The Washington Post

The Cybersecurity 202: Biden's new CISA director will confront a host of complex challenges

The next leader of the nation's top cybersecurity agency will inherit a bevy of crises. 

President Biden has nominated Jen Easterly, the head of Morgan Stanley’s global fusion center and a former U.S. government official, to be the next director of the Cybersecurity and Infrastructure Security Agency. If confirmed by the Senate, she'll enter the relatively nascent agency as a series of high-profile breaches are testing the federal government in new ways.

“Cyber attacks [and] cyber operations are getting bigger and more complex,” said Camille Stewart, a former senior policy adviser at the Department of Homeland Security who is now global head of product security strategy at Google. “And CISA definitely has to scale its operations, its technology, to meet that challenge.”

CISA said this weekend that it's “engaging” with other government agencies to respond to a ransomware attack on one of the nation's largest fuel pipeline operators. And the agency is also still dealing with the fallout of the SolarWinds cyberattack, which the Biden administration has blamed on Russia. 

Running CISA will be no small task.

The agency launched two and a half years ago with a wide mandate, from shoring up critical supply chains to managing risks to U.S. election infrastructure. And the pandemic has introduced new challenges, as hackers found novel ways to prey on Americans spending more time online and targeted things like complex vaccine distribution. 

The United States is on “the cusp of a global digital pandemic driven by greed,” former CISA director Chris Krebs told Congress last week. The crisis, Krebs said, is a “digital dumpster fire.”

Nine former U.S. officials, most of whom worked in top roles at CISA, weighed in on what Easterly will need to prioritize if she is confirmed. Building the agency's workforce in the wake of hacks will be a top priority, officials said.

The SolarWinds hack alone compromised nine federal agencies and about 100 private firms. At least 30,000 organizations were affected by a vulnerability in Microsoft Exchange software, which was disclosed in March and allowed Chinese government-linked hackers to steal data. The agency is also dealing with a barrage of ransomware attacks.

“You've got a workforce that has been working their tail off, just grinding away on these large issues,” said Matt Masterson, a nonresident policy fellow at the Stanford Internet Observatory who was a senior cybersecurity adviser focusing on election security at CISA. 

“And so, certainly, I have no doubt one of Jen's priorities is to come in and assess sort of the state of the workforce and where she can prioritize boosting support to them,” he said.

But at the same time, the agency has to be agile.

“The good news is: From the top, they're not looking at CISA as an aircraft carrier you have to turn in a lake,” said Matt Hayden, a former assistant secretary for cyber, infrastructure, risk and resilience at the agency. “They're looking at it as a start-up that just really needs to just keep pushing the gas in all the directions they can, and it falls to the leadership just to keep fueling the engine.”

Easterly, Hayden said, has “a great eye for this, especially coming from the finance sector.”

Easterly has management experience that could uniquely prepare her to tackle these challenges. 

She already has signaled she recognizes the importance of addressing workforce issues.

At a 2018 cybersecurity event, Easterly said she spent 60 to 70 percent of her time in her role at Morgan Stanley on talent management.

At the same event, Easterly was asked how the United States should prepare for the next decade. “I’ll be boring,” Easterly said, agreeing with another panelist, “and say: Continue to invest in human capital, because it’s the most important thing that we can do.”

“It’s not about code, and it’s not about computers; it’s about people,” Easterly said on a podcast last year. 

Lawmakers think CISA needs more funding to address its growing mission.

Rep. John Katko (R-N.Y.), the top Republican on the House Homeland Security Committee, has asked Congress to give CISA a $5 billion budget, more than double its current funding.

Such spending is key to supporting CISA, which is tasked with protecting critical infrastructure, said Rep. Jim Langevin (D-R.I.).

“It's got a huge mission and if you look at the level of resources, for example, that we put into our law enforcement activities or that we put into Cyber Command or into our intelligence activities, I still think it's not aligned properly,” said Michael Daniel, the president and CEO of the Cyber Threat Alliance who was the White House cyber czar under President Barack Obama. “We need to increase the amount that we're putting into CISA and what it does both in cyberspace and in the physical world.”

Other officials in the Biden administration who have cyber portfolios will have to work closely with Easterly.

She’ll also have to collaborate well with Biden’s pick to be the national cyber director, Chris Inglis; and Anne Neuberger, the deputy national security adviser for cyber and emerging technology. Easterly, Inglis and Neuberger worked at the NSA alongside one another. 

Inglis, like Easterly, will have to be confirmed by the Senate.

“[Chris Inglis] starts off day one wanting to work with Jen to find ways in which he can empower, not undermine or undercut, CISA,” said Suzanne Spaulding, a senior adviser at the Center for Strategic and International Studies who led the predecessor to CISA at the Department of Homeland Security. “But I think it has to be a priority because there are lots of ways this could go wrong.”

Inglis, who was a member of the Cyberspace Solarium Commission along with Spaulding, will enter his job “with the idea that his goal is to empower CISA to do CISA’s mission, not to do CISA’s mission,” Spaulding said.

