Date: 2021-10-05

Director Easterly, welcome to Washington Post Live.
MS. EASTERLY: Hi, David. Great to be with you.
MR. IGNATIUS: So let's start with the latest news in the last couple of days. The world experienced a global outage yesterday of Facebook, Instagram, a service that it owns, and WhatsApp, at least in some areas. It is probably too early to say, with any precision, what happened in this outage, but can you give us a sense of what people experienced and what can be done by the companies, by the public, to prevent this kind of thing from happening in the future?
MS. EASTERLY: Yeah, great question. So from everything that I have seen this was not any sort of malicious attack or hack. It was really a configuration error. It was a technology outage.
I think it actually speaks to the point--you just showed a clip of me talking about resilience, and I think that is the key lesson learned here. You know, I spent the past four and a half years in the private sector at Morgan Stanley. I went there to build our Cyber Fusion Center to be the center of gravity for how we protect the bank in cyberspace. But I ended up as the Head of Firm Resilience. And I really think that is a recognition that there are so many bad things out there that can disrupt our business, whether you are a business leader or whether you are in government and you are worried about things like critical infrastructure, as I am. And so in many ways you have to expect that a disruption will occur, and, therefore, you have to do everything you can to prepare for it, be able to respond to it, recover from it, to mitigate any damage to your nation, to your critical infrastructure, to your business model, to your customers and clients.
And so the way that environments are built these days is really with that resilience baked in, and security baked in, and that is a lesson learned for all of us, whether we are in business, large or small, or in the government, doing what we do at CISA, which is leading the national effort to understand and manage and reduce risk to our cyber and our physical infrastructure. So resilience really is the name of the game.
MR. IGNATIUS: So I am just curious what things were like yesterday at CISA, at your agency, when this outage happened. I assume that there is a kind of rush to figure out what is going on, questions asked. Were you in touch with the company and its engineers through CISA yesterday?
MS. EASTERLY: We were not directly in touch. My ops center is configured to monitor all of this information. And so as soon as we saw indications of it, we began monitoring it and, you know, late into, I think it was into the evening when we learned that it was, in fact, a configuration error. But we also monitor everything, other signs, because if this had been some sort of a major cyber incident, we wanted to make sure that we were keeping an eye on all other critical infrastructure that could be impacted as well.
So we had the capabilities in our ops center to be able to understand the environment and make sure that we are leaning forward if there are incidents and we need to be able to prepare to respond to them, to help any of our partners recover, and then, importantly, to be able to take in information that will allow us to share that information broadly. And this is one of the things that I talk about, David, as CISA's superpower, which is really our ability, through statute, to be able to share many-to-many, to allow us to warn other potential victims, had it been something more serious than a technology outage.
MR. IGNATIUS: We will come back to Facebook in a few minutes, in a different context, but I want to ask you about another question in the recent news. Last month we had a session on Washington Post Live with Brad Smith, who is the President of Microsoft--I'm sure you know him well--talking about the devastating SolarWinds hack. Tell us a bit about what CISA has done in response to SolarWinds and in what ways are we safer today against such a vulnerability that can go [audio distortion] in this case to the cloud itself, which we like to think of as invulnerable. Tell us about what you've done and tell us also about the ways in which we are still vulnerable to a very deliberate, well-planned attack like this.
MS. EASTERLY: Yeah. So, you know, I was still in the private sector when SolarWinds was revealed. It was interesting, I thought, from the perspective of a global bank, and, you know, it's called SolarWinds but there were many other vectors, as I think you know. And really, at the end of the day, this was a lesson learned about how you secure identity and authentication in the cloud environment. And so, you know, I listened to Brad's interview and he is very articulate on all of these issues.
I think it is really important, if you look back at the arc from when this was discovered, in late November, revealed to the world in December, and then all of the work that has happened over the past eight months. In January, as you know, CISA was given more authority. Some of those authorities are very relevant to being able to help with this particular problem on federal networks, what we call the FCEB, the Federal Civilian Executive Branch.
We were also given more money, through the American Rescue Plan Act. We actually began advocating for that when I was serving as the cyber policy lead on the transition team. And so CISA ended up getting $650 million, and then $1 billion was given in the Technology Modernization Fund, which is very, very encouraging.
And then I only, through the executive order, which was a pretty comprehensive, and I think very important operational document, you know, CISA is responsible for leading or for contributing to 35 different taskings, with highly aggressive deadlines within that document. I am proud to say we have met all those deadlines to date.
