JEFF: Thanks, everyone, for joining in person and online. Appreciate folks making it out on a Monday morning. We are really honored today to welcome CISA's second director, Jen Easterly. Director Easterly was confirmed almost two years ago, July of 2021, and she leads the agency's efforts to understand, manage and reduce risk to the nation's cyber and physical infrastructure. Prior to coming to CISA, Director Easterly was head of firm resilience at Morgan Stanley, and before that was a Special Assistant to President Obama and Senior Director for Counterterrorism on the National Security Council. Director Easterly is a graduate of West Point and spent more than 20 years in the Army, during which she twice received the Bronze Star. She also holds a master's degree in philosophy, politics and economics from the University of Oxford, where she studied as a Rhodes Scholar. Welcome, thank you for joining us today.

EASTERLY: Pleasure to be here. Thanks, Jeff.

JEFF: So in terms of format, we have a few different topics we're going to cover, and we hope to leave some time at the end for questions for folks in the room. When we ask questions we'll have some mics; please just identify yourself and who you're with and then go ahead and ask your question. So again, hard to believe it's been two years. Time flies when there's not much going on, I guess.

I want to start by talking about one of the topics that you've covered a bunch recently, and that's making products secure by design. In April, CISA, along with FBI, NSA and several partner nations, released a set of principles and approaches for security by design and default. Can I start with a definitional question: security by design versus security by default, and the overlap? How do you see the two of them, and also, I guess, where do you see resilience as part of that?

EASTERLY: Well, first of all, thanks for having me here; it's great to be back at Aspen. So if I could just step back a little bit and kind of set the scene for where that initiative came from, and then we can talk the details on design and default and how we think about resilience's role.

So in cybersecurity you often get asked, how bad is it? You know, you talk about how threat actors are becoming more complex and more dynamic and more sophisticated and more well-resourced, and how the bar is being lowered for cyber criminals, and then you talk about 6.5 trillion, then 8.5 trillion, then 10.5 trillion in cybercrime damages around the world, and it almost seems like it's just going to get worse and worse and worse. And when we looked at it from our perspective as cyber defenders, we said we need to do something different. Things like public security announcement campaigns, cyber hygiene, they're all really important, but to enable us to get ahead of cyber threat actors we need to actually take a new approach, and that was about moving upstream. Right, so there's stuff you can do to put measures in place to defend your infrastructure, to make yourself safer online, but at the end of the day the underlying cause for most breaches and most incidents really comes back to the technology.

And so Eric Goldstein, who's our head of cybersecurity at CISA, and I wrote a Foreign Affairs article in February where we talked about how we need to catalyze a sustainable approach to cybersecurity, and technology product safety was the first big piece of it. There was the idea of corporate cyber responsibility, where CEOs and boards need to embrace cybersecurity and cyber risk as a matter of good governance; there was the idea of persistent operational collaboration; and then finally cyber civil defense, which was a term coined by Craig Newmark to talk about the role of society in keeping ourselves safe.

So, technology product safety. The thesis is, we don't have, as our friend Dmitri Alperovitch would say, a North Korea or Iran or Russia or China problem. Those are all problems, but at the end of the day it's not a cyber problem; it's a technology problem and a culture problem, and it comes down to two basic things. We've essentially normalized the fact that technology comes off the production line full of vulnerabilities and flaws, dozens, hundreds, thousands, and we've accepted that. We've accepted that we have to constantly upgrade ourselves, constantly patch, and that is just not the way it can be or should be. And secondly, we've accepted that the cybersecurity burden is placed on individuals and small businesses, who are least aware of the threat and least capable of defending themselves. And obviously you saw tones of that in the National Cybersecurity Strategy as well.

And so what we want to do is ensure that technology manufacturers, just as auto manufacturers put seat belts and airbags in cars, are building products that are both secure by design, meaning that they are tested, developed and deployed to reduce the number of flaws that can be exploited by malicious cyber actors. So a good example of what we mean by secure by design is coding using memory-safe code. About two-thirds of software vulnerabilities are what's known as memory unsafety, usually developed with C or C++, and now actually there's a lot more memory-safe code, like Rust and Python and Java, and so you can actually start translating and transferring some of this code to be safer. So that's an example of secure by design. Secure by default is it comes out of the box with security features baked in, meaning you don't have to enable multi-factor authentication after the fact, you don't have to harden your infrastructure; you actually need to loosen your infrastructure if you decide you want to be less safe and less secure. And so these are features that are baked in; they come to you, and so you don't even have to think about it. So all of us can continue to take the steps that we need to do to be safe, but really at the end of the day the idea is all of these things should drive down the number of exploitable flaws in all of our products.

And the last thing is, we put out that product, which we're excited about because we had six countries join us along with FBI and NSA. We've been doing great listening sessions within industry, who've given us a lot of really good feedback, and we're going to put out additional products on it to help people understand, at the end of the day, what they should be asking for in terms of taking products that are both secure by design and secure by default.

JEFF: So I'm going to pick up a little bit on the cyber civil defense a bit later in the context of election security, but within this realm, are there things that the government or civil society can do to help educate the end user to either demand more secure products or to be more secure by default? Like, what is the good result for the end user? The dog that didn't bark: you just don't see bad activity and things are running smoothly.

