Hack the Plant

Hack the Plant Episode 31: CISA’s Critical Infrastructure Protection Mission with Jen Easterly

February 2, 2024 – As America’s Cyber Defense Agency and the National Coordinator for Critical Infrastructure Security and Resilience, the Cybersecurity and Infrastructure Security Agency (CISA) leads the national effort to understand, manage, and reduce risk to the cyber and physical infrastructure that Americans rely on every day. 

In this episode of Hack the Plant, Bryson sits down with CISA Director Jen Easterly to discuss her work on leading CISA’s critical infrastructure mission, implementing efforts to make products Secure by Design, and working with private companies to combat ransomware.

How has CISA’s role evolved since 2018? How do they advance critical infrastructure protection and cyber defense? What are Director Easterly’s priorities for 2024? And if she could wave a magic wand, what is one thing she would change? 

“We need transparency so that we can all work together to protect the ecosystem, because the actors are not ever going to fight fair,” Easterly said. “We need all the collective strength of the community to keep Americans safe and secure.”

Join us for this and more on this episode of Hack the Plant. 

Hack the Plant Season 4 is brought to you by ICS Village and the Institute for Security and Technology. View transcript.

Transcript

Bryson Bort: I’m Bryson Bort, and this is Hack the Plant, season four.

Electricity. Finance. Transportation. Our water supply. We take these critical infrastructure systems for granted, but they’re all becoming increasingly dependent on computers to function. We walk through the world of hackers working on front lines of cybersecurity and public safety to protect the systems you rely upon every day.

From the ransomware threats of Colonial Pipeline to the failure of the Texas power grid, it is clear our interconnectivity is also a significant source of risk. This season, we will continue to bring you a panoply of different insights across all of the different things happening in critical infrastructure.

In my day job, I’m the CEO and founder of Scythe, and the co-founder with Tom Van Norman of the non-profit ICS Village, where we educate people on critical infrastructure security with hands-on examples, not just nerd stuff. I founded Grimm in 2013, a consultancy that works at the front lines of these problems every day for clients all over the world. I’m also an adjunct senior advisor at the Institute for Security and Technology, a 501c3 think tank dedicated to tackling technology driven emerging security threats. 

This is Hack the Plant, brought to you by the Institute for Security and Technology and ICS Village. Subscribe wherever you find podcasts to get each episode when it drops.

Jen Easterly: Critical infrastructure is just how we get our water and our health care and our education and our transportation and our communication and how we get gas at the pump and money from the ATM. It really is the networks and the systems and the data that we rely upon every hour of every day and that power our lives.

Bryson: We discuss how creating partnerships and community has helped to alleviate critical infrastructure challenges.

Jen: We’re not a regulator, we’re not a law enforcement agency, we’re not an intel agency, we’re not a military agency. Everything we do is by, with, and through partners.

Bryson: And, focus on how CISA isn’t just identifying problems faced by resource poor industries, but providing advisory support to be a part of the solution.

Jen: We want to send our advisors out, sit down with these critical infrastructure owners, provide them the tools to understand their threat surface. But it’s not that we just provide that to them and then walk off with the, hey, good luck man, or good luck woman. This is why the field force that we’re building, which is all throughout the nation, is really there to provide advisory support.

I’m very intent on ensuring that we don’t just say, here’s your problem, good luck. It really is being able to sit down with folks and, and help them through it.

Bryson: How has CISA’s role evolved since its beginnings in 2018? How did they advance critical infrastructure protection and cyber defense? What are Director Easterly’s priorities for 2024? And if she could wave a magic, non internet connected wand, what is one thing she would change? Join us for this and more on this episode of Hack the Plant.

Jen: Hi, Jen Easterly, Director of CISA, the Cybersecurity and Infrastructure Security Agency. You know, the one thing I always emphasize, and we’ve talked a lot, but you know, we just hit our fifth birthday, set up in 2018 really to play two key roles. One is America’s civilian cyber defense agency, the other is the national coordinator for critical infrastructure security and resilience. And frankly, that’s why I was excited to spend some time with you today.

Bryson: So why did you want to take this job, right? I mean, you, this is a tough job, right? It’s a new agency, it has more remit than resource, and confirmations are not fun. What made you pick up the torch?

Jen: You know, I had spent 27 years in public service before I went to the private sector, and Morgan Stanley to be their Head of Cyber Operations and their Head of Resilience. And I had been there about four years when I was asked to serve on the transition team for the Biden-Harris campaign, and then after that was asked to do this job. 

