tv Cybersecurity Director Discusses Mission Threats CSPAN December 9, 2021 9:37am-10:04am EST
hear discussions on the road to war from both the american and japanese viewpoints, and the effects of the attack on african-americans. exploring the american story, watch american history tv saturdays on c-span2, and find a full schedule on your program guide, or watch online anytime at c-span.org/history. jen easterly, director of the cybersecurity and infrastructure security agency, spoke about the agency's mission, combatting threats and recruiting of talented and diverse cyber workforce. this is hosted by the northern virginia technology council.
thank you, tom. so jen, i just want to start by saying thank you for being here. and thank you for your service to our country. it is a true honor to have you here today. not long ago, you had the opportunity to deliver a keynote at black hat. for those of you in the audience, maybe some of you saw what i had the opportunity to see, and i thought it was an excellent speech. not an easy speech to deliver. a notoriously fickle crowd. i learned a lot. and i think you did a tremendous job educating people on some important topics. but most importantly, i think you did a really nice job of creating trust with a community that's not easy to build trust with. so kudos to you for that. i think you'll do -- that will serve you well in your agenda at cisa. i also learned three other
things from your keynote. i learned that anybody saying cisa will be banned forever. it's cisa. that's true. i learned also that the jcdc was almost named acdc, but unfortunately, tom, the lawyers got in the way. boo. that would have been so cool. and the third thing i learned is that you're a pretty good dancer and you do a mean impersonation of elaine from seinfeld. >> i could do that here. >> so listen, to kick things off, i would like to give you an opportunity to introduce cisa and tell us why and how cisa is sort of unique from other government agencies. >> absolutely. can you hear me? perfect. first of all, thanks very much for the invite to be here. it's great to spend a beautiful friday morning with everybody. and with you, matt, so thank you for the kind introduction.
and thanks to my friend jameel out there somewhere, who set this up. so let me just start with the mission of cisa, if that makes sense. we are the government's newest agency. we were set up at the end of 2018 to be the nation's cyber and infrastructure defense agency, to really fill a gap. now, our mission is to lead the national effort to understand, manage, and reduce risk to the cyber and physical infrastructure that americans rely on every hour of every day. so how do we get our water? how do weget our power? getting gas at the pump, food at the grocery store, money from the bank. so these are the networks and systems that we are basically underpin our lives, and that's what we are responsible for reducing risk to. so we have two key roles that fall out of that, matt. the first is to be the
operational lead for federal cybersecurity, so the protection and defense of the dot gov, and the second and maybe more relevant to this audience is to be the national coordinator for critical infrastructure, security, and resilience. so as we know, over 85% of critical infrastructure is in private hands. and that's why partnerships like this are so incredibly important to the success of our mission. that's why i'm glad to be here with you today. >> yeah, that kind of goes back to the trust comment we talked about. i think the way cisa exists and the trust you have with the commercial partners is, you know, critical to all of us sort of moving the agenda forward from a cyber perspective so that makes a ton of sense. i'm sort of shocked, when i listen to jen speak and saw her keynote at black hat, she was three weeks into the job at black hat. today, i think is 100 days into the job. >> yeah, 100 days. >> 100 days. that's a big job.
