CISA Strategic Plan for 2023-2025: The Future of U.S. Cyber and Infrastructure Security
James Andrew Lewis: Good morning. Welcome to CSIS. I hope everyone had a nice Thanksgiving. It was a bit wet, but thank you for coming and attending. And thanks to everyone watching online.
We have a pretty dynamic lineup today. The first will be a fireside chat between Suzanne Spaulding, CSIS senior adviser and director of the Defending Democratic Institutions Project; and CISA Director Jen Easterly, who I’m not going to introduce because if you don’t know her by now, what are you doing in the room? (Laughter.) We’ll follow that with a panel with some very prominent experts – I’m happy to do it – which I’ll moderate.
But with that, I think the rules are you guys talk and after a while we throw you offstage. So thank you. (Laughter.)
Suzanne Spaulding: Excellent. We’ll wait for the hook. (Laughter.)
In the meantime, we got a lot to talk about.
Jen Easterly: Yeah.
Ms. Spaulding: Jen, so great to have you here.
Ms. Easterly: Great to be with you.
Ms. Spaulding: Thank you for coming. You’ve got an awful lot on your plate.
Ms. Easterly: Yeah.
Ms. Spaulding: And we want to, you know, do a bit of a deep dive in some of your front-burner issues, and then we’ll pull back and provide some of the strategic context for that.
Ms. Easterly: Yeah.
Ms. Spaulding: But you know, between elections which are going on right now, with Election Day next Tuesday; and we’ve still got, obviously, a conflict raging in Ukraine with a very active cyber element to that and the risk of that expanding; and lots going on. So let’s go ahead and get started.
Let’s start with that most urgent, I think, you know, concern, which is around our elections. CISA has the broad mission for elections, the function that our elections are meant to serve, right? So not just the cybersecurity of the IT infrastructure, but making sure that our election is able to perform the function we look to it to perform, which is provide for the peaceful transition or retention of power in our country, right?
Ms. Easterly: Yeah. Yeah.
Ms. Spaulding: And that’s a cyber and physical and information cognitive piece. So talk to us a bit about each of those elements.
Ms. Easterly: Yeah. Well, first of all, it’s so great to be here with you. And thanks so much to my friend Jim and to everybody who’s spending the time. It’s great. You know, I think of you as the spiritual godmother of CISA given all the amazing work you did to turn us into an operational component from a staff element and then the foundational work you did as a commissioner on the Cyberspace Solarium Commission, which really ended up elevating CISA’s status, giving us more authorities and capabilities, and gave us the JCDC. So thank you, thank you. Lovely to be here with you nearly on the verge of our fourth birthday.
I do want to just step back a little bit. I think probably everybody in the audience knows CISA’s mission, but it’s worth mentioning, you know, newest agency in the federal government. Stood up by Congress November of 2018. And the mission is to lead the national effort to understand, manage, and reduce risk to the critical infrastructure – cyber and physical – that Americans rely on every hour of every day. And it’s not some technical term, as you very well know. It’s how we get gas at the pump and food at the grocery store and money from the ATM, power, water, all of that; so critical mission, as you well know.
And then, within those two, that broad mission, as you alluded to, Suzanne, sort of two key roles, and those are reflected in the Strategic Plan, and really excited to have Val and company and our friends talk about it. But the first two pillars are ensure the defense and resilience of cyberspace, so America’s cyber defense agency very important role; and then the second, risk reduction and resilience. So that’s all about being the national coordinator for critical-infrastructure resilience and security.
We serve, as you know, the Sector Risk Management Agency for eight sectors and one subsector. Subsector is election infrastructure, right. And we are seven days out from our midterm elections. And, you know, as you know, and I think as everybody knows, the federal government doesn’t run elections, right. It’s the state and local officials that run those elections that are on the front lines of protecting democracy.
And what do we do? We ensure that they have the tools, the resources, the capabilities and the information to be able to run safe and secure and resilient elections. And as you very well know, over the past several years we have been working hand in hand across the federal government with those election officials, with the vendor community. And I am very confident that we have done everything we can to make election infrastructure as secure and as resilient as possible. And we’ve been very clear that there is no information, credible or specific, about efforts to disrupt or compromise that election infrastructure.
You know, that said, as I know you know very well, it’s a more complex environment than I think we’ve ever experienced, right. You have cybersecurity threats from nations and from cybercriminals. You have insider threats from those who have institutional knowledge. You’ve got these horrible physical-security concerns at an unprecedented level, threats of intimidation, of violence, of harassment against election officials, polling places, voters. And then, of course, you’ve got disinformation and misinformation which can be used by foreign adversaries to sow discord among the American people, to undermine confidence in the integration of our elections, and to incite violence against election officials.
And, you know, for us who’ve served and for those in the room who’ve served, I think it’s really important that people understand these election officials are not faceless backroom bureaucrats, right. I mean, they’re people who are dedicated public servants, who live in our towns and our cities and our communities, that are people we see at the bowling alley, at the PTA meeting, at the restaurant, at church. And they are dedicated public servants who are just trying to defend democracy. They’re our neighbors. They’re our friends. They’re our relatives. And, you know, they deserve our support. Not just our support; they deserve our admiration, our respect. And for God’s sakes, they deserve to be safe. They deserve to be safe.
I don’t know if you saw the op-ed that came out over the weekend. It was by two sheriffs, one in Massachusetts, one in Colorado, different parts of the political spectrum. I was so encouraged by it, because, you know, they were coming together to say that elections are non – securing elections is a nonpartisan activity and there is no place for threats. It is unacceptable.
And at the end of the day, they’re – you know, the local law enforcement play a critical role in securing elections. You know, 90 percent nearly of threats are reported to election officials. And so that connectivity with local law enforcement is absolutely critical. So I was super-encouraged by that. And I’m hopeful that that’s emblematic of the relationship with law enforcement across the board.
You know, as you know, our physical-security mission – we have protective advisers who do physical-security assessments. We spent the last several weeks doing nationwide training about how to deescalate situations. But it is a really, really difficult physical-security environment.
And then, as you know, on disinformation, someone was picked up yesterday. And I want to just correct the record on it. I think it was something about whether we said that adversarial nations were going to have influence. That was not true at all. In fact, we are concerned about Russia and Iran and China trying to influence our elections. I think there was some reporting out on Mandiant, from Mandiant last week about this. It’s a significant concern, because you think about these adversaries that are trying to sow discord, that are trying to break us apart about Americans, that are trying to undermine, you know, integrity in our elections. And so we are very concerned about this, as I know you personally are.
I want to be really clear about what CISA’s role is in this. You know, we are not an intel agency. We’re not a law-enforcement agency. We don’t work with the platforms on what they do around content. That is entirely their decision. It is their terms of service.
And I want to be very clear about this, we do not censor information. Securing elections is a nonpartisan activity, and quite frankly, as somebody who’s worked in Democratic and Republican administrations, you know, as somebody’s who served the American people my whole life – in peacetime, in combat, sworn to defend and protect the Constitution of the United States – including, and in particular, the First Amendment – I want to be very clear, we do not censor anything. What social media platforms do, what the news does is entirely their decision.
Now, what do we do? We do three things. We make sure that people understand the tactics around disinformation and that Americans understand, you know, how to build resilience against it, how to recognize it, how to investigate it, asking about the source, questioning it, not amplifying it – all of that’s incredibly important.
We have an election security rumor versus reality website, and what does that do? It’s election literacy. You talk a lot about civics education – it’s election literacy. And so, you know, elections are super complicated. It’s information that’s out there – like, what is accurate?
And then, most importantly, we amplify the voices. We amplify the voices – of those trusted voices – state and local election officials, who are the people that people should go to. If you have any questions at all about voting, how voting works, go to your state and local election officials. Great websites – NASS.org, NASED.org. They’ve got frequently asked questions. They’ve got their own myth busters, fact versus fiction, that they’ve created. They are the best source.