EASTERLY: Yeah, it's interesting you say that, the dog that didn't bark, because this is a challenge for everybody in security. You know, how do you prove that your return on investment is worth it? And so one of the things that we're very focused on at CISA is ensuring that we have measures of effectiveness that can help us say we are driving down risk, and it's one of the initiatives that we're working on across the agency, but in particular the National Risk Management Center.

So the big question: how do we achieve secure by design, secure by default? This is not an easy thing. We are dealing with decades of misaligned incentives, and you can go back to the putative birth of the internet, if you say 1983, when TCP/IP was implemented to allow computers to talk to each other. Well, back then the internet, we know, was never created with security in mind. You know, famously, Dan Kaminsky, the late pioneer security researcher, said the internet was never designed with security; the internet was designed to move pictures of cats, and it's very good at moving pictures of cats. But you had an internet that is now full of viruses, you have software that is full of flaws, you had the era of move fast and break things with social media, which is arguably full of disinformation and misinformation. And so it's really been decades and decades of companies putting speed to market and features over safety and security.

And so what we want to do is essentially be able to send market signals, because that's what's been missing: a clear signal so that consumers know what to ask for, and that's the conversation that we're starting. Consumers need to know, and it's one of the great initiatives that you led, Jeff, when you were at the NSC, for example, like security labeling, so I can look at a product and tell how secure it is before I buy that Internet of Things product. And so really one of the principles that we put out in our approaches to secure by design was radical transparency, and so we're calling for companies to actually put out information about how secure their products are. Does it come with multi-factor authentication? What's their roadmap to memory-safe code? Is single sign-on enabled without paying extra? So all these things that consumers typically sort of think are kind of magic, and they just assume things, and then they sign their agreement to accept liability, which essentially is what you do when you turn on a device. We're really trying to make sure that it's more educated consumers, and the government can of course have a big role. You know, the government can also have a big role, as you well know, because of purchasing power, and so EO 14028, that you helped to write when you were at the NSC, talks a lot about how you can use the government's purchasing power to drive vendors to create safer products and to ensure that you have standards built in. And we're going through the Federal Acquisition Regulation process, which is very Byzantine and very bureaucratic, but hopefully we'll get there, and that will help, I think, drive a good portion of the market to start creating products that come with less and less vulnerabilities.

JEFF: From the end user's perspective, do you have in mind any good resources that they can go to today to understand, how do I make an informed security decision? I think the quote that you said in February that I loved was, you know, companies are incentivized to create features and lower costs but not create safe technology; that has to stop. And you talked about the market forces. What are some of the resources that folks online could go to today while they're watching this?

EASTERLY: So I would say our website; it's cisa.gov/securebydesign, and you can see the product that we put out, which is principles and approaches to technology that is secure by design, secure by default. Arguably it is technical, but for those of you who are part of the technical community, part of the cybersecurity community, we would love for you to take a look at it and to provide us feedback. We are continuing to refine it, and what I hope to get to, and I've asked the team to look at, is almost a hall of fame, so we have the five to ten things that consumers can actually look at to say this product is secure by design, secure by default, so it's much easier. It's a little bit like the labeling piece, right? And so what we're trying to do is get to a place where you have really educated consumers, so they know what to ask for, and that helps to drive the market. But it starts, at the end of the day, with the type of principles that we're putting out, and you know, Jeff, I'm under no illusion that this is going to be done next year or the year after. I am encouraged by the fact that the big technology companies, we're having very good and productive meetings with them, because, you know, we want to assume that these companies do actually care about the safety and security of their consumers. Again, there just has not been a clear market signal.

But one of the things in the article was we talk about "unsafe at any CPU speed," and that of course came from Ralph Nader's famous book from 1965 called Unsafe at Any Speed, and that was when you had car crashes and everybody blamed it on bad drivers, and so it took from 1965 to, I think, around 1983 before you had legislation that mandated seat belts. Many of us grew up in an era where we didn't have any of that, and so it will take a while to actually make these changes. I'm hopeful that we can do it faster than we did with seat belt and car safety legislation.

JEFF: Yeah, I remember my parents adding seat belts as an option in a car they bought in the 70s.

EASTERLY: Exactly.

JEFF: I'm going to switch gears and talk a little bit now about election security. We are six or seven months from the first primaries; hard to believe we got here. Can you give us an overview on your preparations, on your work with the state and locals? Is it now a steady-state, constant effort, or do you ramp it up as we get toward an election?

EASTERLY: Yeah, so thanks for asking the question. You know, CISA's mission is to reduce risk to the cyber and physical infrastructure that Americans rely on every day, but the election infrastructure security mission is hugely important, just given that elections are the bedrock of democracy, and so hugely important in particular for me as somebody who spent 21 years in uniform. So at the end of the day, what we do at CISA is ensure that state and local election officials, who are responsible for managing and administering and running elections, have the resources that they need to keep their election infrastructure safe and secure, so that the American people can have confidence in the integrity and resilience of election infrastructure.

