Cybersecurity has become a national security imperative, with recent incidents and ransomware attacks causing cascading impacts to government, industry, and citizens alike. This panel will feature key federal and private sector leaders discussing how the community can capitalize on the momentum of the moment to stop responding—and start preventing—incidents before they occur.
>> Please welcome Bobbie Stempfley.
>> BOBBIE SEMPFLEY: Well, good afternoon. Thank you so much for joining us this afternoon. It is my distinct pleasure to have this esteemed panel here to have a conversation about cybersecurity and its national security imperative.
So this is, like, the topic of the day; right? We're in the midst of this thing called a conference at RSA. Is that where you guys are? Okay. Good. Good. Glad to have you here, and thank you all for coming and involving yourselves in this discussion. And thank the audience for coming as well. Really looking forward to a rich dialogue.
I don't think any of my panel members need an introduction.
>> CHRIS INGLIS: Good.
>> BOBBIE SEMPFLEY: But ‑‑ good. Good.
>> JEN EASTERLY: (Laughs)
>> BOBBIE SEMPFLEY: See, there you go. Love it. But what I'd like to do is to start our discussion today with the topic of roles and responsibilities. Right? For a long time we've talked about how cybersecurity requires a whole of government approach. We've got three chairs on the dais. This isn't quite the whole of government here. We need a few more chairs to be the whole of government. But if you could just expound for the audience here: What are the roles and responsibilities, and why does it seem complicated? You want to ‑‑
>> CHRIS INGLIS: Can I start?
>> BOBBIE SEMPFLEY: Please.
>> CHRIS INGLIS: So ‑‑ thanks, Bobbie. Thanks for hosting this, and thanks to all of you for showing up for this.
I think the picture may look complicated. And oftentimes the picture that's shown when somebody says, "Who's in charge of this?" it's not half as complicated as it actually is. But it's only a picture; right? You know, a flock of birds doesn't look like that's a particularly orderly thing. A picture of the Department of Defense doesn't look like that's a particularly coherent thing. It's not about the picture; it's about the video. It's about the life forces that course across a system of interest.
You need stovepipes. That's where deep and sharp expertise comes from. But you also need these cross‑cutting activities. And the sum of those actually generates a coherent organization.
Rob Joyce, deep in sharp expertise from the National Security Agency, providing a rich play of information into the private sector for the purposes of understanding what those vulnerabilities are and what they mean to the private sector.
Jen has a deep and sharp expertise in trying to bring a lot of that together so that we can push that to the private sector across a number of different critical infrastructures.
Those two things actually complement one another. It's not a choice between one or the other. We have to do all of that. But my job increasingly as the National Cyber Director is to sort out those roles and responsibilities to ensure that they all complement one another. But if you want an effective organization, it has to be by design complicated in the picture, and it has to be fluid, and it has to make sense and coherent in the video.
>> BOBBIE SEMPFLEY: So it needs to be complicated in order to be simple.
>> CHRIS INGLIS: Well, it needs to be diverse. Maybe "complicated" is not the right word. So I took the bait.
>> BOBBIE SEMPFLEY: (Laughs)
>> CHRIS INGLIS: It needs to be diverse. It's needs to have a lot of diverse capability, which means that it's going to perhaps exceed your field of vision, but when it gets moving, you'll know that it's working when actually you have some degree of fluidity and coherence and competence as it applies its talents and expertise right to the problem at hand.
Again, look at the U.S. Department of Defense. It boggles the mind why you have all of those kind of line items on that, and yet when it enters the field of battle and it essentially achieves what are called joint operations, it's mastery; right? It actually works. Deep expertise comes from stovepipes. And the employment of that in a coherent, collaborative fashion is what you want.
>> BOBBIE SEMPFLEY: Thoughts?
>> JEN EASTERLY: Yeah. I mean, I'll add in just in terms of CISA, the newest federal agency in the U.S. government, we were created at the end of 2018 to really realize the vision of the Congress, which was we needed a cyber defense agency for the U.S. And so while we were built off the back of a staff element that found its provenance in physical security after 9/11, over the past couple of years we've been growing in terms of authorities and budget and personnel, very much focused on building a cyber capability to defend the homeland and critical infrastructure.
So our mission is to serve ‑‑ to lead the national effort, to understand, manage, and reduce risk to the critical infrastructure that Americans rely on every hour of every day.
Critical infrastructure, it sounds like a terribly technical term, but it really is just the water, the power, the transportation, the communications that underpin our daily lives. And this is and has to be by design a joint endeavor with the private sector, who owns the vast majority of critical infrastructure. And so we serve a role both in terms of protection and defense of government networks, but perhaps more importantly because of that critical infrastructure piece is the national coordinator for critical infrastructure resilience and cybersecurity.
So I actually don't think it's that terribly complicated, but I think that's a function of the fact that over the past year, all of us who've known each other for a very long time have come together to try and forge much greater cohesion and coherence across our mission sets, whether it's cyber defense, foreign intelligence, cybersecurity, or investigations with our partners at the FBI.
I will say that when I was in the private sector at Morgan Stanley for four and a half years, I did look at the government as feeling pretty disjointed and incoherent and not necessarily knowing how to interact effectively. And I think between us and some of our other teammates on Team Cyber, I think we've tried to make a lot of progress on that. And you see it in things like the products that we point out ‑‑ that we put out, which are now almost always multi-seal products between CISA and NSA and FBI and usually others. And I think that, again, is emblematic of the type of coherence that we are trying to forge across the federal cyber ecosystem.