And you know, I’ve been talking to these election officials for the past several months, and they have confidence in the integrity of the vote. They are concerned about some of these physical security disinformation, and they asked me to give a message to the American people, and to the media. I think this is really important.
You know, there are going to be errors. There are going to be glitches. It happens in every election. But that’s why there are multiple layers of security controls and resilience built into this system.
And so, to the media, I would really like to ask for everybody’s help because these things are going to happen. And we can’t – you know, somebody will forget their key to the polling place; a water pipe will burst – these are not – these are normal things. They’re not nefarious, and I think it’s super important that folks get the word out on how elections work.
And mostly, as you well know, elections are not over when the polling places close. There’s so much work to be done to ensure that there is reconciliation of provisional ballots, counting of absentee ballots, military votes, there’s canvassing at the state local county level, and so sometimes it takes days, sometimes it takes weeks, to certify those elections.
And we all need to be patient. We all need to let the machinery of democracy work. We are all in this together. You know, elections are the golden thread that’s woven through the fabric of our democracy, and if that unravels, our republic is at risk. And so we all need to come together to protect what is most sacred.
So I just – you know, seven days out I’m very passionate about making sure that Americans can vote and have confidence that the vote that they cast is counted, and so again, I’m grateful for everything that you’ve done to set us up into this place where we can do that mission hand in hand with election officials.
So thanks for letting me get that out, but I just think it’s so important.
Ms. Spaulding: Yeah, it’s absolutely vital, and that was a terrific explanation of the way that CISA fits in to what is a national effort here led by state and local officials, as you say.
But I think particularly the points about, you know, combatting disinformation so important because we’re seeing reports that our adversaries are stepping in and amplifying domestic voices and creating their own disinformation around things as fundamental as the time, place, and manner of voting, right?
So putting out disinformation that there are no absentee ballots being accepted this year – you know, the sort of classic kinds of things. Polling places being closed. Election day being moved. All of these kinds of disinformation that is designed to get people to not exercise their right to vote, to dampen turnout, to create a fertile – even more fertile field for disinformation after the fact about illegitimacy of the election process. And it really does, particularly in this highly-charged partisan environment create the potential for even more violence – political violence.
Ms. Easterly: That’s what I really worry about.
Ms. Spaulding: And so it’s never been more important. And I’m so glad that you’re there and leading the tremendous men and women at the DHS on this important mission.
Ms. Easterly: Thank you. Thanks for your partnership.
Ms. Spaulding: And I think it’s also very indicative of the very operational role that CISA has, and you and I have talked about this a bit that, you know, when I was leading what was then called NPPD –
Ms. Easterly: Right. Right.
Ms. Spaulding: – National Protection and Programs Directorate, which I always thought was a terrible name, you know, we were considered a headquarters component and part of our big push was not just to change the name but to be recognized for the operational component that we already were at that time.
And, you know, most folks don’t have any sense, really, of why that’s important, right, what is the difference there between being considered a headquarters component and really being recognized as an operational resource for the secretary, for all of our stakeholders within DHS across the federal government and across the country.
But you have really taken that transition from headquarters to operational component that we fought so hard for and made it – really, taking it to a new level –
Ms. Easterly: Yeah. Thank you.
Ms. Spaulding: – with the operational work that you’re doing around elections all across the country, with the operational work that you have – are doing with the private sector, you know, really making great strides, and one of the most obvious examples of that is the JCDC.
So I wanted to give you a minute to talk about the Joint Cyber Defense Collaborative, and then that came about right about the time that you implemented – started implementing Shields Up in response to Putin’s decision to march into Ukraine and attempt to take over a sovereign country.
And so I want to hear a bit about the JCDC. I’d love to hear about how we’re doing on Shields Up and both, you know, a lot of questions about how sustainable is that over the long term.
Ms. Easterly: Yeah. It’s really important.
Ms. Spaulding: I mean, already it’s been up for a long time. What parts of that, you know, will – are sort of operational tempo that cannot be sustained indefinitely and then what are things that have come out of that Shields Up collaborative effort that you hope will be enduring, that you expect will be enduring?
Ms. Easterly: Yeah. Yeah. So it’s a great question.
You know, in the Cyberspace Solarium Commission you all – that was one of your recommendations that actually got put into law with the 2021 NDAA. I think you called it the JCPO – the J-C-P-O, the Joint Cyber Planning Office – and when I heard JCPO I was, like, oh, that doesn’t sound very good. And if you –
Ms. Spaulding: Sort of like SICI. You didn’t like SICI, systemically important critical – (laughs).
Ms. Easterly: Yeah, I didn’t like SICI. I mean, the Solarium Commission was so great, but the worst acronyms. The worst acronyms. So, yeah, JCPO.
But, you know, when I read the legislation, Suzanne, it actually was much more about – it was much more than planning. It was a lot of how do we bring together all of the cyber-defense operations and do it in a coherent way.
And so we thought, JCDC, because it does sound like AC/DC, but also because it is more indicative of the fact that it’s about defense and that is collaboration, at the end of the day. I mean, one of the – you know, I spent most of my career in the Army and the intelligence community at the White House where you could argue that, you know, the federal government has monopoly power. In Homeland Security – cybersecurity – we’re a partner. We’re a partner.
And so, you know, in particular, when you’re – when you have a mission to protect and defend critical infrastructure and you don’t own the vast majority of it and you’re not a regulatory agency, by and large, you need to develop really robust partnerships.
So I love the fact that the JCDC early on allowed us to create a platform, a platform to bring together our federal partners – so FBI, NSA, CYBERCOM, Defense, Justice, ODNI, Secret Service, the National Cyber Directorate – on one platform to work with the private sector and the first thing that we did, which then paid a lot of dividends with both Log4Shell, if you’ll remember the very serious open source vulnerability and then, of course, Shields Up, was we developed what we call the Alliance, which are the 20, 25-ish biggest technology companies in the world – the ISPs, the CSPs, the backbone infrastructure, the cybersecurity vendors.
Why? Because everything’s a technology company these days. Critical infrastructure is all underpinned by technology and these are the companies that have the most visibility into what is happening in terms of suspicious activity on our infrastructure.
And so that has been terrific to work together, to share this information with these companies, in a way that’s real-time collaboration. It’s not just about let’s have ad hoc sporadic collaboration where we meet at the field office once a month.
And so we built this Slack channel. We brought in all the agencies. We have technology partners, separate ones for finance and energy because of the concerns around potential Russian attacks or retaliation. And it has really, I think, been a game changer in terms of developing trusted, collaborative, real-time, responsive, transparent partnerships with the private sector.
It’s the same thing about – I say about elections. You know, great, come learn about it. Be transparent about it. That’s what we want to be. We want to be transparent, responsive, and add value. If we’re not providing information that doesn’t add value to defenders, then, you know, what we’re doing is not making a difference.
And so we’ve gotten a lot of great feedback from all of our partners in terms of the work that we’re doing. And in Shields Up, you know, we developed this – we wanted to have almost, you know, a tagline that everybody could remember. Shields Up, of course, comes from “Star Trek.” But the idea was we all need to be prepared for this threat. We all need to come together to share pieces of information that can help us proactively get ahead of that threat, and then reduce risk and mitigate it. And so we’ve gotten tremendous feedback from all of our partners on the fact that we leaned really far forward.
And big credit to the intel community, that worked hard to make sure that we could provide as much strategic warning as possible – and, of course, tactical warning as well – so that everybody could be prepared.
And then, you know, mitigations that anybody can take up, whether you’re a small business, whether you’re a CEO, empower your CISOs; whether you’re a member of the American public, enable MFA, update your software, use a password keeper, be careful about clicking on suspicious links, all the things we’ve talked about extensively during Cybersecurity Awareness Month.
