Jen Easterly, President Biden’s nominee to become the next director of the Cybersecurity and Infrastructure Security Agency (CISA), delivered a sobering assessment of the rising threats faced by Federal and private sector networks and pledged at her June 10 confirmation hearing to strengthen the agency’s capabilities to defend and secure networks.
The nominee faced relatively easy questioning from members of both political parties at today’s Senate Homeland Security and Governmental Affairs Committee confirmation hearing. Easterly pledged to work with committee members on a variety of their legislative efforts, and on the committee’s mission to provide oversight of CISA.
Easterly’s qualifications for the job – including serving as the White House’s senior director for counterterrorism from 2013 to 2016, and work on standing up U.S. Cyber Command – were not questioned during the hearing.
Rep. Michael Gallagher, R-Wis., a member of the Cyberspace Solarium Commission, introduced the nominee to the committee by saying that Easterly’s qualifications to head CISA are “well above and beyond” requirements and that she will make up part of a “great” Federal government cybersecurity team along with Chris Inglis, the nominee for National Cyber Director.
Cyber Threat Focus
In discussing modern-day cybersecurity threats and her commitment to confront them if confirmed to the CISA post, Easterly drew a firm connection between the 2001 terrorist attacks on the U.S. and the importance of the government being prepared.
“As noted by Tom Kean, Co-Chairman of the 9/11 Commission, ‘We were unprepared. We did not grasp the magnitude of a threat that had been gathering over a considerable period of time. This was a failure of policy, of management, of capability, and, above all, a failure of imagination,’” she said.
“If the past year has taught us anything, it is the obligation we have as leaders to anticipate the unimaginable,” Easterly said.
“While the digital revolution of the past several decades enabled unprecedented growth and innovation, the increased connectivity also introduced great peril: nation-states and non-state actors alike now leverage cyberspace with near impunity to threaten our security, our privacy, and our physical and digital infrastructure,” she said.
“Our adversaries combine hacking with malign influence operations to interfere in democratic processes,” she continued. “They breach major corporations to steal capital and intellectual treasure, target industrial control systems to disrupt critical infrastructure, and incapacitate entities large and small with the scourge of ransomware.”
Finally, she warned of the potential for ever greater consequences from future attacks, saying, “Even as we contend with the billions of daily intrusions against our networks by malicious actors, I believe that as a nation, we remain at great risk of a catastrophic cyber-attack.”
Ransomware, Incident Reporting, Workforce, Elections
Fielding questions from committee members on specific cyberattack vectors, Easterly said ransomware is “clearly a scourge,” and constitutes a “national threat” that requires “an all-hands-on-deck” interagency response from the government.
CISA’s goal, she said, “is to prevent people from having to make the really difficult decision to pay a ransom or not,” and to provide resources to organizations “to make sure they are prepared to defend themselves in this very complex environment.”
Asked whether critical infrastructure companies should be required to inform the Federal government when they get hit with cyberattacks and ransomware demands, Easterly replied, “it seems to be that voluntary standards are not getting it done.” In those cases, she said that companies should have to notify CISA, because “we have to be able to warn potential victims.”
Easterly further pledged to make it a “very early priority” to build the necessary relationships so that CISA continues to play a primary role in providing election security assistance.
Finally, she promised to work hard on building CISA’s workforce using a similar approach to the one she employed while heading security operations at Morgan Stanley in recent years. Building workforce culture, she said, is “foundationally important,” and includes building “inclusion, innovation, empowerment, and ownership.” She added, “it’s a real passion of mine.”
Quarterback Role
If confirmed to the position, Easterly said she would focus on several areas including “making sure that we have capacity for the mission,” including enough funding and authority, but “mostly people.” Other primary focus areas would include ensuring that CISA has “the operational and technical visibility that it needs,” and the “right partnerships” for success.
Easterly also framed the position of CISA Director as the “quarterback” role in Federal cybersecurity, with the overarching duties of managing and mitigating risks, and working with all levels of government and the private sector to ensure security and resilience of critical infrastructure.
“Within the federal cyber ecosystem, CISA is the ‘quarterback,’ charged with protecting and defending federal civilian government networks; leading asset response for cyber incidents; and ensuring that timely and actionable information is shared across federal, non-federal, and industry partners,” she said.
“The best quarterback, however, can’t win a game alone; cyber is and must always be a team sport,” Easterly said. “CISA fulfills its lead operational role for national cyber and infrastructure resilience in collaboration with other agencies at every level of government and with our industry and international partners. A critical element of this ecosystem is the National Cyber Director, who will ensure a coherent and unified federal effort as the President’s principal cyber advisor,” she said.