I’d say a couple of things. One of the reasons that I came back was things that I saw, actually, when I was on the transition team in particular. During that period of time, SolarWinds happened. And I saw SolarWinds, both from a perspective of somebody who had been in the federal government before, but also from the perspective of somebody who is now responsible for defending a critical infrastructure owner, like a major bank.

And I had learned so much in a short period of time of how the private sector defends itself in cyber, but also how the private sector looks back on the federal government, and sees sometimes a lack of cohesion, a lack of focused effort in supporting those on the front line. Which as you know, the vast majority of critical infrastructure is owned and operated by the private sector. 

And so a part of it was just having public service in my DNA, frankly. You know, I was in the army for 21 years, I served in the Bush administration, in the Obama administration, had been in the intelligence community, in the policy community, and it gets into your blood and, you know, it becomes just part of you. And so, you know, that was a major motivating factor. But the other major motivating factor, Bryson, was just the opportunity to leverage what I had learned, and to help to make a big difference in how the federal government organizes to partner with critical infrastructure to help understand, manage, and reduce risk to the infrastructure that Americans rely on every day. 

I think the last thing I’d say is, you know, critical infrastructure and infrastructure in general, people think of that mistakenly, I think, is some sort of technical term. Oh, those infrastructure people. And as became very clear to me when I was part of a critical infrastructure company, and I think probably all of your listeners know this, but critical infrastructure is just how we get our water, and our healthcare, and our education, and our transportation, and our communication, and how we get gas at the pump and money from the ATM.

It really is the networks and the systems and the data that we rely upon every hour of every day and that power our lives. And so an opportunity to come back and help protect and defend that, I thought was a wonderful gift, to be honest.

Bryson: I love these kinds of conversations where it’s so natural, you already answered the next question organically, so you went right through that. That was great on what is critical infrastructure, which leads to: what is CISA’s mission with critical infrastructure? And how has that changed?

Jen: Yeah, so it’s interesting how it’s evolved, right? Because if you go back to the actual statute that led to the establishment of CISA in November of 2018, it talks about coordinating a national effort for critical infrastructure, security, and resilience. And so our role is really at the center of all of that, and one of the things I’m excited about is, you know, PPD 21, which was the Presidential Policy Directive focused on critical infrastructure protection, I think it was written in 2012 or 2013 before CISA even existed. That will actually help folks understand better what CISA’s mission is, which is really in the center of all of it. 

I mean, our role is to protect and defend critical infrastructure, which we don’t own, which we don’t largely operate other than the federal government, the dot gov, civilian executive branch networks. But it is, I think, one of– it’s incredibly challenging, but also it’s incredibly exciting. Because having been, as you know Bryson, in the army, you’re around other army people, around other military people, in the White House, you’re around other policy people, in classified spaces, same with the intelligence community.

In this job, and for an agency that’s all voluntary–we’re not a regulator, we’re not a law enforcement agency, we’re not an intel agency, we’re not a military agency. Everything we do is by, with, and through partners. So, partnering with industry, partnering with state and local, particularly for public utilities which tend to be very under-resourced. Working very closely across the federal government, and with what’s called the Sector Risk Management Agencies, which work with industry to help them understand and to manage the risk. It really is, it’s an incredible challenge as an operator, but even more so as a leader, because it’s all about influence leadership.

Those partnerships are based on our expertise, our technical advisories and guidance, and our experience, but also our human skills. You have to have hard skills, and you have to have human skills to be effective in working so closely with the critical infrastructure community. And I really like that challenge.

Bryson: When I think of influence leadership, I think we need a lot more carrots than sticks. At the end of the day, it is bringing value rather than bringing paper.

Jen: One hundred percent, one hundred percent. And you know this so well, but one of the things that I was so focused on, I think coming out of my Morgan Stanley experience is exactly what you just said. Be valuable, right? Be transparent, be responsive, be value added. And I talk about, you know, during SolarWinds, this was a real moment because during SolarWinds. There were different advisories coming out from different parts of the federal government. CISA had published something, NSA had published something, and one was about SolarWinds itself, the other was about VMware. And we didn’t have SolarWinds in our infrastructure, but we had VMware, but there was this disconnect because it wasn’t clear. Well, is VMware directly related to this supply chain hack? And so just being able to work so closely with our federal partners, especially NSA, and FBI, and Cybercom, and all of the agencies who have sector risk management responsibilities, and be able to put out advisories, and information that both adds a value given from a federal government. But also it is, like, cohesive, so you’re not trying to figure out what the heck is the federal government trying to tell me. So that was also really key.