But it has been, I think, a real rallying cry. We’ve received great feedback from CISOs all around who say it has given us the ability to raise the bar on our cybersecurity, to get a lot done.
And you know, to your very good point, I do worry about burnout. I worry about mental health of the workforce – you know, a lot of people working really hard. And frankly, we need a way, as you know – as you’re part of the Cybersecurity Advisory Committee – to calibrate that better in terms of regions, in terms of sectors. And that’s what we’re working on, almost like a national cybersecurity alert system so that we can be more clear about the levels of urgency.
I will say, though, now, given what’s happening in Russia, what’s happening in Ukraine, some of the rhetoric that’s coming out of the – out of Russia, it’s not the time to put our shields down. We need to be prepared for potential activity – disruptive/destructive activity. And you know, going back to our point on elections, that’s what foreign adversaries want. They want to have disruption. They want to sow discord. They love the partisan rancor. They love the, you know, tearing apart America. And so we need to have our – up our game, reduce our risk, create resilience, and be prepared for the full range of threats – cyber threats, technology incidents, manmade weather events as you know, terrorist threats, and things that sow discord.
And so it’s been a successful campaign. I’m really looking forward to continuing to grow the JCDC. Eric Goldstein, who you know well, and team – our head of cyber – has done fabulous work. But you know, at the end of the day I think the point I would make is it’s a partnership platform. Our role there is just as important as our FBI partners, our NSA partners, our CYBERCOM partners, the other sector risk-management agencies – Treasury, Energy. It’s about bringing together the government in a coherent way.
And that’s why I love so much what Chris Inglis is doing as the national cyber director. This is the other innovation that came out of the Solarium Commission. He’s been such a fabulous partner in helping to create coherence and just such a great teamwork atmosphere across the entire government. Now we have our other friend Nate Fick coming in as our cyber ambassador. So, you know, great team, but a lot of hard work to do.
Ms. Spaulding: Yeah. And you talk about the – you know, you’re starting to look at a kind of national cyber alert and trying to learn lessons from the terrorism advisories that went through from color-coded to more nuanced advisories. But one of the challenges in that environment was always I remember being at so many meetings within the department about how to articulate the current posture and then when can you ever draw it back down.
Ms. Easterly: Yeah.
Ms. Spaulding: And I think you will find the same thing, obviously, in the cyber context, and you’ve talked about the fact with Shields Up now is definitely not the time to draw it back down. It’s a little hard – I mean, there will always be something happening.
Ms. Easterly: Yeah. Yeah.
Ms. Spaulding: So it does seem to me that one of the biggest challenges is to find ways to take what is a stepped-up what I talk about, operational tempo, that is – that risks sort of burnout and work with that collaborative to say: How do we institutionalize this stepped-up level of hardening in a way that is sustainable? Because the reality is, you know, there will never be a time when we can just, whew, well, we don’t have to worry about cyber anymore, right?
Ms. Easterly: A hundred percent. A hundred percent.
Ms. Spaulding: And so I wonder if you’ve got any examples of things that happened maybe for the first time either with the standup of JCDC, maybe in the Log4j, but – or more particularly in the Shields Up, something that you think is now maybe institutionalized. And maybe it is the intelligence community having a whole different mindset about leaning forward and sharing intelligence. That often happens in a crisis and goes away when we’re back to day to day. How do we lock it in?
Ms. Easterly: It’s such a great point. You know, and Chris Inglis and I have written about this, really, Shields Up as the new normal. And that’s all about raising the bar in a way that we’ve never had a full focus across the country, and that’s so important that we all realize the basics around cyber hygiene, you know? (Laughs.) There are going to be various levels, as you said, to calibrate, but we’re never going to be able to put our shields down. That has to be the new normal.
But I am excited at the unprecedented level of operational collaboration, people who have come forward to share information because they realize that we are responding to it. We’re being absolutely transparent about what we’re seeing and we are looking to add value.
You know, the JCDC is not just private sector; it’s our state and local partners, it’s our international partners, and of course our federal partners. And we’ve never had that together on one platform. So I’m incredibly excited about that.
You know, you ask about how do we institutionalize. I think there’s two really important things. You know, we’re talking all about strategy, the two huge strategy things over the next year that I really want us to move the ball on.
One is: How do we get these big companies really to institutionalize cybersecurity as a governance matter – not just a tech thing, but actually something that is about good governance? We had a great meeting last week with General Motors where I was so impressed by how they manage cyber risk. The CEO is actually the chair of the cybersecurity risk governance committee and it is – it is all about governance. And so we are thinking about – we know all about CSR, corporate social responsibility. We’re thinking about corporate cyber responsibility and, really, that as a governance matter. My chief of staff, Kiersten, who you know well – Kiersten Todt – has done some great thought leadership on this as well. And so it’s something where I really want to move the ball on because I think companies are embracing this, but actually having it as a governance matter. And then using metrics like ESG metrics have been done for CSR, but metrics to drive down risk.
I’m particularly excited about using the new Cybersecurity Performance Goals that we put out last week, which are essentially high-priority, high-risk things that can be done to drive down risk and build resilience, simple things in terms of how we can do it with respect to cost and complexity and impact. You know, they are – they are complementary to the NIST Cybersecurity Framework, which is great for if you have a lot of resources and can build a comprehensive program. But if you’re a small business, what are those 40-ish things that you need to do to drive down risk? And then, if you do it – do it in terms of high impact/low cost, you can actually put out your roadmap to get stuff done. And that’s why I’m excited for big companies to say: Wow, we’ve got thousands of vendors in our supply chain; how do we actually help them reduce risk?
And I think the Cybersecurity Performance Goals – which, by the way, we had tremendous input from our partners all across the private sector to help build those things. You know, I am all about treating feedback as a gift and I love to crowdsource great ideas. So a lot of great input. We’re going to continue to evolve those. We’re going to build sector-specific ones. But I think this idea of corporate cyber responsibilities and then using tools like the CPGs to drive down risk within the supply chain that are populated by small and medium businesses, I’m excited about that.
And the second thing I’m excited about is technology companies embracing secure by design and secure by default, because technology companies are the bedrock of our critical infrastructure. And if software and products are coming off the line rife with vulnerabilities, we will never solve this problem. We have to have them FAO by default. We can’t charge extra for security logging and SSO. We need to ensure that we’re coming together to really protect the technology ecosystem instead of putting the burden on those least able to defend themselves; so very excited about what I’m seeing from the technology companies.
And as you know, Bob Lord and I have called for radical transparency in things like statistics, around implementation of non-phishable MFA; and so a lot of exciting things going on. But it all starts with this fabulous Strategic Plan that Val Cofield led, along with our entire team, and then all of what we’re going to do to measure our ability to get those objectives done that will ultimately result in reducing risk to America’s critical infrastructure.
Ms. Spaulding: Yeah. Terrific. I spent a lot of time talking to CEOs, corporate CEOs and boards, of course, when I was the undersecretary at DHS. And now I’m seeing it from the other side, serving on boards. And it is really interesting.
But I think your point about corporate cyber responsibility is consistent with – part of, as you said, my big issue these days is reinvigorating civics education in this country as a way of building resilience against disinformation, but also as a way of strengthening a sense of civic responsibility, right. So before we can even instill a sense of corporate responsibility, we need to remind Americans about that sense of civic responsibility that you owe something to your community, that you are part of something bigger, and you therefore have this responsibility.
You know, you probably – I don’t know if you’ve experienced this. You just did a lot of traveling for Cybersecurity Awareness Month. When I would go around talking to audiences, my talking points always had in it the bullet cybersecurity is a shared responsibility. And I would say that and I would get all these blank looks from the audience, like, you know, people just didn’t – it didn’t resonate, because there was – I think we have failed to really, you know, in a strong way, inculcate that sense of responsibility, so for businesses to understand.
