director Brandon Wales said he still didn’t have technical details on the ransomware attack days after it occurred.
The U.S. government’s solution to policy failures is often to set up a new agency. Easterly, a former Army intelligence officer who was most recently the top cybersecurity executive at Morgan Stanley, is counting on the JCDC to deliver results through repetition and training. The initiative had its first meeting on Monday, where it focused on defending against ransomware.
“We do not normally bring together the federal government and the private sector to do left-of-boom activity, to do planning,” Easterly said.
A growing profile
The new cyber defense initiative is an example of CISA’s growing profile. The three-year-old agency won plaudits from election officials for its cybersecurity efforts during the 2018 and 2020 elections. CISA has also gained more traction with security researchers, in part by hiring people from that community. CISA last year brought on Josh Corman, a respected health care cybersecurity expert, to help the agency protect coronavirus vaccine developers from hacking.
House lawmakers have proposed increasing CISA’s 2022 fiscal budget by $400 million, for a total of $2.4 billion. In March, CISA received an additional $650 million in funding as part of the coronavirus relief package.
How the agency spends its newfound cash, and whether it hires and retains personnel with key technical skills, could shape the government’s ability to withstand hacks for years to come.
CISA now aims to hire people who can reverse engineer malware and run analytics on hacks, Easterly said, as well as find recruits who aren’t technical by training but are versatile enough to be assets in other ways.
“I really want to send a signal that we are not your lumbering government bureaucracy,” she added.
Easterly said the agency plans to spend a good portion of the $650 million on improving its ability to hunt on federal civilian networks for malicious code. The National Defense Authorization Act that became law in January authorizes CISA to comb agencies’ networks for threats without advanced notice. Those are the kind of proactive deployments that analysts say are sorely needed in the wake of the so-called SolarWinds campaign, in which alleged Russian spies spent months collecting intelligence from U.S. agencies after leveraging a software update from a seemingly trustworthy government contractor.
On election security, Easterly said CISA will likely continue the “Rumor Control” initiative during the 2020 election in which the agency aggressively debunked false information that questioned the legitimacy of the vote. Angered by the fact checking, Trump fired Chris Krebs, Easterly’s predecessor, by tweet.
Supporters of former president Donald Trump have continued to falsely claim that there was significant fraud during the election.
“I do worry about the environment that we’re in where there is this, I think, misperception about the security of the 2020 election,” Easterly said. “Our role is to ensure that the American people have the facts that they need to be able to make good decisions. And we’re not going to convince everybody, of course.”
The ‘glassiest of houses’
Easterly spent a chunk of her career devising ways to break into computer networks.
She was part of a team that in 2009 and 2010 helped stand up U.S. Cyber Command, the military’s hacking unit. Before that, she worked at the National Security Agency’s elite offensive team, formerly known as Tailored Access Operations.
She’s now returning to government service on the other side of computer network operations, and is likely to find herself in interagency meetings with former military colleagues who advocate for offensive efforts. The success of a U.S. hacking operation rests in part on officials’ ability to blunt the impact of any response from foreign adversaries.
“It’s important that I do have both sides of the equation so that I understand where folks are coming from on the offensive side,” she added. “But my job is to be the nation’s premier network defender. And so our equities are always about making sure that we are doing everything we can to defend federal networks and to defend our critical infrastructure.”
In conducting hacking campaigns, the U.S. government has to worry about retaliatory hacks from foreign intelligence services on American companies.
“We live in the glassiest of houses and we always need to keep that in mind,” Easterly said, in a nod to America’s numerous Fortune 500 firms that could be targets of foreign hackers.
Easterly’s cybersecurity experience includes a stint as an adviser to the North Atlantic Treaty Organization mission in Afghanistan in 2010 and 2011, according to her LinkedIn profile. As she spoke to CyberScoop, the Biden administration was trying to evacuate thousands of Americans from Afghanistan after the fall of that country to the Taliban.
Easterly said she had concerns that sensitive data left behind by Americans leaving Afghanistan could fall into the hands of foreign governments. But the people left behind loomed larger in her thinking.
“I think a lot of veterans are struggling with: Was it all worth it? Was our sacrifice worth it? And my general view is it was,” Easterly said. “We should be proud of our service for the difference that we were able to make for that period of time to improve the lives of the Afghan people.”
But she called the scenes out of Kabul, where Afghans were clamoring to get onboard departing U.S. aircraft, “heartbreaking.”
“I worry for the Afghan people,” she added.