Bryson: I don’t know, I thought the federal government’s job is to make everything harder. 

Jen: We’re here to help, Bryson, we’re here to help!

Bryson: Yeah. Everyone believes it.

Jen: I’m trying, man.

Bryson: So you mentioned, PPD 21 and the SRMAs, which are defined by PPD 21. If you had your druthers, is there anything you would update to that in terms of how we define, or look at critical infrastructure sectors?

Jen: Well, the good news is, so PPD 21, I think, called it SSAs. They were Sector Specific Agencies. And when the Cyberspace Solarium looked at our National Cyber Strategy, one of the recommendations they made was actually to specifically call them Sector Risk Management Agencies, as opposed to just Sector Specific Agencies. Because the focus was really on what is the responsibility to help industry manage, and what I think is most important, reduce risk.

And so that clarification was part of the recommendations that came out of the Cyberspace Solarium Report, I think in 2020, early in the year, and then that was picked up and codified actually in the NDAA for 2021, which more specifically described both the roles of Sector Risk Management Agencies, as well as the role of CISA, in essentially being the coordinator for reducing cross sector risk.

And so, what the new National Security Memorandum, the follow on to PPD 21, I think the important thing is it will help clarify in policy what the roles are of CISA, the Sector Risk Management Agencies, and industry to work together to reduce cross sector risk. Because as you know, one sector, for example in finance, so much is invested in ensuring the security and resilience of our infrastructure, but you can’t run a bank if you don’t have communications, if you don’t have power, if you don’t have water.

So really at the end of the day, it’s about managing the cross sector risk, because there’s so much interdependencies that provide those critical services for the American people. And I’m excited because, you know, frankly, we haven’t had a new policy document on this for several years. And I think we are at such a moment in time, Bryson, in terms of the vulnerability and the fragility of our critical infrastructure to nation, to adversary nation threats, that have only become more focused on going after our critical infrastructure, and more formidable in their capabilities.

Bryson: So you, you mentioned finance, which I like to describe as having the budgets of small countries. They’re the haves, right? We don’t need the federal government, we’re good. But interdependency means you can build the relative Fort Knox, and still be vulnerable to the weaknesses that are, you’re depending on.

And so you’ve coined this term, target rich and resource poor, which I believe accurately captures who really are the folks that we need, and you have narrowed CISA’s focus to water, wastewater, K-12 education and healthcare. Can you talk a little bit more about that?

Jen: Yeah. I mean, I should give credit where credit’s due. I think Josh Corman actually had coined this term, target rich cyber poor. And that’s what I have used, but we’ve actually extended it because, as you know, we have a huge cybersecurity division that we’ve built over the past several years, but we still have responsibility for the full range of physical security as well.

And so it really is the convergence of cyber, physical resilience that we are focused on. So, you know, critical infrastructure broadly, and we talk about, it’s not necessarily resource poor when it comes to sectors. It’s because, you know, after 9/11, people built capabilities to provide physical protection.

The cyber piece is really where, oftentimes, some of these less resourced agencies have a focus. But anyway, credit to Josh Corman on this. So it’s not, to just clarify your point, it’s not that we’re just focusing on these entities, but we have a specific focus on these entities. And the reason why I asked the team–and it’s largely the field force that we’ve built over the past few years, sort of now we have hundreds of folks doing cyber security advisory work, protective security advisory work, we have a lot of great expertise now. And we had seen hospitals being ravaged by ransomware, we had seen school districts being ravaged by ransomware and, you know, the water sector is very complicated. One hundred fifty thousand utilities around the country, some of which are very, very small. And so we felt it was really important that these entities, which frankly don’t have a lot of cyber resources. were able to avail themselves of our free assessments, our cyber hygiene, vulnerability scanning, even the things like the physical security, what’s called safe security at first entry.

And I also wanted a way that we could be very metrics driven. Because as you know, we have to be able to justify our budgets. And so we needed to be able to look at, okay, here our engagements, here’s the services we’re providing. Can we say anything about trends and reductions of incidents, attacks?

That’s hard when there’s not a baseline, right? We won’t have a baseline until CIRCIA, the Cyber Incident Reporting for Critical Infrastructure Act gets implemented, end of this year, next year. And then we’ll finally sort of understand what that broad baseline is. But at the end of the day, I really wanted to be able to say, we’ve had this many engagements, we’ve added these services, and we have helped reduce risk by ensuring a better understanding of the threat, and enabling these entities to better manage their risk, and ultimately to reduce their risk.