But if you look at that it really addresses all of the issues that we saw in SolarWinds, that I think, to some extent, came out of an after-action review that was conducted. So there's a piece on information sharing, changing some of the regulations to enable contractors to share more information when there are incursions that affect the dot-gov, the FCEB. There is a whole piece on there about modernizing networks that's incredibly important, because whether you are in industry or certainly in the federal government we are living with tech debt. So ensuring that we are moving to secure cloud, and a secure piece of that is absolutely critical, and zero trust environment, very important.
There is also a whole section around visibility. How do you implement what is called EDR technology, endpoint detection and response? How do you have the right logging capabilities? How do you have the right analytics? Because, you know, if I were to bumper-sticker it, David, SolarWinds was largely about a lack of visibility, and if we can't see it then we can't effectively defend.
And so those components, as well as making sure that we have an incident response playbook, and then that we set up a cyber safety review board that allows us to look at all of these significant incidents and make sure that they do not happen again, whether it is in industry or across the dot-gov.
So we are hard at work making those changes. I will tell you this is not something that is going to happen next week or next month. But I think we actually have a really solid roadmap to make some significant change that will hopefully also be bolstered by FISMA reform, that is working its way through the Congress now as well.
MR. IGNATIUS: So, Jen, as you know, Brad Smith argues that we need what he calls a digital Geneva Convention, a set of rules of the road to protect us against severe disruptions like this. What do you and the Biden administration think of that idea?
MS. EASTERLY: I don't want to speak specifically for the administration because I don't think we've articulated a position at this time. Certainly I agree and have always thought that it's incredibly important that like-minded nations come together and have an understanding of what those norms are of responsible behavior in cyberspace. Certainly if you look back at the group of government experts in 2015, they laid out some principles. I think those were recently revalidated.
But we should think about things that we would say were off-limits in terms of cyber behavior. So, in particular, attacks against critical infrastructure, attacks against public health care, attacks against first responders, attacks against emergency communications, attacks that would, you know, lead to civilian deaths, collateral damage.
So I think there is a whole class of things that we could think about, and certainly Brad and his company have done some work. I know they were supportive of the Paris call. And I think, you know, norms are very important. The problem, as we both know, is norms are very hard to ultimately enforce. But I do think it's important to have a clear message out there about what is and what is not responsible behavior in cyberspace.
MR. IGNATIUS: [Audio distortion] a question, but it has very practical implications. There has always been a question about whether we need a White House cyber czar--forgive the term. You are the administration's cyber lead, but we have Anne Neuberger, your former NSA colleague [audio distortion] director. I am just wondering still whether it would be useful to have somebody who has command authority in the [audio distortion] or whether the system that we've got is adequate. What do you think?
MS. EASTERLY: Well, I think, first and foremost, David, that cyber is a team sport, and it always has to be a team sport. We have very talented people across the entire federal cyber ecosystem. It is pretty cool for me because I know and have worked with many of these people. Whether it's folks at NSA or CYBERCOM or folks here at the Department of Homeland Security or colleagues from the FBI, those relationships are very strong and they need to be.
You know, with respect to cyber czar, I would point you to--which I think was, you know, you can talk about the Cyberspace Solarium Commission as a really valuable contribution to cyber doctrine, cyber strategy, cyber operations, and I think one of the good things that came out of it was the instantiation of a national cyber director in Chris Inglis, somebody I have known for 15 years, worked closely with, a great friend, somebody who is very articulate and experienced on these issues. And I think what Chris brings, because he is really genetically wired to be a collaborative team player, is an ability to create even greater coherence across the federal cyber ecosystem.
A friend of mine sort of likened where we are today in cyber to where we were back in 2003, 2004, when we were trying to bring the counterterrorism community together, and I spent a bunch of time in Iraq and Afghanistan, in that mission. And I think we are probably a little advanced from that, because there are very good trust relationships.
But I think Chris can do a bunch of things. One is to help create the coherence. Two, I think, importantly, he can help to make sure that all of the things that we are looking to implement through the executive order, which ultimately will require department and agency heads to invest in their budgets to make sure that they have the resources they need to modernize and create visibility in their environments, I think Chris' position is well postured for that. And then, of course, within the National Security Council their role is to coordinate the interagency process on policy and strategy. So the executive order was a good example of the type of thing that is very useful and then gets implemented through the operational agencies.