she's still new, but it's impressive to be able to have this conversation at this level of depth with you. could you share your priorities for cisa? kind of what you have been able to accomplish so far in the first 100 days, and then where do you think you're going to go in the coming years and what do you hope to accomplish? >> first of all, i'll say i really didn't know what to expect when i took this job. obviously, it was amazing to be nominated for it and just given what's going on in the world, i thought it was really important to come back to government, to do the job. but again, i had never served in the department of homeland security before. i was in the army, i was in the intelligence community, i was in the white house, but never in dhs. i have to tell you, in all honestly, matt, this really is the best job i have ever done. i think it's the best job in government. and the reason, i was going through the confirmation process, a good friend of mine,
she used to be our deputy secretary at homeland, said it's interesting. in the world of national security, so really the world where i spent most of my time, counterintelligence, the army, the federal government has monopoly power, but in homeland security and cybersecurity, the federal government is a coequal partner with the private sector and our tribal and territorial colleagues. it's really all about partnership, which i love. and you know, every day, i probably spend 60 to 70% or more of every day meeting with partners, either in industry or at the state and local level. which, again, is incredibly fun because you're recognize, it's all about building partnerships, relationships, and trust. so it's a fantastic job. you know, it's hard to think 100 days, that sounds like it's been a while, but every day has been fantastic. and so, you know, i see a couple things that i'm focused on over
the, whatever, three years, whatever it is. maybe four buckets that i'll give you. the first is really leading the transformation of cisa, as we know, it's the newest agency. it's founded by my good friend chris krebs, and then it wend through a pandemic, a contential election cycle, and a whole bunch of things that happened this year that were really pretty intense work. so the transformation piece of this is not a trivial endeavor. we went through a big reorganization, and now we really need to make sure that we have, number one, most importantly, the people, the technology, and the process to set us up for success in the coming 10, 20, 50, 100 years. that transformation is hugely important, and we can talk more about that from a workforce perspective. the second is all of the work that we have to do on federal cybersecurity. so you know the executive order
that came out in may, there were about 35 different tasks that either cisa is part of or cisa leads. so a ton of work there that i think is really fundamental to insuring that we can better protect and defend the dot gov, and we're really central to that effort as the operational lead there. the third big bucket is critical infrastructure, cybersecurity, and as i said, we're the national coordinator, so a lot of work to build and strengthen those partnerships, but specifically, we're doing 100-day sprints with several sectors, the pipeline sector, the electricity sector, coming up is water. and we're laying out performance goals and standards, that came out of a white house national security memorandum, so a lot of good work so that we can baseline and really harmonize a lot of the work going on out there in terms of cybersecurity performance goals. and then finally, it's partnerships. all about partnerships. and i talked a lot about that at
black hat, and that has to be underpinned by trust, whether it's a business relationship or a marriage, it's all about the foundational trust. but you know, one of the things that i'm excited about that we have done over the past few months, we can talk more about it, is the jcdc. i'm excited about some of the people things. we set up a great partnership with my friend dr. barrett, who is the ceo of girls who code, so we have a collaborative partnership with them, and we are really focused on diversity, which is a personal passion of mine, and i would say for those of you who don't know, it's share the mic in cyber day, so my own twitter account, cisa jen, is being taken over by my teammate, iona, so please check that out today. it's a great program. >> that's awesome. >> that was -- yeah, a lot of leaders across the government. >> normally it's not good to
have your twitter account taken over. >> exactly right. when i first mentioned this, my lawyers also were like, what are you doing? but i'm actually super excited about it. so please check that out. but these opportunities to build a really diverse workforce. i'm the director of cisa, but i think of myself in three key roles. i'm the chief transformation officer. i'm the chief recruiting officer. and then i have told my team, i'm the chief belonging officer. because i believe so strongly that we need to create a culture that prizes collaboration and teamwork and trust and transparency and innovation and inclusion and ownership and empowerment, and if you build an environment that at the end of the day is one of psychological safety, where you have people who are coming from all backgrounds and bringing different perspectives to enable us to solve our most difficult problems, then that's really an environment of belonging. and that's what i have done throughout my career, is i build
organizations. so huge focus on culture as well. >> yeah, it's a complicated, complicated puzzle you're describing, and i know you like to solve puzzles. >> i do. >> it makes perfect sense. listening to you talk, just reflect on the jcdc and the last letter c is collaborative. and it's inside, outside, it's industry. it's public, it's private. it takes a community to collaborate, to sort of move the agenda forward with respect to improving the nation's cybersecurity, so kudos for that. >> thank you. >> the theme of the capital cybersecurity summit is bridging the gap between policy and practice. can you tell us a little bit more about the jcdc that was announced recently in april? >> yeah. >> and just tell us what cisa is doing to kind of take that forward. >> yeah. you know, i would love to. it's great to think about how do you -- because there's good
policy out there. i was in the white house for two tours, and that's really the center of gravity for policy. but at the end of the day, you have to figure out how to actually operationalize that policy, and being at the cutting edge, being at the operational lead for a lot of things in the cybersecurity world is really fun to do that. it is super fun. so jcdc, where did that come from? it was a fantastic idea. i think it first was envisioned by the niac, the national information advisory council that you're probably aware of, matt, and then it was picked up by the cyberspace solarium commission. i can't say enough good things about a solarium commission as a red teamer for it. at the end of the day, there are a lot of commissions out there that government does, but very few have actually been able to come up with recommendations that found their way into law. >> right. >> and certainly, this one did. and to be honest, cisa, before i was even nominated, benefitted a
lot from what was in the ndaa. one of those things was the jcpo. the joint cyber planning office. and the idea behind this is really bringing people together from the government and from fr the government and from the private sector to plan proactively against major threats to the nation. but if you look at the legislation it is much more than planning. creating a common picture, planning, exercising and then implementing cyber defense plans. so when i came on board, you know, being a retired military officer and somebody who's done a lot of planning in my life, i just thought this was a fabulous opportunity do something early on to really be that signal on both, we're going to be proactive, not reactive. >> right. >> and we're gonna be that agency that is not another lumbering government bureaucracy but something that is much more akin to the private sector. this idea of a private/public collaborative.
