Cybersecurity Director Discusses Mission Threats. C-SPAN, November 1, 2021, 9:28am-10:01am EDT
>> Jen Easterly talked about battling cyber threats and recruiting a talented and diverse cyber workforce. This is half an hour.
>> Thank you, Tom. So, Jen, I just want to start by saying thank you for being here and thank you for your service to our country. It is a true honor to have you here today. Not long ago you had the opportunity to deliver a keynote at Black Hat. For those of you in the audience, maybe some of you saw it. I had the opportunity to see it and I thought it was an excellent speech. Not an easy speech to deliver, notoriously fickle crowd. I learned a lot and I think you did a tremendous job educating people on some important topics, but most importantly, I think you did a really nice job of creating trust with a community that's not easy to build trust with. So, kudos to you for that. I think that will serve you well in your agenda at CISA. I also learned three other things from your keynote. I learned that anybody who mispronounces CISA will be banned forever; it's CISA. And I learned that the JCDC was almost named ACDC and, unfortunately, the lawyers got in the way, and that would have been so cool. And the third thing I learned: you're a pretty good dancer and you do a mean impersonation of Elaine from Seinfeld. [laughter]
>> So listen, to kick things off I'd like to give you an opportunity to introduce CISA and tell us why and how CISA is sort of unique from other government agencies.
>> Absolutely. Can you hear me? Okay. Perfect. Well, first of all, thanks very much for the invite to be here. It's great to spend a beautiful Friday morning with everybody, and with you, Matt. So thank you for the introduction, and thanks to my friend out there who set this up. So let me just start with the mission of CISA, if that makes sense. We are the government's newest agency. We were set up at the end of 2018 to be the nation's cyber and infrastructure defense agency, to really fill a gap. Now, our mission is to lead the national effort to understand, manage and reduce risk to the cyber and the physical
infrastructure that Americans rely on every hour of every day. So, how do we get our water? How do we get our power? Getting gas at the pump, food at the grocery store, money from the bank. These are the networks and systems that basically underpin our lives, and that's what we are responsible for reducing risk to. So, we have two key roles that fall out of that. The first is to be the operational lead for federal cybersecurity, so the protection and defense of the .gov, and, more relevant to this audience, critical infrastructure security and resilience. And we know that over 85% of critical infrastructure is in private hands, and that's why partnerships like this are so incredibly important to the success of our mission, and that's why I'm glad to be with you here today.
>> And that kind of goes back to the trust comment we talked about. The way that CISA exists and the trust you have with the commercial partners is, you know, critical to all of us sort of moving the agenda forward from a cyber perspective. That makes a ton of sense. I was shocked when I listened to Jen's speech at Black Hat and she was three weeks in, and now 100 days.
>> 100 days.
>> That's a big job, she's new, but impressive to be able to have this conversation at that level of depth with you. Could you share your priorities for CISA, kind of what you have been able to accomplish so far in the first 100 days, and then where do you think you're going to go in the coming years and what do you hope to accomplish?
>> Yeah, well, first of all, I'll say, you know, I really didn't know what to expect when I took this job. Obviously, it was amazing to be nominated for it and, just given what's going on in the world, I thought it was really important to come back to government to do the job. But again, I'd never served in the Department of Homeland Security before. I was in the Army, I was in the intelligence community, I was in the White House, but never in DHS, and I have to tell you in all honesty, Matt, this is the best job I've ever done and I think the best job in government. When I was going through the confirmation process, a good friend of mine who used to be the deputy secretary at Homeland, Jane, said it's interesting: in the world of national security, really the world where I spent my time, counterterrorism, intel, the Army, the federal government has monopoly power. But in homeland security, and really in cybersecurity, the federal government is just a co-equal partner with the private sector and with our state and local and tribal and territorial colleagues. It's really all about partnership, which I love. And you know, I probably spend 60 to 70% or more of every day meeting with partners, either in industry or at the state and local level, which, again, is incredibly fun because you're right, it's all about building partnerships, relationships, and trust. So, it's a fantastic job. You know, it's hard to think 100 days, that sounds like it's been a while, but every day has been fantastic. And so, you know, I see a couple of things that I'm focused on over the, whatever, three years, whatever it is. Maybe four buckets I'll give you. The first is really leading the transformation of CISA. As we know, it's the newest agency, founded by my good friend Chris Krebs, and it went through a pandemic, a contentious election cycle and a whole bunch of things that happened this year that were really pretty intense work. So the transformation piece of this is not a trivial endeavor.