So election infrastructure was not critical infrastructure until 2017, when former Secretary of Homeland Security Jeh Johnson designated it as part of critical infrastructure, and at that point in time CISA was made what's called the sector risk management agency for election infrastructure. Now it's interesting, because back then Chris Krebs, who was of course, it was NPPD then, before it became CISA, and then Matt Masterson, who was the senior election security lead, they faced enormous pushback from state and local election officials who really did not want the federal government involved in any way in elections. And to Chris and Matt and the team's credit, they created incredible relationships with secretaries of state, chief election officials, state election directors, so that when I came in in the summer of '21 I inherited a lot of goodwill between the election community and the federal government, I think fundamentally because they understood that we were only there truly to help. We were there to provide resources for physical security, for cybersecurity, for insider threats, for the full range of threats that are out there.

And so since that period of time, I think, arguably, Jeff, to your question, we've been working on elections; you know, there are elections happening at all times, and so it's never a "start from here" type approach, but obviously for 2024 we have started working with some of the new election officials, because there's been turnover over the past couple years. So we're in the process of making sure that election officials across the country understand the vast amount of resources that we bring as a federal government, the type of information sharing that goes on from entities like us as well as the EI-ISAC, the Election Infrastructure Information Sharing and Analysis Center. And the other great thing is there's now a vibrant community of private sector folks that we stood up through the Joint Cyber Defense Collaborative, where there are resources for some of these election offices at the local level that are not well resourced. We talk about these as target-rich, cyber-poor entities that frankly get targeted a lot but don't necessarily have the resources to defend themselves. And so we are working very, very hard to ensure that all of the officials have what they need to make elections secure and safe in 2024.

JEFF: You mentioned CISA's physical security mission, which I think often gets less coverage, and we were speaking before about how 12, 13 years ago, when the Hill was conceiving a CISA-like entity, the concern was that no one would pay attention to cyber if it was joined with physical. I think we're a bit at the opposite end of the spectrum, but in 2022 physical security of actual election workers was a big issue going into the election. Do you see that at the same level, and how do you balance the resource demands of that physical security need with the cyber? These are state-run; the federal government's not going to step in and run the elections for the states.

EASTERLY: Yeah, you know, it's a great question. I'll step back a little bit. So we were stood up in 2018, and frankly I don't think we would have been stood up as an operational agency if not for the cybersecurity mission. So the idea was stand us up as America's civilian cyber defense agency, but we also play a role as the national coordinator for critical infrastructure security and resilience, and that includes physical security. And so part of CISA does things like the Office of Bombing Prevention, school safety, chemical security, and so these are not the ones that sort of make the headlines, but they're critical, particularly to our stakeholders around the country, and in particular to election officials, where we worked with them in the run-up to the midterms to ensure that they both had the ability to have physical security assessments on things like polling places but also to do training on de-escalation. So we had the Power of Hello and how to deal with potentially inflammatory situations of people coming into a polling place or an election site.

You know, frankly, I was less worried for the midterms, which, you know, huge credit to election officials, I think went about as well as they could have gone. I was most worried about physical threats, as you alluded to, Jeff, about an active shooter at a polling place. I mean, certainly ransomware on an election site, on election infrastructure, was also a big concern, but you know, now we're not able to say we're going to focus more on one or the other. Right, from 2017 to 2020 I think arguably the focus was much more on cybersecurity, and now it's on the full range of threats, and it's very complex: physical security, cybersecurity, insider threats, threats of foreign influence and disinformation. And so we are constantly working to ensure that election officials have the resources across all of those things that they need to ensure that their voters and constituents can have confidence in the security of their election infrastructure.

JEFF: And on the last note, on the end user, so to speak, the citizen: we've talked briefly about cyber civil defense, the idea that we're all in this together, everyone needs to play a role. What do you see as the role of the informed citizen, and how and where can she get information today? Are you going to bring back the pineapple pizza campaign, or something like it? For folks who don't know, this was 2018-19; it shows how adversaries, how people will find wedge issues. And the interesting thing about that campaign is the campaign itself caused a dispute, so it proved itself in ways that were unintended, I thought. Or do you think that's now ingrained enough in people's thinking? Where can they go for resources? Can you circle back to the initial question?

EASTERLY: Well, first of all, having lived in Hawaii for three years, I don't understand why pineapple pizza is a wedge issue. I mean, who doesn't like pineapple on pizza, right?

JEFF: Is that a for or against?

EASTERLY: There you go, exactly. So you know, this issue about voter literacy, election literacy, is so incredibly important, and I have to say I don't know if I had an appreciation for it; in fact, I know I didn't have an appreciation for it before I came to CISA, because elections are something that you almost take for granted. I spent most of my life in the military, and we would do absentee balloting, and so you mail in your ballot and it gets counted, and you know, you're excited about election night and issues and voters. But at the end of the day, elections are so complicated. They're complicated, they're technical, and what election officials will tell you is, if you've seen one election, you've seen one election. They're very, very different across jurisdictions, across counties, across towns, across states, and so getting smart on how elections work is, I think, really important to being an informed voter and being a member of a democracy.

