At the 13th Annual Billington Cybersecurity Summit, Cybersecurity and Infrastructure Security Agency Director Jen Easterly kicked off the event with a fireside chat discussing CISA’s priorities. Moderator Lynn Dohm described the state of the world as chaotic and stressful. She kicked off the chat asking Easterly about where cybersecurity fits into her priority framework at CISA.
Easterly recalls that she was born the day of Bobby Kennedy’s funeral, and she has really taken one quote from Kennedy to heart – “Some men see things as they are, and say why. I dream of things that never were, and say why not.”
“We need to look at the possible. Imagine the future that we want to have” said Easterly said. She called everyone to come together to build a safe, secure, and resilient ecosystem. There’s a spot for everyone to be a defender. She said cybersecurity has been elevated as a priority for the federal government by this White House administration. While there are challenges, there are opportunities.
Everyone loves to say that hackers need to be right only once, but defenders need to be right all the time, Easterly said. But Easterly calls defense sexy, and she wants to make it the new offense.
Easterly confirmed that there’s amazing talent out there in the defense community. But she acknowledged that we need to work together to make hacker’s jobs harder, emphasizing the role of partnerships.
State of cybersecurity in U.S.
Easterly pointed out that our cyber defenders and operators could go up against anyone. But it’s less about capabilities. She said that it’s about the morality levels of our adversaries. We need to come together to protect the vulnerable systems – schools, hospitals – places that Russia has no problem attacking.
CISA’s Shields Up campaign offers cybersecurity advice for everyone from companies to families. The campaign warns of the threats spilling over from the Russia invasion of Ukraine, and emphasizes everyone needs to be prepared to mitigate malicious cyber attacks.
The demand for cybersecurity talent is high at CISA – along with the need to retain workers and keep them motivated. Easterly emphasized the need to protect the workforce from ‘vulnerability fatigue.’ Employers need to care for the holistic health of their team members, including mental health, Easterly emphasized.
After the fallout from Solarwinds, the federal government’s cybersecurity tasking increased, and Easterly noted that CISA had over 35 tasks in the aftermath. CISA is working on items like Zero Trust, securing clouds, securing industrial sectors, collaborating with NIST, and many other priorities. The agency will release their strategic plans in a few days with the following four pillars:
- Cyber Defense
- Risk Reduction and Resilience
- Operational Collaboration
- Agency Unification
The Critical Infrastructure Act of 2022 (CIRCIA) was passed in March, and it requires critical infrastructure entities to report any cybersecurity incidents or ransomware payments to be reported to CISA within hours. And now, Easterly confirmed that CISA is putting out an RFI in a few days to stakeholders to help inform the agency about proposed regulations. They also have 11 listening sessions scheduled to kick off around the country that will provide CISA with public input on different aspects of the regulations.
Trust is Critical
Easterly pointed out that CISA’s goal isn’t to overly burden the private sector; CISA is about coming alongside and helping. Partnerships are a key priority at CISA, and Easterly called trust the most important currency in cyberspace. At CISA, they approach every partnership as a trust exercise because they are incredibly important to the future of cybersecurity.
When it comes to attacks against NATO partners, like Iran just did, CISA confirmed that the U.S. partners with allies to defend cybersecurity globally. But she noted that partnerships come with expectations too. We need to be sure everyone is doing the basics to keep themselves safe.
Easterly noted again, “We’re all in this together…defense is the new offense.”