We went through a big reorganization and now we have to make sure we have, number one, most importantly, the people, the technology and the process to set us up for success in the coming 10, 20, 50, 100 years, and we can talk about that from a workforce perspective. The second bucket is all of the work that we have to do on federal cybersecurity. So you know the executive order that came out in May. There are about 35 different tasks that either CISA is part of or CISA leads, and so a ton of work there that I think is really fundamental to ensuring that we can better protect and defend the .gov, and we're central to the operational lead there. And the third is critical infrastructure cybersecurity, with the national coordinator role, so a lot of work to build and strengthen those partnerships, but specifically we're doing 100-day sprints with several sectors, the pipeline sector, the electricity sector, coming up is the water sector, and we're also laying out performance goals and standards that came out of the White House National Security Memorandum, so a lot of good work so that we can baseline and really harmonize a lot of the work going on out there in terms of cybersecurity performance goals. And finally, it's partnerships. All about partnerships. I talked a lot about that at Black Hat, and that has to be underpinned by trust, whether it's a business relationship or a marriage. It's all about the foundational trust. One of the things that I'm excited about that we've done over the past few months, we can talk more about it, is the JCDC. I'm excited about the people things. We set up a partnership with Girls Who Code, and we are focused on diversity, which is a personal passion of mine, and I would say for those of you who don't know, it's Share the Mic in Cyber day. So my own Twitter account, @CISAJen, is being taken over by my teammate, so please check that out today. So a lot of people--
>> And it would have your Twitter account.
>> And my lawyers are like, what are you doing? I'm super excited about it, so please check that out. These opportunities for the workforce: I'm the director of CISA, but I think of key roles, the chief transformation officer and the chief recruiting officer, and I told my chief I'm the chief belonging officer. Because I believe strongly that we need to build a culture that collaborates, teamwork, ownership, empowerment, and if you build an environment where at the end of the day there is psychological safety, where you have people coming from all backgrounds and bringing different perspectives to enable us to solve our most difficult problems, then that's an environment of belonging. That's what I've done throughout my career, I build organizations. And so, you know, a huge focus on culture as well.
>> Yeah, it's a complicated, complicated puzzle that you're describing, and I know you like to solve puzzles.
>> I do, yeah.
>> I mean, it makes for success, and listening to you talk, it just reflects on the JCDC, and the last letter is collaborative. It's inside, it's outside, it's public, it's private. It takes a community to collaborate to sort of, you know, move the agenda forward with respect to improving the
nation's cybersecurity. So kudos to that.
>> Thank you.
>> The theme of the National Security Cyber Summit is bridging the gap between policy and practice. Can you tell us a little bit more about the JCDC that was announced recently, in April?
>> Yeah.
>> And tell us what CISA is doing to kind of take that forward?
>> I'd love to. There's good policy out there, and I was in the White House for two tours and that's the center of gravity for policy, but at the end of the day, you have to figure out how to actually operationalize that policy. And you know, being at the cutting edge, being the operational lead for things in the cyber world, it's fun to do that. And the JCDC, where did that come from? The NIAC, the National Infrastructure Advisory Council. And I can't say enough good things about the Solarium Commission. At the end of the day there are a lot of commissions out there that the government does, but very few have actually been able to come up with recommendations that found their way into law. And certainly this one did, and, you know, to be honest, that's before I was even nominated, benefited a lot from what was in the NDAA. One of those things, Matt, was the JCPO, the Joint Cyber Planning Office. And the idea behind this is really bringing people together from the government and from the private sector to plan proactively against major threats to the nation. But if you actually look at the legislation, it's much more than planning. It's creating a common operating picture. It's planning, it's exercising and implementing cyber defense plans. And so, when I came on board, you know, being a retired military officer and somebody who has done a lot of planning in my life, I just thought this was a fabulous opportunity to do something early on, to really be that signal on both. We're going to be proactive, not reactive.
>> Right.
>> And we're going to be that agency that's not another lumbering government bureaucracy, but something much more akin to the private sector, this idea of a public-private collaborative. So I point to unique things, and people also ask, well, how is this different? So, it's the only federal cyber entity in statute, in law, that combines the power of the federal government. So by statute you have CISA, NSA, FBI, Cyber Command, DoD, DoJ, all of those agencies that really bring the full force of the U.S. government when you're thinking of cyber defense operations, and the magic and ingenuity and creativity of the private sector, to come together to solve the visibility issue, to be able to plan and exercise against the most serious threats and then to implement those plans. And the second thing is, you know, CISA has a superpower. It's our very expansive information sharing authorities. So where some agencies can share bilaterally, we can share many to many. And so we've already brought in more than 15 partners, our alliance partners, CSPs, ISPs and vendors, to solve that issue. But we've been able to use that to the benefit of all of our partners, as we're able to get information that is seen globally on other infrastructure and then share that with other partners. And so you probably saw the joint advisory we did with NSA on BlackMatter, and that was done with some of our JCDC partners. And I am hoping that we can move the paradigm from information sharing to true information enabling. I think we can seize this moment in time to make a substantive, material difference for the nation.
