Jen Easterly hopes to change your dinner table conversation.
Ransomware – malicious software that can lock users out of their device or files – has made it to the list of table-talk topics but, somehow, cybersecurity has not.
Easterly, director of the federal agency for cybersecurity, wants to change that. “I think it’s really important that cybersecurity equally become a kitchen table issue,” she said.
Easterly visited Seattle this week as part of an effort to connect with local governments, businesses and educational institutions around the country. She stopped by Boeing’s headquarters in Renton, the Space Needle and Amazon’s HQ in South Lake Union to discuss how to prepare local governments to prevent cyber attacks and get the next generation of cybersecurity professionals excited to take on the task.
Easterly heads the Cybersecurity and Infrastructure Security Agency, or CISA, and is responsible for leading the agency’s efforts to understand, manage and reduce risk to the cyber and physical infrastructure we rely on every day. She was appointed in July 2021 and has spent the past year working to cut the “nerdspeak” from cybersecurity. She likes to talk about her role as “cyber storytelling,” and hopes to put the industry into context that both a young kid and her mom could understand.
Seattle is home base for CISA’s Region 10, a zone that spans 918,630 square miles and covers Alaska, Idaho, Oregon, Washington and 271 Tribal nations. The agency is a part of the Department of Homeland Security. In September, DHS committed $1 billion for cybersecurity grants over the next four years for state, local and territorial governments.
CISA focuses on how individuals can protect themselves — like the recent social media push to use “more than a password” to log in to personal devices — as well as national efforts. It’s responsible for improving supply chain security, protecting against cyber threats from the rollout of 5G and enhancing election security. The cybersecurity agency tapped Washington’s former secretary of state, Kim Wyman, to lead CISA’s election security efforts.
Some CISA personnel focus on maintaining communications during emergencies, and others advise and assist facilities with hazardous chemicals on how to prevent those chemicals from being weaponized. And some work with the Department of Homeland Security on protecting critical infrastructure.
Easterly says most people shy away from the term “critical infrastructure” but really, it’s just “how we get gas at the pump, food at the grocery store, money from the ATM,” she said. “It’s our water. It’s our transportation. It’s our power. It’s our communication. It’s the networks, systems and data that underpin our daily lives.”
Seattle faces an “ironic juxtaposition,” Easterly said. On one hand, the local institutions are working to defend public utilities and help people understand how to protect themselves online. On the other, major tech companies that have an enormous influence on the nation’s digital infrastructure are based here.
“America has incredible companies, [an] incredible heart of innovation here on the West Coast, and it’s really important that these technology companies play a role in helping to shape the technology ecosystem,” Easterly said.
To do that, tech giants have to design products and services with security in mind. Just like consumers expect seat belts and air bags in a car, they should expect security to be built into products.
As companies like Amazon and Microsoft grew, security wasn’t required, Easterly said. She hopes market forces and their own self-interest will continue pushing them toward it. The next step, though, would be federal regulation.
CISA is not a regulator and Easterly said the agency is collaborating with Amazon, Microsoft and other tech companies to focus on security.
In August 2021, the cybersecurity agency launched a new initiative, dubbed the Joint Cyber Defense Collaborative, to strengthen the public-private collaboration in the industry. Amazon Web Services, Amazon’s cloud computing arm, and Microsoft were among the initial industry partners.
Outside the federal department, businesses and educational institutions in Seattle are adopting the same mindset as Easterly. They are working to demystify cybersecurity and increase awareness, education and resources — from college to elementary and middle school. On a panel Thursday, many attendees suggested tapping into gaming culture or designing contests around cyber education. That could be an escape room focused on misinformation, or a short-story contest where the heroine is a cyber professional, or a TEDx series highlighting the cyber world. Easterly suggested creating a “cyber schoolhouse rock.”
Stealing a word from the social media hype today, James Poland, director of cyber intelligence for the University of Washington, said he considers himself “first and foremost, an influencer.”
Conversation around cybersecurity has already started to escalate in the last year and a half, Easterly said. Some of it is happening naturally as the agency “comes into its own” four years after its creation, but “some of it is recognition and realization that the threats we are dealing with are only getting more complex and more dangerous,” she said.
In the immediate future, the agency plans to spend the next month hyperfocused on the midterm elections.
Before Easterly took over the agency, it was tasked with risk management for election security. At that time, there was a lot of resistance to the federal government playing a role in what had historically been handled by state and local election officials.
This week, Easterly visited the King County election office to see how it secures ballots.
“We want to make sure that election officials have what they need,” she said Thursday.
“We’re very focused on the next 43 days” until the midterm elections, she continued, “and then on 2024.”