And then I think also what I have found is that boards are intimidated by this issue. It becomes technical very fast. And so talking about it as a COOP COB, as a continuity-of-operations, continuity-of-business issue, they’re more comfortable with that. And one of the things I was so impressed with the cyber-performance goals, Jen, was that they do emphasize that resilience piece, right. It’s not just all about threats and vulnerabilities. Focus on consequences. That’s consequences to your business. And that’s what boards get. They get that piece, right. So I think that’s really important, really critical.
You know, you mentioned at one point largely not a regulatory agency. One of the things I know that you guys also have on your plate that you’re working on now is implementing the cyber-incident reporting authority that you’ve been given. And a lot of folks are wondering, you know, what’s that going to look like in terms of how regulatory is that going to be. And I wanted to give you a chance to address that.
You know, a lot of folks don’t realize CISA does have a small regulatory program, right, CFATS –
Ms. Easterly: CFATS.
Ms. Spaulding: – the Chemical Facility Anti-Terrorism Standards.
Ms. Easterly: Yeah.
Ms. Spaulding: And my sense has always been that that regulatory authority has coexisted with what is predominantly, overwhelmingly a voluntary partnership with business, as you say, that’s based on that trust.
Ms. Easterly: Trust. It’s all about trust. It’s all about trust.
Ms. Spaulding: And so a lot of interest in how you’re going to approach this cyber-incident reporting in a way that maintains that sense of trust with business, and then also how you’re going to take that data and turn it into actionable, useful – you know, if we don’t add value, why are we here? – products for all defenders to use to up our game.
Ms. Easterly: Yeah, great question. So CFATS, as you said, Chemical Facility Anti-Terrorism Standards, goes back to, I think, like, 2009. And it covers about 3,300 facilities. I’ve been amazed. You know, you’ve got this great chemical-security team that’s in our Infrastructure Security Division. And the relationship with the chemical sector that we serve as the Sector Risk Management Agency for, they are very welcoming of those standards.
We were just at the Chemical Security Summit. And that community are very close partners. And so I think it’s a model for how we need to work together. Now, I have no interest in being a regulatory agency. I think your word, trust, building trust for partnerships, is incredibly important. But what we’ve learned with that very small authority and the relationships that we’ve developed with the chemical sector, I think, are instructive for what we are doing as we build the cyber-incident reporting rulemaking process. So we’re doing listening sessions around the country. Brandon, our executive director, is up in Boston today, hearing from the community. We have a request for information out there. Why? Because we want to make this a very consultative process.
This is all about how do we – you pointed out collective; you know, it’s your responsibility – how do we build collective cyber defense for the nation? We’re not in the business of naming or shaming or hurting anybody’s reputation or stabbing the wounded. We’re all about you report to us. We take that information. Do you need assistance? First and foremost, what can we do to help?
Now, we know many companies, even small, go to, you know, incident-response providers in the private sector. That’s fabulous. But if they need help, we’re there. Most importantly, that information can be used in a way that protects privacy, protects the company, because of our expansive information-sharing authorities that protect the victim, that can be used in a way that we can share it with others to prevent them from getting hacked. And so it’s all about protecting the ecosystem.
And it’s almost like if you’re in a neighborhood, right, and your neighbor gets robbed, you’d want to know that, because your level of vigilance goes up. And you want to know how did it happen? What can I do to harden the infrastructure, to make my home safe? And so it’s really taking this sort of neighborhood-watch approach to the whole cybersecurity ecosystem. How can we make each other stronger? And I think that’s, you know, incredibly, incredibly important.
So we’re going through the rulemaking process. It’ll probably take about two years or so. For me, I would say the most important thing in this process, besides transparency of the process, is harmonization. There’s so much out there the government is asking from the private sector. We need to ensure that we’re not adding one more rock to that rock sack that’s causing a burden to the private sector, particularly when they’re trying to manage something under duress.
So two things that were in the legislation that people don’t talk a lot about, the Cyber Incident Reporting Council that is bringing together all of the people who have a dog in that fight to say we need to make sure that we’re harmonizing what we’re asking from the private sector; really important. And secondly, also the Joint Ransomware Task Force was part of that same legislation. We’ve stood that up. I know there’s a whole counter-ransomware summit going on with our international partners. But we’re really excited to play a role. But getting CIRC right will be incredibly important.
I do want to pick up on one really great thing you said, and, you know, people’s eyes glaze over and it gets really technical. You know, we need to do a better job of explaining cybersecurity so that everybody understands we all have a role to play, from K through gray, right. And so, you know, we use these terms like – multifactor authentication is the worst term for something that’s so important – (laughs) – the most important thing, which is why we try and come up with you’re more than a password.
But at the end of the day, be able to explain this in terms that people understand what they need to do to keep themselves safe, their families safe, their kids safe, their businesses safe, I think is part of the responsibility. How do we become those cyber storytellers in a compelling way that resonates with everybody across the community, you know, whether we call it cybersecurity or data care or cyber safety. We just need to come up with a way that, just like ransomware has become a kitchen-table issue, cybersecurity, cyber safety needs to be that same kitchen-table issue so that everybody does understand they play a part.
Ms. Spaulding: Yeah. You know, I always say, with disinformation, we need to do a better job of making the stigma that is attached with spreading false information greater than the prestige of being the first one to share. And similarly, in the secure-by-design context, right, we need to make the cost of putting out blatantly unsafe, you know, devices or software, or whatever it might be, greater than being – a penalty greater than being the first – than the reward of being the very first one to market with something, right. We’ve got to flip those incentives; and similarly for the broader public then, right, the shame, if you will, the stigma of having, you know, complete negligence with regard to online safety needs to be heightened, and the reward and the value and the appreciation for doing it right.
Ms. Easterly: Yeah. It’s the incentives.
Ms. Spaulding: So somehow we’ve got to – right.
Ms. Easterly: It’s the incentives, yeah.
Ms. Spaulding: We’ve got to get those incentives at every step of the way.
Ms. Easterly: Yeah. One thing that’s funny. You know, you talk about incentives. You know, it has been about costs and features and performance, and so security. I’m excited. We have a lot of the technology companies we work with very closely, and, you know, they’re the heartbeat of innovation and imagination and ingenuity, and such great security teams. I am very confident that they’re going to embrace this for a safer and more secure technology ecosystem. So I think there are good things that we need to come together and make a real difference, but we all need to make that, as you just said, a priority.
Ms. Spaulding: Yeah. Yeah, we’ve got to get the market to be more efficient and effective in that regard.
Ms. Easterly: That’s exactly right.
Ms. Spaulding: And I think having technology analysts include a column when they’re rating the newest device, not just all of its features but there’s a column on security –
Ms. Easterly: Yeah. Security, yeah.
Ms. Spaulding: – so then consumers get that sense that that’s something they should look for, right?
Ms. Easterly: Hundred percent, baked in. Baked in.
Ms. Spaulding: Yeah. Yeah.
Ms. Easterly: Yeah.
Ms. Spaulding: Well, Jen –
Ms. Easterly: Is it over?
Ms. Spaulding: Yeah. (Laughter.) It’s been great to talk to you.
Ms. Easterly: Good to talk to you.
Ms. Spaulding: I would say just a little plug. For those of you who are particularly interested in cyber-incident reporting, the chair of that Cyber Incident Reporting Council, Rob Silvers, undersecretary for policy –
Ms. Easterly: Yeah. Great friend.
Ms. Spaulding: – was my guest last week, and you can find our fireside chat online. Look there.
But, Jen, it’s been such a delight to get a chance to sit down and catch up with you.
Ms. Easterly: Thank you.
Ms. Spaulding: And you know, I told Jen when we – when we talked before this that she has made CISA cool – (laughter) – which is wonderful. As somebody who, you know, worked hard to bring CISA into existence, it’s just such a treat to see it in such capable hands. You and Chris Krebs before you have really brought that agency along and matured it tremendously –
Ms. Easterly: Thank you.
