
The Just Security Podcast
Just Security is an online forum for the rigorous analysis of national security, foreign policy, and rights. We aim to promote principled solutions to problems confronting decision-makers in the United States and abroad. Our expert authors are individuals with significant government experience, academics, civil society practitioners, individuals directly affected by national security policies, and other leading voices.
A Conversation with Jen Easterly: Cybersecurity at a Crossroads
In recent years, the United States has sustained some of the most severe cyber threats in recent history, from the Russian government-directed hack of SolarWinds to China's prepositioning in U.S. critical infrastructure for future sabotage attacks through groups like Volt Typhoon. The Cybersecurity and Infrastructure Security Agency (CISA) is responsible for responding to and protecting against these attacks.
How do leaders steer through cyber crises, build trust, and chart a path forward?
In conversation with Dr. Brianna Rosen, Just Security Senior Fellow and Director of the AI and Emerging Technologies Initiative, Jen Easterly, who just completed a transformative tenure as Director of CISA under the Biden Administration, unpacks the challenges, breakthroughs, and lessons from the front lines of America’s cybersecurity efforts.
- Jen Easterly
- Just Security’s Cybersecurity coverage
- Empathy Matters: Leadership in Cyber by Jen Easterly (2019)
Brianna Rosen: At a time when ransomware attacks are shutting down hospitals, foreign adversaries are infiltrating critical infrastructure systems, and AI is reshaping the cyber threat landscape, how do policymakers build technological resilience and maintain public trust? Few people have confronted these challenges more directly than Jen Easterly. As director of the U.S. Cybersecurity and Infrastructure Security Agency, CISA, under President Biden, Jen led the nation's frontline defense against some of the most severe cyber threats in recent history, from the Russian government-directed attack, SolarWinds, to China's pre-positioning in U.S. critical infrastructure for future sabotage attacks through groups like Volt Typhoon and Salt Typhoon. She's built cyber defenses at the highest levels across the public and private sectors, whether at Morgan Stanley, the U.S. Cyber Command, or from inside the White House.
This is the Just Security Podcast. I'm your host, Dr. Brianna Rosen, Senior Fellow and Director of the AI and Emerging Technologies Initiative at Just Security. In this episode, Jen reflects on leading through crisis, why public-private partnerships matter more than ever, and preparing the next generation of tech policy leaders to deal with emerging challenges, from a changed cybersecurity landscape to AI and the quantum revolution.
So Jen, you recently stepped down as director of the U.S. Cybersecurity and Infrastructure Security Agency, CISA, after serving during the Biden administration, and you've had a long career in the private sector and public service, whether building Morgan Stanley's cybersecurity fusion center, or the U.S. Cyber Command, or serving twice in senior roles in the White House, among many other positions. So, it's safe to say that you've literally seen it all.
In your view, what are some of the biggest challenges that CISA and the U.S. government more broadly are facing when it comes to tech policy, particularly in the current geopolitical climate?
Jen Easterly: Yeah, so I think it's important to ground any conversation about the policy in the threat environment. And when I look back on the arc of that career, from West Point to the White House to Wall Street and then back to lead America's cyber defense agency, one thing remains constant, and that is the threat landscape never stops evolving. And it's a landscape of danger that's really been propelled by a data revolution, and one that is being and will be further turbocharged by powerful AI. And we're already seeing that in terms of use of generative AI for accelerating spear phishing and social engineering and even creating deepfakes. We saw that certainly during the 2024 election period.
I would say, though, across that landscape, the one specific threat that really, I think, gave me pause — and that's a career of seeing a lot of very serious threats, to include our work together in the world of counterterrorism — and that was this threat from nation-state hackers from China, the PLA, the People's Liberation Army, you know, colloquially Volt, Salt Typhoon, although, you know, I don't love those titles. But this was a different threat than we've seen from China, which typically was all about espionage and intellectual property theft. This was about disruption, right? Embedding deeply into our most sensitive critical infrastructure, not for espionage, not for intellectual property, but rather to launch disruptive attacks in the event of a crisis in Taiwan. So, mass disruption, everything, everywhere, all at once, water unavailable, power going down, comms severed, trains derailed, all to incite societal chaos and panic and prevent the U.S. from marshaling military might and citizen will in defense of Taiwan.
