Jen Easterly
Appearances
To Catch a Thief: China’s Rise to Cyber Supremacy
Ep 9: The New Frontline
say this not as somebody who knows taiwan well but as somebody who spent 21 years as an army officer being an intelligence officer where you are always trained to think like the adversary it's the adversarial empathy that i think ultimately makes me a better defender you want to take out the power you want to take out the communications you want to take out the rail lines you want to affect
To Catch a Thief: China’s Rise to Cyber Supremacy
Ep 9: The New Frontline
the basic life services and hold that at risk to essentially force your adversary to give up for citizens not to have the will to fight.
To Catch a Thief: China’s Rise to Cyber Supremacy
Ep 9: The New Frontline
You would see clear panic. You would see clear chaos. And, you know, just on a very micro level, we saw this with the ransomware attack on Colonial Pipeline that ended up shutting off gas to the eastern seaboard for a couple of days. You saw the panic that that induced. Well, the Chinese saw that as well.
To Catch a Thief: China’s Rise to Cyber Supremacy
Ep 9: The New Frontline
The Chinese government is watching very closely what is happening in America and some of the fragility that they see, quite frankly, within our democratic processes.
To Catch a Thief: China’s Rise to Cyber Supremacy
Ep 9: The New Frontline
Well, I wouldn't choose like A or B or C. There's probably a little bit of all of the above in the scenarios and the rationales that you just painted. The Chinese government is watching very closely what is happening in America and some of the fragility that they see, quite frankly, within our democratic processes.
To Catch a Thief: China’s Rise to Cyber Supremacy
Ep 9: The New Frontline
And this is part of their strategy to enable them to be able to reunite with Taiwan, something that President Xi has made it clear is a strategic goal. And to your point on Ukraine, I would just comment that I think we all need to recognize that the defense of Ukraine is the deterrence of China.
To Catch a Thief: China’s Rise to Cyber Supremacy
Ep 9: The New Frontline
China is watching very closely whether we end up just giving up on Ukraine because it sends a message to what our political will would be in the event of an invasion or a blockade of Taiwan. And I think it's one reason why it's so important that we continue to
To Catch a Thief: China’s Rise to Cyber Supremacy
Ep 9: The New Frontline
to be very forward-leaning on the support that we're providing to Ukraine along with our international partners as well as the private sector.
To Catch a Thief: China’s Rise to Cyber Supremacy
Ep 9: The New Frontline
So let me just go back to one thing that you said that I think is important. Colonial pipeline is always the canonical one we go back to. But frankly, think about CrowdStrike, just July of last year, when a lot of people couldn't access a lot of things. Now, that was for a short period of time.
To Catch a Thief: China’s Rise to Cyber Supremacy
Ep 9: The New Frontline
But think about that disruption that was not just a technology outage or a bad update, but rather a deliberate disruption that could be in place and unable to just turn back. Think about that for weeks and months on end.
To Catch a Thief: China’s Rise to Cyber Supremacy
Ep 9: The New Frontline
It's not an assessment from the intel community. It is evidence. not a hypothetical threat. It is a very real threat that the hunt teams that we have at CISA have identified. And we've found them in transportation and water and power and communications. But when you talk about what's the breadth and depth of the targets, the answer is we don't know.
To Catch a Thief: China’s Rise to Cyber Supremacy
Ep 9: The New Frontline
We think what we found to date is likely the tip of the iceberg.
To Catch a Thief: China’s Rise to Cyber Supremacy
Ep 9: The New Frontline
Well, first of all, they're not tiptoeing over the line. They're like way over the line, man. They're like, I mean, this was the whole point, right? This is not a theoretical threat. It's a very urgent threat where China is deep into our critical infrastructure, water, power, transportation, communication, specifically to lay in wait so they can launch disruptive and destructive attacks.
To Catch a Thief: China’s Rise to Cyber Supremacy
Ep 9: The New Frontline
I think that is way over the line.
