The Washington PostDemocracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Jen Easterly wants to cut the nerdspeak

The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Welcome to The Cybersecurity 202! Here we have the latest evidence that horrifying mascots are the absolute best.

Below: Internal documents show how a gaming giant reckoned with doing business in China and Italy is investigating a purported ransomware attack on its tax agency.

More than words: CISA’s director makes her case to workers, consumers

To the average person, cybersecurity can be a subject overflowing with technologically dense, often impenetrable terms and concepts. 

The head of the federal government's cyber agency, Jen Easterly, says that in her one-year tenure she has spent the most time establishing her organization as one that people want to come work at, and she also wants to convince everyone else to take better care of their own computers and phones — which means cutting out the “nerdspeak.”

Easterly, head of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), is trying to demystify cyber with different messages and terminology, whether she’s talking to a K-12 student or a company chief information officer.

“Every engagement that I have, I am incredibly deliberate about the messaging and the communications behind that,” she told me in a Monday interview. “People who are technical and in cyber, I think, are not as deliberate as they should be about being good storytellers.”

  • Maybe that means using a song by ’70s rock band Boston to sell consumers on a key security technology. Like with CISA’s “More Than a Password” campaign to convince people to adopt multi-factor authentication, which involves verifying a sign-on with a second device such as a code sent via text message. But the phrase “multi-factor authentication” makes “eyes glaze over,” Easterly said.
  • Or maybe — even though the word is in the name of her agency — it means reevaluating whether to call “cybersecurity” something else altogether. She cites the push from tech investors Ron and Cyndi Gula, who have advocated instead for calling it “data care” in job postings to evoke the concept of health care, and thereby make it more relatable to women and communities of color who might be turned off by the term ”cybersecurity” and its evocation of war or law enforcement.

Easterly was a long-time federal government national security pro before leaving for a stint in the private sector at Morgan Stanley in 2017. At the financial giant, Easterly brought cyber experts together for a project with Academy Award-winning moviemakers with the goal of helping people understand the subject and get inspired to work in the field.

“This has been a major focus area for me, and it was very much informed by looking in from the outside once I left government and went to the private sector and not thinking that this was done terribly well,” she said.

Cyber future

Touting CISA as a place to work, as well as CISA's evangelism about good personal cyber practices, is more than a marketing exercise. A top White House official said major tech execs estimated last year that multi-factor authentication could head off 80 to 90 percent of all cyberattacks. But figures on how many people use it vary wildly. Twitter said last year that only 2.3 percent of users enabled it, while password management service LastPass said 57 percent of businesses worldwide use multi-factor authentication.

And qualified personnel are at the core of heading off the next major cyberattack, or writing any innovative cybersecurity policy.

But marketing isn’t enough by itself, Easterly said. Creating a culture to establish a diverse workforce that wants to stick around for a while requires constant maintenance and proof in practice, like listening sessions, psychological safety workshops and recruitment at historically black colleges and universities. 

Easterly reminds that Enron, the energy giant now synonymous with accounting fraud after a scandal in the 2000s, stated its values as “Respect, Integrity, Communications and Excellence.”

“You can’t just be talking the talk; you have to walk the walk, and it has to come from me,” she said.

As of last month, CISA had approximately 150 cyber vacancies among its more than 2,700 full-time personnel. A much-ballyhooed DHS system for bringing cyber employees on quickly and with better pay has gotten off to a slow start

Average Joe

But Easterly doesn’t want to put all the pressure on average consumers to defend themselves.

“There’s responsibilities on both sides and I’d like to see companies more and more be enabling things like multi-factor authentication by default,” she said, citing a critical infrastructure company she’d spoken to earlier in the day who had done just that. “They just fully implemented MFA and you see it with some of the Big Tech companies. Salesforce just mandated it and so we're going to get there slowly.