So, that was very much a different threat in kind that mandated that we take a different approach. And we really took, you know, a very interagency approach to include, you know, working very closely with the private sector, which of course, owns and operates the vast majority of critical infrastructure. So, when you think about that threat, different in kind, when you think about the response that that required, both in terms of collaboration with the private sector, working with the Department of Defense to marshal a credible deterrent in terms of cost and position, working on things like sanctions and export controls, working on things like norms — that really shows you sort of the policy aspects of that. And I think it's important to sort of look at that contextually as we move forward and figure out how to more effectively manage the threat environment going forward.
Brianna: You mentioned Salt Typhoon and Volt Typhoon, and of course, you were also in office during SolarWinds and a wave of ransomware attacks on critical infrastructure such as U.S. hospitals. And so these are, you know, very serious attacks where literally lives are on the line, or could be put at very serious risk. I just wonder, how do you think about leading through these times of crisis? Or if a very serious cyber-attack were to occur that literally impacts human lives, what are some lessons that you can offer to those still in public service now about how to lead during times of crisis?
Jen: I think the first thing is, we cannot — any leader has to work hard not to suffer a failure of imagination. This was a lesson I took from my time when I was a young Army major working for Condoleezza Rice in the wake of 9/11. I was there in the White House from 2002 to 2004 and then with her as she testified before the 9/11 Commission. And I've told this story a lot, because it is very meaningful to me and had a real impact on my career. And you know, the vice chairman of the 9/11 Commission, a guy called Tom Kean, former governor of Virginia, talked about how on that day, we were not prepared for a threat that had been gathering for some significant amount of time. It was a failure of policy, a failure of management, a failure of capability, but above all, a failure of imagination.
And so, when I talk to, whether it's policy makers, whether it's junior analysts, whether it's businesspeople, I talk a lot about the importance of embracing imagination, because you have to be able to understand the best and worst of the threats that can happen. In particular the worst-case scenario, to plan for it, to prepare for it, to train for it, to exercise against it, to practice crisis communications around it, which is incredibly important, but really, to expect disruption. Leaders should not be surprised by the range of threats that can impact business and frankly, in a highly connected, highly vulnerable world, disruption, in my view, is inevitable.
So, the more that we have thought about the range of threats and prepared for them, the more we will be effective in making sure we can respond faster, recover faster and emerge stronger, what I typically call not just bouncing back, but really bouncing forward, bouncing forward in a more resilient way, so you can be better prepared for the next disruption.
Brianna: Yeah, and I suppose, if you talk about the failure of imagination, I suppose that's one of the skills that's not really taught in federal government service, or that can be quite difficult to teach and to learn. So, I wonder if you have any just brief reflections on what are some of the tools to strengthen that capacity for imagining, kind of, and responding to that?
Jen: Yeah, I gave a whole talk on this several years ago at the Grace Hopper conference, and a lot of it is rooted in my upbringing. I grew up in this family that was all about games, very competitive, card games, board games. I loved video games.
Brianna: You're well known for your Rubik's Cube.
Jen: Exactly, and so, you know, that hit the world when I was 11, and I got obsessed with solving it, and once I was able to solve it, or really get it under two minutes — and this was the pre-YouTube days, so it's pretty hard.
Brianna: Pretty impressive.
Jen: And so, I would go around to the toy stores in the area, and I would make this bet with the clerk or the toy store owner. It was all brick and mortar back then, toy stores, you know. And I would make a bet, if I can solve that Rubik's Cube in less than two minutes, will you give me a free one? So, I amassed this great collection of Rubik's cubes.
Brianna: Now we know why you have so many.
Jen: Exactly, I've been doing it my whole life. But you know, what I really took away from that was, just, I was ten, right? Ten, 11 years old, little freckles, and, you know, a little kid. And there was just this shock and amazement at this little girl solving this seemingly incredibly, you know, impossible puzzle. And to me, it taught a lot about, look, if you believe in yourself, if you imagine something, you can achieve it. And that's been a thread that I've pulled throughout my entire career that was, you know, further emphasized when I heard those words of Tom Kean, but to me, I think there are a couple of things you can do to train yourself. First of all, I think reading is really, really important. You know, reading all kinds of things, whether it's science fiction or literature, but also history. We need to understand history and, as you know, history doesn't necessarily repeat itself, but it does rhyme or it does plagiarize. So, we really need to understand history to be able to set good policy going forward.