Bryson: Yeah, the metrics of security have been elusive for the entire industry. At the end of the day, it is the assurance of operations against an unknown thing. How do you measure that? We go into the measurements of activity, right? You’ve done sixty-seven hundred engagements with those sectors, which are a combination, as you mentioned, of assessments, vulnerability scanning, and cyber hygiene approaches. The follow on question to that, because this is the same problem we have in industry, right? Thanks for finding my problems, right? A vulnerability scan is, you found problems. I already had a full time job, we’re already doing things, how do we fix those? And in these cases where they are resource poor, I mean, I don’t even know where to start.

Jen: You know, the resource piece of it. First thing you want to understand is the problem, that’s sort of number one. That’s why we want to send our advisors out, sit down with these critical infrastructure owners, provide them the tools to understand their threat surface. But it’s not that we just provide that to them, and then walk off with the hey, good luck, man, or good luck woman. This is why the field force that we’re building, which is all throughout the nation, is really there to provide advisory support.

Now, we don’t do the work for them. You know, oftentimes they will bring in private sector companies to help them implement or improve. But being with them to say, here are the key issues you have, and then advising them on the key steps that they need to take to reduce their risk. I think that’s, you know, our field force that we’re building and that we need to continue to build, frankly, and this is, you know, a core part of where our budget should ultimately grow. 

It is really our ability to have that, you know, left of boom. I know you understand that well, that ability to help critical infrastructure owners and operators build resilience before something bad happens, and then be prepared to respond, and recover, and even to operate through disruption.

And so, you know, I’m very intent on ensuring that we don’t just say, here’s your problem, good luck. It really is being able to sit down with folks and, and help them through it.

Bryson: So one of the other initiatives that you have is pre-ransomware. Can you talk about that?

Jen: You know, back to this holy grail question of, of measurements and metrics. So one thing that the team has been working really hard on, is to move from what you talked about, measures of performance, these engagements, to measures of effectiveness. How did I reduce risk? And Eric Goldstein, who you know, who’s our Head of Cyber actually published last year his cyber security strategic plan. And if you haven’t seen it, I’ll send you a copy. But it really does attempt to lay out those measures of effectiveness, like, how are we going to tell that we reduced risk by doing X, Y, and Z? And I put that out just so people should take a look at it, one, and provide feedback or thoughts, but two, also to look at it as the kind of things that we all need to focus on to get to risk reduction.

So I just wanted to put that plug out there. On our ransomware piece, I mean, this is, as you know, a really, really hard problem. You know, the statistics show it’s still getting worse and worse. Again, I look at those as largely anecdotal, because nobody fully understands the breadth of the ransomware attack ecosystem because there are a lot of unreported attacks that happen, or somebody that pays the ransom and you know, we never find out about it. But we have something we stood up this past year, 2023, called the Pre-Ransomware Notification Initiative. And the thing that I love about this is it exemplifies the trusted partnership we’ve been able to build with one of the most talented, yet one of the most skeptical, of the federal government communities.

And this is the research community. You know, this goes back to a convo I had with Jeff Moss before I even took the job, which is, it’s all about the community. Right? You have to build that community. You have to build trust with the hacker community, with the research community. And that was a major, major focus since, you know, just a couple weeks after I was confirmed. I gave the Black Hat keynote in 2021, and that was all about, like, who we are, and how do we build that trust, build that community. And that’s why I announced the Joint Cyber Defense Collaborative. So building that trust for the community has been really key. And it’s that community, the research community, in a lot of the trust groups that’s giving us the tips of what they see in terms of ransomware actors active on critical infrastructure. And as you know, you can sort of see what they’re doing before they actually lay down that malware.

And so that information comes to us, and we immediately like, go into action. We do some basic triage and analysis, and we get that out to our field, that then finds that company, and walks them through what they need to do. And we’ve done it, I think, twelve hundred times. And we get a lot of fantastic feedback.

I mean, I see the emails. You know, very few people talk about it publicly, but people come up to me to thank me for the amazing work of the team. And Jam Farshchi, the CISO of Equifax, actually did a post on this. And which is why I always say, you know, when somebody from CISA calls, like, answer the phone, answer the email. We are truly here to help. 

But you know this better than most, like, preventing somebody from having their worst day. I was just reading an article about the impacts of companies who have experienced ransomware attacks, and like, how incredibly stressful that is, and how it’s actually impacting mental health.

