Jen Easterly has her work cut out for her. As only the second director of the US government’s Cybersecurity and Infrastructure Security Agency (CISA), she must contend with a historic onslaught of ransomware attacks and disinformation campaigns. Easterly is a different kind of bureaucrat, however. She exhibited as much at the Black Hat cybersecurity conference in August, where she introduced new policy initiatives to an AC/DC-backed dance while wearing a “Free Britney” shirt and dragon-emblazoned jeans.
Her breezy style, though, isn’t for lack of experience. The retired Army officer previously served in the National Security Agency and helped the Department of Defense establish its cyberspace operations. She also acted as special assistant to President Obama on counterterrorism before migrating to the banking sector, where she headed cybersecurity at Morgan Stanley.
In conversation with WIRED contributing editor Garrett Graff at the RE:WIRED event Wednesday, Easterly related a big shift in cybersecurity to Douglas Adams’ Dirk Gently paradigm, where “everything is connected, everything is interdependent.” This interconnectivity is the product of our digitized world. “So the attack surface has grown, and the volume and variety and velocity of data has grown exponentially.” The result: There’s a cyberattack every 40 seconds and one in 10 of the internet’s 1.8 billion websites leads you to malware. “So the big thing that has changed is cybersecurity has become a kitchen table issue.”
At CISA, part of the Department of Homeland Security, Easterly must shift from the more offensive role she played in the Army, NSA, and intelligence community to defense. She says her past experience helps her understand how her adversaries operate and, in turn, develop a sense of empathy for them. “You have to have adversarial empathy,” she explained, “to really understand how the adversary operates, through the tactics, techniques, and procedures they use, to be able to be the best defender you can be.”
To put on the best defense, Easterly will have to expand the US government’s newest department. That’s part of why she went to Black Hat and Defcon: to reach out to the private hacker community. “That’s my community, man,” she said. “We want to ignite the power of hackers and researchers and academics because, at the end of the day, the world is full of vulnerabilities, and I feel the offense is dominating the defense. So I want to make sure we are tapping into the brilliance and the goodness of those communities to help us identify and close those vulnerabilities. So please partner with us and bring it on.”
For all the technology involved, Easterly says the hardest part is “about people and human behavior and getting people to change how they operate, and implement the basics of cyber hygiene, through authentication, patching, and software upgrades.” More than 90 percent of vulnerabilities exploited for ransomware attacks, she said, have patches associated with them. So many of us are failing at the very basics of cybersecurity.
She is, however, optimistic about our government’s path forward. “I’m an optimist but I’m more optimistic than I’ve ever been about how we can work together, in the government, as a team sport and with the private sector as trusted partners.” Through this partnership, she hopes to “create a common picture of the operating environment,” in order to “plan and exercise in peace time so that we’re ready to work together in war time.”