
Published on April 14th, 2022


US cybersecurity director Jen Easterly talks hygiene, Russian attacks



The U.S. government may have a monopoly on national security, but cybersecurity has to be a partnership between the federal government and local, state and private organizations, said Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency.

The agency's challenge, then, is building trust with partners who have grown disillusioned with government agencies and bureaucracy, she said.


Easterly on Tuesday spoke virtually with Washburn University students and community members as part of the university's Rick Rescorla Homeland Security Lecture series.

Easterly is just the second director to lead CISA, the newest federal agency. Since the U.S. Senate confirmed Easterly to helm the agency in July, she said she's focused on identifying core values and principles for the organization and building a strong culture to help it carry out its homeland security mission.

CISA director follows example of fallen World Trade Center security chief

Washburn's lecture series is named after Rick Rescorla, the decorated veteran and director of security for Morgan Stanley when terrorists flew airplanes into their building in the World Trade Center.

Although he died in the attacks, Rescorla's actions that day — as well as his foresight and emergency preparations in the years ahead of the attacks — are credited with saving thousands of people on Sept. 11, 2001.

Before being confirmed as CISA director, Easterly served in a similar position to Rescorla's as global head of Morgan Stanley's cybersecurity division. She never met Rescorla, but Easterly said she'd long been inspired by the man seen as a leader and security visionary even before his untimely death.


After his death, she remembers national leaders and security experts reflecting on how the Sept. 11 attacks weren't just a failure of policy or management, but of imagination.

"And Rick was an example of somebody who didn't fail to imagine the bad things that would happen," Easterly said. "That's why he put so much effort into ensuring that the Morgan Stanley workforce was prepared in the event of whatever horrible thing might happen."

Partnerships key to shielding U.S. homeland from bad cyber actors

Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency since July, is a U.S. Army veteran and served under two presidents in defending the U.S. against cyber attacks.

It's Rescorla's vision for the unthinkable that Easterly has tried to follow in leading CISA, where the agency's mission is "to protect the nation's critical infrastructure from things like cyber attacks" and "to be able to see around corners, to plan for the worst, to imagine." 

The agency, which was created in 2018 after Congress saw a gap in the nation's ability to defend the homeland from bad cyber actors, loves security so much, "We have it twice in our name."

Cybersecurity can be an abstract concept to many Americans, but Easterly said it encompasses the everyday actions many take for granted. It's the ability to pump gas. The ability to get food at the grocery store. Confidence in withdrawing money from the ATM.

"These are the systems and networks that underpin our daily lives," she said.

The government's challenge, though, is that most of this critical infrastructure is privately run. In the past, private agencies have been frustrated in working with the federal government because of inefficiencies and a lack of trust, she said.

With 9/11, one key failure was an inability for intelligence and law enforcement agencies to connect the "dots" of security threat clues they had collected. With cybersecurity, it's a similar hurdle CISA and other agencies have to solve.


"Given how we are constructed in this country, very thankfully, it's not the intelligence community that's going to spot intrusions into private critical infrastructure," Easterly said.





Much of CISA's work, then, is building partnerships and communication channels for private and public organizations to work together to prepare for, identify and respond to cyber threats on U.S. infrastructure.

She said the agency has to move the public's mindset beyond the one President Ronald Reagan described in the 1980s — that government is not a solution, but rather a problem in its constituents' lives.

"We have to work at it every day and we have to be transparent," Easterly said. "We have to be responsive. We can't be a black box. We can't be somebody that never gets back to somebody on an email.

"We're really trying to change the paradigm of how government is perceived, of where the government says, 'We're here to help,'" she continued. "We are actually here to help."

'Cyber hygiene' and Russia

Easterly likened cybersecurity to hygiene, in that it has to be routine and common among the public to be effective.

Nation-states and other bad cyber actors are rarely sophisticated enough to break through adequate cybersecurity walls and measures. Rather, it's when common folk forget to practice basic "cyber hygiene" — such as multifactor authentication, using password keepers, updating systems — that threats slip through.

"Drawing on an analogy, as a homeowner, you could spend on the most expensive security systems, and the most expensive locks," said France Hoang, a 2000 Washburn graduate in criminal justice who moderated the lecture. "But if your kid leaves a window open, then it doesn't really matter."


Since U.S. intelligence agencies noticed a Russian military buildup in November, CISA has been meeting regularly with its 16 sector groups of industry, state and local partners to make sure the U.S. homeland is prepared for a potential Russian cyber attack.

The groups have even been using channels such as Slack to share real-time information on potential threats and suspicious activity. The agency's website, cisa.gov, features its Shields Up campaign, to help organizations of all sizes "be prepared to respond to disruptive cyber incidents."

"You can't just be reactive in this space," Easterly said. "We've been proactive."

Easterly: You don't need to be a computer scientist to work in cybersecurity

The most common misconception about working in cybersecurity is that employees must have advanced technical or computer training to work in the industry.

Of course, those who work on threat hunting or incident response usually have computer science backgrounds or education.

But given CISA's mission, many of its workers have backgrounds in building business relationships and partnerships, as well as in communications. In fact, many positions don't require a college degree per se, she said.

However, Easterly emphasized that above all, those who work in cybersecurity for the government are driven by a calling. While Congress recognized CISA's need to hire above the pay rates of most other federal agencies, CISA workers could usually stand to make more in the private sector.

"You come because you want to raise your right hand to support and defend the Constitution of the United States against all enemies foreign and domestic, and that means something to you," Easterly said. "You want to be part of a very special small cadre in this nation that serves the public, and that's an incredible, sacred responsibility."

Rafael Garcia is an education reporter for the Topeka Capital-Journal. He can be reached at rgarcia@cjonline.com. Follow him on Twitter at @byRafaelGarcia.