Ms. Spaulding: – and provided great leadership for the tremendous men and women who work every day in that agency.
Ms. Easterly: Yeah. Fantastic workforce.
Ms. Spaulding: So thank you. Thank you for what you do and thank you for being with us.
Ms. Easterly: Thank you for – thank you for you, everything you’ve done. Very grateful. (Applause.) And now the next part of this should be super exciting. I’m going to stay for it, actually.
Ms. Spaulding: Yeah. Yeah, indeed.
Ms. Easterly: Thank you.
Ms. Spaulding: Thank you, Jen.
Dr. Lewis: Yeah. I neglected to say at the beginning that I was really happy about this because we had the last NPPD director and the latest CISA director, and so that was really cool. But thank you. Great job.
Ms. Easterly: Yeah.
Ms. Spaulding: Thanks, Jen.
Dr. Lewis: And now we’ll take a brief period where they rearrange the furniture, and then we’ll go to the panel. If the panelists can get ready.
Dr. Lewis: Great. Thank you. We’re good to go. Let me introduce our panelists and let me again thank Jen and Suzanne for their discussion.
To my left is Val Cofield. Val is CISA’s chief strategy officer. She led the development of the strategic plan, which actually is pretty good so you should take a look at it. (Laughter.) Don’t say that about all strategic plans. Prior to joining CISA, she spent a long time at the FBI. So that’s a remarkable skillset.
To her left is Grant Schneider, who most of you know. He’s now the senior director for cybersecurity services at Venable. He was the chief information security officer for the White House and the National Security Council’s cyber policy director. And prior to being CISA – CISO – (laughs) – this is going to be hard, isn’t it? (Laughter.)
Grant Schneider: So many acronyms.
Dr. Lewis: Yes. More coffee.
He was the first deputy CISO and also the DIA chief information officer, which is a huge job.
Finally, to Grant’s left is Ron Green, chief security officer for Mastercard, a special agent in the Secret Service, a former Army officer. It turns out he and Jen were classmates at West Point, which is just wild. He chairs the Financial Services Sector Coordinating Council, vice chair of the Cybersecurity and Infrastructure Security Agency’s Cybersecurity Advisory Committee, and is chair of the Secret Service’s Cyber Investigations Advisory Board.
And I’m Jim Lewis. I work at CSIS.
So let’s start – I told the panelists we would have a few questions largely to react to what we’ve heard, but also to get their views on some things. Let me start by asking them – I like the strategy. I like the strategic plan. What leaps out to you? And Ron, why don’t we start with you. What’s your favorite part?
Ron Green: Yeah, I think one of the things that really stands out to me within the strategies that they focus on – enabling partnerships. Like, I think CISA has done a great deal to create just environments where they – you get mutual respect. It’s – they’re always engaging.
There’s, like, just a free flow environment that they’ve been able to enable. Transparency and partnership – I think the strategy helps to just to continue to foster that and make sure that CISA – CISA is able to achieve its objectives, which are helping the nation secure its infrastructure, so.
Dr. Lewis: Grant, you’ve done a strategy or two, what was your favorite part in this one?
Mr. Schneider: I think – along the lines of what Ron talked about, I think pillar four really resonated with me because it’s focused on the internal operations of CISA, which are so critical for CISA to be able to meet its objectives, to reduce risk, to work with critical infrastructure, federal agencies, state and local – all the partnerships that we heard about this morning.
And so I think that that is really critical of having a team of people – having the processes and the procedures and really being able to institutionalize the work of CISA, as it has grown so much. I mean it was a billion-dollar agency not too long ago. It’s a $2.5 billion agency today. And that’s a lot of growth, and just a lot of moving parts that all need to be synchronized in order to achieve its objectives.
Dr. Lewis: Val, it’s really not fair to ask you since you were – (laughter) –
Mr. Schneider: Which is your favorite child, as well. (Laughter.)
Valerie Cofield: Yeah, I know. That’s exactly the –
Dr. Lewis: It’s like asking a parent which is their favorite child, so we won’t do that. (Laughs.) But maybe you can make a few comments on –
Ms. Cofield: Yeah, I mean it was such an honor to be able to develop the first strategic plan for CISA. And I think what’s important – what was really important to me, and I know it was really important to Jen – is that as a growing agency it’s really – and coming from an agency like the FBI where, you know, there’s not a lot of influx of new people – CISA’s really in this interesting intersection of being on the operational front edge of things, and yet growing at a tremendous pace, right.
And it’s really hard to keep continuity, to really feel a sense of mission, when you’re new, right, and your leaders are new, you know. And everyone’s, you know, just – actually most of the leadership team when I joined CISA was less than a year old. So it’s really been – it was really important to me with the strategic plan to make it simple so that everyone in the agency could see themselves in it, and for it to be one that they can memorize.
And I really want to quiz everyone in the agency. I know Jen’s not going to let me, but – you know, everyone should be able to remember our four goals. It’s – the first goal is cyber defense. Our second goal is risk reduction and resilience. Our third goal is operational collaboration, and our fourth goal is agency unification, as Grant mentioned.
And you know, it’s just important that as we grow – and to your point, Grant, because if I did have to pick a favorite child, I would have picked that because I do think that that is so – it’s so crucial and key, right. It’s kind of ironic where we are the agency that has to build and protect – well, protect the nation’s infrastructure, right, both on the digital side – the cyber side as well as the physical side.
But then in our agency it’s really important that we protect and build our own infrastructure, and that’s so key. And to your point, we won’t be able to keep sustaining and growing at mission speed without having that backbone and that infrastructure to keep it together.
Dr. Lewis: I’m tempted to ask, Val, if it’s hard to answer questions with your boss sitting 10 feet from you. (Laughter.) But we’ll skip that one.
CISA is a big departure. Cybersecurity was an afterthought for DHS, and I got to brief one of the secretaries fairly early on, who gave me their top five priorities. Cybersecurity was not one of them, right.
So there’s been a remarkable change, in part because the infrastructure is something that’s important but in part because of all of the hard work that Suzanne and others and Chris and Jen have done.
But when you look at CISA, for me, lots of progress. Still a work in progress, though. What do you think the big challenges are for them? What would you say should be – and this is your big chance with Jen right there – what would you focus on beyond implementing the strategy? What’s the thing that seems to be an obstacle or a challenge for CISA to move ahead?
Ron, we’ll start with you again.
Mr. Green: Yeah. I think one of their biggest challenges is just finding the right team members. Like, they’ve done tremendously, just – but that’s despite a lot of the friction and headwinds that they have as a government agency when it comes to bringing talent on board.
Now, the cybersecurity workforce is an issue that’s a national issue. It’s across the federal government, it’s across all the private sector agencies, and it’s across CISA as well. And, you know, I happen to chair the Cyber Workforce Subcommittee for Jen as part of the CSAC and, you know, we really are spending a lot of time thinking about how to help reduce that friction. Like, on average, it’s, like, 18 months for, you know, someone to say, hey, I’m interested, and you go through all of the processes and say, come onboard.
Now, when you think about, like, just an average citizen trying to find a role or a job, CISA’s got to compete with organizations like mine. And, like, I thought, like, our 90-day thing was, like, long, but then you hear about 18 months and it’s, like, a person going through that process, it’s hard because they got to be devoted to the mission. Because if they got to care for their family, if there are other things that are weighing in on their life, that period of time of waiting to transition into the organization, that’s a little too long.
So working with them on smoothing that out, and then also helping to bring more people into the pipeline for them to have an opportunity to hire.
Dr. Lewis: So your focus is, really, workforce and expanding?
Mr. Green: Yes.
Dr. Lewis: Okay.