And so I would say we certainly have information about elections on CISA's webpage, but one of the things that we always say is go to your local election officials. They all have web pages; they are the ones who are most knowledgeable about how elections are run and the rules that are in place across a whole bunch of things, about drop boxes and absentee ballots and when votes are counted. And we have an election literacy site that's called Rumor vs. Reality that was actually modeled off of a site that FEMA used for years. Chris Krebs and Matt Masterson stood it up, I think in October of 2020, to help push back on some of the things that were happening, where the Iranians were masquerading as the Proud Boys, and so we have used that site to help people understand some of the myths that are out there, some that are being proliferated by our foreign adversaries. But these have now been taken up by state and local, and so you can go to your web page and become an informed voter.

Two other quick things: think about volunteering, think about being a poll worker, think about working at elections. It's a great thing to do for democracy; it also helps you learn how elections work. And the other thing that I have become really focused on whenever I'm around election officials is saying thank you and showing that gratitude. You know, in the military, when you're in uniform, people always say thank you for your service, but I will tell you, election officials, who are working incredibly hard on the front lines of democracy, some of them are dealing with threats and harassment, which I think is absolutely horrific, but they're doing this at very little pay because it's the right thing to do for the nation. They absolutely deserve our respect and our gratitude, so make sure when you go to the polling place you thank the folks who are there helping elections happen.

JEFF: Yeah, that last point is essential. I think the average age of the poll worker continues to climb, and it's going to be hard to backfill if people are worried for their personal safety.

I want to pivot from election critical infrastructure to talk more broadly about critical infrastructure. In the months leading up to Russia's February invasion of Ukraine, the U.S. government in particular led both a high-profile and a closed-door effort to improve the security of the nation's critical infrastructure, and speaking just for myself, the things that, being on the inside then, I saw both government doing and the private sector doing were things that for 15 years both sides had said, well, we could never do that. So a couple questions about that, but the first is, have you been able to turn that type of relationship into more of a steady state, so that we can make those engagements, share information, see the private sector taking security steps, not just when there's an emergent threat?

EASTERLY: It's one of the things that I'm most proud of, of the team, but I'm also really grateful to the intelligence community. You know, I grew up as a military intelligence officer and was at NSA for many years, and what the intelligence community, under the leadership of Avril Haines, did to be able to take very classified intel and get it so that we could share it with the private sector was just incredibly important, and I think a great model for what we need to do to ensure that while we're still protecting the sources and methods of our most exquisite intel, we're getting it to people who need it so that they can use it to reduce risk to our nation.

And so, you know, in the late fall of 2021, the intel community came to us to tell us about signs of a potential invasion, and very quickly on we realized that what we needed to do was to figure out how to inform critical infrastructure so that they could both understand the threat as well as do something about it. So not only tell them what the threat was but actually give them best practices that they could urgently implement, so again they could mitigate risk to the nation, and that was our Shields Up campaign. And it started with briefings to all of the sectors at varying levels of classification, arm in arm with the sector risk management agencies, so Treasury and Energy and HHS and everybody across the board, so that folks really understood what the potential threat was from malicious Russian cyber activity in retaliation for anything the U.S. might impose in the wake of an invasion.

And I do think that is a really good model going forward, in that we understand that we need, as a government, to be value-added to the private sector. For years and years we talked about public-private partnership, and I saw this frankly from Morgan Stanley: it had become a little hackneyed, and government was not acting as cohesively as it should have been. So one of the things that we really tried to do was to bring together the federal government, and in particular the federal cyber ecosystem, NSA, FBI, CISA, CYBERCOM, the sector risk management agencies, to be able to operate on one platform. We stood it up based on new authorities that the Congress gave us, coming out of a great idea from the Cyberspace Solarium Commission. It was the Joint Cyber Planning Office; we called it the Joint Cyber Defense Collaborative, and essentially that was the platform we used to reach out to the private sector and to talk through the threat and what actions needed to be taken. We actually created a Ukraine tensions plan; we exercised it for several hours between the U.S. government and the private sector so we could talk about how do we react, how do we respond, how do we communicate in the event of a significant attack on the homeland. And I think the great thing about that was, you know, in cybersecurity you're so much pushed into a reactionary position, as you know, Jeff, and so this was really the first time, how can we be proactive about working together and adding value to the private sector and being responsive and being transparent and really coming together as a community. So I think it was a high-water mark, and I think it has set the stage for how we need to deal with the whole range of threats, to include, really, I think, the epoch-defining threat of China.

JEFF: It seems there's often been a disconnect between the information the government actually has and what the private sector believes the government has and could share, and I know you've seen both sides of it. Do you think the experience of Ukraine, and then in the middle of that Log4j, and maybe you can talk about how you kept the JCDC people alive during those twin stresses, but do you think we are closer to a meeting of the minds in terms of what the government actually has, not what it can share, but what it actually has, and how that can help the private sector?