>> ROBERT JOYCE: Great. And I think, you know, as always, Chris is eloquent in his analogies and explanations; but, you know, we bring this deep expertise and a unique capability to reach into foreign networks and understand the threat, and that's, you know, something that is used extensively by CISA and other elements of the government to then figure out where we can go to disrupt and interrupt those threats.
Recently, NSA has been given some focus in the role in national security systems, where often the most important classified information, war fighting information, is housed. And so we try to bring that technical expertise into that realm as well, which also integrates to our defense department's work in the defense industrial base. And so it is this collaborative where we're working together and pulling on our strengths and the components across government and increasingly with foreign partners as well; right? We've done a really good job in bringing to bear the expertise across nations, not just individual agencies.
>> CHRIS INGLIS: Bobbie, if I could just ‑‑
>> BOBBIE SEMPFLEY: Yeah.
>> CHRIS INGLIS: ‑‑ add to all of that to say, you know, our proposition, our slogan, the bottom‑line slogan is we propose if you're a transgressor in this space, you have to beat all of us to beat one of us. That means you won a very diverse, broad front of capability and authority that's brought to bear in a collaborative fashion. And to Rob's point, in the largest possible coalition, meaning an international coalition.
>> BOBBIE SEMPFLEY: So I –- and there was several themes there that I think we should tease out a little bit. We've been talking for a long time about coherency and alignment and orchestration. And I agree with you, the collaboration is certainly much better than it has been in the past. What happens when different people are in your seats? How do we sustain that post the three of you on the stage?
>> ROBERT JOYCE: Well, I think there's an enormous amount of process already. Right? Jen talked about the multi-seal reporting and collaboration that goes into the advisories. That is not Rob calling Jen and us working on the words in those; right? That is now a very natural collaboration as those things get built and then improved across all of our different lines of expertise.
>> CHRIS INGLIS: So good or bad, culture eats organization for breakfast. So we need to make sure we establish a positive, compelling culture that essentially outlasts us.
>> BOBBIE SEMPFLEY: What are you doing to do that?
>> CHRIS INGLIS: Here we are.
>> BOBBIE SEMPFLEY: Okay. (Laughs)
>> JEN EASTERLY: Yeah.
>> CHRIS INGLIS: Hopefully.
>> JEN EASTERLY: On, that, I mean, it's particularly important separate from the collaboration and all of the important cohesion relationships we're building across all of our entities, you know, as the newest government agencies, I probably spend, you know, more than 50% of my time on building the culture of the organization, developing our core values, our core principles, ways to weave these through the fabric of the organization, and at the end of the day it's all about our people. How are we building an ecosystem that allows us to attract and retain the best talent to be able to help defend the nation in cyber? And that comes down to how we treat our people, how we develop them, how we treat other people, how we treat our partners.
And that really -- completely agree with what Chris said. You know, culture really at the end of the day is the most important thing when you are trying to build a great organization. And so I would absolutely foot stomp that.
>> BOBBIE SEMPFLEY: Well, and we talked ‑‑ I think, Chris, you mentioned and Jen certainly, the private sector as an important part this; right? One of the things that we've said a long time is the private sector can't be treated as one, you know, sort of homogeneous entity.
So there's a number of collaborative constructs being created or in existence to coordinate with the private sector. How are you extending that culture to them? Is there a rationalization of them that is happening?
>> JEN EASTERLY: Yeah. I mean, I'll start. You know, one of the things that we've really benefited from over the last few years, we, CISA, was the terrific work of the Cyberspace Solarium Commission. And, of course, Chris Inglis was commissioner there. And I've got several board members who were commissioners there.
And it was really sort of groundbreaking work for those of you who are not familiar with it or have not had the chance to read the commission report. You know, the government stands up a lot of these commissions, and some of them write long reports, and then they go away and sit on the shelf. This is one that truly off the back of a lot of work with Congress and because they had several congressional members on the commission that actually got a lot of important stuff done.
And CISA benefited by that in many ways and many authorities that came to us, but one of the most important, in my view, was something called a Joint Cyber Planning Office. And the idea was you want to bring together the federal government, the federal cyber ecosystem, NSA, FBI, CISA, DOD, DOJ, the Office of the Director of National Intelligence. We've brought in Secret Service and now Chris' office and the National Cyber Director, along with the private sector, to plan together, to operate together when it comes to cyber defense operations.
And so by law, we have the entire federal ecosystem together, working together with the private sector. And we started operationalizing this at the end of last year. Our first big test case was during Log4j, where we were able to bring together again the federal cyber ecosystem, but, importantly, the 25 biggest technology companies in the world. And why is that? Because they have incredible visibility that we just don't have.
It's not lost on anybody that SolarWinds was not discovered by the U.S. government; it was discovered by a private cybersecurity vendor. And so we want to be able to share that visibility so we can identify those dots, connect those dots, and drive down risk to the nation at scale. And we've been extending that since the war in Ukraine started, working together, planning together, implementing what we call an operational collaboration model, where we're sharing information in near real time through a very exotic technical tool called Slack ‑‑
>> BOBBIE SEMPFLEY: (Laughs)
>> JEN EASTERLY: ‑‑ that has enabled us to really share insights and information and analysis in a way that the government and the private sector has never done before. And it's starting to build momentum, but, most importantly, it's starting to build trust. And, you know, if you can't have trust in the space ‑‑ if we can't have trust in the stage, if we can't have it with our private sector partners, and trust is built through transparency, responsiveness, humility, gratitude, and everything that says we want to add value from a government perspective, and you from a private sector want to add value. Let come together and do it collectively for the defense of the nation.