So we don’t want anybody to go through that if it is something that can be prevented. That’s why we updated our Ransomware Guide. It would be great to get that out as well, so people see that. It actually walks through the key steps, a lot of them grounded in the cybersecurity performance goals that companies should do to ensure their safety, to prevent ransomware attacks, or to mitigate the risk if they have such an attack. Things like backups, the obvious things. But I’m really, really proud of the team, frankly. A lot of hard work and, you know, this becomes a 24/7 thing, because this happens all the time. But when you prevent somebody’s worst day, that’s a really good feeling.

Bryson: Yeah. Ransomware dipped precipitously in ‘22, and in ‘23 it more than doubled coming back. I have my hypotheses on why, I’m not going to go into it here. But. to that note, yeah frankly, Jen, I don’t think CISA has shared enough detail about that.  I think those are case studies. I think those are testimonials.

I know there’s twelve hundred. There’s two high level items of a Fortune 500, and something in transportation, there’s no detail, right? I think those are where we should have folks saying, hey, you know what, this happened, this was great. And I know everybody’s afraid to do that cause that also kind of probably makes you a little bit more of a target, so there’s a balance. But I think this is an area where we need to put the faces to the stories to make it much more real.

Jen: I wish we could, like, take the stigma off being a victim, right? There should not be victim naming, or shaming, or blaming. Something bad happens, there is disruption, you learn from it, and you get better and better. And I know people worry about lawsuits, but at the end of the day, from a CISA perspective, again, not a regulator, not law enforcement. We want to, if there’s an incident, obviously we want to prevent an incident from happening, but if there is one. 

And this is why the CIRCIA, the incident reporting, comes to CISA. Number one, we can help. If you, if you haven’t gone to a private sector IR provider, we can be helpful, but most importantly, we can take that information to protect the larger ecosystem. I wish people were more public about this, because if you know that somebody in your industry and your sector was tacked using this–and we try and do this with advisories–but the more public people are, the more we can protect. It’s like a neighborhood watch. The more we can protect that ecosystem. 

You know, one example, Boeing, when they had this recent ransomware attack with the Citrix Bleed vulnerability. They immediately came to the federal government. They worked with us. They worked with us on the advisory, they were public about it, they said we can acknowledge them. I mean, that’s what we need. We need the transparency so that we can all work together to protect the ecosystem, because the actors are not ever gonna fight fair. And we need all the collective strength of the community to keep Americans safe and secure.

Bryson: So you mentioned CIRCIA earlier, which has been met with skepticism initially, right? We have to mandatory report things to the government. And the way I’ve always tried to reframe that is well, yes, I mean, we’re all in this together. And two, wouldn’t you want federal government to be more data driven in their policy development, which is how I’ve tried to push this. And CIRCIA gives us the data to then drive iterative policy development and understanding not to be the stick.

Jen: No, I think that’s exactly right. I mean, this was legislation that came into being, I think, in March of 2022. I think part of the impetus was the Colonial Pipeline hack in May of 2021, as well as the Ukraine war. And so you know, this came as, essentially, it’s CIRCIA, Cyber Incident Reporting for Critical Infrastructure Act.

There have been lawmakers who’ve been trying to do this for years and years. It never happened, I think, between Colonial and Ukraine they were finally able to get support for it. We have had to go through, because of how the legislation was crafted, we’ve had to go through a full, what’s called a rulemaking process.

We were very consultative. We did, you know, a dozen plus listening sessions. We had an RFI, Request For Information, with hundreds of comments that came back so that we were crafting this rule in a way that did not place a significant burden on a company already under duress because they’ve had a significant cyber incident.

To be clear, this is about two things. It’s about getting the information so we can be helpful, and getting that information so we can protect others from being hacked. And this again, is about collective cyber defense and keeping the community safe and secure. You know, I oftentimes get the question about, well, what about the SCC?

What are they doing with their new rule on cyber incident reporting? Just to be clear, you know, they’re independent. What we’re trying to do for the non independent part of the federal government is to harmonize the various requirements that come in so you don’t end up–that’s the good thing about what we’re trying to do, is be at the center of that.

You send it to CISA, we’ll make sure the other federal partners get it so you’re not burdening, I need to talk to these 10 people. The focus of our rule is all about cyber defense and being proactive on protecting others. Of course, the role with SCC is all about shareholders, protecting shareholder values.

So two different focus areas, but you know, the coordination there is important because we, again, I know there’s been concerns about multiple reporting to the federal government. So once our rule gets in place, we are working hard to harmonize any impacts on industry and you know, having been in industry, I understand this very well.

So I’ve been very keenly focused on ensuring that that is the case.