so you know, i point to two unique things. people always ask well how is this different. so one, it is the only federal cyber entity in statute, in law, that combines the power of the federal government. so by statute you have cisa, nsa, fbi, cyber com, dod, doj. all of those agencies that bring the full force of the u.s. government when you are thinking ab cyber defense operations. and the magic and ingenuity and creativity of the private sector to come together to create that common operating picture to solve the visibility issue. to be able to plan and exercise against the most serious threats and then to implement those plans. and the second thing is, you know, cisa has a super power, it is our very expansive information sharing authorities. so where some agencies can share bilaterally, we can share many to many. so we've already brought in more than 15 partners.
our alliance partners. csps, isps and cyber security vendors again to solve that visibility issue. but by have been able to use that to benefit of all of our partners, as we're able to get information that is seen globally on other infrastructure and then share that with other partners and probably saw the joint seal we did the other day with our teammates at fbi and nas on black matter. that was enriched by some of our jcdc partners. so i am really hopeful that this paradigm shift in mission from just plain old partnership to true operational collaboration from information sharing to true information enabling. >> yeah. >> i think we can seize this moment in time to make a substantive material difference for the nation. >> yeah, i mean, as the organizing committee for this year's event, we were sort of getting our thoughts collected. there is a lot going on, you know, on the government side, the policy side. there is a lot going on in the
industry on -- >> no kidding. >> -- the commercial practice side. this idea of bridging the gap between policy and practice, you know, as i listen to you just talk, you know, it's -- it's really healthy for me to hear and imagine something like jcdc can exist and literally be the bridge. like, that is the bridge between policy and practice, and it ultimately has to get to practice really quickly, really efficiently, with agility. you know, lather, rinse, repeat. all the things we know are important to puzzle solving and innovation. i'm personally really excited to see where jcdc can go as a bridge into practice in the future. >> can i just make one comment that? >> yeah. >> having spent the last four and a half years at morgue substantially. interesting. two observations. and remember i spent about 27 years in government before i joined the private sector. when i was looking back at the government from the private sector, it often came off as incoherent. not well organized to be able
that o support the private sector. and again that is why i think having an entity that has all of those organizations is so important to be able to share, to your point, in near real time. right? we have to be able to move at the speed of cyber. we know that our adversaries are. and so again, that's why i think that coherence, that cohesion, that unification of authorities and super powers across all of the federal cyber ecosystem can make a real difference. >> yeah. fail fast, test in the wild kind of stuff. it is critical to success, as you know. speaking of, perhaps, not failing fast, but maybe, umm, love to get your thoughts on president biden's executive order on cyber security. it was issued in may. two months later you were confirmed as director of cisa. given the very limited amount of time that we have here today i'd love to get your thoughts on two
specific fronts that i know are, you know, front and center for me personally and probably many people in this room, and back to this sort of bridging the gap between policy and practice, sort of the commercial side of in this collaborative that we're talking about. the first thing i'd like to get your thoughts son is the zero trust security model. specifically the eo instructs agencies to, quote, assume breeches are inevitable or have already occurred. how do you -- how should we be thinking about that? and how do you think about zero trust? and how does that play into this concept of public/private partnership in the bridge from policy to practice. >> great question. you know it is funny we talk so much about the importance of trust and now we're talk about the importance of zero trust. so little ironic. >> -- >> exactly. the e.o. i would say just a great contribution and my teammates at cisa before i
arrived worked very close on that. and the detail, sense of urgency that is encapsulated in that order is really, really important. now, it is mostly focused on federal, cyber security. but much of what's in there is really a signaling mechanism. >> that's right. >> to the community, to critical infrastructure that these are really rp important things that you need to do to modernize your infrastructure. to enable you to have greater visibility into that infrastructure. to develop incident response playbooks. that is another thing there. to ensure that you are doing afteraction reviews because that is another thing on the cyber security review board that we're about to -- cyber safety review board we're going to announce shortly, which i'm excited about. so all of that stuff is very expensable into any spice of space of cyber security. and there is a lot of talk about