>> CHRIS INGLIS: If I could add to that, what Jen has described is exactly right. And it's not discretionary in any way, shape, or form. It's not icing on the cake, it is the cake, collaboration.
What we've been doing in cyberspace for many years ‑‑ too many years ‑‑ is practicing what I would describe as division of effort. Everyone defends their patch based upon the limited authorities, limited insight, limited abilities that they have. No one of them, no one of us can defend themselves, let alone all of us against all perils, because they simply don't understand them. They can't see them. They can't deal them. They can't arrest them. They can't evict them.
On the eve of the Ukrainian crisis, the U.S. government, not alone, but the U.S. government was in possession of exquisite, rich granular actionable intelligence, and it provided that to the various parties that would then be the actors that had to deal with that, that had to do something about it. Now it's now kind of a public story. Provide it to allies, but also provide it to private sector partners that we thought might be on the front lines of a skirmish that if it kind of went to the cyber domain that they would need this.
That for them constituted strategic warning. It was clearly a declaration of thunderstorm on the near horizon. That's when Jen and others called for shields up, and we went full on in terms of protecting ourselves. But what everybody wanted know was when is what going to happen. I don't know. Those choices haven't yet been made. Right?
And in order to determine that, we have to actually combine all of our insights, all of our capabilities, all of our authorities because no one of us is probably going to see it for what it is. We'll have a shard, a shred, a hunch. There's some things we can only discover together that no one of us could discover alone. That collaboration that Jen described, that professional intimacy, is essential going forward if we're to get a handle on this, if we are to actually make it such that a transgressor needs to beat all of us to beat one of us. Crowdsource them the way they've crowdsourced us.
>> ROBERT JOYCE: Good. And one of the other things we've found with working with industry is that trust is also proportional to the size of the room. Right? And inversely proportional to the size of the room. So at times you need small groups where you can bring together the folks that have pieces of a puzzle.
And what we ‑‑ where we get outcomes is not throwing a single piece over the fence and saying, here, take this. Defend against this. It's the story, the context, and the interaction, and the collaboration that goes on beyond that.
So what we've found is there are elements in the private sector that have exquisite insights into parts of the Internet that bad actions are taking place, but they may not appreciate that in context. And so when we can overlay the things the government knows with the things private sector knows, often that is very revelatory.
And, again, whether it is the law, the privacy, or just the trust, there has to be some formats and some platforms that those can be brought together. Sometimes in the town hall settings and sometimes in very small, one or two, exchanges that can then build up the expertise. But it, again, comes down to you don't ‑‑ you don't get together and decide you're going to play on game day. You've got to practice and build that team well in advance.
>> BOBBIE SEMPFLEY: Well, certainly you have to know the team, right, in order to build it.
So the interesting thing is -- I'm sort of struck by this -- where we need to collaborate with many people. So there's a scale comment that's here, but that scale is the inverse of your trust building activity.
>> ROBERT JOYCE: Yes.
>> BOBBIE SEMPFLEY: And so how are you thinking about the navigation of that? Right? Because we have to do this at scale and at speed.
>> ROBERT JOYCE: Yeah. So for NSA we have the Cybersecurity Collaboration Center. We don't have the ‑‑ you know, the scope and scale of the CISA environment or the JCDC, but it's intimate, and it's trying to be at the biggest defense providers, the people who can be in the fight with expertise and data. And then, you know, the biggest companies who have the ability to not only see something, but do something about that problem.
>> BOBBIE SEMPFLEY: And that relates to JCDC?
>> ROBERT JOYCE: It does.
>> ROBERT JOYCE: So NSA has the Collaboration Center, who is focused on the defense industrial base. So that is -- the DOD is the sector‑specific risk management agency. But often the things we do there have implications well beyond the Department of Defense. So if we can help a big cloud provider or a big incident response firm take action, that will scale out into international proportions; right? But that same expertise and information is also in the CISA collaboration that we have.
>> CHRIS INGLIS: And, Bobbie, I would say that ‑‑ I'm not going to use the word "complicated."
>> BOBBIE SEMPFLEY: (Laughs)
>> CHRIS INGLIS: I would say it's bigger than that and better than that, meaning that you also have the Department of Treasury that deals with the financial sector, the Department of Energy that deals with the energy sector, and so on and so forth. You've got 16 critical infrastructures that have been formally defined, probably a couple more that are perhaps informally defined. Every one of those deserves to have an interface to the government that speaks their language, that understands in the day‑to‑day grind, bump and grind of cyberspace, something about the specifics of the extension of digital infrastructure into their space. Rob does that for the defense industrial base, and I think that then complements what Jen does, to try to bring all those strands together and serve the collective needs of the critical infrastructure.
>> JEN EASTERLY: Yeah. I'm going to add a couple things. You know, we do want to start small. We've been around, JCDC specifically, about nine months or so. And we are very aware that building trust is hard, and breaking trust is easy. And so we have started small. We started with what we call our alliance partners, which are the technology companies with the greatest visibility. Think ISP, CSP, software companies, cybersecurity vendors.
