EXCLUSIVE INTERVIEW — A top U.S. cybersecurity official said Wednesday that as she prepares to leave office, China-backed attacks on American infrastructure pose the gravest cyber threat to the country. And she believes they will get worse.
Jen Easterly, the Director of the Cybersecurity and Infrastructure Security Agency, called recent Chinese cyber intrusions the “tip of the iceberg,” and warned of dire consequences for U.S. critical infrastructure in the event of a U.S.-China conflict.
“This is a world where a war in Asia could see very real impacts to the lives of Americans across our nation, with attacks against pipelines, against water facilities, against transportation nodes, against communications, all to induce societal panic,” Easterly said during the Winter Summit of the Cyber Initiatives Group Wednesday.
Cyber attacks have increasingly targeted U.S. critical infrastructure — whether the attackers are seeking ransomware or aiming to do damage at the behest of America’s adversaries.
Hackers tied to Iran, Russia and particularly China have been accused recently of seeking to breach cyber defenses in the transportation, communications and water sectors — for a variety of reasons and with a range of success. And as experts often tell us, these elements of the nation’s critical infrastructure are only as safe as the weakest links in a complicated system that sits primarily in private sector hands.
Easterly spoke Wednesday to Cipher Brief CEO Suzanne Kelly in a special session of the Cyber Initiatives Group Winter Summit, about the breach known as Salt Typhoon and why the U.S. government, some six months after discovering the espionage hack believed to have been launched by China, is still struggling to help get hackers out of the systems of U.S. telecommunications companies.
Jen Easterly
Jen Easterly is Director of the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security. Before accepting this role, Easterly was Global Head of Firm Resilience and the Fusion Resilience Center at Morgan Stanley. She previously served as Special Assistant to the President and Senior Director for Counterterrorism and as Deputy for Counterterrorism at the National Security Agency.
This interview has been edited for length and clarity.
Kelly: I’m sure if there are two words you wish you had never heard, they might be “Salt Typhoon.” Both CISA and the FBI have said that spies linked to China are still inside U.S. telecommunications systems, even though it’s been six months now since the government began investigating. What can you tell us about what you’ve learned in the past six months?
Easterly: I think it’s important to recognize the trajectory of this threat from China. Many who’ve been in this business for a long time will recall that some 10, 15 years ago, even as we were looking to develop the plans for, and then to build the U.S. Cyber Command, the big threat from China was all about data theft, espionage, intellectual property theft. And certainly we continue to see that, with this latest intrusion campaign into telecommunications infrastructure.
But to me, the big story from the last couple of years that everyone should be paying attention to – businesses large and small, critical infrastructure owners and operators – is really about the actor that is known as Volt Typhoon, that has been working to embed and burrow into our most sensitive critical infrastructure. Not for espionage, but rather for disruption or destruction, in the event of a major crisis in the Taiwan Strait.
So this is a world where a war in Asia could see very real impacts to the lives of Americans across our nation, with attacks against pipelines, against water facilities, against transportation nodes, against communications, all to induce societal panic. And to deter our ability to marshal military might and citizen will.
And that is a very real, not a theoretical threat. And we know it because our hunt teams, working with federal partners and industry, have gone into certain entities. We’ve identified these actors, we’ve helped the private sector eradicate them. But we think what we’ve seen to date is really just the tip of the iceberg. And that’s why we’ve been so focused on talking about the importance of resilience.
We cannot not architect systems for complete prevention. We need to architect them for an ability to adapt, to be able to deal with disruption – to respond, to recover, and to really prepare for that.
Kelly: A recent alert encouraged people who aren’t already using encrypted messaging apps to start using them. It feels like we’re at a point where the general public really needs to have a better understanding of cyberspace and how it touches their everyday lives. How are you thinking about how to make cyber more accessible to more Americans?
Easterly: I’ve been trying to do that for three and a half years. So hopefully, there’s been some progress. When I think about the key initiatives that we’ve been focused on at CISA, there’s having those discussions with CEOs and C-suite executives and board members about the importance of corporate cyber responsibility, really embracing cyber risk as a core business risk and as a matter of good governance. That’s one piece.
