CISA’s Easterly does it her way — and it’s working

CISA Director Jen Easterly/Photo courtesy of CISA via Flickr/Creative Commons

The director of the U.S. Cybersecurity and Infrastructure Security Agency proved her many detractors wrong and put in motion important programs that should outlast the current administration.

OPINION By DAVE DEWALT

The chief of the federal government’s civilian cybersecurity agency rang in the new year strumming chords on a Les Paul electric guitar and reciting some resolutions: “A is Automate your software updates,” she said in a video. “C: Complex, unique passwords and use a password manager. D: Don’t fall for the phish ... Super easy.”

Jen Easterly’s engaging, informal, even bohemian personal style, impeccable credentials and credibility among tech leaders have made her the strongest emissary for cyber resilience the country has seen since the dawn of the Information Age. Before serving as the second director of the U.S. Cybersecurity and Infrastructure Security Agency, she served as an intelligence officer in the U.S. Army, in the White House and in the intelligence community. She also led Morgan Stanley’s resilience efforts. All that has enabled her to bridge gaps between the government and the private sector, drive initiatives in government and rigorously implement executive orders to augment cyber resilience across the federal government.

As we approach the 2024 election, we should mark the progress under our current cyber leadership. While a presidential transition doesn’t necessarily require changing top cyber officials, it does warrant reflection on the legacy of the past four years as we move forward into a new administration.

With a comparatively tiny budget of $3 billion, CISA has carried out many of the foundational policies of 21st century cybersecurity, while issuing a stream of security alerts, technical documentation and best practices for corporations, local governments, educational institutions and private citizens. It’s a tall mission but an essential one. Within months of taking office, the Biden administration issued a cyber executive order that declared, “Protecting our Nation from malicious cyber actors requires the Federal Government to partner with the private sector.” The order removed barriers on information sharing and launched a process to establish basic cybersecurity best practices for the software supply chain, among other measures.

The White House’s October 2023 executive order set the framework for a governing artificial intelligence policy and called for “a society-wide effort that includes government, the private sector, academia, and civil society.” CISA has been tasked with major responsibilities in every recent executive order and White House directive, not to mention the legislatively mandated Cyber Incident Reporting for Critical Infrastructure Act of 2022. It has solidly delivered on each of these missions.

Under Easterly’s leadership, CISA has helped government agencies strengthen cyber resilience, enhanced the resources it provides to critical sector companies, and greatly improved its ability to help stakeholders respond to cybersecurity incidents.

Among the changes Easterly brought about is an effort to shift the risk created by poorly written software from the customer to the manufacturer. Participants in the agency’s Secure by Design program pledge to “prioritize the security of customers as a core business requirement, rather than merely treating it as a technical feature.” CISA’s secure design guidance holds that software must be delivered to users with certain baseline security features enabled by default, such as multi-factor authentication, security logging and single sign-on, rather than sold as premium add-ons. In short, Easterly’s campaign aims to ensure that faulty software and hardware are no longer treated as normal, and that the industry is pushed to invest in developing secure products.

Under Easterly’s tenure, CISA launched two major public awareness campaigns directed at individuals and families on how to improve cybersecurity practices. In true Easterly fashion, she promoted one campaign, called “Secure Our World,” by singing about it on stage with a full rock band.

Tech companies have long been wary of federal agencies. But with U.S. cyber infrastructure under constant attack from hackers, cooperation isn’t a nice-to-have, it’s a must-have. “CISA is not a regulator, we’re not a law enforcement agency, we’re not an intel agency, we are not a military agency,” Easterly said at the Atlantic Council this spring. “We are a partnership agency. We operate by, with and through partners, and our success is entirely predicated on our ability to catalyze trusted partnerships with our stakeholders.”

With initiatives including the Joint Cyber Defense Collaborative and the Cybersecurity Advisory Committee, on which I serve, Easterly meaningfully brought agency stakeholders, including software developers, critical sector companies, state leaders, investors and peers at other federal agencies, into the fold. Laying this groundwork for public-private collaboration will be indispensable as we seek to understand what happened on July 19, when a faulty update to a widely used CrowdStrike product unintentionally crashed the computer systems of tens of thousands of companies worldwide. The strong foundation of public-private cooperation that Easterly has established with private sector partners means that inquiry won’t happen in a vacuum, but rather within battle-tested, multi-stakeholder bodies designed for the exact purpose of reviewing and learning from such large-scale information technology incidents.

Some of her critics have implied that Easterly’s high profile distracts from the agency’s mission and that her theatrics are unseemly for the head of one of our nation’s most important security agencies.

Yet she is unapologetic and unafraid to call out the industry and force change, largely by using positive incentives. It turns out tech chieftains, consumers and senior federal officials can be led and rallied by a leader who wears embroidered bell bottoms and black biker jackets to work. Haters should take note, and other government leaders, especially in national security, should take a lesson.

The change of administration in 2025 could mean that Easterly will leave her post. If that occurs, we should thank her for her service and do whatever we can to support the incoming director. None of us should want to let CISA’s progress and undeniable momentum grind to a halt. Chinese attack campaigns like Volt Typhoon and Russian ransomware gangs won’t take a time out to allow for a change in leadership in Washington, and it’s imperative we continue the good efforts made and charge forward because, unfortunately folks, time ain’t on our side. No, it ain’t.

Dave DeWalt is founder and CEO of NightDragon, a venture capital and advisory firm. He is a four-time CEO who has held more than 40 board of director roles at companies such as Delta Air Lines, Optiv, Five9 and Mandiant.