I think it's really important to be a good writer, and you become more creative when you actually have to put pen to paper. You know that because you do a lot of writing. I think, you know, the third major thing is really actively being a good storyteller. And this is also important in cybersecurity. And I found this out when I was at Morgan Stanley, and we brought a lot of clients to the cybersecurity fusion center. And if you talk to people who are not technical, who are not familiar with cybersecurity, about threats in a way that just scares the hell out of them, their brains will shut down, and they'll want to run away and go sit in a dark room by themselves, right?
You need to be able to make the story of cybersecurity come alive in a positive way where, yes, you can talk about the types of threats, but talk about them in a way that shows how we are actually defending against these threats, protecting businesses, protecting families, protecting communities, and, you know, people. That's sort of the history of the world. It's all about stories, and so, you know, if you actively work to be able to tell stories and to embed what you're trying to teach in powerful stories, I think that will also help to hone your imagination.
Brianna: And of course, part of being a good storyteller is being a good listener, being a good active listener and being able to connect those historical threads that you mentioned. So, what are the lessons learned from cyber that apply to AI, that apply to quantum? We’re not reinventing the wheel every time. I think that's such an interesting point that's so often underappreciated in a highly technical space in particular.
You touched a bit on the importance of private-public sector collaboration. I know that's a key theme running throughout your career, and you've built very significant relationships across state and local governments and with the private sector to respond to cyber threats, whether it's election-related threats or critical infrastructure threats or others. I wonder if you could just walk us through a little bit how these partnerships have helped in responding to major cyber incidents, and what more do you think is needed going forward to really strengthen coordination?
Jen: Yeah, you know, you mentioned SolarWinds. I was actually still at Morgan Stanley during SolarWinds, or when it first was discovered. It was interesting. I was on the transition team for Biden-Harris, but I was also at Morgan Stanley at the same time. So, I actually saw it from a policy perspective because I was head of cyber policy. So, I saw it from that perspective as well as in my job at Morgan Stanley. Really interesting.
And one of my observations was that the government was sending mixed signals to the private sector in a really unhelpful way. I mean, I remember right after news of SolarWinds broke, we saw one advisory that came from CISA specific to Orion, which was the software platform that was co-opted by Russian hackers. And then a couple of days later, there was a separate product coming out from the National Security Agency that was about VMware, and it talked about identity compromises, but it wasn't clear that these were at all related. And, you know, there were no double seals, and so it was, you know, confusing to the private sector and Morgan Stanley. We didn't have SolarWinds, but we had a lot of VMware.
And it was one of the reasons that sort of motivated me to come back into government. Because, you know, I'd been in the government for 27 years before I went off to Morgan Stanley, and I knew the power of the federal government across, you know, the White House, across the intelligence community, across the Department of Defense, across the Department of Homeland Security, and that can be an incredibly powerful support for the private sector, which owns the vast majority of critical infrastructure. So, if you can operate coherently, you can add a lot of value. If you're operating in sort of tribal, disconnected, fragmentary ways, you can actually do a lot of damage.
Now, fortunately, the Cyberspace Solarium Commission had just come up with a bunch of recommendations that had been instantiated in law, to include this idea of a joint cyber planning office, which we stood up as the Joint Cyber Defense Collaborative. And the idea was one platform for the federal cyber ecosystem, CISA, NSA, FBI, CyberCom, and then what's called the sector risk management agencies, so for the financial sector, Treasury, for energy, the Energy Department, but bringing them together in a coherent way, so that you can then work together with industry, and not just industry, though, with over 100 international partners, with state and local partners, and even to some extent with nonprofits, as we were working on things on the Secure Our World side. How do you proliferate cyber hygiene?