Bryson: And on community and private public collaboration, that’s where you stood up JCDC. I think the JCDC’s initial focus was more in the traditional pieces. So how does critical infrastructure now tie into JCDC?

Jen: I think you know, but maybe your audience doesn’t. So this came out of another thing out of the Cyberspace Solarium Commission. They suggested that there be one platform, because they had been hearing a lot from industry about, like, what is it all, what are all these different actors, what are they doing. And I’m getting a ton of outreach, and there’s all these different advisories.

So they said one platform for cyber defense, planning and operations, and so it was called the JCPO within the Cyberspace Solarium Commission Report. I thought that acronym was a terrible acronym, and that’s where I ended up with the Joint Cyber Defense Collaborative, because I, of course, love rock and roll. So the JCDC–

Bryson: JCPO also sounds very military,

Jen: It also sounds, if you say JCPO, it sounds like skin disease, so I really didn’t want it.

Bryson: I’m glad, I’m glad you got that ointment for your JCPO. 

Jen: Exactly, I was not into that. So JCDC was cool. But when we first stood this up, it was really in law and it’s the only entity in law that says you must bring together CISA, FBI, NSA, Cyber Command, DOD, DOJ, ODNI on one platform for cyber defense planning and operations. And so again, bringing together the federal cyber ecosystem, but then working with industry to reduce risk to the overall ecosystem.

We started out bringing in the big technology companies and cyber security providers because they have such visibility, right? When you’re thinking about critical infrastructure owners and operators, a lot of them work directly with the cyber security companies. A lot of them, you know, we all depend upon big technology providers.

So starting with that layer because of their visibility, what they see and what they can, by virtue of the capabilities that they provide, the cybersecurity, what they can help reduce. But since that period of time, we started with, I think 10, we now have over two hundred companies, which are largely all of the big critical infrastructure owners and operators coming together to focus on sharing information in real time. That’s why they had these, sort of multiple Slack channels. And then planning against the most serious risks. And, you know, as an Army guy, most probable, most dangerous courses of action, reducing, and then being prepared for any sort of serious incursions.

And we’ve done, you know, different groups. Whether that’s working with pipeline companies, working with rail companies, and really begun evolving our ability to branch out. You know, we had JCDC ICS for industrial control systems. We are standing up JCDC.ai  to be able to work with the generative AI companies to reduce risk, the AI risk to critical infrastructure.

So it’s been a model that I have seen evolve in a really positive way. You know, there’s still more work to do, but it’s all been predicated on three things. First, you know, the fact that we had all this episodic collaboration. We want real time collaboration. We want the government to be transparent, responsive, and to your earlier point, to add real value, right?

We see enormous things across the government. We see it from the federal civilian executive branch, industry has a view on things. We want to come together and share that information directly, and because of the 2015 Information Sharing Act, where you have really robust information, intel sharing, information sharing, where we don’t have to provide that information to anybody, we can anonymize and protect the privacy, and the anonymity. So that’s super important. 

You know, the second is this kind of equal understanding of responsibility on the government to provide information, and on industry to provide information. So we both have this, you know, responsibility to protect the ecosystem. And you know, the last piece is really to make it as frictionless as possible.

There’s enough friction and bureaucracy in the government. That’s why using something, as like, simple as Slack where you share the information and there’s an expectation, particularly in an ongoing incident that the information that the government will be responsive. And, you know, I hold my team to account. And, you know, we’re not perfect humans make mistakes, but I think they’ve evolved in a really positive place and, you know, working with the JCDC, and then working with other entities across government. Obviously, Energy is stood up under CESER, They have an energy similar piece of this. The NSA has the Cyber Security Collaboration Center. So the key is to ensure that all of these elements are working closely together. So again, the private sector, state and local, the election officials that we work with to help them protect election infrastructure, see the government as a unified, cohesive entity.

Bryson: So we’re both former army officers and you mentioned physical security earlier. And I think all too often this space is automatically assumed. I mean, broader in industry, I see the same problem in cybersecurity. Everybody focuses on the technical, and we have a lot of what I call nerd solutions for nerd problems, but there are other components.

There’s the people side, which you addressed with hygiene, but you also have an initiative on explosives against critical infrastructure. Can you talk about that?

Jen: Yeah, under our physical security team we have, and I’m glad you’re asking because people don’t often ask about this, we have our Office of Bombing Prevention, so you and I were in Iraq, right? So I was in Afghanistan also. I was twice in Iraq, where we dealt with the IED issue, improvised explosive devices, and know how dangerous and how destructive they can be. And so, you know, ensuring that we have a capability to deal with attacks like that, which hopefully we will never see in a widespread way, but preventing bomb threats and ensuring that people understand how to react to them.