A second piece is this idea of the need for technology vendors to design and build, test and deliver technology that prioritizes security. For decades, vendors have been pushing out products that have prioritized speed to market and features over security.
We’ve been working really hard with our partners – we had a pledge that we unveiled, and we had 68 companies sign up. We’re now at over 250. This is becoming a movement, and one that’s really, really important. I’m not so naive to think this is change that we’re going to catalyze in days, weeks, months, or even a year. But we’re getting this movement started, and getting the momentum so that companies understand what they need to do to build secure products.
We have also really tried to champion the basics of cyber hygiene. And that’s through our Secure Our World Campaign – folks might’ve seen all of our cyber Schoolhouse Rock PSAs. This is really about getting the American people to understand the basic things that they need to do to keep themselves safe, their family, small businesses.
It’s those four things: installing updates; complex, unique passwords for your sensitive accounts, ideally a password manager so you really only have to remember one complex password; making sure that your employees are trained to recognize and report phishing; and then, finally, multi-factor authentication. Those four basic things that we’ve been advocating for can prevent 98% of cyber attacks, is what the research shows. It’s the brushing your teeth, the washing your hands, of cyber.
And if you want to ensure that your communications are secure – your texts, your voice comms – it’s important for folks to understand that end-to-end encrypted comms are the best way to do it. You can pick your platform. Obviously, from an enterprise perspective, there are some rules in place in terms of data retention, so companies need to understand what the options are. But at the end of the day, the encrypted comms piece is incredibly important, particularly in a world where we know that our adversaries have attempted to, and succeeded in, exploiting our telecommunications.
Kelly: Let me ask you about ransomware. It’s still a massive problem. How are you thinking about protecting businesses from ransomware now? And I’m really interested to know how your views on it have changed since you’ve been in the director role at CISA.
Easterly: It continues to be a big problem, but until we get the cyber incident reporting for critical infrastructure into place, sometime next year, we really won’t have an idea of what the full range of the ransomware ecosystem is, because I’m sure there are a lot of entities that have had a ransomware attack and it hasn’t been reported.
It really has been a scourge. We have seen impacts that we know about on businesses large and small.
Since I came into this job, we’ve been focused on this through our stopransomware.gov one-stop shop of all the resources, to help entities understand where they may have external-facing vulnerabilities that we know are being exploited by ransomware actors, and our pre-ransomware notification initiative, where we have actually put out over 3,600 warnings to entities in the country, across the world to prevent them from having a ransomware attack. We are doing a lot of work on this.
But look, it’s very tied to this issue around secure-by-design. These ransomware actors are not using exotic, previously unknown vulnerabilities to be able to exploit these entities. They’re using well-known public vulnerabilities, generally, and essentially it’s because many of these entities are using technology that has not been built to be secure. Oftentimes, we’ll say these entities didn’t do X, Y and Z. And that’s a piece of it, depending on the entity and who they are and their level of security team and how much investment they’ve done. I’m not absolving entities, necessarily, of their responsibility to keep their customers safe, but at the end of the day, I think we should stop looking at the victims and stop saying, why didn’t you patch that piece of technology? And really ask the question, why did that piece of technology require so many patches?
Secure-by-design is not going to solve the problem, but I do think ensuring that the technology that we rely upon every day for our critical infrastructure is built specifically to dramatically drive down the number of flaws and defects, we will see a world that is much more secure.
Kelly: Since you’ve been in this role, have you seen the private sector’s willingness to share information with the government, which has always been a touchy subject, have you seen it increase? Have you seen those bonds of trust really strengthen?
Easterly: This is one of the reasons I came back into government. Looking at government from the private sector, it was very hard to discern how to effectively collaborate with the government, because we saw so many different actors telling us different things. There was a real lack of coherence. And that is something that I have really tried to champion along with my awesome teammates here.
I don’t think we can underestimate what a paradigm shift this is. At the end of the day, we are asking companies three things: First, for any business that is a critical infrastructure owner, or operator, to recognize that a threat to one is a threat to many, given the connectivity, the interdependence, the vulnerability, the underpinning of some very complex supply chains. We’re seeing that with respect to telecommunications infrastructure, certainly. And so it can’t just be about self-preservation, it really has to be a focus on collaboration, in particular with the government.