EASTERLY: Closeness, right, because this at the end of the day is a transformation. You know, having been in this world for a really long time, we are trying to significantly shift how we work with the private sector, and it's not an easy thing, because, you know, frankly it's all about trust building. You have to believe that the government is going to be transparent, is going to be responsive, is going to be value-added, and so we talked a little bit about this in our article in Foreign Affairs, this idea of persistent operational collaboration, and it's really three things. First of all, it's a default to share, where everyone recognizes that a threat to one is a threat to many. Second, it's a co-equal partnership between the government and the private sector, where there's reciprocal expectations of transparency and value-added and responsiveness, and where industry does not have to fear punitive sanction if they share information about an incident. And then third, making the interaction and engagement between government and industry as frictionless as possible, so that you are on shared platforms, you are able to have analytics that can be shared among the entities that can help you understand the threat, put the dots together and drive down risk to the nation.

I think Log4j was the first time where we really tried to operationalize that, and I think, given the urgency of it, we were really able to get ahead of it. I mean, we still worry a lot, but I am pleased that we did not see more damage, quite frankly. And you know, credit to not just industry and government but the amazing community of researchers that are out there. Sometimes researchers get overlooked, but frankly, I mean, you know this from your time in Commerce, they play such an important role, and so we had some fabulous people coming to us with some great ideas that helped to inform the GitHub site that we put out, the website that we put out, so that was great. And then Ukraine, and then frankly we have pivoted to using these platforms for the fight against ransomware. And so it is a transformation, but it's one where I feel like, and this is based on the feedback that I get not just from industry, not just from the technology companies but frankly from all industry, that I think we are making some progress. But it is something that we will continue to work at, and we have to approach it, to be honest, with humility, knowing that the government cannot do this mission; it has to be a joint endeavor of collective defense.

JEFF: You keep setting up my next question, so thank you. I want to stick on critical infrastructure, but you talked about China and the partnership. I want to talk a bit about a recent Microsoft report on a campaign, a group they called Volt Typhoon. For those unfamiliar, Microsoft described this as a stealthy and targeted set of malicious activity aimed at critical infrastructure organizations across the U.S. Now CISA put out a joint advisory with FBI, NSA, all of our Five Eyes partners, and I believe you attributed it to the PRC, or were you noting that Microsoft had attributed? I didn't mean to put you on the spot.

EASTERLY: I think it said PRC. Yeah, I mean, certainly PRC actors have been in the spotlight for years and years. I think the key difference here was, with PRC actors the focus has been espionage; we talked about decades of intellectual property theft and the greatest transfer of intellectual wealth in history. But what we are starting to see, and this was captured in the IC's Annual Threat Assessment, was targeting that is less about espionage and more about disruption and destruction. I think you only have to read the Annual Threat Assessment, the page on China cyber, where it says that in the event of a conflict, which anybody who's been studying what's been happening under the leadership of President Xi... in the event of a conflict, China will almost certainly use aggressive cyber operations to go after our critical infrastructure, to include pipelines and rail lines, to delay military deployment and to induce societal panic. And so this I think is the real threat that we need to be prepared for and to focus on and to build resilience against, and that's why the product was very focused on the things that we need to do to deal with the specific tactic of what's called living off the land, which is essentially threat actors using the native processes of your computers to be able to get a foothold. And so that's important, but at the end of the day it's all of the things that we need to be doing from a cybersecurity perspective.

And then more broadly, I think, given the formidable nature of the threat from Chinese state actors, given the size of their capability, given how much resources and effort they're putting into it, I think it's going to be very, very difficult for us to prevent disruptions from happening, which comes down to resilience. We as an American people need to understand not just cyber resilience but the imperative of operational resilience and the importance of societal resilience. A great example is just look at Ukraine, and I think you see that pretty clearly. I worry, frankly, that we've lost a bit of societal resilience if you just look at the reaction to Colonial Pipeline, you look at the recent reaction to the high-altitude balloon. I think we need to be prepared to be able to respond, recover, learn from disruptions, and to be able to move forward in a way that we can continue to operate our critical services and our networks and our businesses, even under the threat of Chinese state actors who want to hold that critical infrastructure at risk.

JEFF: Keep calm and carry on, as they said, because we are in fact playing the adversary's game when we overreact or react aggressively. You mentioned the DNI's threat assessment; for those who don't know, it was in February, I believe, that it came out, and the passage was exactly as the Director said. I was stunned to read that in a public document, but I haven't seen much coverage of it. Is it wrong to see the statement, both that China would likely launch aggressive cyber operations against critical infrastructure and that they almost certainly are capable of doing so? That to me was quite a strong statement for the U.S. government to put in public, but it seems not to have resonated as it might. I guess I'm asking, do you see that as a sea change in the way we're publicly discussing the China issue?

EASTERLY: Well, I was really pleased to see it, because frankly I think it's really important that businesses of all sizes, the American people, the technology producers who we are working with to ensure that our software and our technology is as secure as possible, take note of that. I mean, I think the issue is we live in a world, Jeff, where it's become news of the day; it's very hard for a lot of this to break through. I was quite happy that the Shields Up campaign did end up breaking through a bit, but of course, you know, Russia-Ukraine was the big issue that we were all riveted on around the world. I think that this is the most important issue for anybody who runs or operates critical infrastructure: we need to be prepared for disruptive attacks. Now I hope that doesn't happen, but quite frankly critical infrastructure is part of national security, it's part of economic security, it's part of public health and safety, and so there is an obligation to ensure that they are taking all the steps possible to drive down risk. And that goes back to our point about sharing information with the sector, with the government; boards and CEOs embracing corporate cyber responsibility as a matter of good governance; and frankly working within their communities to help them drive down risk to everything that we rely upon. Our hospitals, our water, our education, these are critical infrastructures. It's not some technical term; it's everything that we rely upon to run our daily lives, and it's up to all of us to take note of situations like that and to ensure that we're doing everything we can to mitigate risk.