To Catch a Thief: China’s Rise to Cyber Supremacy
Ep 9: The New Frontline
don't want to be scaring hell out of people because that's not effective when you scare people minds just close off and they really don't want to talk about horrible things happening so they'll just you know ignore and go something else and you don't want to be seen as the you know the girl that cried wolf you know you as a storyteller know that
To Catch a Thief: China’s Rise to Cyber Supremacy
Ep 9: The New Frontline
The other thing is we do not talk about this threat without talking about all the things that we're doing and can do about it and what businesses large and small can do about it. And that's what I think is the important thing.
To Catch a Thief: China’s Rise to Cyber Supremacy
Ep 9: The New Frontline
In the military, you always talk about the most probable course of action and the most dangerous course of action. You work through the most serious, dangerous course of action and you exercise through that so that you're working through, well, what will I do knowing that these systems will come down?
To Catch a Thief: China’s Rise to Cyber Supremacy
Ep 9: The New Frontline
And what do I need to do to build them to have the right workforce, to have the right architecture so that I can respond rapidly, but that I can recover within this certain time recovery time objective. So, you know, I'm not going to be down for two weeks. I can be down for three days. And you work through that very deliberately.
To Catch a Thief: China’s Rise to Cyber Supremacy
Ep 9: The New Frontline
Secure by Design is really focusing on technology vendors doing everything they can to prioritize security and product development. So safer, more secure products so that the burden isn't placed on customers and the end users and the small businesses or even the big businesses to have to constantly patch vulnerabilities.
To Catch a Thief: China’s Rise to Cyber Supremacy
Ep 9: The New Frontline
And we have to keep in mind, we had no guardrails around the creation of software. We just let it eat the world and give everybody food poison. You know, that's why we have a world where the internet is full of malware, software is full of vulnerabilities, social media is full of disinformation, and we can't make that mistake with AI.
To Catch a Thief: China’s Rise to Cyber Supremacy
Ep 9: The New Frontline
So those guardrails that we put in place are incredibly important for the safety and security of global citizens everywhere.
To Catch a Thief: China’s Rise to Cyber Supremacy
Ep 9: The New Frontline
I think if you go to what the Chinese themselves have said, what is in their doctrine, it's pretty clear that the strategy is about fighting holding U.S. critical infrastructure at risk in order to deter our ability to marshal military might and citizen will. So this is really about inducing societal panic and chaos, and that would be the result of
To Catch a Thief: China’s Rise to Cyber Supremacy
Ep 9: The New Frontline
water systems being polluted or inaccessible, transportation lines being derailed, communication systems being severed, pipelines exploding. You would see clear panic. You would see clear chaos. And this is part of their strategy to enable them to be able to reunite with Taiwan, something that President Xi has made it clear is a strategic goal.
To Catch a Thief: China’s Rise to Cyber Supremacy
Ep 9: The New Frontline
The thing that is so different and so serious is that this particular threat is not just about espionage. This threat is about being able to launch disruptive and destructive attacks in the event of a major conflict in the Taiwan Straits.
To Catch a Thief: China’s Rise to Cyber Supremacy
BONUS: Live Panel with Top China & Cyber Experts at The New York Stock Exchange
There's a lot there. Yeah, it's a lot to unpack. So let me just go back to one thing that you said that I think is important. Colonial pipeline is always the canonical one we go back to. But frankly, think about CrowdStrike, just July of last year, when a lot of people couldn't access a lot of things. Now, that was for a short period of time.
To Catch a Thief: China’s Rise to Cyber Supremacy
BONUS: Live Panel with Top China & Cyber Experts at The New York Stock Exchange
But think about that disruption that was not just a technology outage or a bad update, but rather a deliberate disruption that that could be in place and unable to just turn back. Think about that for weeks and months on end.