You know, I often sometimes get asked about, well, what do you do and what do they do? I think CISA's mission is very clear, right. We are the nation's cyber and infrastructure defense agency. We lead the national effort to understand, manage, and reduce risk to our cyber and physical infrastructure. And we have two primary roles. One is to be the operational lead for the dot-gov, that federal network, and two is to be the national coordinator for critical infrastructure resilience and security.
So I think those operational roles are very clear. But again, I would say it is a team sport and it all comes down to relationships and trust.
MR. IGNATIUS: So let me ask you about one thing that seems very clearly your authority as the head of CISA, and that is election security coordination and the cyber component of that. Your predecessor, Chris Krebs, got fired back in November for daring to say that he thought that the election had been secure, the results had been accurate. Since then, we have had a lot of activity that could affect the way America votes in 2022 and 2024.
Let me ask you what CISA is doing, and can do, working with state and local election authorities as it did before the [audio distortion] that our election results are dependable and inspire the trust of our citizens.
MS. EASTERLY: Yeah. You know, hugely important mission. As a retired military officer, as someone who throughout more than 30 years raised my hand to support and defend the Constitution, it is a mission that I am proud to support with respect to election security. We are the sector risk management agency for election infrastructure, and as we know, free and fair elections are really the bedrock, the foundation of our democracy.
So what does that actually mean? As we know, elections are run by state and local officials. The federal government does not run elections. So our job is to ensure that those state and local officials have all of the resources--the training, the assistance, the information that they need--to ensure the safety, the security, and the resilience of critical infrastructure.
You know, I was a private citizen during 2020. I watched CISA from afar, and my great friend and predecessor, Chris Krebs. I think the whole team did an excellent job in working with that election community, to help them make sure that those elections were--that they were secure, that the infrastructure remained resilient. And since I came in as director in July, that was only confirmed by all of the meetings that I have had at the National Association of Secretaries of State, with the election directors. They have all echoed how helpful, how collaborative the relationship with CISA was. And, of course, we also had an election task force working closely with our FBI, our NSA, and our CYBERCOM colleagues.
So it was another example of cyber as a team sport--in this case protecting election infrastructure is absolutely a team sport--and we are focused on moving forward. There are, in fact, elections going on all the time, as election officials remind me. And so there are a couple of gubernatorial elections coming up and some primaries coming up here in November. We are focused again on making sure that officials have the resources that they need to ensure that they can support security of their election infrastructure.
And then we are looking at 2022. We have got a great team here, and I am excited to bring on a new election security lead that I hope to announce in the coming weeks. But a real A-team of folks to help us continue with this mission.
MR. IGNATIUS: I want to ask about what has been identified as a principal threat from abroad to our election security and that is Russia. President Biden raised this issue directly with President Putin at their summit meeting in Geneva in June.
I want to ask you, have you seen anything that suggests the Russians have taken action in a meaningful way to follow through on what sounded like assurances that they took this issue seriously and would make sure that they were more aggressive in dealing with their own hackers and the people who would interfere in our elections, in our infrastructure, in a range of cyber problems?
MS. EASTERLY: I have not seen any significant, material changes. We have seen ransomware gangs that seem to have gone offline for a period of time. That's not terribly unusual. We have seen that in the past, where infrastructure will come down and then it will re-emerge, the ransomware gang will be renamed.
This is a difficult, complicated problem, and I think, to your point about the President's conversation with the Russians, I think this really has to be a whole-of-government effort. You know, with respect to where CISA is, we are all on what I would call a focus on left of boom. We are in the space of helping build resilience to ensure that everybody--businesses large and small, critical infrastructure owners and operators--understand the steps that they need to take so that they are not a victim of ransomware. We, of course, help to respond, we can assist in recovery, and then we share that information to prevent future victims.
But, you know, we are very much focused on creating that resilience. It is one of the reasons, I'm sure you know, October is Cybersecurity Awareness Month. We are very focused on making sure that everybody, all over the country, really all over the world, from what I like to call K through gray, knows what they need to do to help protect themselves in the very complex world of cyberspace. And, you know, I think that what we've seen over the past several years, even more so as more people went to work remotely and thus were more vulnerable because they weren't in their business or office enclave, is that no one is really immune from these ransomware attacks, and, thus, everybody needs to understand the basic cyber hygiene steps that they can take to protect themselves.
