Friday, August 06, 2021

BLACK HAT FASHIONISTA
Top US cyber official makes debut calling for more 'ambitious' defenses and wearing a 'Free Britney' shirt

By Geneva Sands, CNN 

In her first major speech since taking office, Cybersecurity and Infrastructure Security Agency Director Jen Easterly sought to elevate the young agency, pushing for more cybersecurity talent across the US and announcing a new initiative collaborating with the private sector on ransomware and other issues.
© Black Hat 2021 Conference

Easterly made her debut not in a suit before a Washington policy audience, but directly to the cybersecurity community, wearing a partly covered up "Free Britney" shirt and introducing policy with dance moves, music and a reference to the long-running sitcom "Seinfeld."

Speaking virtually to the Black Hat cybersecurity conference, which provides security consulting, training, and briefings to hackers, corporations, and government agencies, she told the audience that CISA needs to be more "ambitious" when it comes to building up the cybersecurity workforce in the United States and federal government.

She made a plea to the cybersecurity community to help build up the nation's cyber workforce, pointing to the more than 500,000 unfilled cybersecurity positions in the US.

'Much more ambitious'

Easterly, who took the helm of the agency in mid-July, said CISA is already undertaking multiple efforts, including a program to retrain non-cybersecurity federal professionals and a K-12 program that provides cybersecurity curricula to teachers.

Despite a host of programs aimed at growing cybersecurity talent, she said, "I believe we need to be much, much more ambitious about this and innovative about figuring out how to inform and educate and really inspire the next generation of cybersecurity professionals from the youngest of ages," offering a glimpse into her thinking as director.

She also urged people to come work for CISA -- an agency housed within the Department of Homeland Security that was established during the Trump administration. During her speech, she provided a QR code for people to join "team CISA."

"My goal is to make CISA the world's premier cyber and infrastructure defense agency," she said.

Easterly is making her push as a new Senate report released Tuesday found that key agencies across the federal government continue to fail to meet basic cyber security standards, with systematic failures to safeguard data.

Pressed by Black Hat founder Jeff Moss on whether she will be successful at hiring the right talent, she said, "I am going to be relentlessly focused on this."

"If I don't get it done, it won't be for lack of effort. The government hiring process is Byzantine and really kind of a mess," Easterly said, acknowledging that there is "huge competition" from the private sector when it comes to recruiting talent.

Setting the announcement to music that referenced the rock band "AC/DC," Easterly also unveiled a new effort to ramp up cyber defense planning at the agency called the "Joint Cyber Defense Collaborative" or "JCDC," which will coordinate planning and operations between the federal government, local officials, and private companies.

She made the virtual announcement while dancing to the so-called "Elaine dance" from "Seinfeld."

The collaboration will initially focus on combating ransomware and cloud provider incidents with companies such as Crowdstrike, Palo Alto, FireEye, Amazon Web Services, Google, Microsoft, AT&T, Verizon, and Lumen.

'Strong encryption'


Easterly said the goal is for the government and private sector to work together closely "before an incident occurs to strengthen the connective tissue and ensure a common understanding of processes," in prepared remarks.

Easterly also appeared to take a swipe at those in the US government, such as law enforcement, that have called for the weakening of digital encryption in order to peer into the otherwise scrambled communications of terrorists and criminals. Critics of encryption have said the technology — which safeguards all businesses and consumers — can allow bad actors to "go dark."

Asked to weigh in on the matter, Easterly came out forcefully in favor of "strong encryption," a term typically used to mean encryption that does not permit secret "back door" access for law enforcement. Law enforcement critics have said that allowing back doors into encryption would create vulnerabilities that would be targeted by hackers and would undermine everyone's security.

"We have to have strong encryption to be able to ensure the defense of our networks. It's foundational, as everybody in this audience knows," Easterly said, in a response that drew a rare round of applause. "I recognize there are other points of view across the government, but I think as the CISA director and me, personally, I think strong encryption is absolutely fundamental for us to do what we need to do."

Easterly, who is only the second Senate-confirmed CISA director, was part of the team that built US Cyber Command before going on to work at the National Security Agency on cyber and counterterrorism issues and serving as senior director for counterterrorism in former President Barack Obama's National Security Council.

She was scheduled to appear in-person at Black Hat, along with Homeland Security Secretary Alejandro Mayorkas, but the DHS team decided to participate virtually "out of an abundance of caution," due to the latest Covid-19 concerns, a DHS spokesperson told CNN.