To Catch a Thief: China’s Rise to Cyber Supremacy
BONUS: Live Panel with Top China & Cyber Experts at The New York Stock Exchange
So I think that's a good mindset actually to take CEOs and boards and key leaders into the boardroom when you have that very important conversation that Bipul was talking about. At the end of the day, given the complexity, the interdependence, the inherent vulnerability of the technology that we rely upon for businesses large and small,
To Catch a Thief: China’s Rise to Cyber Supremacy
BONUS: Live Panel with Top China & Cyber Experts at The New York Stock Exchange
it is increasingly difficult to prevent bad things from happening. So you have to architect your systems, your infrastructure, train your people, prepare to be able to understand, prevent, but to respond, recover, and then learn continuously from the various incidents.
To Catch a Thief: China’s Rise to Cyber Supremacy
BONUS: Live Panel with Top China & Cyber Experts at The New York Stock Exchange
And to your point about the target rich cyber poor entities who didn't really have security teams or much vendors that they were working with, we made a deliberate effort to work with hospitals and water facilities and K through 12 to help them understand the steps that they could take in a material way to reduce risk to their infrastructure.
To Catch a Thief: China’s Rise to Cyber Supremacy
BONUS: Live Panel with Top China & Cyber Experts at The New York Stock Exchange
So most folks are familiar with the NIST cybersecurity framework, great tool, but if you're at a big firm like Morgan Stanley, you can use that and you can actually say, I'm aligning with the NIST cybersecurity framework. If you're a rural hospital, the NIST cybersecurity framework becomes shelfware.
To Catch a Thief: China’s Rise to Cyber Supremacy
BONUS: Live Panel with Top China & Cyber Experts at The New York Stock Exchange
Don't have the team to really go through that and understand how to align your security organization. So one of the things that we did was do a distillation, kind of an extract of that document to less than 40 things that a hospital or a water facility or a K through 12 school could do, and they were characterized by cost, complexity, and impact.
To Catch a Thief: China’s Rise to Cyber Supremacy
BONUS: Live Panel with Top China & Cyber Experts at The New York Stock Exchange
And so you could do that in a way that could take advantage of your relationships with MSPs or vendors, but also the fact that you didn't have a lot of resources. And then some of our field forces at CISA would work with entities and sit down with them and walk them through those cybersecurity performance goals to help them again materially reduce risk.
To Catch a Thief: China’s Rise to Cyber Supremacy
BONUS: Live Panel with Top China & Cyber Experts at The New York Stock Exchange
Now, to your point about what's happening on the inside of CISA, I've been gone for, I think it's two months today. And from what I've heard and what I've been reading, there have been layoffs, largely the probationary folks. Now, we built CISA from about 2000 to about 3500 when I left. As you said, we hired over 2000 amazing, amazing people.
To Catch a Thief: China’s Rise to Cyber Supremacy
BONUS: Live Panel with Top China & Cyber Experts at The New York Stock Exchange
And I understand that they have let probationary folks off, but now they're rehiring them. Look, at the end of the day, my key message is the type of firings that are going on
To Catch a Thief: China’s Rise to Cyber Supremacy
BONUS: Live Panel with Top China & Cyber Experts at The New York Stock Exchange
are really going to discourage the talent that the federal government needs to be able to defend and protect the American people from joining the federal government, whether it's CISA, whether it's the intelligence community. And I know people are sort of dismissive to this idea of joining the federal government. I spent most of my life in the federal government.
To Catch a Thief: China’s Rise to Cyber Supremacy
BONUS: Live Panel with Top China & Cyber Experts at The New York Stock Exchange
What I would say is these are not bureaucrats, which has frankly been used as a pretty pejorative term. These are public servants who want to defend their nation, who willingly raise their right hand to support and defend the Constitution of the United States of America against all enemies, foreign and domestic. They're doing it because they believe in America.