So the Office of Bombing Prevention works very closely with local law enforcement and the FBI to help people be able to manage potential explosives affecting critical infrastructure, but also, you know, how do you respond and recover from that. So they’re a really fantastic team. The other teams there are chemical security, school safety, our school safety team, and that’s also linked to our earlier focus on K-12.

You know, Bryson, I was just down in Parkland, Florida. So I went down there at the request of the parents from Marjory Stoneman Douglas High School, where that horrific massacre occurred on February 14th, 2018, and was asked, along with the Secretary of Education, Secretary Cardona, to walk through the actual school where the shooting occurred, where 17 people were killed, 17 wounded,.And the school is basically untouched. It’s a time capsule from the day of the attacks, where you see glass, you see the blood of people who were killed. And it was very, very affecting to say the least. But out of that incredible tragedy came the development of our School Safety Task Force, the School Safety Clearinghouse on schoolsafety.gov that we work with HHS, and DOJ, and the Department of Education, and 600 resources focused on physical security, as well as cyber security for schools across the country. And part of that is leveraging some of the capabilities of the Office of Bombing Prevention, because of course we’ve seen these horrific bomb threats be called into schools and colleges across the country. So that’s an incredibly important mission to me, both as director of CISA, but obviously as a mom.

Bryson: So you know, how we end the show. We always have the two questions and you’re one of the few people in the world who’s actually had this, these questions more than once. So hopefully you don’t remember your previous answer so it feels fresh. If you could wave a magic, non-internet-connected wand, what is one thing you would change?

Jen: I feel really strongly about this and I’m glad you asked. I don’t remember what I said last time, but if we could change one thing, it would be to ensure that the technology manufacturers and software producers that are building the software that we all rely upon every day, because we are all digital citizens that are in a digital society and that critical infrastructure is underpinned by a technology base, I want that technology, that software to be designed, built, tested and deployed with security as the top priority. And this is our Secure by Design Initiative under the great thought and leadership of Bob Lord, and Jack Cable, and Lauren Zabrick, and Eric Goldstein’s team. This is really about technology safety.

And for the past few decades, security has been a bolt-on. It’s why we have a multi billion dollar cybersecurity industry. And these companies have to ensure its security first. You know, we cannot deal with a world where, and we’ve seen even recently, you know, again, these attacks happen because the technology itself is defective.

I don’t want to use words like, you have a technical audience, but when you say things like vulnerabilities, you know, people like, oh, it’s a defect. It’s a flaw. And that’s what’s coming off the line, and we’ve normalized it. And if there’s one thing we could do differently is to ensure that technology manufacturers put security and safety first.

Bryson: So how do we do that in critical infrastructure, where we’re looking at capital acquisition and 20 to 30 year life cycles?

Jen: So the legacy piece of this is obviously a huge issue. I’d say first and foremost, anybody producing new software or updated versions of software again, it shouldn’t be about speed to market, or competition, or driving down costs, or cool features. It has to, has to, has to be about security. So the question is, how do you incentivize that?

And in a world where there has never been regulation against the big technology companies, because the argument was always, well, if you regulate them anyway, it’s going to crush their innovation. There is in fact a way to have regulations and to continue to responsibly innovate, but we will likely never be in a world where technology is regulated.

So how do you change the incentives? One, more informed customers. It’s some of the work that the White House, Anne Neuberger, the FCC commissioner are doing with Cyber Trust Mark. So I at least will know, is that product that I’m buying, is that in fact something that’s been built with security top of mind?

And as you know, Bryson, we’re never going to get to perfect security. What we want is defensible, resilient infrastructure that is underpinned by technology that has been built with security as a priority. But a lot of this is about changing the economic incentives, it’s about a more aware customer, it’s about how we signal to customers and frankly, to producers, you know, what the quality of that product is. 

And the other thing I’d say is, you know, these big technology manufacturers, software producers, they don’t want to produce bad, insecure products. And so again, what we want to do is work with them as a partner to help them understand the things that they need to do, you know, the big companies do, but there are several software manufacturers out there that maybe don’t, and that’s why we’ve published our Secure by Design Guidelines. The first one was in April of last year, we published one in November. We’re doing it with our international partners. We’re getting a lot more granular on what Secure by Design looks like. We did a red pen session at DEF CON so that we got good feedback from the community on it. 