And so, the idea was one platform, scalable ways of sharing information, not this sort of episodic, transactional, bilateral emails. But you know, whether it's tools like Slack, but an ability to share information to focus on planning against significant threats and then defensive operations. And you know, we stood that up in August 2021, and pretty soon we had to put it in action against a real threat stream, which you'll remember, Log4j, one of the worst software vulnerabilities in the world, that emerged in early December of 2021. And as I think you'll recall, we had, certainly at CISA, but across the community, a significant concern that we were going to see businesses, large and small, around the world suffer devastating cyber-attacks. But it didn't happen. And I think one of the reasons why it didn't happen is we had built this community, a community with partners around the world, but also with security researchers. And the researchers were coming up with ways that Log4j could be weaponized by different threat vectors, and they would share that information. That information would then be shared widely through our convenings and coordination and partnerships, and then companies would be able to build cyber defenses against those specific threat vectors. And that happened over and over and over again. So, it's sort of a canonical example of the network effect of operational collaboration and action. And then we put that into play a couple months later with the Shields Up campaign, right, you know, where we worked to help protect businesses across the world from the, you know, scourge of Russian retaliatory cyber-attacks.
And so, at the end of the day, it's really, it's a hard thing, because you're asking companies to share information, but you are also trying to get the government to add value in a way that really is manifestly helpful to the private sector. And so, you know, there was a lot of work that we did on it, but a lot of it is, you have to suspend disbelief that the government is, you know, just there to regulate you or to slow you down, right? We were a voluntary agency. We weren't law enforcement, we weren't a regulator, we didn't collect intel, we weren't military. We were all about adding value, but making sure that companies understood that prospect — because we were also a very new agency, about two years old when I came in, two and a half years old — and so, you know, that was the other challenge.
And it's an ongoing challenge. And, you know, I think we've seen that there's been some loss in capability and capacity at CISA. There's been an exodus of some of the best technical talent during the Trump administration. You know, cyber doesn't work if it's not rooted in collaboration and trust. And as we know, people don't trust institutions. They trust people. And so, having people out there who have not just the right technical skills, but the right collaborative skills, people who you want to work with, is really, really important. So, I hope when my successor, who's been named, gets into the job, they will continue to push and catalyze those trusted partnerships across all elements, whether it's international, state, local, private sector.
Brianna: You talked about the importance of systematic and sustained information sharing mechanisms between the public and private sectors as being key to that continued collaboration, and I know one of the things that's been on your mind recently is the announcement by Microsoft and CrowdStrike about this new strategic collaboration to improve cyber threat sharing, specifically by aligning threat actor taxonomies. I wonder if you can walk us through for a lay person, why this is so important for cyber defenders, and how it will actually help security professionals speed up the attribution and response process?
Jen: Yeah, well, I think, I welcome collaboration among cybersecurity companies. I think that's really important. And frankly, CrowdStrike and Microsoft were plank holders for the Joint Cyber Defense Collaborative. As I mentioned, it started in August of 2021, and so, you bring together the power, the talent, the research capabilities of the big cybersecurity vendors. I think that is a net positive for the world of cyber defenders. I think anybody that's listened to things that I've said, I think, realizes that I think we should call them villains. You know, these are nation-state hackers, China, Russia, Iran, North Korea. They're cyber criminals focused on stealing our data, locking it up and forcing us to pay for it, and in some cases, as I described earlier, disrupting the critical services that we rely upon every day, you know, but yet we give them names that imply power and charisma, whether it's Fancy Bear or Nemesis Kitten or the Lazarus Group, Midnight Blizzard, Volt Typhoon. I think we should call them things like Scrawny Nuisance or Weak Weasel, Feeble Parrot, or my personal favorite, Doofus Dingo.
But we use names that imply, you know, that we're in awe of these characters, even advanced persistent threats. We talk about, you know, sophisticated exploits or the dreaded zero day, like, at the end of the day, I think we give these villains too much credit, and we should refer to them as villains. Or, you know, I've heard other people refer to them as dirtbags. But whatever we do, we shouldn't give them these, you know, names that imply great charisma. That's sort of number one. I think we should actually call them what they are, the Chinese People's Liberation Army, Russian intelligence, right? I think that's important for people to understand who they are going up against and who is going after us.