zero trust and hugely important when you think of the concept of assuming the breech. trust nobody. verify everybody. we don't live in a world anymore where perimeter is okay. we need to be able to create architecture it is a allow us to defend in-depth. what we've done is a couple things. the paragraph talks about mood radiation, zero crowd and zero trust, omb put out a zero trust strategy and we followed it up with a zero trust maturity model we issued and put out for comments. we went comments on everything we do by the way. this is all about a community and there are a huge amount of experts out there. we did that and also put out a cloud technical reference architecture. again, if there are two things that we're saying, it is move into the cloud and instantiate these principles that allow us
to be better, to be safer and more secure throughout the full network. so a lot of work done there. and a lot of expertise that we are tapping into across the federal government, a lot hoff this is being worked with our teammates at nist. and with our teammates at omb and with new teammates at the national cyber director office and that's been terrific. and i think, you know, the other really good thing in the order is all about software, supply chain. right? you know, we saw with solar winds but that was not isolated. we've been looking at these supply chain attacks forever and even at morgan stanley we were very focused on securing of the supply chain and making sure all of our vendors we are vetted and were secured because as you know we could spend a billion dollars at a big bank. but we're only secure as our weakest link and. that is why at the end of the day this collective defense principle is so critical to all
of us. because everything is connected. everything is interdependent. therefore, everything is vulnerable. so is software and supply chain work on this, the big news out of that was the s-bomb. you know, we come one these crazy acronyms. i don't know why you get them. but software bill of materials. >> i -- >> we need acronyms that only sound like '80s rock bands. sbom, software bill of materials, which what's in that. but it is a good way to start incentivizing knowing what's in your products, knowing what's in your inventory and really leaning into the importance of the software supply chain and we've got some world class experts on sbom who are helping us because we're now the global lead in global supply chain.
>>. yeah i'm excited about that executive order because it really puts us in the leads for a lot of things that i think, i hope, i intend will help us make a real difference in federal cyber security. and i don't think anybody can look at that and say the status quo is acceptable. it is not. within there we're working with congress and working on transforming einstein. and our continuous diagnostic and mitigation program which are incredibly important as well. so more to come. but, you know, it is an exciting space. and a lot of great priorities in the coming years. >> yeah, 100% and the tectonic shifts that are happening. in the world. just, you know, on prem to cloud, you know, in the commercial side of this policy-to-practice bridge, it is
so transformative. and to see it, you know, in clear detail with respect to the e.o. i think is another healthy indicator it is really a collaborative between public and private. >> absolutely. >> so good stuff. so finally, you have talked about the importance of workforce and as the priority of yours. you mentioned earlier in this conversation you consider yourself sort of the chief recruiting officer at cisa. could you share what you are doing more specifically to build cisa's employee population? its talents, diversity? and how do you see that diversified pool of talent sort of being critical to cisa success? >> yeah. so, you know, things that i've written and what i told the workforce and what's been out there publicly it. really is for me all about people. cyber security is not about technology. it is ultimately about people. and so insuring that we have a
talent management ecosystem that cannot just attract but retain the best talent in the world. so cisa is the place where the best network defenders want to come work. and that is what i am looking to build with my team. and that really starts out with the build of that ecosystem. what i mean by that, matt, is it is not just great recruiting. but it is on boarding and integration and mentoring and coaching and reward and recognition and allowing for mobility and rotation and having a secession plan. so we are really looking at that employee experience in a very private secretary way. much of what i'm doing is informed by a lot of things i learned about people operations when i was in the private sector. so what i'm really looking to do is cut down on bureaucracy we deal with in the hiring world and try and accelerate the ability to tap into great
talent, diverse talent appliance and bring them on the team. from a more tactical perspective, the focus on diversity, partnership with girls who code. we also the week released news about a new grant. a million dollars each to cyber warrior foundation and enpower which focused on developing unrealized talent in underserved communities, which is fabulous. we are really tapping into these groups that wouldn't necessarily think about cyber security as a profession. and so i'm very excited about other opportunities like that. and then the other thing i'm super motivated about is we are finally going implement some new authorities that we got seven years ago to enable us to hire and pay much m