To Catch a Thief: China’s Rise to Cyber Supremacy
BONUS: Live Panel with Top China & Cyber Experts at The New York Stock Exchange
They want to defend the American people and democracy. And my one message to anybody currently in the government is, yes, preserve the capability for us to be able to defend the nation, but also make sure that you are taking care of your workforce and your troops because they are there to take care of America.
To Catch a Thief: China’s Rise to Cyber Supremacy
BONUS: Live Panel with Top China & Cyber Experts at The New York Stock Exchange
Yeah, I do want to make the point, yes, obviously it's a huge issue, some of these Chinese manufactured routers, switches and firewalls, but it's not just a China issue. Frankly, one of the things that we focused a lot on at CISA was the fact that the technology and the devices and the software
To Catch a Thief: China’s Rise to Cyber Supremacy
BONUS: Live Panel with Top China & Cyber Experts at The New York Stock Exchange
that we rely upon for critical infrastructure is frankly inherently insecure because for decades it's been produced for speed to market, for driving down costs, for features, not for security. And so these can be clearly taken advantage of by China, but there are all kinds of technologies that are, some are created by US companies,
To Catch a Thief: China’s Rise to Cyber Supremacy
BONUS: Live Panel with Top China & Cyber Experts at The New York Stock Exchange
other companies around the world that are just inherently insecure, that are unpatched or have default passwords, or essentially make it very, very easy for an actor, whether it's a sophisticated nation state or a cyber criminal, to be able to exploit that infrastructure. And so this really comes down to, we talk a lot about villains, right?
To Catch a Thief: China’s Rise to Cyber Supremacy
BONUS: Live Panel with Top China & Cyber Experts at The New York Stock Exchange
We blame victims, but I think we don't talk enough about the vendors. because vendors really need to be held accountable to ensure that they are building, designing, testing, and delivering products and software and devices that specifically are meant to be secure. And that's the way you could make a real difference in terms of advancing a sustainably secure ecosystem.
To Catch a Thief: China’s Rise to Cyber Supremacy
BONUS: Live Panel with Top China & Cyber Experts at The New York Stock Exchange
And it's one of the most important things that I think we need to focus on.
To Catch a Thief: China’s Rise to Cyber Supremacy
BONUS: Live Panel with Top China & Cyber Experts at The New York Stock Exchange
Pitbull?
To Catch a Thief: China’s Rise to Cyber Supremacy
BONUS: Live Panel with Top China & Cyber Experts at The New York Stock Exchange
Yeah, so we should stipulate that there are a lot of risks with respect to this new technology and some of the work that we did at CISL was working with the labs to ensure that they were red teaming their models, that they were putting in place security to be able to ensure that they were also by design. But I have to say,
To Catch a Thief: China’s Rise to Cyber Supremacy
BONUS: Live Panel with Top China & Cyber Experts at The New York Stock Exchange
I am increasingly encouraged and excited about the prospects of what powerful AI can mean for cybersecurity and cyber defense in particular. I was actually rereading, some of you may have seen Dario Amadeus, the CEO of Anthropic, wrote a piece called Machines of Loving Grace, and it focused very much on health and neuroscience and poverty reduction.
To Catch a Thief: China’s Rise to Cyber Supremacy
BONUS: Live Panel with Top China & Cyber Experts at The New York Stock Exchange
But I actually think there's a lot to be said there about cybersecurity how this technology can fundamentally change what we're trying to do to secure infrastructure. I know Rob can talk about this as well, but the use case that I'm most excited about going back to my tirade on insecure technology, a lot of it is because you have insecure codes.
To Catch a Thief: China’s Rise to Cyber Supremacy
BONUS: Live Panel with Top China & Cyber Experts at The New York Stock Exchange
So two-thirds of software vulnerabilities are because of memory safety vulnerabilities, things like SQL injection or cross-site scripting or directory traversal. They've been around and frankly have been solved for 20 years. But if you're writing in C or C++, you're going to continue to have these types of vulnerabilities.