During Ukraine, though, we opened up a separate channel working with our treasury colleagues of 22 of the biggest banks because of the potential vulnerability given retaliation from Russia with 38 of the biggest energy companies working hand in hand with DOE, the Department of Energy, and TSA because of potential retaliation there.
And so we are building the model deliberately, but, again, very mindful that to build that trust, we have to do it by protecting people's privacy, protecting people's data, being transparent about it, being responsive, and really adding value.
I think one of the really positive things over the past couple months is the amount of classified intelligence that has been declassified ‑‑
>> BOBBIE SEMPFLEY: Yeah.
>> JEN EASTERLY: ‑‑ and provided to add to the richness of what our private sector colleagues have, is it's Rob's point about enriching what they have both from classified information or what we may be seeing on our government networks and our civilian government networks. And I think that is a sea change certainly from what I saw in government before and certainly from what I saw in the private sector.
You know, I had my TS clearance when I was at Morgan Stanley, but, you know, who cares? If I go in for a briefing, I couldn't really share it with anyone. You couldn't really operationalize it effectively.
So there's a utility for that, but I think being able to focus on relevant, actionable, timely information that network defenders can use to actually do something to increase the security and resilience of their networks is where we all realize we need to be as a nation, because we can't do it alone. The private sector can't do it alone. It has to be a collective endeavor.
>> BOBBIE SEMPFLEY: Yeah. I think ‑‑ I know about a decade ago we were talking about information sharing wasn't for its own purpose; right? It was the currency for trust and operational collaboration.
>> CHRIS INGLIS: Right.
>> BOBBIE SEMPFLEY: And so I have to say that arc, I've really been pleased to see that play out.
>> CHRIS INGLIS: And to your point, Bobbie, information sharing, information pooling is not collaboration.
>> BOBBIE SEMPFLEY: Right.
>> CHRIS INGLIS: It sometimes is kind of a siren on the rocks that makes you feel like you've collaborated when you haven't begun to even do so.
>> BOBBIE SEMPFLEY: Yeah. Collaboration is a completely different level of interaction. And ‑‑
>> JEN EASTERLY: You know, I think of it ‑‑ I like to say not information sharing; information enabling.
>> BOBBIE SEMPFLEY: Yep.
>> JEN EASTERLY: Really. It's all about to an end to help a network defender better secure their data and their systems.
>> BOBBIE SEMPFLEY: And so to that point, your op ed yesterday on the progression of Shields Up I think I should say, I was intrigued by the idea of sharing as a tailored enterprise. So help us think about what that means in practice.
>> CHRIS INGLIS: Jen.
>> JEN EASTERLY: You know, it's interesting. The backstory on that was I was down at S4, and Dale Peterson, who some of you probably know, was interrogating me about when we were going to go shields down.
>> BOBBIE SEMPFLEY: (Laughs)
>> JEN EASTERLY: And, you know, first of all, we should never be shields down. But we were sort of playing around with, oh, should we go from shields up to shields normal. And we reached out to a very large group of CIOs and CISOs to sort of say, well, what do you all think here in the middle of this. And they said absolutely not. At the end of the day, we need to keep our shields up because this message has actually resonated not just with the American people, but it's resonated with CEOs and business leaders, who get that they need to empower their CISOs, which is one of the key recommendations we made on the Shields Up web page, and ensure that there are the resources and the investments in place to be prepared to be able to not prevent, quite frankly, but to respond and recover effectively to mitigate risk to business, and then given critical infrastructure, to mitigate risk to national security and economic prosperity and public health and safety.
So, you know, when Chris and I talked about this, where we really landed is at the end of the day, Shields Up, given the highly complex, highly dynamic, dangerous threat environment that we live in that everybody in this room is aware of is really the new normal.
Now, we all know, though, we can't sustain the highest level of alert for an extensive period of time, which is why we're thinking about, number one, what's that relationship that government needs to have with the private sector. Chris can speak very eloquently about that in the foreign fairs article he wrote on the new social contract, but also an idea about some sort of an advisory framework that can say either nationally or in a localized way what the threat is based on what we know from intelligence information, what we're getting from our partners, and make sure that that is calibrated, make sure that that is time bounded. So it's not forever. We know that our SOC analysts actually need to go on leave once in a while. But a much more thoughtful way of thinking about the threat and a much more thoughtful way, frankly, of doing what techies don't do well, which is communicating to the American people. Chris?
>> CHRIS INGLIS: I would just foot stomp the following. She said that really, really well. I would just say there will never be a time when we don't defend ourselves even in cyberspace, especially in cyberspace. We almost participate in our own defense on cyberspace. There might be greater or lesser responsibilities accorded to some of us, some organizations, maybe the government, maybe the private sector, but we're all participating in that defense.
And there's a very proactive element of we've got to actually be as specific as possible, as timely as possible, as granular as possible at sharing the information that is necessary to effect that defense.
And so when we can, when we're able, we will provide very specific information. When we simply have a general warning, that's what you'll get. And it's not because we won't tell you the rest of it; it's because we don't know. Right? We can sometimes predict thunderstorms and not lightning strikes. And so you just have to work with us to figure out how do we get this done in a collaboration.
>> BOBBIE SEMPFLEY: Yeah. The transparency has really come a long way. I remember the day where it was the belief that we were all sitting on warehouses full of information that wasn't being shared. And to see that kind of transparency and trust building I think has been particularly important.