JEFF: Is it correct to see the Volt Typhoon CSA as part of the effort to challenge or address the cyber threat? It sounds like you're making that a key part of CISA's mission, and can you talk for a minute, if you can, about how you see that rolling out, how you address that publicly, directly with those companies?

EASTERLY: Yeah, so since we published the CSA we have done similar to what we did for the Shields Up campaign. We've been reaching out to sector partners using what's called CIPAC, which is the Critical Infrastructure Partnership Advisory Council, which allows us to reach out to sectors to ensure that they are aware of the threat, and so we've had engagements with, I think, three or four sectors already, and we will be engaging more over the summer, again to have them understand the things that they need to do at the tactical level with respect to the specific tactics called out in the CSA, but more broadly all of the other things they need to do to drive down risk, to build resilience and to make sure that they can take advantage of all of the resources that we have, in particular for some of the businesses that are vulnerable to targeting but don't have the resources that they need. And you think about big critical infrastructure owners and operators; they typically are well resourced, but they also have very complicated, very vast supply chains, where you might have parts that are produced by small and medium enterprises, and so we have to look at this as a threat to the nation and that we all have a part to play. And so, you know, ultimately I suspect we'll see a Shields Up campaign extended to what we see from China, but it's really about ensuring we are as safe and secure and resilient as a nation as we possibly can be.

JEFF: Great. I want to turn to our last topic before questions, and I want to thank you for not having said AI before now. I think we've probably set a 2023 record for how long a cyber tech panel can go without talking about AI, but for those of you who have it on your bingo cards: AI. So generative AI really has captured the public imagination, dominated the headlines, but stepping back and thinking about it more long term, and you've been at this for a while, do you see it as something that is truly revolutionary, or is it an evolution, new technology building on things that we've already been doing?