So, you know, when I was bringing clients in Morgan Stanley, when I have an opportunity to talk, I would point people to the basics. Over 90 percent of successful cyberattacks start with a phishing email, an illegitimate email that people click on and then they get malware on their computer. They could get ransomware. So if people are just much more vigilant about making sure they are thinking before they click.
And then what we are focused on in this month is ensuring that people are implementing what we call multi-factor authentication, because those who have it are 99 percent less likely to get their account hacked. So, David, if you don't already have MFA I am happy to give you a tutorial on it. It is very easy.
MR. IGNATIUS: Got it, but the tutorial would be useful for all of us.
Before we run out of time I should ask you, because it is Cybersecurity Awareness Month, we have an audience question that focuses on that. Kim from Washington asks, "What is the single most significant action a business or governmental entity can do to secure its cyber system?"
MS. EASTERLY: Oh, what a fabulous question from Kim. So we have tried to break it down and make it easy, right. This is not for the CISOs or the technologists. This is really for people who are trying to understand what are the basics that they can do. And I am going to overachieve on this question and then kind of come back and answer it.
But we talk about four things. One is updating your software. You get all those alerts that say update your software, on your phone, on your tablet, on your computer. Do that. You can even set up auto updates, which is great. Make sure that you have strong passwords, and even better, get a password manager that allows you to generate strong and complex passwords for each sensitive account that you have. Make sure that you are thinking before you click. Threat actors like to take advantage of the fact that we all have a lot of email, we are tired, we are distracted, and they are just trying to get us to click on something that will then allow them to own our information.
And then finally, the one thing is implementing multifactor authentication, which is just another step that you can take to ensure that your bank, your social media, your email can verify that it is actually you logging into your account. And as I said, 99 percent less likely to get hacked if you implement MFA. We are doing it across the government. I would advise that all businesses do it and that all individuals do it. Easy to do. And you'll learn more about it if you tune in to our cyber summit, which is broadcasting every Wednesday, and we will put out more information on our website or on the Twitter account.
MR. IGNATIUS: Okay, folks. You got it from our government's leading cyber authority. It is like getting a checkup from Dr. Fauci. Thank you for that.
MS. EASTERLY: Very helpful.
MR. IGNATIUS: I want to ask about another initiative. You announced in August--we mentioned it in the introduction--the launch of the Joint Cyber Defense Collaborative. Tell us what that is and how it is helping to enhance the country's cybersecurity.
MS. EASTERLY: So one of the things I'm most excited about, you know, again, thanks to the Cyberspace Solarium Commission, they came up with this idea of a joint cyber planning office, so an ability to bring together folks in the federal cyber ecosystem and folks in the private sector to create a common operating picture of the threat environment, to plan and exercise against the most serious threats to the nation, and then to implement those cyber defense operations to drive down risk to our critical infrastructure.
And so we kicked this thing off in August. We've already brought in 15 what we call "plank holder" partners. Those partners are ISPs, the cloud providers, as well as the cybersecurity vendors. And the reason that we brought them in, David, was to help get at this visibility issue. Much was made of SolarWinds and the Microsoft Exchange vulnerability, the Hafnium events, where the issue was we did not have that visibility on domestic infrastructure. So you don't want the U.S. government operating on domestic infrastructure. What you want is to bring those who have visibility on global infrastructure together with the federal government to help in an anonymized way understand what the trends are. So that is one great thing, is creating that visibility.
Two is bringing, by statute, the power of the federal cyber ecosystem. As I said, CISA, FBI, NSA, DoD, DOJ, ODNI. It's the only federal cyber entity that brings all of these agencies together to drive, at scale, a reduction of risk. And so we've already started putting some operations into play. We are focused on ransomware, of course, the word on everybody's lips, but then also creating a framework to deal with incidents on cloud providers. As everybody moves into the cloud, we want to make sure that not only are we moving there securely but that we have a common framework to be able to respond to incidents.
So I am very excited about it. It was great after I announced this at Black Hat we had outreach from about 120 other entities. And so we are going to be moving forward to bring on new partners and to do new sprints, in particular with critical infrastructure owners and operators. So we are focusing on pipeline companies, we are focusing--working with finance, working with energy, and excited to really operationalize this new capability to help reduce risk to the nation.
MR. IGNATIUS: Well, Jen Easterly, I'm glad that you shared with Washington Post Live some of the ideas you shared with Black Hat, which is the nation's hackers convention. We are really grateful to you for taking time to explain these really important issues. Thanks for being with us.
MS. EASTERLY: Great. Thanks so much, David. Enjoy the day.