>> ROBERT JOYCE: But we were still there in this event. Right? As Jen did the Shields Up campaign, and the government started talking about, look, you need to be ready. You need to improve your state of security because there is a real and credible threat, the assumption was we had the specific threat.
>> JEN EASTERLY: Right.
>> ROBERT JOYCE: This attack at this place on this time, and the government wasn't bringing that forward. That wasn't the case. We knew about real intentions; right? And that was the level of intel granularity.
And so it is hard to strike that balance of, you know, look, we really do know that there is bad intent out there, but we may not know the specific where it's going to strike. And I really like the storm and lightning analogy because it's very appropriate.
>> BOBBIE SEMPFLEY: Yeah. Your comment, Chris, about you're going to need to beat all of us in order to beat one of us and the characterization of the threat being complex and dynamic are really powerful.
The environment, though, is really complex and dynamic. And so, right, you have to beat all of us to beat one of us is really a statement on how complicated the ecosystem is. Is it actually possible for a single organization to do everything they need in order to defend themselves?
>> CHRIS INGLIS: No. That's why they need to ally themselves with everyone else in their ecosystem. No one of us can defend all of us or even just one of us; right? So we live in a shared world where the infrastructure underneath, right, is part of a much larger shared proposition; and the things coursing across it come from the left or the right, and you, frankly, don't know the whole of the story, what's under foot, unless you compare and contrast that to what might be known to the right of you or to the left of you.
So I think there are some organizations that can spend huge sums of money on cybersecurity. God bless them. But not everybody can. And not everybody should be expected to. We should be expected to bring to bear all of our resources, all of our capabilities, all of our authorities to effect a collective defense because that's what the transgressors are doing against us.
Ransomware kind of has organized as a syndicate. Think about that. It's a syndicate operating against us. How can we respond with anything less? It takes a network to beat a network.
>> BOBBIE SEMPFLEY: So ‑‑ please.
>> JEN EASTERLY: Yeah. I'm just picking out a couple things. I think all of us realize now the goal is not prevention. We're not going to prevent bad things from happening. We need to ensure that we are building systems and architecting infrastructure and, frankly, developing people to be resilient, to make sure that we can detect things early, that we can respond, that we can recover to be able to drive down risk.
Because the ecosystem, when you talk about the complexity, Bobbie, it's not just finance or energy or water or the DIB. All of these things are underpinned by a technology backbone. They're all connected. The attack surface is enormous. They're all vulnerable. And so it really means that we have to all work together for the collective good of the enterprise.
And that's why we've been doing some work around not just sectors, but what we call national critical functions. The most critical of the critical. We're looking at things like systemically important entities, which at the end of the day just means what are those ‑‑ what are those organizations that are most critical to the national security, the economic prosperity, and public health and safety. And they span across all sectors. And some of them include what we call target rich, resource poor entities, like small hospitals, at the end of the day.
And so we have to figure out either through our grant programs ‑‑ we just got $1 billion in grants for state and local ‑‑ or working with some of our private sector partners putting out a lot of free cybersecurity tools and resources that's actually on the Shields Up page as well, but the idea is, you know, small entities can't avail themselves of these huge security teams, but there are a lot of resources out there. And that's part of what we're in the business of doing is we do our outreach with our field forces and all of the engagement we do with private sector.
>> BOBBIE SEMPFLEY: Yeah. I hear you. Right? It's a syndicate problem. We have to have a team that goes forward. How do we set the bar, though, for what individual responsibility looks like?
>> ROBERT JOYCE: Well, I think one of the pieces is the known exploitable vulnerabilities; right? We constantly talk about the way the advanced threats and especially the ransomware actors have success, and that is often through those known exploitable vulnerabilities. So there's something to be learned there. That needs to be the base. Everybody needs to get to that base level and take care of the unlocked doors that they're coming in today.
>> CHRIS INGLIS: And when we think about resilience, especially future resilience ‑‑ present resilience is too often based upon response, responding to two- and three‑alarm fires. And we can reduce the char and what results if we respond really quick, but we actually want to get to a place where we're inherently resilient and robust in ways that we aren't today.
And when we think about that, we often think about the technology. Of course, the technology is a piece. Software, hardware, the composition of those things, supply chain, open‑source software, all of that comes quickly to mind. But we ought to also think about practices, the people piece. Are our people actually resilient and robust, right, in the face of these threats? And we ought to give a lot of time and attention to roles and responsibilities. Do we have the roles and responsibilities properly assigned?
Think about how it works too often today, which is at the end of some supply chain, you have some poor soul who's inherited the risk that nobody has bought down. They're at the end of a supply chain where something was built simply to achieve some primary function. It was then integrated into a set of other things and so on and so forth, and down the line it goes. And this poor soul, maybe running a small business out in the Midwest somewhere, finds themself toe to toe with a ransomware gang, and they have no idea what they're up against. They have no capability to defend themselves because what they have has no inherent resilience and robustness built in.
The answer in part would be we want to give them something that's inherently resilient and robust, but we're only going to do that if we address the roles and responsibilities. What is the responsibility of somebody who builds the piece parts? What is the responsibility of the other members of that supply chain who essentially then pass that on, integrate that into successively more complicated kind of things? What's the responsibility of government? What's the responsibility of the private sector so that this person doesn't stand alone in this skirmish with the cyber transgressors?
