with Aaron Schaffer
But, at this point, government has only limited power to ensure that companies are doing what’s necessary to protect against such attacks.
“We cannot allow avoidable cyber disruptions to cost human lives,” Easterly said.
She added that “CISA was created to be something very different, not just another lumbering government bureaucracy, but really something much more akin to a hybrid public-private collaborative.”
Timed to the speech, Easterly announced a Joint Cyber Defense Collaborative — essentially an effort between CISA and companies including Microsoft, Amazon, AT&T and Verizon to spot and mitigate cyber problems before they turn into catastrophes. (Amazon founder Jeff Bezos owns The Washington Post).
The appeal comes after a checkered history of government-industry cyber collaboration, marked by industry complaining that government is too bureaucratic and won’t share enough of what it knows and government concerns that industry isn’t heeding its advice about the best cyber protections.
“There have been a lot of examples where the collaboration and information sharing, I think, has not been where we would want it to be,” Easterly told me in an interview. “I am really trying to take all of the lessons from my time in government and my time in the private sector … and trying to make some fundamental changes to that.”
Easterly also called for audience members to apply for jobs at CISA, touting a fast-track hiring system for government cyber workers that will offer wages that are more competitive with the private sector.
Department of Homeland Security Secretary Alejandro Mayorkas echoed those calls in a closing keynote. “We cannot answer these questions alone and want you to join us,” he said.
Easterly’s speech got broadly positive reviews from the cybersecurity pros in attendance at Black Hat.
The virtual speech leaned into her own biography, which included a childhood love of puzzles that propelled her into a lengthy computer security career at the Army, National Security Agency, White House and Morgan Stanley before she was confirmed as CISA director last month.
Also a big hit were Easterly’s outfit (jeans with a dragon design embroidered on the legs and a “free Britney” T-shirt) and her affect (fiddling with a Rubik’s Cube during part of her speech, dropping a comic book reference, and breaking briefly into a move she described as the “Elaine dance” from “Seinfeld).”
“For me, it's all about building relationships. And I think that starts with making yourself a little vulnerable … and letting folks into your world a little bit,” she told me.
Easterly and her agency are up against immense challenges in the coming years.
The U.S. government and industries have been pummeled by cyberattacks this year including the Kremlin-backed hack against Solar Winds that enabled the theft of immense amounts of data from government agencies and ransomware attacks that threatened to upend the pipeline and meat industries.
The government is surging its effort to combat such attacks, including CISA developing voluntary cyber standards for critical industry sectors. The White House has also floated the idea of making such standards mandatory if Congress gives it the authority to do so.
“I think through his words and his actions and the people he has put in place, [the president] has really shown that cybersecurity is, in fact, a national security imperative,” Easterly told me. “I think we are at a unique moment in time where we have the right talent, the right team across the board and the right priority focus to make a real difference in this space.”
The government also remains at odds with the cybersecurity community on some key points.
Easterly got a round of applause from the in-person Black Hat audience after she endorsed “strong encryption” during a question-and-answer session with Black Hat founder Jeff Moss.
“As CISA director and me personally, I think strong encryption is absolutely fundamental for us to be able to do what we need to do,” she said.
She later clarified, however, that she wasn’t specifically endorsing end-to-end encryption, which cybersecurity experts say is a vital protection against hackers but also prevents law enforcement from accessing the content of such communications with a warrant.
The issue has sparked a years-long battle between the cybersecurity community and top officials at the FBI and Justice Department who say such systems allow criminals and terrorists to “go dark” online. Other government agencies, including CISA, have generally steered clear of the going-dark debate.
"It's always been the position of CISA that we support strong encryption,” Easterly told me, adding, “I have no intent to pick any fights with my colleagues.”
Correction: This post has been updated to correct the name of Easterly’s previous employer.
Apple will scan iPhones for child pornography, raising surveillance concerns.
Apple will scan images stored on iPhones to identify the pictures, Reed Albergotti reports. The company says there is a less than a 1-in-a-trillion chance per year of incorrectly flagging such photos.
The company will scan the images’ hashes — which are strings of numbers that represent the images — looking for hashes that match known examples of child pornography and other child sexual abuse imagery. If they detect numerous matches, they will only alert law enforcement if Apple manually verifies that the images depict child sexual abuse.
Apple says it will launch the program in its upcoming operating system. The company also told TechCrunch that it initially plans to roll it out in the United States, where Apple has long resisted calls by law enforcement to weaken its encryption technology. Google, Facebook and Microsoft also have systems to detect known child pornography.
Some privacy advocates are critical of the plans. “It’s impossible to build a client-side scanning system that can only be used for sexually explicit images sent or received by children,” the Electronic Frontier Foundation said. “As a consequence, even a well-intentioned effort to build such a system will break key promises of the messenger’s encryption itself and open the door to broader abuses.” Matthew D. Green, an associate professor at the Johns Hopkins Information Security Institute, also criticized the program:
Whether they turn out to be right or wrong on that point hardly matters. This will break the dam — governments will demand it from everyone.— Matthew Green (@matthew_d_green) August 5, 2021
And by the time we find out it was a mistake, it will be way too late.
Washington-area local government agencies are vulnerable to ransomware.
Hackers going after the federal government are inadvertently targeting D.C.’s city government infrastructure, District chief technology office spokeswoman Nina Liggett told Karina Elwood. Mayor Muriel E. Bowser proposed $8 million for cybersecurity in her 2022 budget, but local governments in Maryland and Virginia have outdated systems and less money allocated for cybersecurity.
It’s not clear how many local government agencies in the area have been hit by ransomware. “There’s a PR element to all this,” said George Thomas, vice president of innovation and strategic initiatives at Connected DMV, an organization that serves the District, Maryland and Virginia. “Some agencies, schools, banks, especially the private [sector], don’t want to ever say they are vulnerable, because they think then people will not bring business to them.”
A hacker leaked files belonging to a major group in the tea party movement.
The leaked documents reveal the funding structure behind the group dubbed Tea Party Patriots, the Intercept’s Micah Lee reports. The conservative group has called itself one of the largest grass-roots organizations on the right. Documents reveal that it was bankrolled in part by salsa billionaire Christopher Goldsbury; David Gore, whose parents founded Gore-Tex parent W.L. Gore; and real estate billionaire Sanford Diller, who died in 2018.
Tea Party Patriots did not answer Lee’s questions about the breach but provided an email co-founder Jenny Beth Martin sent the group’s members about the hack. The group contacted law enforcement and “will take every step possible to find and help prosecute these criminals who have broken into our electronic home and stolen proprietary and confidential information,” Martin wrote.
Attendees praised Easterly's Black Hat keynote. Operation: Safe Escape director Chris Cox:
Easterly's predecessor as CISA director, Chris Krebs:
CNN's Alex Marquardt:
To recap - senior Biden administration official wore a 'Free Britney' shirt in first public speech— Alexander Marquardt (@MarquardtA) August 5, 2021
Cybersecurity Dive reporter Samantha Schwartz:
Jen Easterly doing the Elaine dance during Black Hat..my heart!— Samantha Schwartz (@SamanthaSchann) August 5, 2021
- The Senate confirmed Rob Silvers as undersecretary of homeland security for strategy, policy and plans. Silvers worked as assistant secretary for cyber policy in the Obama administration.
- CISA Director Jen Easterly, Homeland Security Secretary Alejandro Mayorkas and CISA executive assistant director Eric Goldstein speak at Def Con today.