EASTERLY: I think it's a little bit of both. I mean, I think it's an evolution of things that we've been doing from a machine learning perspective, but I think these capabilities will have revolutionary impacts on our society. We should just stipulate, like, the capabilities that are being built now and are evolving will enable us to do amazing things. They will make our lives easier and better. My concern, Jeff, is I see how fast all this is moving. Large language models are progressing at three times the speed of Moore's Law, so doubling every six months versus every 18 months, so moving very, very rapidly. When I see that, I very much worry that these types of capabilities can be used by threat actors to do very bad things. You know, my career is about 30-plus years of cybersecurity, intelligence operations and counterterrorism, and so it's really through the lens of both the power of imagination and the failure of imagination, and I want to be sure
thatfrom a security perspective we can takeadvantage of the great capabilities thatthat these new generative AI largelanguage models can provide to Americansbut to do so in a way where we can alsoensure the safety and security ofAmericans and I worry that we’re movingso fast in the same way that we move soso fast with social media and the waythat we created the internet and the waythat we created software in the earlydays this is just another flavor of thatwe’re moving fast we’re breaking thingsand I worry about the downsides of thatif you even look at the statement from350 expertson AI they talked about the importanceof mitigating risk to from Extinctionand the need to make that a globalpriority those were just 22 words thatsaid nothing more I actually think it isthe responsibility of anybody involvedin creating AI or advancing thesecapabilities to help us make sure thatwe are putting the right regulation andguard rails in place to ensure that theyare not used for malicious purposes byvery serious threat actorsaccepting for the sake of argument thatit will probably be very hard if notimpossible to get technology companieseven if we could slow down U.Stechnology companies Global Drive willgo forward are there a couple of thingsyou have in mind that you really want usto be doing today to help sear us in abetter direction or is a lot of itreally just understanding the moral andlong-term implications as opposed towhat is the next evolution in yourtechnologywell I think part of the problem ispeople don’t even the experts will saythey don’t understand this fully andthere arethere are outcomes that are happeningtoday from these capabilities that werenot expectedand so I think that uncertainty and thatlack of understanding of what uh theoutcomes may be in an unrestricted uhuse I think should give us all pause tosay let’s make sure that we are doingthe right thing with these capabilitiesso there is a bit of a moral imperativethere as you suggested Jeff you knowthere is no 
absence of ideas out thereabout things that we need to do and ofcourse the the US government has leaningis leaning forward the meeting with vicepresident Harris the AI risk managementframework from your old colleagues at uhat Commerce the AI Bill of Rights fromostp all of these are good and usefulcontributions I think ultimately therewill have to be and even industry issaying this there will have to be somesort of Regulation to govern uh thelicensing and the use of thesecapabilitiesuh the issue is we have you knowcreating regulation is very bureaucratictakes a very long time and so I thinkthere needs to be some self-regulationin the interim until we can cometogether and ensure that we have theright type of regulation in place that’sgoing to allow these capabilities to bedeveloped for good uh not to crushInnovation but make sure that we areprotected uh in America and across theworld so people are talking about theaiai theum the equivalent of the world AI agencyunder the UN similar to the one that’screated for nuclear weapons there is theEU AI Actwhich I know industry here in the U.Shas significant issues withum but frankly if you look at the euaiact I don’t think it’s that differentfrom the AI risk management frameworkexcept it has teeth to it so I think weneed to have this discussion and I sawthere was some discussions this morningabout bringing China into the into thediscussion if we can have aconversations with our adversaries aboutnuclear weapons I think we probablyshould think about having theseconversations with our adversaries on AIwhich after all will be in my view themost powerful weapons of the century andthe big difference between nuclear andAI is of course nuclear was created anduh protected by uh countries and AI iscreated by companies whose fiduciaryresponsibility is to maximize profit fortheir shareholdersum so big big problems big issues theidea of somevoluntary regulation given how slow theU.S regulates but to your point deu ismoving and we need to 
keep upum we have about 10 or 12 minutes leftwe take a few questions just ask pleaseidentify yourself and who you’re withand we will move around the room let’sno one ever goes to the Back Row firstso let’s start with the back row todayuh yes uh good morning my name is Rogercochetti I am an editorial contributoron technology policy for the hillnewspaper and spent about 25 years withIBM verisign CompTIA Tech as a businesspolicy not a technical executive so myquestion is about emerging issues andI’m delighted you talked about two ofthem but I wanted to ask you ask aboutyour thoughts on another emerging issuewhich is probably the Next Generationafter Ai and and China and all thesetoday’s emerging issues and that is whatI would call immersive uh uhimmersive computerized experiences wellsometimes called artificial reality it’sclear the industry from the events ofthe past month or so or it’s moving andputting major investments in this and itraises I think security issues whichrequire that you widen your aperturejust like with AI a little bit more thanyou know sort of Defending from foreignattacks or something so is anyonethinking about or and by the way if youimagine immersive experiencedsupercharged by artificial intelligenceI don’t even know where we go I mean butbut later in this decade I believe itwill be a significant issue sociologicalsocial every otherwise is anyone lookingat this or do you have any thoughts atthis early stage about immersivecomputerized experiences thanksyeah thanks for the question umwe are not currently looking at it atsisa right now I’m sure there are otherparts of the US government maybe DARPAthat are looking at itum you know as I said I’ve been intechnology for a really long time Ibelieve very strongly in the power ofTechnologyum and the power of innovation I I thinkit is a responsibility of leaders thoughto also understand that as we have theseincredibly powerful Technologies not tosuffer yet another failure ofimagination and so as you think 
aboutthe evolution of Information Technologyas I talked about with the internet andsoftware and social media and now thedirection we’re going on with AI andultimately withum uh as you talked about AR VR I thinkwe have to keep security it’s the sameprinciple of security by Design we needto build in security and safety byDesign to ensure that we are able tokeep the American public saferightum let’s go to the front row here realquick we’ll go to the back the leftsinging good morningum I’m Marco raymondi from the Silveradopolicy accelerator thank you Vivian Jefffor putting on another great event anddirector from comingum about a month ago I was at MIT withabout 150 peopleum it’s a forward-looking gatheringwhere we spend the morning getting thelatest briefings from the technologistsworking on AI machine learning Quantumcomputingand giving us the capabilities and thetimelines when they’re going to startcoming on we spent the afternoon of thisgroup of policy Techacademics looking at what we need to donow to start being continuing as safe aspossible in five years nist and sisa gotvery high marks putting out guidance Ibelieve you co-post Quantum Computingum where it gives a road kind of apath for companies to start and it saidit’s going to be the mostchallenging and timely and costlytransitionnobody seemed to think there was a lotof companies getting high marks foractually following that guidance rightnow or having those discussions with thec-suite the boards Etc so in your listof endless concerns where does that fitthank you yeah thanks for thanks forraising it usually you have Quantum comeup before soum it is it is another good example Markof where the government has cometogether to try and be as proactive aswe possibly can be in addressinga complicatedlonger term longer not you know longum 50 years but probably about a decadethat can have very very seriousconsequences for the safety of ourcritical infrastructure and so we’vebeen working closely as you said withnist with 