This is the thing that’ll make the most difference, to be totally honest, and so we just need to inform consumers. We need to get producers to really focus on it. And then if there is some sort of a push for things like software liability, and other regulations that will go in place internationally, like with NIS 2 and the Cyber Resilience Act in Europe that again can help incentivize companies to really focus on security. I think that’s key. And I think we’re starting to see it. 

You know, one example, obviously,you know, a technology company that we rely upon, the federal government, is of course, Microsoft. And bringing back the Trusted Computing Initiative from the early 2000s and their Secure Future Initiative, I think they recognize that they need to take a different approach. And they deal with a lot of the legacy, as you said, but I have seen over the past couple of years, people seeing the importance of this and then starting to make those changes. The importance is the sustainability of this campaign. So and this is, by the way, this is really hard, this is really, really hard. You know, when Ralph Nader talked about Unsafe at Any Speed in 1965, he wrote the book about, you know, cars because people are like, oh, the car crashes are the fault of bad drivers. Actually, no, it’s the fault of the cars that are not created safe. And then, you know, it wasn’t that we had seatbelt regulations until many years later. 

But we don’t have that much time, and we haven’t talked about AI, but when you think about the technology creating AI, and the power, and the speed, and the unpredictability of those capabilities, they also must, must, must be putting security and safety before everything.

And so this has to be something that everybody in our community, Bryson, really, really reinforces with anybody that’s producing technology or software.

Bryson: Well, that is definitely a magic wand. And so for the final question, we break out the crystal ball.

Jen: Huh! Oh, the crystal ball!

Bryson: Your five year prediction, one good thing, and one bad thing that’s going to happen.

Jen: I mean, I really hope in five years we live in a world where ransomware is a shocking anomaly, where the technology that we rely upon every hour of every day is designed, built, tested and deployed to dramatically reduce the number of exploitable flaws and defects that threat actors can take advantage of.

So that is my optimistic prediction for five years. And as part of that, is that every digital citizen, and that’s all of us now, from K through gray, understands the basic steps that we need to take to protect ourselves. And that’s our Secure Our World campaign that I will shamelessly get you to promote.

It’s, you know, really, really important. And we were trying to make it fun so it’s not this nerd speak thing. It’s like, what are the basics you need to do to keep yourself safe from multi-factor, to passwords and a password manager, to updating your software, to recognizing and reporting phishing.

Just do those, those four things. Basic cyber hygiene prevents ninety-eight percent of cyber attacks. So that’s why we’ve done a real big push on Secure by Design. We’re done a huge push on Secure Our World, on basic online safety. And so, five years from now, the ecosystem will be safer, and critical infrastructure owners and operators will have measurably increased the security and resilience of the services that Americans rely on every day.

Bryson: What’s an incident that you can hypothesize?

Jen: Well, I think it’s bigger than that. We are looking very seriously at attempts by China to reunify with Taiwan. If that is a military activity, then I think we can very likely see activity, conflict be paired with attacks in the U.S. And this has been out there publicly from the Director of National Intelligence Threat Assessment.

We actually have an open hearing next week with the head of NSA, the head of FBI, and the National Cyber Director on Chinese threats to critical infrastructure. And I think there is a serious chance we could see that. And that’s why again, my message to everybody who owns and operates critical infrastructure: we have to build resilience.

Yes, we have to obviously improve our security, we need to invest in our security. We need to have that as a CEO, or as a leader, focus can’t just be delegated down to your Chief Information Security Officer and then fire them if something bad goes wrong. There has to be a top level focus.

Bryson: I’m sorry, what is the CISO for then? I thought that was our fall-person.

Jen: I mean, it’s really sad, right? And these are all our friends. I mean, it’s unacceptable. There needs to be corporate cyber responsibility where CEOs manage cyber risk as a matter, as a business matter of governance. So that’s key. This Care by Design is key. But, you know, at the end of the day, we have to expect disruption.

Take a page out of the book of the Ukrainians. We have to expect disruption. We have to be able to respond to it, and recover in a way that reduces risk. And so really building our systems, our capabilities, our people, our processes in a way where we expect that disruption, and we are prepared for it.

So I think that’s likely to happen, and that’s why we are really working hard to ensure that people understand this threat, but more importantly, understand what they need to do to mitigate the risk of these attacks here in the homeland.

Bryson: This is Hack the Plant, a podcast from the ICS Village. Catch us at an event near you. Subscribe wherever you find podcasts to get episodes as soon as they’re released. Thanks for listening.