>> Yeah, and as the organizing committee for this year's event, we were sort of collecting our thoughts. There's a lot going on on the government side, the policy side, a lot going on on the industry side, the side of practice, and as I listen to you talk, it's healthy for me to imagine that something like the JCDC can exist and be the bridge between policy and practice. It ultimately has to get to practice really quickly, really efficiently and with agility and all the things that we know are important. I'm personally excited about where it can go as a bridge of policy and practice into the future.
>> Can I just make one comment?
>> Yes.
>> Having spent the last four and a half years at Morgan Stanley, it's interesting, right, two observations, and remember, I spent about 27 years in government before I joined the private sector. When I was looking back at the government from the private sector, it often came off as incoherent. Not well organized, to be able to support the private sector, and again, that's why I think having an entity that has all of those organizations is so important, to be able to share, to your point, in near real time. We have to be able to move at the speed of cyber. We know that our adversaries are, and again, that's why I think that coherence, the cohesion, across all of the cyber ecosystem can make a real difference.
>> Yeah, yeah, and the wild stuff, critical to success, as you know. Speaking of that, I'd love to get your thoughts on President Biden's executive order on cybersecurity. It was issued in May. Just two months later you were confirmed as director of CISA. Given the very limited amount of time that we have here today, I'd love just to kind of get your thoughts on two specific fronts that I know are front and center for me personally and probably for many in this room, in bridging the gap between policy and practice, sort of the commercial side of this collaborative that we're talking about. The first thing I'd like your thoughts on is the zero trust security model. Specifically, the EO instructs agencies to, quote, assume breaches are inevitable or have already occurred. How should we be thinking about that, and how do you think about zero trust, and how does that sort of play into this concept of public-private partnership in the bridge to policy and practice?
>> That's funny, we talk about the importance of trust and now the importance of zero trust.
>> Unpack that.
>> Exactly, exactly. On the EO, I would say it was a great contribution, and my teammates at CISA before I arrived worked very closely with the interagency and the White House. And I think the detail, the sense of urgency that is encapsulated in that order is really, really important. Now, it's mostly focused on federal cybersecurity. But much of what's in there is really a signaling mechanism to the community, to critical infrastructure, that these are really important things that you need to do: to modernize your infrastructure, to enable you to have greater visibility into that infrastructure, to develop incident response playbooks, another thing in there, to ensure that you're doing after-action reviews, that's another thing, on the Cyber Safety Review Board, and then logging. All of that stuff is very extensible to every space in cybersecurity. And with all the experts here, there's a lot of talk about zero trust, and it's hugely important when you think about the whole concept of assuming breach. Trust nobody, verify everybody. We don't live in a world anymore where the perimeter is okay. We need to be able to create architectures that allow us to defend in depth. So at a very high level, that's really the theory of the case for zero trust, and what we've done in CISA is a couple of things. Because if you read that paragraph, it's about modernization and talks about secure cloud and zero trust. OMB put out a zero trust strategy and what we did, we followed up with a zero trust security model that we issued and put out for comments. We want comments on everything we do, and we want feedback, because we understand this is all about a community and there's a huge amount of experts out there. So we did that, and we also put out a cloud technical reference architecture. Again, two things we're saying: move into the cloud and substantiate the principles that allow us to be better, to be safer and more secure throughout the full network. And so, a lot of work done there, and a lot of expertise that we're tapping into across the federal government, and a lot of this is worked with our teammates at OMB and new teammates at the National Cyber Director's office. And the order is all about software supply chain, which we saw with SolarWinds, but that was not isolated. We've been looking at supply chain attacks forever, and even at Morgan Stanley we were very focused on securing the supply chain and making sure that all of our vendors were vetted and were secure, because as you know, we can spend a billion dollars at a big bank, but we're only as secure as our weakest link. And that's why, at the end of the day, this collective defense principle is so critical to all of us, because everything is connected and everything is interdependent and everything is vulnerable. The software supply chain piece of this was the software bill of--
>> One comment on that, it's called SBOM.
>> We have acronyms that only sound like '80s rock bands. The software bill of materials: when you say what's in the bill of materials, it doesn't mean it's all secure, but it's a good way of incentivizing knowing what's in your products and inventory, and leaning into the software supply chain. And we have that because we're now the global lead on the software bill of materials.