Mr. Schneider: I think – and Jen mentioned earlier the need for trust and the need for trust between CISA with all of CISA’s stakeholders, and there’s so many stakeholders, right. We have Congress. We have critical infrastructure. You have federal agencies. You’ve got IT providers. You’ve got state and local governments. You’ve got education.
Like, there’s just so many different stakeholders out there and it’s really hard to scale trust, right. Trust is something that’s built at – on kind of an intimate level and on a very personal level. And so I think, you know, CISA has the attention of all of the stakeholders, which is great, both from Congress all the way through state and locals and the nation understand or at least are aware that CISA is out there, to a large degree.
My mom might not know, but many people are. (Laughter.) And, yet, you know, they now need to build that trust, grow the trust, and really deliver on – and I think the strategy does a good job of this – having really concrete deliverables, stay pretty laser focused on those, and go deliver on them.
It’s very easy to get distracted by whatever tomorrow’s headline is going to be and cyber is now everywhere, right. Cyber is an aspect of almost everything that happens and it’s so influential and consequential.
But I think it’s going to be a challenge to stay focused on what are the things we can deliver on, how do we build our trust there, continue to grow it, and then scale that trust across all the stakeholders.
Dr. Lewis: Great. Thank you.
Ms. Cofield: I think one of our challenges is actually something that I think we’ve progressed on in many ways but I think we still have a long way to go – and I know this is a real priority for our director – is getting the CISA brand name out there.
It’s funny. To your point about whether your mom knows about CISA or not, I’ll have to admit that my parents – I’m from southern California, so far from the – you know, grew up far from the D.C. Beltway. All my parents probably know about where I work now is that it’s not the FBI. You know what I mean? (Laughter.)
And so we have – we do have a long way to go of just promoting the agency but also, more importantly, as we do that promote cybersecurity and I think this goes back to what Suzanne was talking about earlier about how important, you know, civics education is.
Well, how important cybersecurity education is, and, really, we’re working at CISA on that. We have initiatives to help starting as early as K through – you know, through 12, as well as partnering with academic institutions, colleges, and really making sure that our society understands that cyber technology – we’re not going back, right. It’s just going to continue to be ever intertwined with our lives and we really have to be more cybersecurity literate.
Dr. Lewis: Yeah. I’ve been doing this for so long I tend to overestimate how much people actually know, which is a drawback, because it’s, like, oh, the Chinese spy on us. Really? You just found out?
But let me go back to something Grant said, which is you said build trust, right, and that’s hard to do in the current environment when trust in institutions, generally, and including the federal government is eroding, sometimes rapidly, sometimes at a reasonable pace.
But what would you do to build trust? What would be things that CISA could do? I think that actually you’ve done a pretty good job so far, Val and Jen, but what more could you do?
So, Ron, we’re just going to keep doing the same order, so you – (laughter) –
Mr. Green: Yeah. And, again, the work that they’re doing to enable – it’s not dictating these are the requirements that you should adhere to or, like, even the Cyber Performance Goals. It was actually a very collaborative effort between, you know, various private-sector organizations to just get feedback on what would work, what makes sense.
So they spend a lot of time just hearing from people that are practitioners that have to do this stuff. And that collaboration – rather than dictating, rather than just laying down a law, being collaborative about how to come up with the right thing to – and their mission is hard because it’s not, hey, we’re just going to work with the Fortune 500. They’ve got critical infrastructures in large organizations. They got – also, they think about small business as well and they think about just the average citizen. That’s, like, huge. That’s everyone, which means when they speak, especially broadly, they got to deliver a message that can get to the lowest common denominator.
And so when they bring things like the Cyber Performance Goals forward there’s things for the corporate, there’s things for the small business, and there’s things for just the average person to think about, which is all really good stuff and that – all of that effort to pull that together in a way that can be communicated helps build a lot of trust.
I think there are other things that – you know, they can continue to drive on different initiatives. One, I think, that might be helpful is something like a cyber training regime that, you know, helps people go – again, goes from that K to gray, helping to pull that together to bring people into their organization but also to bring people into the broader marketplace as well.
Dr. Lewis: Grant?
Mr. Schneider: I think transparency, and transparency both on objectives and outcomes and the things that are in the strategy but also process transparency of, you know, what should any of the stakeholders expect when they engage with CISA.
What is that going to look like? What’s it going to feel like? What are, you know, turnaround times? All those things that – you know, when people think there’s an issue is when they start to get that divisive and they start to get distrustful.
And so, you know, it’s going to be a challenge of kind of bending over backwards to be very transparent on what is taking place, where the agency is focused, where are its resources going, all of the things that, you know, someone is going to come ask about, and that is going to just, you know, help build those partnerships.
The other thing is that I think trust is built out of a whole bunch of different engagements, right. Every time you engage with someone you build a little – you build or, I guess, you can dissolve some trust. But, you know, having more engagements with the stakeholders so that you can continue to let them know where you’re headed, what your objectives are, what their role is, and what you’re going to do for them.
Dr. Lewis: Great. Thank you.
Ms. Cofield: I think – I mean, I agree with all the points made here and, you know, one thing I will go back to that, I think, is important as a new agency and as we are trying to build this trust is really producing results, right.
We are on the receiving end of so many new authorities, so many resources, and we’re – you know, we are actively – it’s something that keeps me up at night, of really implementing the strategic plan so it’s not just this book that’s going to, like, lay on a – you know, as a table weight somewhere, but that it’s actually something that we live and breathe in our agency and that we will see results from it. And that we are – and we need to be very transparent about those results, and sometimes those results won’t be great, right? Like, sometimes we’ll have to tweak things and readjust. But it’s really important that we are in the business of really showing the American people, showing Congress, showing our stakeholders that we are here and we’re here to provide a service and we’re here to deliver results.
Dr. Lewis: I was smiling while Ron was talking because I was thinking my kids and all their friends don’t seem to have any trouble jailbreaking their devices or hacking “Grand Theft Auto.” So there’s an untapped talent pool out there that we got to figure out how to get into. (Laughter.)
But let’s come back to the question of trust because one of the issues that I think will appear in the National Cybersecurity Strategy that Chris Inglis is putting out is the move away from a purely voluntary approach, a move to some mandatory requirements. And some of us think that’s long overdue. Others, of course, are not entirely pleased with it. But where does CISA fit into this? I mean, CISA – originally, some of us thought maybe CISA should be the uber-regulator. That lasted about 12 minutes. (Laughter.) And then we thought, well, you should be the conductor for the orchestra of sector-specific agencies, and that has a little more staying power. But what’s the relationship here to trust and to CISA’s role as we move towards – and by the way, we’re the last country in the world – the last developed country in the world to impose mandatory requirements. As we move towards that, what’s CISA’s role?
Mr. Green: So I see them as more of that coordinator. And the reason I don’t see, like, regular – being a regulator an opportunity for them, that would be a detractor. I’m in a sector that’s heavily regulated around the globe. And although the regulations are a little bit different – and everybody tells you that they’re – (laughter) – like, 80 percent the same, but after a while the 20 percent are lethal, right? They’re just a burden. And so adding more regulatory isn’t necessarily helpful.
What would be helpful is very thorough – super thorough regulations, but that are harmonized, right? I can’t tell you just how much effort it is for our teams just to take the different regulatory requirements and analyze them and check a box against a set of controls that they have to manage against. And that actually doesn’t deliver security.
So the way that they’re operating as a partner, providing guidance but also receiving feedback and adjusting, and then working with regulators – you know, providing some guidance to regulators and not being a regulator themselves, so they’re still open to be that collaborative partner. Because the relationship with an organization and a regulator, there’s a difference. It’s the regulated and the regulator. The way they are now, they’re a partner.
Mr. Schneider: Yeah, I – so I completely agree on the harmonization, and I think – I think it’s going to be a balance. And I think it’s going to be a difficult balance because, you know, to Ron’s point, it’s kind of hard to be a partner and a regulator. And I think CISA definitely wants to, and I think it’s in the nation’s best interest for CISA to be in the partner mode.