Asked how she will differentiate herself from CISA's first director, Chris Krebs, Easterly said she will focus on putting the right processes in place to be able to take CISA into our next five and 10 years.

Shortly after the November election, then-President Donald Trump fired Krebs, who rejected Trump's claims of widespread voter fraud.

"I think there's the founder, right. And then there's the next CEO that comes in and transforms, continues the transformation of the organization," Easterly said.

Black Hat: New CISA Head Woos Crowd With Public-Private Task Force

Author:Tom Spring
August 5, 2021 

Day two Black Hat keynote by CISA Director Jen Easterly includes launch of private-public partnership with Amazon, Google and Microsoft to fight cybercrime.


LAS VEGAS – Just weeks after the U.S. Senate confirmed Jen Easterly to lead the Cybersecurity and Infrastructure Security Agency (CISA), the new director spoke at Black Hat USA 2021 on Thursday, albeit virtually, announcing a major public-private partnership to fight cybercrime.

Called the Joint Cyber Defense Collaborative (JCDC), Easterly said 20 cybersecurity firms have already joined the effort. They include Amazon, AT&T, Google Cloud, Microsoft, Palo Alto Networks, Verizon, Crowdstrike and FireEye Mandiant.

She said ransomware will be the group’s initial focus, along with creating a framework to respond to incidents affecting critical U.S. cyber-infrastructure.

“The whole idea of JCDC is to bring together our partners to do four key things. First, to share insights so that we create a common operating picture, shared situational awareness of the threat environment so that we understand it better, and to develop national comprehensive cyber-defense plans to deal with the most significant threats to the nation threatening our critical infrastructure,” she said.

JCDC would also call on federal agencies that include Department of Defense and its cyber-command partners such as the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) to “make sure that we are aligning operations, talents and capabilities to support the nation’s cyber-defense activities,” she said.

Who is the New CISA Director?

Easterly is a former NSA deputy for counterterrorism and has a long history within the U.S. intelligence community. She served for more than 20 years in the Army, where she is credited for creating the armed service’s first cyber battalion. More recently she worked at Morgan Stanley as global head of the company’s cybersecurity division.

Easterly replaced CISA acting director Brandon Wales after the agency’s founder and former director Christopher Krebs was fired by former President Trump in 2020.

“I hope to build on Chris’s great work,” Easterly said. “Chris did a fantastic job. He founded the agency and he shepherded CISA through some turbulent times, with the [2020] elections and COVID.”

She likened her new position to that of a new CEO, fulfilling the spirit and mission of Krebs. “I’m going to be focused on how we put the right processes in place to be able to take CISA into our next five and 10 years,” she said.

For Those About to Hack, JC/DC is Gunning for You

Borrowing liberally from the design motif of the rock band AC/DC, Easterly debuted a tongue-in-cheek logo of JCDC (or JC/DC).

She said JCDC represents a move by CISA to up its ante in working with the private sector. Several examples already this year – SolarWindsKaseyaPrintNightmare and ProxyLogon – are examples of the private sector aiding the federal response and helping shape cybersecurity policy.


She singled out Victor Gevers, chair of the Dutch Institute for Vulnerability Disclosure, for helping the agency understand the chain of vulnerabilities that led to the exploitation of Kaseya. During the height of the SolarWinds attack, Easterly said, Trimarc founder Sean Metcalf was instrumental in helping CISA understand the byzantine nature of identity management. She also thanked Will Dormann, a vulnerability analyst, for helping government security researchers understand “the pathways of interconnectedness” associated with the PrintNightmare bug.

In CISA We Trust?


Perhaps Easterly’s biggest challenge in her new role will not be heaping praise on the cybersecurity community. Rather, it will be earnings its trust. During a question-and-answer session, the CISA director scored points with the audience by stating that she supported strong encryption.

“I realized that there are other points of view across the government, but I think strong encryption is absolutely fundamental for us to be able to do what we need to do,” she said.

Strong encryption is jargon for what some call “warrant-proof” encryption. Many in the law enforcement circles believe ironclad encryption helps criminals “go dark”, in that it shields their communications.

While acknowledging distrust within some segments of the cybersecurity community, Easterly urged the audience of security professionals to trust people first.

“We know some people never want to trust an organization,” she said. “In reality we trust people – you trust people. … When you work closely together with someone to solve problems, you can begin to create that trust.”

(Image of Jen Easterly, courtesy of Jen Easterly’s Twitter feed)


No comments:

Post a Comment