Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency, visited Seattle to listen and build bridges, not to point fingers or rattle cages.
Easterly, a U.S. Army veteran, two-time Bronze Star winner, and former National Security Agency counterterrorism deputy, explained Thursday that the agency focuses neither on regulation, intelligence, nor law enforcement, but rather on partnerships — describing cybersecurity as a “team sport.”
“Cybersecurity is not a problem to be solved,” Easterly said during a visit to Amazon’s headquarters. “It’s a risk to be reduced by working together with the federal government, state and local governments, with our private industry colleagues to ensure that we are collectively driving down this risk to the nation.”
During her Seattle visit this week, Easterly met with a variety of companies and agencies in the region, discussing issues including infrastructure and election security.
Her stop at Amazon focused on the cybersecurity talent gap, the shortage of workers needed to help businesses, nonprofits and other organizations find employees with the ability to keep their systems secure.
Steve Schmidt, Amazon’s chief security officer, highlighted the pressing nature of the problem at the outset of the meeting by noting that his division of the company currently has 1,200 open positions to fill.
“We have to work continuously to ensure that we’ve got the right skills, the right people, and the right pipeline,” Schmidt said, describing Amazon’s initiatives to educate the public and retrain its own workers.
Easterly listened and took notes during the roundtable discussion as educators, administrators, and local government officials offered ideas for addressing the long-term talent gap by getting kids in grades K-12 engaged and involved in cybersecurity, boosting the chances that more of them will ultimately choose careers in the field.
Their ideas ranged from the practical, such as getting tech companies more engaged in developing curriculum; to the novel and creative, such as an initiative to create a new cybersecurity superhero.
Easterly cited research indicating that people in underserved communities, particularly Black communities, have a disproportionately negative connotation of the word “cybersecurity,” associating it with law enforcement. She noted that some in the industry have started using the phrase “data care” to better reflect the nature of the field.
But CISA (commonly pronounced siss-uh) also has unique insights into the flaws in software and cloud services that are commonly exploited by attackers, as the agency responsible for the U.S. government’s Coordinated Vulnerability Disclosure Process.
Easterly, who also visited Microsoft during her Seattle trip, addressed the need to hold tech companies accountable in response to questions from GeekWire. Continue reading for edited highlights from her comments.
“It is unfortunate that we’ve now accepted this cultural norm that software just comes with a ton of vulnerabilities.”
CISA Director Jen Easterly
Software vulnerabilities: “One of the things I talk a lot to our technology teammates about is the increasing need to create technology that is secure by design. … It is unfortunate that we’ve now accepted this cultural norm that software just comes with a ton of vulnerabilities. And so we need to work together to ensure that technology companies take accountability for building things that don’t put the risk on those least prepared to be able to accept it.”
Multi-factor-authentication by default: “I often talk about MFA as the seatbelt of the information superhighway. And you wouldn’t buy a car without seatbelts and airbags. It’s really, really important that all of the technology companies — and I think this is moving in the right direction — are building and engineering their products and their software so that security is baked in. At the end of the day. I can tell people over and over again — and I do — that they should enable multifactor authentication, but it should come so you don’t even need to worry about it.”
Holding tech companies accountable: “There’s three levels of how these things happen. Enlightened self-interest; it’s the right thing to do. Market forces, because there’s competitive pressures. And then there’s regulation.”
Using the bully pulpit: “I am certainly not a proponent of regulation, because we’re a voluntary agency. And part of the magic of our model is that we create trust and partnership with the technology companies to put the pieces of that puzzle together. All that said, I will continue to use my platform and my voice and the bully pulpit of CISA in the U.S. government to call for technology companies to take greater accountability to build security into their products.”
Tech as critical infrastructure: “This is not a problem that’s just about Microsoft or just about Amazon. This is something that all of the companies who are building software and products need to internalize, because, whether they’re officially called critical infrastructure or not, they are the backbone of all critical infrastructure. In some ways they’re probably the most critical infrastructure and so it’s incredibly important that they take accountability for their role in our national security, our economic prosperity, and our public health and safety.”