So we've got to get those roles and responsibilities right. And, frankly, candidly, transgressors think about those in that order, the reverse order. They think about roles and responsibilities. If they're weak, I'm coming at you. And think about people skills. If they're weak, complacent, I'm coming at you. And if I have to, I'll try to find some vaunt to zero‑day vulnerability and come at you through technology. But the first two doors are so wide open that they, frankly, don't have to come through the third door very often.
>> JEN EASTERLY: Yeah. I mean, just because this is, as you know, one of the things I'm most obsessed on, when you talk about individual things, yes, of course, if a highly sophisticated nation‑state actor wants to break into your systems, they're going to do it. But at the end of the day, I do think it's the individual responsibility ‑‑ it's also business responsibility, government responsibility ‑‑ but at the individual level, there are some not very complicated things that we can do to protect ourselves, whether that's password hygiene and a password keeper, updating your software, making sure that you are checking twice on links that might look suspicious, and then my obsession of implementing multifactor authentication.
But the problem is we just don't communicate these concepts very well. So when you say "multifactor authentication," which research shows can make you 99% less likely to get hacked, people say, oh, my God, it's so technical. Their eyes glaze over, and they ignore you. So what we need to do is to figure out how to communicate these things better.
We kicked off a campaign on social media yesterday. It's basically just more than a password. Right? And it's cool because it sounds like "More Than a Feeling" by Boston, which I like. But, really, being able to communicate these things to the American people in ways that they don't find it to be too complicated, too confusing, too technical. And then on the other side, demanding a lot of our technology companies to ensure that they are by default implementing things like multifactor authentication. So it's going to be two sides of it, the individual responsibility and then also as we work with our partners to help shape the technology ecosystem.
>> BOBBIE SEMPFLEY: Making doing the right thing easier than doing the wrong thing, putting a usability component into it.
>> JEN EASTERLY: Absolutely.
>> BOBBIE SEMPFLEY: And default activities. Right? The auto update. One of the easiest way to knock down a whole swath of threats; right? That changed a whole ‑‑
>> CHRIS INGLIS: Right. But more than that. Removing the ambivalence of the moment, which is there are all sorts of people that now would look at this space, cyberspace, and say, my goodness, there's a problem, and there's smoke issuing forth from some closet, and then fold their arms and say, "Somebody should fix this." Right?
>> BOBBIE SEMPFLEY: (Laughs)
>> CHRIS INGLIS: It turns out that that's us, all of us. Individuals have responsibilities, organizations, businesses, sectors, governments, plural, have responsibilities. You need to figure out what all of our responsibilities are.
We've done that in other domains of interest. You participate in your own physical defense. You probably didn't leave the keys in the ignition of your running car. You probably didn't leave your iPad on the dash of that car. You probably looked both ways when you cross a busy city street, and so on and so forth. We just need to figure out how do we lift and shift that best human practice into this space.
It's, to Jen's point, relatively straightforward but not well done; and, therefore, we've made it seem like it's harder to do than it is.
>> BOBBIE SEMPFLEY: And since we're talking to a security conference full of people who are supposed to be thinking about it in that way, I think the lesson here is make it more understandable; right? Communicate to my grandmother about what the things are that they need to do.
>> CHRIS INGLIS: And to Jen's point, when you buy a car, you don't ask for an air safety bag as an addition. It should be in there. Right?
>> BOBBIE SEMPFLEY: Right.
>> ROBERT JOYCE: And that's the point. I think there's two aspects. One is make it simple; nut, two, make it the default.
>> BOBBIE SEMPFLEY: Right. Absolutely. Absolutely. So we talked a little bit about people. And I know one of the passions we all have is for the workforce in this space. Not just the workforce in the security domain, but the workforce more ‑‑ awareness more broadly, cyber acumen more broadly. Is this an achievable goal? How do we need to think about this?
>> CHRIS INGLIS: It must be. But we're not on the right road; right? So NIST, the NICE, right, the National Initiative for Cyber Education, today released updated statistics on the number of jobs that have cyber or IT in them that are unfilled; whereas, last fall I think they would have said it was something in the high 550,000s, 550,000. Today they say it's more like 770,000. Dramatic increase in the number of people who need to fill those jobs.
We're still, good news, is filling about 66% of that job ‑‑ of those jobs. So we're actually keeping pace with the curve, but we're not bending towards that curve. When I say that we're not where we ought to be, it's not that we haven't filled those jobs; we probably haven't properly specified those jobs. We probably don't know what's supposed to be in those jobs. We need to reexamine those jobs and understand which part of those is people attempting to substitute for technology. Let's move that over to technology. Let's automate that. Let's routinize that.
What then remains, let's kind of take a hard look at those jobs to make sure that that's what people should be doing. And it might not be that every one of those needs a computer science degree or an electrical engineering degree. Companies have done this in the past, and they didn't so much go to the lowest common denominator; they essentially pushed the job up to a plateau where they had actually a much broader population that was available, eligible to take those jobs. But let's examine that destination again.
Let's then look at the other end of that and make sure that we've kind of opened these possibilities to the broadest possible population. The first competition, which has robotics, essentially in grade schools, middle schools all across the nation, has done a wonderful job teaching science, technology, engineering, math. Of course, that's not what the kids think they're doing. They think they're building robots to kill other robots.
>> BOBBIE SEMPFLEY: (Laughs)
>> CHRIS INGLIS: Let's do something like that in grade schools, where kids get excited about cyber or information technology, and get them along that path. Transition them from aspiration to destination.