To Catch a Thief: China’s Rise to Cyber Supremacy
BONUS: Live Panel with Top China & Cyber Experts at The New York Stock Exchange
So there's a lot of companies now that are looking to write code prospectively that is much more secure in languages like Rust, which is memory safe. But if you could use powerful AI to refactor insecure legacy code at scale to remove whole classes of vulnerabilities, that can advance a much more safe technology ecosystem.
To Catch a Thief: China’s Rise to Cyber Supremacy
BONUS: Live Panel with Top China & Cyber Experts at The New York Stock Exchange
So that's what I think is the most exciting use case of some of the AI capabilities coming down the line. Okay, Robyn.
To Catch a Thief: China’s Rise to Cyber Supremacy
BONUS: Live Panel with Top China & Cyber Experts at The New York Stock Exchange
Yeah, so great to be here with everybody. I think it's important to understand how serious, urgent, and different the threat that we're talking about has evolved into. You know, as Rob alluded to, for years and years, we really focused on China as a threat of espionage, data theft, intellectual property theft. And over the past few years, we actually saw a threat that was different in kind.
To Catch a Thief: China’s Rise to Cyber Supremacy
BONUS: Live Panel with Top China & Cyber Experts at The New York Stock Exchange
We saw Chinese threat actors that were not looking to steal data, but rather to burrow deeply into US critical infrastructure so that they could be prepared to launch disruptive or destructive attacks in the event of a major conflict in Taiwan. So this was really a deliberate effort by the Chinese Communist Party to hold US critical infrastructure at risk.
To Catch a Thief: China’s Rise to Cyber Supremacy
BONUS: Live Panel with Top China & Cyber Experts at The New York Stock Exchange
So imagine a world where there is a conflict in the Taiwan Straits, And at the same time, you see mass disruption here in the U.S. So you see effects on communications being severed, transportation networks. You see effects on power grids. You see effects on water systems. In a way, we used to call it everything, everywhere, all at once.
To Catch a Thief: China’s Rise to Cyber Supremacy
BONUS: Live Panel with Top China & Cyber Experts at The New York Stock Exchange
So in a intent by Chinese doctrine specifically to incite societal panic and chaos across the US and to deter our ability to marshal military might and citizen will. And that was a threat that we started to really get our arms around working with our intelligence community partners, our FBI partners and industry.
To Catch a Thief: China’s Rise to Cyber Supremacy
BONUS: Live Panel with Top China & Cyber Experts at The New York Stock Exchange
And then based on that information, started working with a variety of victims where we would show up, CISA and FBI, let them know that we think that their networks had been penetrated. and then work with them to actually hunt for those actors to attempt to shut down the access points and then to help them harden their infrastructure.
To Catch a Thief: China’s Rise to Cyber Supremacy
BONUS: Live Panel with Top China & Cyber Experts at The New York Stock Exchange
But we had done this across multiple sectors with multiple entities. And I'll tell you the way that I've always talked about this is we believe what we were able to find when we were at CISA was really just the tip of the iceberg. And it's a full range of targets. One actually was just out there publicly for the first time. We obviously don't talk about targets because we protect victims.
To Catch a Thief: China’s Rise to Cyber Supremacy
BONUS: Live Panel with Top China & Cyber Experts at The New York Stock Exchange
But one target actually talked about this publicly. I think it was in the record. It was a very small water and power facility up in Littleton, Massachusetts. I think they serve about 15,000 citizens of Littleton and Boxborough. And they were one of the victims. So think about what China is doing.
To Catch a Thief: China’s Rise to Cyber Supremacy
BONUS: Live Panel with Top China & Cyber Experts at The New York Stock Exchange
They're doing this opportunistically, looking for vulnerabilities, looking for access points in multiple places across multiple sectors across the U.S., again, to be able to get in to cause disruption and or destruction in the event of a conflict in Taiwan.