That said, there are more regulations coming out in this space. The need for harmonization of them is really important. And I’m concerned that if we get too much regulation in this space that cybersecurity could potentially become a divisive thing in our nation, because regulations kind of are to some degree and cybersecurity has enjoyed being, you know, nonpartisan/bipartisan, you know, an area where, you know, leaders can come together and work on the overall good for the nation. And so I think that balancing what we do in the regulatory space is going to be really important to not, you know, slide into where cyber somehow or the regulations around cyber can be used, you know, against each other and therefore against cyber, which would really be detrimental for the cause that we’re trying to get to.
So I think the harmonization’s going to be really important. I think that’s going to be a challenge because CISA has the council and, you know – but no real authority came with the council other than we think you should go work to harmonize things. So that’s going to be a bit of a challenge.
Ms. Cofield: Yeah. I think harmonization definitely is one of the key things that we need to work on. But collaboration – and I feel like collaboration, though, in the sense of CISA being able to be a great translator for the regulators on what the private sector’s issues are, I think that’s, you know, a very unique role that CISA can play because we do have that cybersecurity expertise and many of the regulators do not. And we’ve been seeing that, too. They lean on us for input and advice.
And so I do think it is going to be a hard tightrope to walk in certain senses, but I do think that it’s important. And we – you know, it’s one of our third goals, is operational collaboration. And so we really do want to work together with industry, you know, to strengthen cybersecurity, as well as with our regulators to rationalize and harmonize whatever regulation might be coming down the pike.
Dr. Lewis: I’d note that harmonization is really hard. And we tried here a few years ago with the Monetary Authority of Singapore and the Bank of England to come up with harmonized standards just for the financial sector, and it turns out everyone’s position is always you should harmonize to mine, right – (laughter) – which doesn’t scale.
On that note, though, one of the big changes this year – again, a place where the U.S. – I said this before. We tend to come up with really good ideas and then we tend to be the last to implement them. So, finally, incident reporting, right? And, Val, you probably knew when you were in the FBI that the way most people knew they’d been hacked was that someone – an FBI agent came to their – and knocked on their door and said, oh, by the way. What’s going to change with incident reporting? And this links back, I think, to some of the – it will create pressure for some mandatory actions, but what’s going to change with incident reporting? What do you think about thresholds? We’ve got a lot to talk about here.
Mr. Green: (Laughs.) I think it’s a – reporting is another thing that could really take advantage of harmonization. I think it’s great that we now have a vehicle for CISA to receive information when organizations are compromised. And it’s handled in such a way that the organization has a degree of confidentiality in what it shares with CISA in order to get the right attention and the right help to the organization.
It’s an awesome start. I do think there’s, again, that opportunity to, you know, whisper in the regulator’s ear to try and get some alignment. And not just with federal – like, federal or local; international would be awesome because, as an organization that has an international footprint, we have teams of people that, if something happens, you have to analyze it under the different sets of rules of how to respond to this particular thing. Which is – again, that’s a lot of toil and it’s, like, a lot of extra work that’s not really helping anyone.
So it’s good that they have it, the more harmonization that can drive. And then getting, like, more clarity on definitions of, you know, what is an incident, and you know, just being – giving them an opportunity to help provide clarity as we – as they continue to drive and implement that I think will be awesome things that can then just reinforce that trusted partner that they are and help, you know, those within the private sector, those within the critical infrastructure do the right things to help the nation.
Dr. Lewis: I’m tempted to ask Ron which is the most annoying jurisdiction to work in, but I won’t put him on the spot. I will put him on the spot in that: What do you notify to your board when there’s an incident? What’s your threshold internally? How does that work? And you don’t tell everything because there’s so many.
Mr. Green: Yeah.
Dr. Lewis: What do you notify?
Mr. Green: You know, certainly, well, we tell them quite a bit, a lot of things that wouldn’t rise to the level of a notification to CISA as a requirement. But a lot of times we share with other financial institutions and other enforcement agencies the things that we’re seeing, and I would say that’s actually below the threshold that we report to the board.
I think – well, for things that we report to the board, certainly material things. Like, those are – those are given. But anything that’s new or interesting or just abnormal that’s – because there’s, like, millions upon millions of attacks or attempted attacks that we see. But things that are interesting or unique, we’ll discuss it with them. One, it helps to educate them. Our board members are – like, they’re board members for us, but they’re board members in other places. And it helps them to think about it when they go to the other boards to think about it, to just share what they now know. And then lets them know that, look, we’re on game; we’re looking for these things, and we want to make sure that you know that we are on game.
Dr. Lewis: Maybe we can come back to that. But let’s ask Grant about incident reporting first.
Mr. Green: Sure.
Mr. Schneider: Yeah. So in my current role I get to work with industry groups, technology companies, as well as companies that have been victims of cyberattacks. And I’m working with a number of different organizations on the CIRCIA, you know, RFI and responses. And I think it’s – what most organizations that I run into aren’t concerned about – you know, many have concerns about what they share with the federal government.
But a lot of that, particularly from a victim’s standpoint, you know, they’re worried about the legal liability that may come to them because of information that they share. Is that going to become discoverable in a court case? Is that something that their investors are going to get hold of and they’re going to, you know, find a liability or something that they did wrong that essentially was the cause of the incident? They’re not concerned with sharing, you know, even what happened in details of it with the government.
And so the legislation provides some protections for information that’s going to be reported to CISA, which I think is really, really important. And I think we’re going to see, you know, most organizations get it and understand and are going to lean forward. And they want to find the right balance. They want to be able to be sure that, you know, the definitions are something where they have some kind of, like, materiality, where they have some ability to look from a risk management and from their business operations, when is the threshold met, and be able to do that.
I think the other really interesting thing for me out of CIRCIA is going to be – and Jen and Suzanne talked about this – what comes out of the reporting that goes to CISA, right? What comes back to – you know, maybe the company that reported it, but certainly the ecosystem writ large, and how is that information going to be helping, you know, the greater good? How is that going to help the nation? Because I think as we get good examples and the ability to say, hey, we got these things reported, we were able then to stop four more, you know, malicious activity. That’s going to be really powerful, because people feel good – hopefully will feel good about I helped stop something; I helped prevent something. And we need to, I think to Suzanne’s point, make that more beneficial than, you know, I hid this from everyone because I was scared about it.
Dr. Lewis: Yeah, I think something Jen said, where if you’re in a neighborhood and your neighbor gets robbed, you want to know just so you can be more conscious of the risk. That will be a good mechanism to work out.
Mr. Schneider: But if I left my doors unlocked, I might be embarrassed to tell my neighbors that I didn’t lock my door or I left a window open, right. I mean, there’s another side of that that is understandable. And so we have to find a way that you can provide that and not have it be shameful or liable.
Dr. Lewis: You’re not embarrassed that your password is password12345? (Laughter.) And a dollar sign. I’ll never figure that out.
Mr. Schneider: Exactly.
Dr. Lewis: Val.
Ms. Cofield: You know, we really think at CISA that CIRCIA is going to be a game changer. And it’s funny, because we live in an age where we have all of this data, but when it comes to cyber incidents, it’s really an incomplete picture. And, you know, when you look at what’s – you know, the recent spate of – well, it’s still ongoing, right – of ransomware and how, you know, we have rallied, I feel like, over the 10 years that I’ve been doing this type of work, as an interagency community, really taken this threat very seriously and tried to think about creative ways to mitigate against the threat, but really for us to know if any of our mitigations have had any great impact. It’s hard to really tell, because we have a – we don’t have a complete picture, right. We need that data. And so, you know, I know that I’m excited. I know our agency is really excited for the rulemaking process to – (laughs) –
Mr. Schneider: You said that out loud.