A future-looking vision will be critical, officials said, for CISA to be successful.

“CISA has been an agency that's suffered from sort of myopia, sort of a short-term view: What is the thing that we need to tackle in six months?” said John Costello, a former senior adviser at CISA who is now an adjunct senior fellow at the Center for a New American Security. “To do this right they're going to need to take a longer view, and right now is the time to do that.”

CISA is going to “really need an investment in a new generation of leaders and supporting those leaders, and professionalizing those leaders,” said Ware, CISA’s former assistant director for cybersecurity. 

“I do think she has a great opportunity to kind of take it through that next stage of scaling it up and professionalizing it,” Ware said.

The keys

Colonial Pipeline said some of its operations are still offline as it responds to the hack.

The company said in a statement the “smaller lateral lines between terminals and delivery points are now operational,” although mainlines remain offline. The company added that it is creating a plan to restart its systems and is “in the process of restoring service to other laterals and will bring our full system back online only when we believe it is safe to do so, and in full compliance with the approval of all federal regulations.”

Colonial says its 5,500 miles of pipelines transport 45 percent of the fuel consumed on the East Coast. White House press secretary Jen Psaki tweeted that a Department of Transportation exemption would “allow flexibility for truckers in 17 states” as the Biden administration “works to mitigate potential disruptions to supply.”

American and British security agencies said that Russia’s intelligence agency looked for vulnerable Microsoft email software.

The advisory from the U.K.’s National Cyber Security Center, CISA, the FBI and the NSA came just two months after Microsoft revealed the flaw in its Exchange software, which the company initially said was exploited by Chinese hackers. 

It represents continued scrutiny by the U.S. government of Russia’s SVR spy agency. The Biden administration last month formally accused the SVR of being behind a hack on SolarWinds and other software.

“For many of the attacks against cloud environments, the SVR took advantage of misconfigurations or weaknesses in customer implementations of their cloud environment,” the FBI told CyberScoop’s Sean Lyngaas. “By taking advantage of these implementation errors, the SVR was able to accomplish their goals without the use of malware which may have been detected by endpoint monitoring systems.”

The CIA was able to get a leg up on Iran’s spymaster after bugging cellphones at a market.

The move worked and at least one of the phones was used by someone who was often in the same room as Quds Force commander Qasem Soleimani, Yahoo News’s Jack Murphy and Zach Dorfman report. Soleimani was eventually killed in a U.S. airstrike in Iraq. 

In the hours before Soleimani boarded his flight to Baghdad, where he was killed, he switched cellphones three times. U.S. Special Forces officials worked with Israeli officials to track Soleimani’s cellphone usage, and the Israelis gave their U.S. counterparts Soleimani’s phone numbers to track. The Israeli Embassy did not respond to a request for comment.

Chat room

The CIA’s infiltration of the cellphone supply chain drew comparisons to the SolarWinds supply-chain compromise and “The Wire,” an HBO show. Eric L. Robinson, an associate at law firm Arnold & Porter:

Securing the ballot

How an obscure Texas security company helped convince Americans the 2020 election was stolen from Trump (Emma Brown, Aaron C. Davis, Jon Swaine and Josh Dawsey)

Arizona audit postpones voter interview plan that raised Justice Department concerns (Hannah Knowles and Rosalind S. Helderman)

Daybook

  • Rep. Mike Gallagher (R-Wis.) speaks at a Heritage Foundation event on defense supply chains today at 1 p.m. 
  • Deputy national security adviser for cyber and emerging technology Anne Neuberger speaks at the 2021 Future Strategy Forum today at 3:45 p.m.
  • Erin M. Joe, the director of the Cyber Threat Intelligence Integration Center, speaks at the CyberSatDigital conference at 9:20 a.m. on Tuesday.
  • Acting CISA director Brandon Wales testifies at a Senate Homeland Security and Governmental Affairs Committee hearing on improving federal cybersecurity in the wake of the cyberattack on SolarWinds and other software on Tuesday at 10 a.m.
  • Reps. Jim Langevin (D-R.I.) and Don Bacon (R-Neb.) speak at a Hudson Institute event on the U.S. military and the electromagnetic spectrum on Tuesday at noon.
  • Lt. Gen. Vincent Stewart, the former director of the Defense Intelligence Agency and former deputy commander of U.S. Cyber Command, speaks at an event hosted by the Intelligence and National Security Alliance on Wednesday at 4:30 p.m.
  • Morgan Adamski, who leads the National Security Agency’s Cybersecurity Collaboration Center, speaks at the GovConWire Defense Cybersecurity Forum on Wednesday at 2 p.m.
  • Gen. Paul Nakasone, the commander of U.S. Cyber Command and director of the National Security Agency, testifies before a House Armed Services Committee panel along with deputy assistant secretary of defense for cyber policy Mieke Eoyang on Friday at 11 a.m.
  • Steve Luczynski, who leads CISA’s coronavirus task force, speaks at 4:15 p.m. on May 17, the first day of the RSA Conference.