The second point is there also needs to be a recognition that even as we’re asking the private sector to work closer with the government and to provide information, the government has to be coherent. The government has to be responsive and transparent, and for God’s sakes to provide value.
And then third, it has to be a frictionless experience, as much as possible. And that’s what we have tried to build through the Joint Cyber Defense Collaborative. We started out with 10 companies, we’re now at over 350, over 50 different communications channels where we are sharing information, enriching it with what we know from the federal government perspective, and then planning against some of the most serious threats to the nation.
I do think it’s been going well, but this is a major paradigm cultural shift. And getting companies that are sometimes competitors to work together from a collective defense perspective is going to continue to be a project. But I’ve been really pleased to see a lot of our great teammates in the private sector come to the table to focus on what they can do to ensure the collective defense of the nation.
Kelly: Transition between administrations is usually a time of target. Have you noticed anything different [since Election Day]? Have you seen an increase in state-actor or ransomware attacks?
Easterly: No, not specifically, but it wouldn’t surprise me. Threat actors are always looking for those points where there may be leadership turnover, churn, uncertainty, anxiety in the workforce. Change is hard for everybody. So it’s not a surprise.
I’ve been through several transitions. I was in the transition from the Obama administration to the Trump administration, and I was on the transition team from the Trump administration to the Biden administration. We at CISA have been looking at our succession planning for months, and I am very, very confident in my senior leaders. The vast majority of CISA is civil servants. And so we have fantastic leaders who are very experienced, and I’m very confident that even if threat actors tried to take advantage of this period of time, or to cause some sort of havoc across the larger threat landscape, that we are prepared along with our partners to be able to respond effectively.
Kelly: Does CISA need more funding to help prevent ransomware attacks on critical infrastructure in the coming years?
Easterly: We’re now at about a $3 billion budget. I think eventually there will need to be growth in both capability and capacity. In terms of ransomware specifically, I wouldn’t focus on specific funding. If I were to advocate for additional funding in the near term, it would really be about this counter-China campaign, and all of the things that we’re trying to do to reduce fundamental risks to our most sensitive, critical infrastructure. I think that’s where we need to focus.
Kelly: You have been in this role for nearly four years now. I would love to get your thoughts on how this role has changed you over the last almost four years. What are you taking away from this job and what do you hope to be able to share with whoever may fill this role under the new Trump administration?
Easterly: Well, first, whoever takes the job, please know that I am here as a resource. When I took this job, [former CISA Director] Chris Krebs was a fantastic teammate and partner. At the end of the day, CISA is a non-political, non-partisan agency. I look forward to having conversations with whoever gets named as my successor. And the first thing I’d say is, you are getting the best job in government because this truly is an amazing place to work. This has been such an absolute honor to take something that was pretty new – CISA is only six years old – and work with this incredible team to build our capability, to build our capacity, to see the budget grow and to really develop operational capacity off that.
I think the key lesson learned is the vital importance of one five-letter word, and that’s “trust.” CISA is not a regulator. We’re not an intel collection agency. We’re not a law enforcement agency. We’re not a military agency. Everything we do is by, with and through partners and predicated on our ability to catalyze trust, whether that’s with industry, whether that’s across the federal government, with state and local officials, with election officials. It’s a place we really started out with zero trust and were able to work to much higher trust.
And the only way to do that is to get out and engage with people. That’s why I spend so much time across the country, across the world, traveling, explaining what we do, the value that we add, our no-cost services, how we can help everybody across the board.
It’s really interesting when you think about the levels of trust in the federal government these days, they’re pretty low. And I think a lot of that is because we’re all in our digital world, where it’s very hard to have conversations with people where you can sit across the table and look them in the eye. Even if you really disagree with somebody politically, I think if you sit down and you have those conversations and you explain where you’re coming from, you really can start to build that trust. And that’s the only way CISA is going to be successful.
We bring incredible technical capability, but we also have to bring very high levels of emotional intelligence because if we’re not able to explain how our technical capabilities can help our partners reduce risk, we ultimately will not be successful. And so that’s been a big lesson for me.
Read more expert-driven national security insights, perspective and analysis in The Cipher Brief.