NSA we have a post-quantumInitiative for how to transitioncritical infrastructure uh to make surethat systems are uh safe and secure theit you know to Jeff’s earlier pointuh we are engaging with criticalinfrastructure we are making sure thatthey understand uh the implications ofthis but a lot of the challenge that wehave as you well know from your time ingovernment is how to communicatearound these very technical andcomplicated issues so that they landwith the business communityright because at the end of the daycyber security the transition to postQuantumum are cost centersand how you turn that into somethingwhere Business Leaders really understandtheir responsibility in protecting thenation is one of the things that we’rereally trying to focus on when we talkto CEOs and when we arm cisos and cioswith the ability to talk to their CEOsin business terms about what they needto do to keep their businesses safe Imean folks should read that principlesand approaches to secure by Designbecause the top three principles therewe put Business Leaders speak they’renot in nerdspeak it’s about technologycompanies need to own the securityoutcomes for their custom customers weneed to all call for radicaltransparency and Business Leaders needto recognize their role in keepingAmerica safe by driving down risk totheir infrastructure and so at the endof the day I I think being able to putthis in as clear terms as possible forthose who own the budgets and you as acommunicator can probably help with thisas well as Dimitri can help us with thatbecause I think it’s part of thechallengepost Quantum crypto is not the sexiesttopic it’s not to raise other questionswas there one over hereSophia if we could bring a mic upum hi Christian Vasquez from cyberscoopI was wondering if you can give us anupdate on a systemically importantentities uh and how sister is reallythinking about our prioritizing prior Inever say that word the first timeprioritization around criticalinfrastructure especially as 
the youknow the grid becomes more complexdigitizationum interconnectivity manufacturing AllThat Jazz like how are you thinkingabout it yeahum so as you probably know this was anidea that was incubated by thecyberspace Solarium commission theycalled it the systemically importantcritical infrastructureuh we’ve been working for the past yearand a half on systemically importantentitiesuh and we’ve been working it as aninitiative through the fslc the federalsenior Leadership Council which werejuvenated uh over the last year inNovember of last year to ensure that wecould really effectively do the rolethat Congress asked us to do which wasto coordinate the national effort forcritical infrastructure resilience andsecurity and so while we serve as eightsrmas eight srma for eight sectors inone sub-sector we alsoum importantly play this Nationalcoordinator role and so we’re in theprocess of creating those lists and Ithink it’ll probably be less than 500entities and working it through withboth the srmas as well as with industryso we have a list where there is acertain level of comfort that these arethe most important entities for NationalSecurity for Economic Security and forpublic health and safety I do not expectthis list to be delivered as the HolyGrailI expect it to be iterative quitefrankly and I expect that it will evolveas we are able to exercise it because Ithink really understanding as youalluded to Christian the innerconnectivity so you have defensecritical infrastructure for example buta lot of that is dependent upon civilianuh water or there may be civilianhospitals and so it’s that innerconnectivity that I think has been theum the the big Focus area the thingthat’s taking us the longest to makesure that we can get that in a spacewhere you can really understandcascading impacts to a to an event thathappens to critical infrastructure andyou know this is all hazards it’s notjust cyber it’s it’s physical threatsit’s threats of terrorism it’s threatsof weather events 
and so we want to makesure that the first issuance of thislist lands well really as a platform fortalking about howum how we can address the most seriousthreats to the nationwe have time for one last question if wecan keep it very quickforeignthanks so much Amanda with SouthernCalifornia Edison as you know we’re amajor electricity provider in the LAregion intrigued by what you said aboutexcept expecting possibly uh Chinafocused Shields up is there anything youwould recommend for criticalinfrastructure providers to do bettermore differently next time around as youknow our company we were fully resourcedand supportive of the Russia Focuscampaign thank you yeah and um your CEOis terrificuh and and frankly was one of I thinkthe the really leading voices in helpingto ensure that industry took thosewarnings seriously you know I’ve alwaysbeen very impressed by the energyCommunity because when you have meetingswith certain industries sometimes it’sthe cios that come to the tablesometimes it’s the cisos when energycomes it’s typically at the CEO leveland I sawum a huge influence wave coming out ofthat that was really really helpful forother sectors you know at the end of theday The Shield’s up for Ukraine I don’tthink is going to look thatfundamentally different if we dosomething Shields up for China it’sreally about the basic steps that can betaken to reduce risk to yourinfrastructure now there are tacticsthat Russia may use that China may usethat we want to be able to respond tothat critical infrastructure should knowlike living off the land that was in therecent CSA but all of the other thingsthe steps that need to be taken morebroadly whether it’s a for smallbusiness moving to the cloud whetherit’s implementation of Enterprisemulti-factor authentication whether it’sthe implementation of zero trustarchitecture all of these things aregeneralized across the space and so Isuspect it will be more of that but whatwe want to do to the earlier point aboutyou know this this 
statement that was inthe annual threat assessment that wasactually so glaring that didn’t sort ofland in in a big way we want to bringgreater attention to that and so we’reexcited to partner across all sectors tohelp us make sure that the Americanpeople and then businesses large andsmall understand the imperative of whatwe need to do to keep the nation safethank you director easterly thank youagain for taking the time out of yourday to join us and hopefully we can dosomething similar in the future awesomethank you thanks so much Jeff
Earlier this year, CISA Director Jen Easterly and Executive Assistant Director Eric Goldstein argued that "[w]hat the United States faces is less a cyber problem than a broader technology and culture problem." That observation is consistent with what the general public increasingly sees every day: cyber is a component of many major geopolitical, technological, and business challenges facing the United States today.
To better understand how cyber fits into the broader geopolitical and cultural landscape, and how the US government is working to respond, we sat down with CISA Director Jen Easterly for a one-on-one conversation. She discussed US government efforts to promote technology that is secure-by-design and secure-by-default, CISA's work to increase cyber resilience in the run-up to Russia's invasion of Ukraine, election security, and how generative AI could change how we think about security.