But secondly, while I absolutely welcome and applaud the collaboration between competitors, in this case, Microsoft and CrowdStrike, I do think we need to get to one naming convention, and I think that actually is much more helpful for cyber defenders, not to have to, you know — there's no Rosetta Stone that says, you know, this Fancy Bear is whatever it is on the Microsoft side — but let's just have one set of naming conventions. And I welcome the fact that they were going to put a working group together, so hopefully that is the end state. But I don't buy the argument that because of, you know, the way they do attribution, or the different telemetry, they can't come up with one unified mechanism, naming convention. We've done it in all kinds of other fields, and maybe there's a role for the government in this.
And you know, it's good that private sector companies, through their enormous resources, can help drive government attribution to be faster and more agile, but this, I think, requires a community approach.
Brianna: Of course, we'll delve more into what the public sector can do and what that might look like in your forthcoming article with Ciaran Martin in Just Security. But I think the point about calling out how a lot of these state-sponsored groups are actually cyber criminals, and emphasizing the criminal nature of the activity, is a key point.
Jen, we're sitting here in Oxford in the United Kingdom. I wonder if you could briefly offer any thoughts or advice for key U.S. allies and partners that are trying to now work with this new Trump administration on strengthening not just cybersecurity, but AI security, preparing for the next quantum revolution. Are there any words of wisdom that you might offer to policymakers in key allies, particularly in the transatlantic setting?
Jen: Yeah. I mean, it's, you know, well, a lot has gone on over the last four and a half months. I guess it still is relatively early days. I think we've seen some signs of how technology policy is going to shift. There was just recently a new EO that was put out around cybersecurity. I think there's some, you know, shift in focus on AI security and standardization. So, you know, partners should keep a close eye on what the administration is saying.
I think at the end of the day, this is where I hope things end up because, you know, cybersecurity certainly is not political. It's not a partisan issue. It really is all about national security, and I think we politicize cybersecurity at our peril. The other thing I would say is, as opposed to some of the other levers of power, whether it's sanctions or norms or offense in particular, you know, cyber defense is very similar in the U.S. as it is here in England, as it is in Europe, as it is in partners around the world, which is why we have these incredible, incredible partnerships with over 150 countries, right?
Brianna: And many of them have set up CISA-like organizations.
Jen: Absolutely. And we tried very hard, going back to my earlier point about different products in the wake of SolarWinds, you would look at CISA products, and we always tried to multi-seal because, you know, cyber defense is the same here, generally, as it is in other countries around the world. So, it's great, whether it's a Secure by Design or an AI security document, having, you know, the NCSC and the Canadian Cyber Security Centre and ACSC and countries in Europe and Singapore and Israel all signing on to that, so you have that coherent, unified approach to how you can drive down risk to your critical infrastructure. I always thought that was incredibly important, and I hope that continues.
And frankly, you know, I watch closely the products that come out from across the cybersecurity community, and I've seen continued products from CISA that are all multi-seal. There was just one recently on secure AI. And I find that to be encouraging. So, I think, you know, you'll see some rhetorical shifts, certainly.
I think the one thing that gives me a little bit of pause, that I think our allies should really track closely, is, you know, we took a very multifaceted approach by design. You know, you could read the 2017 article from Professor Joe Nye on deterrence and dissuasion in cyberspace, and he talks about deterrence by threats of punishment, deterrence by denial, deterrence by norms, deterrence by entanglement. And when you look at the response, for example, to Volt Typhoon, you know, it was about deterrence by denial, strengthening defenses. It was working with the State Department on norms. It was working with DoD and Treasury on the cost imposition things like sanctions, and then work done by Commerce and Treasury on the economic entanglement. I think, you know, just over the past four months — and I don't want to cartoon it, because I'm sure there's much going on that I'm not paying close enough attention to — but I think we've seen, you know, a little bit of the dismantling of parts of CISA, a budget that was at $3 billion, I think, has gone down to $2.5 billion, which is still considerable, but it's also lost, you know, a considerable amount of the top technical talent that we hired, so that undermines the ability to deter by denial and resilience. I think we've seen an erosion of norms. I think we've seen a move from entanglement, certainly economically, to more of a coercive approach. And then rhetorically, from a policy perspective, you hear a lot about taking the gloves off and punching back.