But that's actually the few jobs that are unfilled, 770,000 at the moment. There are many professions, right, which lawyers or CEOs or all manner of other folks who make decisions every day that implicate our cyber futures. They need to know more about cyber than they do from what they get in an MBA program or a certificate program. Let's invest in those.
And then there's everyone, every citizen, every person who uses cyberspace doesn't know enough about cyberspace just by being raised in its proximity. We teach kids more about hot stoves than we teach them about the Internet; right? So we ought to get serious about that. How do we actually make it possible to cross the digital cyber street with some degree of safety? Well, again, technology should do what it should, but the people component of this is really, really important.
>> JEN EASTERLY: Yeah. I mean, absolutely, I agree with everything Chris said. Within society, you know, we're growing. We are hiring a lot. The thing that I hate the most, having come back from the private sector, is just, you know, government is just a bureaucratic beast. So everywhere I go, I try and kill the bureaucracy because it just takes too long to hire people. And so we're trying to be really creative with what we're doing.
First, we received new authorities last November, the Cyber Talent Management System, that allows us to hire ostensibly much more agilely. It's had a little bit of a rocky start, but we've now, I think, hit our paces and should actually be able to accelerate this in a positive way. But it allows us to bring in people faster.
And then, you know, in terms of degrees, my most talented technical person at Morgan Stanley didn't have a college degree. And, frankly, if you have the aptitude and the right attitude, if you're a good cultural fit for our organization, we want to bring in raw talent and help to develop you, but we see that as a responsibility to build a full spectrum talent management ecosystem of how do I attract, effectively onboard, integrate you into the culture, mentor, coach, give you mobility opportunities, promotion opportunities, and then be as flexible as possible.
We have 2,000 or so positions that are remote work or telework. The new authorities allow us to pay a lot closer to market. We very much welcome people coming into CISA for three years at a time and then going back in the private sector and maybe part of critical infrastructure, and that's part of collective cyber defense.
So we are trying to be much more like the private sector. We're actually going to bring in a Chief People Officer to help us implement creative ways to develop our workforce, a workforce that is going to be working day in and day out with the private sector. And so those relationships are incredibly important.
We actually kicked off something today that I'm super excited about called the CISA Cyber Innovation Fellows, which was inspired by, for those of you who are familiar with Industry 100 from our brethren and sisters at NCSC in the UK, essentially we're bringing in private sector technical expertise for a couple days a week for four‑plus months at a time to embed in our threat hunting team, our incident management team, our vulnerability management team to work with us to help us learn from them to learn what the government does to really cross‑pollinate that talent. So we're really excited about programs like that.
And the other thing that I think is so incredibly important is that we all focus on building a more diverse workforce in cyber. And when I say "diverse," very broad. Neurodiversity, diversity of gender identity, sexual orientation, race, national origin, age, background, because all of that equals diversity of thought. So we are doing a lot to tap into very diverse populations to include HBCUs, setting up a neurodiversity scholarship, and really trying to build a workforce that looks much more like America so we have that diversity of thought to solve really hard problems. You know, to paraphrase a very important famous line, I think the arc of the cyber universe is long but bends toward diversity. And I think that's really important.
And the last point I'll make, I was having an interesting interesting conversation with Ron and Cyndi Gula on this. They recognized that there are some underserved parts of the population that hear the word "security" and they bridle at it.
So there are actually ‑‑ and I think this is kind of cool ‑‑ they're actually starting to call cybersecurity data care, like health care. And that appeals to some minority populations that just don't like the idea of cybersecurity or those who think it's too complicated, too technical. And we need to really create this workforce as a village of skills, not just the computer scientists. And I think we need to, again, think about the language that we use if we are trying to make this as inclusive and as diverse as it needs to be to help us defend the nation.
>> BOBBIE SEMPFLEY: Yeah. So impact ‑‑ oh, please, Rob.
>> ROBERT JOYCE: So Chris had talked about the early end of the developmental spectrum. I'm very passionate about the latter end. You can go through a four‑year university today and come out with a computer science degree without ever having been trained how to do cybersecurity and secure coding, and I think that's a travesty.
Now, that's a long arc, another long arc that we have to invest in, but we've got to be looking at how we get into every degree program, whether it's a two‑year degree, four‑year degree. And I recognize not all our programmers are coming through those degreed programs, but if you're going to be, you know, wearing a hat of a computer scientist and blessed by a university, you should come out having had a course in how to make software that doesn't have vulnerabilities.
So you'll see our Centers for Academic Excellence, which are trying to certify schools and programs, saying this is the best cybersecurity program you can go through, we need to have that as a core fundamental element of that. And it's going to take time because the universities have to build that into their curriculum, but every journey starts with the first step. And so I would ask you out in industry, start asking your university recruitment pipeline to ask for those things of the universities. Because what they tell us is, you know, the demand signal is that recruiting résumé. When we're filtering for the things we want out of the university, they're trying to build that for what we're asking for. And most of that is not the government; it is the industry itself. So please help advocate for cybersecurity in computer security.
>> BOBBIE SEMPFLEY: Yeah, absolutely. Right? If we can get industry to make that demand push and then technology companies further teaching software developers their secure development activities almost as a license before they get to write their first line of code in the product, that helps us move closer and closer to the secure by default in the environment. So that supply side and demand side impacting both.
>> ROBERT JOYCE: Yes, please.
>> BOBBIE SEMPFLEY: Yes, absolutely. Absolutely there.