>> Dr. Allan Friedman.
>> Yes, Allan Friedman just came on board, a great talent. I'm excited about that executive order because it really puts us in the lead for a lot of things that I think, I hope, I intend will help us make a real difference in federal cybersecurity, and I don't think anybody can look at that and say the status quo is acceptable. It's not. So in addition to everything in there, we're working with Congress on reforming the Federal Information Security Modernization Act, and EINSTEIN and our Continuous Diagnostics and Mitigation program, which are incredibly important as well. More to come, but it's an exciting space and a lot of great priorities in the coming years.
>> Yeah, 100%, and tectonic shifts in the world and the cloud, in the commercial side of this policy-to-practice bridge, it's so transformative, and to see it sort of in, you know, clear detail with respect to the EO, I think it's another healthy indication that it's a collaborative between public and private. So, good stuff. So finally, you've talked a lot about the importance of workforce and it's a priority of yours. You even mentioned earlier in this conversation you consider yourself the chief recruiting officer at CISA. Could you share what you're doing more specifically to build CISA's employee population, its talents,
diversity, and how do you see that sort of diversified pool of talent sort of being critical to CISA's success?
>> Yeah, so, you know, the things that I've written and what I've told the workforce and what's been out there publicly, it really is for me all about people. Cybersecurity is not about technology, it's ultimately about people, so ensuring that we have a talent management ecosystem that can not just attract but retain the best in the world, who want to come to work at CISA, that's what I'm looking to build with my team. And that really starts out with the build of that ecosystem. What I mean by that, Matt, it's not just great recruiting, but it's onboarding, integration, coaching, reward, recognition, allowing for rotation and having a succession plan. So we are really looking at that employee experience in a very private-sector way. Much of what I'm doing is a lot of what I learned about people operations when I was in the private sector. What I'm really looking to do is cut down on a lot of the bureaucracy that we deal with in the hiring world and try to accelerate the ability to tap into great talent, diverse talent pipelines, and bring them onto the team and get them contributing as rapidly as possible. So that's sort of the big strategic picture. From a more tactical perspective I'd mention a couple of things. First, the focus on diversity: I mentioned our partnership with Girls Who Code, and we also this week released new grants, a million dollars each to the CyberWarrior Foundation and NPower, which focus on developing unrealized talent in underserved communities. That's fabulous. We're tapping into the groups that wouldn't necessarily think about cybersecurity as a profession, and so I'm excited about other opportunities like that. And the other thing I'm super motivated about: we're finally going to implement some new authorities that we got seven years ago, to enable us to hire and pay much more flexibly. So this new authority is called the Cyber Talent Management System, and essentially it takes people off the government scale, the GS scale.
>> Right.
>> It allows us to hire on the two things most important to me. Aptitude: I don't care what your degrees are, great, often, but at the end of the day I care about aptitude. One of my most technical, smartest people at Morgan Stanley had no college degree. It's really about the puzzle solvers, the intellectually curious, relentlessly, genetically wired to be collaborative people that we're looking for. So aptitude and attitude. Bringing in people in a more flexible way and paying them closer to market, and allowing us to bring people in and out of industry. Some people want to come defend our nation, and for everyone that wants to, reach out to me, and if you know anybody that wants to join CISA. At the end of the day, not everybody wants a career in government. And we have people who come in a year, a couple of years, and we'll kick off a program in a couple of months, I'm not going to give it all away here, but we're trying to increase opportunities to strengthen the connective tissue between the public and the private sector, because that's all about understanding each other, and that brings us trust. So very exciting stuff.
>> Well, it's interesting to think about the bridge from policy to practice in the context of human capital and talent. Can the private sector sort of, you know, feed the public sector from that bridge for a period of time? I mean, temporal talent and the right job at the right place at the right time is good for everybody, and I love the way you're thinking about the problem. It's clear that you are bringing a private sector view to this, and I ultimately think that will, you know, serve our country well, it will serve CISA well, and it will serve you well as well. So thank you for that, really, appreciate those perspectives. I've been in the software business for a long time, and like, the software is easy and the people can be messy. If we just cared for our people the same way we cared for our code bases, we might be well served by that. Great to hear your thoughts.
>> Technology easy, people hard.
>> And listen, it's an absolute
honor to be with you here today, on behalf of everybody at NVTC and the community. Thank you again. Tremendous things. [applause]
>> Thank you very much, Jen. Thank you, Matt, what a great conversation, and thank you for serving the country. We appreciate that very much.