Jen Easterly
Appearances
To Catch a Thief: China’s Rise to Cyber Supremacy
BONUS: Live Panel with Top China & Cyber Experts at The New York Stock Exchange
There's a lot there. Yeah, it's a lot to unpack. So let me just go back to one thing that you said that I think is important. Colonial pipeline is always the canonical one we go back to. But frankly, think about CrowdStrike, just July of last year, when a lot of people couldn't access a lot of things. Now, that was for a short period of time.
But think about that disruption that was not just a technology outage or a bad update, but rather a deliberate disruption that could be in place and unable to just turn back. Think about that for weeks and months on end.
So I think that's a good mindset actually to take CEOs and boards and key leaders into the boardroom when you have that very important conversation that Bipul was talking about. At the end of the day, given the complexity, the interdependence, the inherent vulnerability of the technology that we rely upon for businesses large and small,
it is increasingly difficult to prevent bad things from happening. So you have to architect your systems, your infrastructure, train your people, prepare to be able to understand, prevent, but to respond, recover, and then learn continuously from the various incidents.
And to your point about the target-rich, cyber-poor entities who didn't really have security teams or much vendors that they were working with, we made a deliberate effort to work with hospitals and water facilities and K through 12 to help them understand the steps that they could take in a material way to reduce risk to their infrastructure.
So most folks are familiar with the NIST Cybersecurity Framework, great tool, but if you're at a big firm like Morgan Stanley, you can use that and you can actually say, I'm aligning with the NIST Cybersecurity Framework. If you're a rural hospital, the NIST Cybersecurity Framework becomes shelfware.
Don't have the team to really go through that and understand how to align your security organization. So one of the things that we did was do a distillation, kind of an extract of that document to less than 40 things that a hospital or a water facility or a K through 12 school could do, and they were characterized by cost, complexity, and impact.
And so you could do that in a way that could take advantage of your relationships with MSPs or vendors, but also the fact that you didn't have a lot of resources. And then some of our field forces at CISA would work with entities and sit down with them and walk them through those cybersecurity performance goals to help them again materially reduce risk.
Now, to your point about what's happening on the inside of CISA, I've been gone for, I think it's two months today. And from what I've heard and what I've been reading, there have been layoffs, largely the probationary folks. Now, we built CISA from about 2000 to about 3500 when I left. As you said, we hired over 2000 amazing, amazing people.
And I understand that they have let probationary folks off, but now they're rehiring them. Look, at the end of the day, my key message is the type of firings that are going on
are really going to discourage the talent that the federal government needs to be able to defend and protect the American people from joining the federal government, whether it's CISA, whether it's the intelligence community. And I know people are sort of dismissive to this idea of joining the federal government. I spent most of my life in the federal government.
What I would say is these are not bureaucrats, which has frankly been used as a pretty pejorative term. These are public servants who want to defend their nation, who willingly raise their right hand to support and defend the Constitution of the United States of America against all enemies, foreign and domestic. They're doing it because they believe in America.
They want to defend the American people and democracy. And my one message to anybody currently in the government is, yes, preserve the capability for us to be able to defend the nation, but also make sure that you are taking care of your workforce and your troops because they are there to take care of America.
Yeah, I do want to make the point, yes, obviously it's a huge issue, some of these Chinese manufactured routers, switches and firewalls, but it's not just a China issue. Frankly, one of the things that we focused a lot on at CISA was the fact that the technology and the devices and the software
that we rely upon for critical infrastructure is frankly inherently insecure because for decades it's been produced for speed to market, for driving down costs, for features, not for security. And so these can be clearly taken advantage of by China, but there are all kinds of technologies that are, some are created by US companies,
other companies around the world that are just inherently insecure, that are unpatched or have default passwords, or essentially make it very, very easy for an actor, whether it's a sophisticated nation state or a cyber criminal, to be able to exploit that infrastructure. And so this really comes down to, we talk a lot about villains, right?
We blame victims, but I think we don't talk enough about the vendors, because vendors really need to be held accountable to ensure that they are building, designing, testing, and delivering products and software and devices that specifically are meant to be secure. And that's the way you could make a real difference in terms of advancing a sustainably secure ecosystem.
And it's one of the most important things that I think we need to focus on.
Bipul?
Yeah, so we should stipulate that there are a lot of risks with respect to this new technology and some of the work that we did at CISA was working with the labs to ensure that they were red teaming their models, that they were putting in place security to be able to ensure that they were also by design. But I have to say,
I am increasingly encouraged and excited about the prospects of what powerful AI can mean for cybersecurity and cyber defense in particular. I was actually rereading, some of you may have seen Dario Amodei, the CEO of Anthropic, wrote a piece called "Machines of Loving Grace," and it focused very much on health and neuroscience and poverty reduction.
But I actually think there's a lot to be said there about cybersecurity, how this technology can fundamentally change what we're trying to do to secure infrastructure. I know Rob can talk about this as well, but the use case that I'm most excited about, going back to my tirade on insecure technology, a lot of it is because you have insecure codes.
So two-thirds of software vulnerabilities are because of memory safety vulnerabilities, things like SQL injection or cross-site scripting or directory traversal. They've been around and frankly have been solved for 20 years. But if you're writing in C or C++, you're going to continue to have these types of vulnerabilities.
So there's a lot of companies now that are looking to write code prospectively that is much more secure in languages like Rust, which is memory safe. But if you could use powerful AI to refactor insecure legacy code at scale to remove whole classes of vulnerabilities, that can advance a much more safe technology ecosystem.
So that's what I think is the most exciting use case of some of the AI capabilities coming down the line. Okay, Robyn.
Yeah, so great to be here with everybody. I think it's important to understand how serious, urgent, and different the threat that we're talking about has evolved into. You know, as Rob alluded to, for years and years, we really focused on China as a threat of espionage, data theft, intellectual property theft. And over the past few years, we actually saw a threat that was different in kind.
We saw Chinese threat actors that were not looking to steal data, but rather to burrow deeply into US critical infrastructure so that they could be prepared to launch disruptive or destructive attacks in the event of a major conflict in Taiwan. So this was really a deliberate effort by the Chinese Communist Party to hold US critical infrastructure at risk.
So imagine a world where there is a conflict in the Taiwan Straits, and at the same time, you see mass disruption here in the U.S. So you see effects on communications being severed, transportation networks. You see effects on power grids. You see effects on water systems. In a way, we used to call it everything, everywhere, all at once.
So in an intent by Chinese doctrine specifically to incite societal panic and chaos across the US and to deter our ability to marshal military might and citizen will. And that was a threat that we started to really get our arms around working with our intelligence community partners, our FBI partners and industry.
And then based on that information, started working with a variety of victims where we would show up, CISA and FBI, let them know that we think that their networks had been penetrated, and then work with them to actually hunt for those actors to attempt to shut down the access points and then to help them harden their infrastructure.
But we had done this across multiple sectors with multiple entities. And I'll tell you the way that I've always talked about this is we believe what we were able to find when we were at CISA was really just the tip of the iceberg. And it's a full range of targets. One actually was just out there publicly for the first time. We obviously don't talk about targets because we protect victims.
But one target actually talked about this publicly. I think it was in the record. It was a very small water and power facility up in Littleton, Massachusetts. I think they serve about 15,000 citizens of Littleton and Boxborough. And they were one of the victims. So think about what China is doing.
They're doing this opportunistically, looking for vulnerabilities, looking for access points in multiple places across multiple sectors across the U.S., again, to be able to get in to cause disruption and or destruction in the event of a conflict in Taiwan.