So we only have a few more minutes. I am intrigued by the fact that it's been just over a year and a couple of weeks since the supply chain executive order, the cybersecurity executive order. How do you feel that's gone? What's next to do? What's ‑‑ you know, sort of grade yourself on that.
>> CHRIS INGLIS: So I think you're referring to Executive Order 14028. I know everyone's got that ‑‑
>> BOBBIE SEMPFLEY: Absolutely, 14028.
>> CHRIS INGLIS: ‑‑ on the tip of their tongue. Essentially a response to the SolarWinds kind of experience. But a broad range of other experiences would say that the federal government believes that it needs to get its own house in order. So we specified for ourselves what are the various practices and attributes that we must install in our own architecture.
It was fairly bold. Kind of had ideas in there that said we're going to have 100% multifactor authentication installed across the federal enterprise. We're going to encrypt data at rest, data in transit. We're going to do various things at the end points that heretofore had not been done universally across the system. And so it was both about the attributes and the practices.
And to my way of thinking, I think that we've done extremely well at making a demonstrable difference to the inherent resilience and robustness of those architectures. I think by one measure of merit we're maybe 82% of the way there.
Now, we would like to get the last 18%. We might be approaching the knee of the curve. We're using compensating controls to kind of understand when and where we can't address these things because the systems are unreachable or they're beyond any ability to upgrade those. How do we wrap those in a place where we reduce the attack surface?
But the long story made short is that the government is trying to put its money where its mouth is and driving these practices into the supply chain that feeds the government.
What comes next? Zero‑trust architecture. I know that's a much-maligned term. It's a 40‑year‑old term recoined, rephrased. Now, but essentially it says: What are those practices going forward that are mandatory, not discretionary, mandatory in our architecture so that against all of the talking we've been doing up here on the stage, we have an actual digital architecture comprised of technology and people and practice, doctrine, right, that essentially is defensible that then we might actually defend?
>> BOBBIE SEMPFLEY: So thank you for saying that zero‑trust architecture is a process; right? It's not a product.
>> CHRIS INGLIS: It's not.
>> BOBBIE SEMPFLEY: You can't go down to the show floor ‑‑
>> CHRIS INGLIS: It's not a thing.
>> BOBBIE SEMPFLEY: ‑‑ and pick one.
>> CHRIS INGLIS: Right? So...
>> BOBBIE SEMPFLEY: That's a well ‑‑ a poorly understood construct in that way. Anyone else want to comment?
>> JEN EASTERLY: And, you know, the executive order was really focused on what we call the FCEB, which the dot-gov, the Federal Civilian Executive Branch. And we serve as the operational lead for that.
You know, there is good process being made, but it's incredibly complicated. It's 101 separate departments and agencies. Some are huge departments. Some are small agencies. And so what we're really trying to accelerate progress on is ensuring that we have the visibility that we need so that we can manage the FCEB as an actual enterprise. That's not the way it was architected, but I think we can get there given the mandates that were in that executive order under the auspices of Chris and then working very closely with Chris DeRusha, who's the federal CISO.
I do think we've made progress. It's probably not as quickly as I would like, but that's a common theme for me. But I do think that there's some other things in there that have been real value added in terms of what we've been doing in terms of software and the software bill of materials work, the playbooks work that we've done. We've stood up the Cyber Safety Review Board that both Rob and Chris are part of. And so this is just a matter of continuing to ‑‑ continuing to signal that this is a priority. And the administration, I think, has done that very effectively.
And then it's also a signaling mechanism to our vendors, which I think is really important. That's part of important government purchasing power. But, also, a signal of best practices. You know, Rob mentioned the KEV, the Known Exploited Vulnerabilities list, which I get a lot of feedback from the private sector, even though it's actually only binding on the dot‑gov, that that has been one of the most helpful things that we've done to actually show prioritization in the thousands of critical vulnerabilities that we're all managing based on active exploitation in the wild.
And so some of the signals that we're doing to the dot‑gov that are then extensible and a signaling mechanism for critical infrastructure in every business I think are helping to raise the bar in the entire ecosystem.
>> ROBERT JOYCE: So that executive order really pushed for us to do the things we know we should be doing; right? That's the fundamental. But the other part that it does is it tries to make sure that we know the network so we can defend the network. And that is the foundational aspect of a lot of this. If you don't know it, if you don't know how it's configured, where it is, what it is, there is no chance that you're going to lock it down and defend it. And so the executive order really is about doing those basic things that we're asking all of you to do too. So it's a good roadmap.
>> BOBBIE SEMPFLEY: Yeah. It's a -- I have many, many more questions, and we are, like ‑‑ in our dwindling seconds. So the team, right, the collaborative team, public, private, international activity, it strikes me that there's hope there that perhaps we hadn't -- you know, a decade ago we could see but weren't quite at that point. So I appreciate all of your time and energy in that space.
I'll take your point on complexity. We can argue about that one a little bit. But a diverse set of team members is an incredibly important element from the individual all the way through the team participants that are there. And so I appreciate all of your time and energy and service to the nation in this space.
>> CHRIS INGLIS: Thank you, Bobbie.
>> JEN EASTERLY: Thanks, Bobbie. Thanks, guys.
>> BOBBIE SEMPFLEY: Thank you all for coming.
John "Chris" Inglis
Office of the National Cyber Director, Executive Office of the President
Policy & Government Risk Management & Governance
governance risk & compliance privacy ransomware innovation cyberattacks
Share With Your Community