And I think at the end of the day, we should be really, really mindful of the stark societal asymmetries of just over-rotating towards offensive cyber operations, because certainly when it comes to China, Xi and the Chinese people arguably have a much higher threshold for pain. And so, I want to — my hope is that working with our foreign partners, moving forward, you will see more of a reverse to using all levers of power, because I think that's the most effective way to actually marshal a credible deterrent to adversary attacks, in particular on critical infrastructure.
Brianna: As you said, it will be crucial for allies and partners to watch closely where the U.S. is headed, not only to align key strategic approaches, whether on AI security or quantum or learning lessons from past cyber cooperation, but also to potentially fill key gaps that might emerge if the U.S. steps back. Where can other countries like the U.K. be?
Jen: I mean, I think a good example of this is some of the legislation that Europe is putting in place, to include the Cyber Resilience Act, which I think is important. You know, I am not somebody who loves regulation. I came from a highly regulated industry at Morgan Stanley, and I saw things like fragmentary, duplicative regulation risk becoming box checking, operational risk reduction. And so, I've argued strongly for, like, a harmonious, harmonized approach. You know, one of the things that I found extremely annoying when I was at CISA was the SEC had come up with this other cyber incident reporting rule while CISA was going through rulemaking for CIRCIA, the Cyber Incident Reporting for Critical Infrastructure Act. And so, you know, the private sector looks at this and it's just confusing. And I know that, having been in the private sector.
I do think if regulation is done right, it can actually have a lot of benefits, and we've seen that from GDPR, right? We don't have a national privacy regulation in the U.S., but at the end of the day, a lot of the multinational companies that operate in Europe have had to adhere to privacy regulation, which, you know, I think everybody should, like, look at the importance of privacy in your data.
And I think that the CRA, which, from a technical perspective, is very consonant with some of the principles that we had articulated within the Secure by Design campaign, I think that will be good in sort of setting those global standards. And as I've argued, publicly testified, I think at the end of the day, we need to have some sort of a software liability regime that holds vendors accountable for not following secure development practices, but also has safe harbor provisions that will protect those companies who do responsibly innovate using secure development practices. And so, I'm hoping that we can sort of see this move towards a global set of standards that ultimately is designed to protect the customers of software, which is all of us.
Brianna: Jen, you've inspired an entire generation of cybersecurity leaders, particularly women in cyber and national security more broadly, including myself. If you could go back to your first day at CISA, or indeed even back further to your early days in government, what would be the one piece of advice that you would offer yourself?
Jen: Well, you know, there was a famous old-time actress in the U.S. named Mae West, you probably are too young.
Brianna: I remember.
Jen: Yeah, and she has this great line: “You only live once, but if you do it right, once is enough.” So, in most experiences in my life, and certainly CISA, I would tell myself, make the most of every second of the day, because, you know, most of my life has been about leadership, and that's a real responsibility. Whether you're responsible for the lives of your soldiers, you're responsible for, you know, the counterterrorism policy of the nation, you're responsible for the cybersecurity of a top financial firm, you're in charge of the cybersecurity of the nation. It's a huge responsibility, and you can make a very positive difference in the lives of others. But it's also a sacred trust, and so, part of this is being true to yourself, but also, you will be good at things if you are enjoying them. So, make the most of every second of every day. Don't take yourself too seriously. Take the mission seriously and stay true to who you are.
Brianna: And maybe do something, one thing that scares you every day.
Jen: That's a good way to do it, too.
Brianna: Thank you so much for sharing your insights with us, and indeed, for your public service and everything that you've done to keep the U.S. and the global community safe from cybersecurity attacks.
Jen: Fantastic. Thanks so much, Brianna.
Brianna: That was Jen Easterly, former director of CISA, military veteran, and a true rock star in the cybersecurity world, on what it takes to lead through complexity, crisis and change. This episode was hosted by me, Brianna Rosen, and produced by Maya Nir. Special thanks to Jen for sharing her time and insights and to you for listening in. For more on cybersecurity, emerging tech and national security, visit us at our website, justsecurity.org, and if you liked this episode, please leave a five-star review on Apple Podcasts or wherever you listen. Until next time. This is the Just Security Podcast.