Ms. Cofield: (Laughs.) I know. You know, when we see –
Dr. Lewis: We’ll excise that from the transcript. (Laughter.)
Ms. Cofield: But, you know, when we actually finally see the results, right, the fruits of the CIRCIA legislation, which will be a few years from now. But we do think that that will be so important.
And to Grant – to add to Grant’s point, you know, I think what is going to be really interesting is the analysis, the reporting that we could hopefully provide, you know, to help companies, citizens, protect themselves better. I think that’s going to be just really a game changer. So we’re excited.
Dr. Lewis: I have a ton of questions, and we’re just not going to get to them. We have time for one more. And I don’t know which one to pick, so I might try and blend them both, right? (Laughter.)
One of the things that’s been interesting to me this week is the ruling in the court case about what qualifies as an active war for insurance purposes, and this touches back on the issue of materiality.
One of the things that we learned from the unhappy experience of an SEC requirement to notify is that it was set – it had to be material, and it turned out that for many companies back then most cyberattacks weren’t material. Because if you’re Sony Pictures and you lose a few million dollars, it’s just not a big deal, right, and that was a shock to me.
What’s materiality – one more try. What’s – (laughs) – two more tries. What should we be looking at now? Because we need to get a clearer picture in our heads. We’re talking about changing the market, changing public views. What would you tell people here’s what you need to worry about? And it can’t be the millions of attacks that we see daily.
Mr. Green: Yeah, materiality is – there’s no set definition of what that is, right? We have a group within the organization that thinks about what – we express this is the incident, and then they think about materiality and how that relates to, you know, our standing within the marketplace.
You know, I’ve had discussions with people that have been working with the chairman of the SEC, and it – materiality is different by organizations, right. If you’re a large organization, a small thing with, you know, tens of millions of – it’s not material, right?
But for a smaller organization, the mere fact that something happened – it might not be multimillion dollars, but because it impacts so many of your customers – like it affects a lot of your customers, and if those customers are all attacked or affected, that will, you know, cripple you. A small remediation on your side, but the impact of your customers now places a different level of what materiality is for you.
So if you’re asking me what the definition is, you have to have a good team on board that can look at the – because it’s a case-by-case analysis to determine what materiality is. So I didn’t actually answer your question, but you’ve got to be thinking thoughtfully about it.
We’ve tried to define it in like a set term, goal, and it just – it’s hard to work out because there’s so many nuances depending on the particular situation.
Dr. Lewis: No, I know that from the U.N. It’s never define something. But how does this affect what CISA should be doing? The issue of materiality, how does it affect what they should be thinking about?
Mr. Green: I actually don’t think they should be thinking about materiality. In fact, the level of reporting – there was something we talked about when we started the Shields Up. It’s just lower the reporting thresholds. So it’s not – we’re not thinking about materiality, we’re just thinking about something happening. Something unusual happened, and we just want to let everybody know.
Because alone it may mean nothing. You know, it’s just a thing that happened to us, and you know, it’s not that big of a deal. But if they see it, perhaps it is something that’s more systemic, more large-scale.
So materiality isn’t – I don’t think that should be their focus. It’s just getting as much information as they can because then they can have a better picture of what’s actually transpiring or taking place.
Dr. Lewis: Great. Grant? You’re at a law firm. You should have a strong view.
Mr. Schneider: I should have views. (Laughs.) No, I agree with Ron. I don’t think materiality is the right threshold for CISA. It makes sense for the SEC looking for what’s a public disclosure, you know, someone as a potential ambassador in a company would want to understand. There that makes sense.
But I think for CISA – where you’re looking at what information can you turn back around, right, what can you get back out and try to prevent future incidents – I think it’s a different calculus because, you know, someone having their Windows XP box compromised and, you know, a hundred million people’s information go out the door, I mean that’s bad.
But it was their Windows XP box, right? I mean, that’s not a novel thing. That’s not something that – I mean, yes, CISA could put a new alert out on Windows XP, but that’s not necessarily going to help the ecosystem. I think understanding, you know, when is there something new or distinct happening? When – you know, what type of information do we need to collect so that we can see trends, so that we can see something that, you know, maybe was a known vulnerability, but it wasn’t on the KEV list, it wasn’t a known exploited vulnerability. But now we’re seeing it shift onto there. How do you get ahead of that so that you can update that list to get that type of information out? So I think it’s more of around the what is happening than the consequences of what happened, for CISA’s reporting.
Dr. Lewis: And, Val, your background, particularly at the FBI, probably gives you some unique perspectives on this. So when you hear this, what do you think of thresholds? What would be a good threshold for reporting, for action?
Ms. Cofield: I mean, I think, you know, from my FBI background, you know, there were obviously thresholds that the FBI had to consider as a federal law enforcement agency on whether they would – it would be use – a better use of their resources to investigate a certain crime, or, you know, whether that would be sent to state and locals. But I think when I look at my role here at CISA, and what we’re – the mission of CISA, I tend to agree with what Grant and Ron are saying, where, you know, what CISA’s really trying to do is we want to be preventative, in as much as we can be preventative in this world. And so I feel like, in that sense, we do need to see everything, right, or as much as we can, because we don’t know when that piece that we see today will be connected to something that we see tomorrow. And then is that going to be a growing trend?
And I think that’s where, you know, it was so important for us, like you mentioned during Shields Up, for us to make sure that we lowered the thresholds of when we would share information with each other, whether that was within the federal government or with the private sector. And, you know, we wanted to be able to make sure that we could have as complete a picture as possible, again, even though we know that we have an incomplete picture that we’re working with. And so I agree that it’s more that we need to have this ability to be able to ingest information at mission speed, and analyze it, and get it back out as soon as we can to our partners.
Dr. Lewis: Great. We’re actually at the end of our time. And the topic today was CISA’s strategic plan. I think we covered it, but any final remarks that you want to make about it? As I said, I like it. Which I don’t like all strategies, so this is good. (Laughter.) What do you think? Is the way ahead – what’s the way ahead?
Mr. Green: Just on the strategy itself, I think it’s awesome that they have one, right? (Laughter.) So often you can go and just drive and not really have a plan of how you’re going to get from point A to point B, but now there’s a plan for point A to point B. And, you know, things change, people change. And the mission can continue because they have that plan. And I think they have one. Just keep pushing on it and execute.
Mr. Schneider: I want to go back to something – the workforce that Ron talked about earlier. And I think having a plan is great. Getting the people, getting them on board, getting them on board in a timely fashion so that by the time you’re – the government’s giving them a job offer, they haven’t, you know, had two different jobs, which I’ve certainly seen in my career. But I think getting that workforce and getting the workforce excited about the mission, and I think the strategy gives them, you know, something to help get the workforce, both current and future workforce, excited about.
Ms. Cofield: Yeah. I mean, I would make a plug for everyone to read the strategy. The strategic plan is really an easy document to read. I mean, that’s one of the – some of the feedback that we’ve gotten from numerous people, is that you don’t have to be a techie to be able to read our strategic plan and understand what we’re trying to do and where we’re trying to go over the next three years. So I encourage everyone, go to cisa.gov and read our strategic plan.
Dr. Lewis: Yeah, you were right. It’s simple and readable. So I actually thought that was congratulations for doing that.
I’ll close with a story from 2012 when we were pushing legislation on the Hill. It was the Lieberman-Collins bill. And a Democratic senator, who’s still serving, walked up to me and said: You want to give all these new authorities to – for cybersecurity. Who would you give them to? And I kind of weaseled out. I said, well, the administration position is to give it to DHS. And he just shook his head and walked away. (Laughter.) That was 2012. No one would do that now. And so it’s a tribute to the work that’s been done in the last decade, really, to build this into an organization. Still work to do, but great path, great strategy. Thank you for being on the panel.
Mr. Green: Appreciate it.
Ms. Cofield: Thank you.
Mr. Schneider: Thanks. (Applause.)