“But in the interim, I want to make sure that my son is protected, my mom is protected, anybody who gets any sort of technology knows how to protect themselves and keep themselves safe and secure online,” she said. “So we have to make it as simple as possible.”

The keys

Italian IT firm denies that country’s tax agency was hit with ransomware

Italy’s tax agency said it had asked Sogei, a firm that is owned by the country’s economic ministry, to investigate after ransomware gang LockBit said the tax agency was hacked. Sogei said in a statement that “no cyberattacks have occurred or data stolen from the financial administration’s technological platforms and infrastructures,” the Record’s Jonathan Greig reports.

LockBit initially claimed it had almost 80 gigabytes of data from the ministry and gave the ministry less than a week to respond. The group now claims to have around 100 gigabytes of data and has moved the deadline to Aug. 1.

“LockBit, a ransomware-as-a-service operation that began in 2019, overtook Conti in June as the most prolific ransomware group in terms of publicly claimed victims,” Greig writes. “The group recently rebranded and launched attacks on a small town in Colorado, French mobile phone network La Poste Mobile, a Foxconn factory, a Canadian fighter jet training company, and a popular German library service.”

Gaming platform Roblox prepared for potential hacks by Chinese partners, leaked documents show

An internal Roblox document warned that the company could “expect that hacking has already started,” and to “expect it to ramp up after a deal is signed, possibly even by partner.” The company eventually announced a partnership with Chinese tech giant Tencent, though there’s no evidence that Tencent hacked Roblox, Motherboard’s Joseph Cox reports.

  • The company also warned that Roblox should “expect hundreds of people working on reverse engineering the code” on Chinese servers, Cox reports.
  • The slide that warned that Chinese partners could hack Roblox “was from 2017, before we had a formal joint venture relationship in place,” a Roblox spokesperson told Motherboard. “As normal for a company entering into a new market, we consider risks and opportunities and plan for them.” The company’s policy “is to comply with the laws of the regions in which we operate, including China,” the spokesperson told the outlet.
  • Motherboard decided to publish information from the documents “despite them being obtained by a criminal hacker because of the overriding public interest in understanding the highly controversial steps major companies might take in order to break into markets in authoritarian countries,” Cox wrote. Roblox previously told the outlet that the “stolen documents were illegally obtained as part of an extortion scheme that we refused to cooperate with.”

Securing the ballot

2020 election deniers seek out powerful allies: County sheriffs (The New York Times)

Hill happenings

Senate Armed Services Committee concerned about DOD's cyber mission force (FedScoop)

Cyber insecurity

Staff data compromised in Cedar Rapids School District security breach (KCRG)

On the move

  • Camille Stewart Gloster has joined National Cyber Director Chris Inglis’s office as deputy national cyber director for technology and ecosystem security. Stewart Gloster most recently worked at Google as its global head of product security strategy.
  • Jay Healey has also joined Inglis’s office, where he plans to help draft Inglis’s cyber strategy. Healey is on part-time detail from CISA.


  • Arizona Secretary of State Katie Hobbs (D) speaks at a Brookings Institution event on election integrity today at 10 a.m.
  • The Atlantic Council hosts an event on ransomware today at 12:30 p.m.
  • The House Intelligence Committee holds a hearing on the national security risks of spyware Wednesday at 10 a.m.
  • The Committee on House Administration holds a hearing on disinformation Wednesday at 10 a.m.
  • A House Homeland Security Committee panel holds a hearing on U.S. Customs and Border Protection’s use of facial recognition technology on Wednesday at 2 p.m.
  • Deputy national security adviser Anne Neuberger speaks at an event hosted by the Center for a New American Security on Thursday at 11:30 a.m.
  • A House Science Committee panel holds a hearing on cybersecurity of space systems Thursday at 10 a.m.
  • The House Judiciary Committee holds a hearing on the Justice Department’s National Security Division on Thursday at 10 a.m.

Secure log off

Thanks for reading. See you tomorrow.