U.S. Cyber Chief Trying To Get Americans To Trust Her, and Election

(Bloomberg) -- As director of the Cybersecurity and Infrastructure Security Agency, Jen Easterly helps protect election infrastructure from hacks, violence and bad faith claims intended to stoke mistrust.

The most challenging part of her job, however, is likely to begin after Tuesday, when Easterly may have to convince a doubtful and divided electorate that the outcome of the vote was legitimate. A similar claim got her predecessor Chris Krebs fired after the 2020 election, and, he has said, resulted in death threats.

Today, even though Easterly says that the US electoral system “has never been more secure,” skepticism along party lines has only grown: faith in the electoral process has fallen precipitously among Republicans to 28 percent, versus 84 percent among Democrats, according to Gallup. 

All of this puts Easterly in the hot seat at a fraught political moment. In her role leading America’s cyber defense agency, she’s worked to win the trust of fellow government agencies and private sector companies. Now, she must do the same with an even more volatile constituency: American voters.

Easterly, a former Army officer who can solve a Rubik’s Cube behind her back and strums out cybersecurity advice on her guitar, took the helm of America’s newest agency in 2021, three years after Congress signed it into existence. Having survived West Point, the White House and wartime tours of Iraq and Afghanistan, her latest role has her leading a mission many deem impossible. 

Related:The New Frontiers of Cyber-Warfare: Insights From Black Hat 2024

CISA doesn’t run US elections — that falls to more than 8,000 separate jurisdictions and the states that certify them — but it offers support to local and state officials via funding, personnel, technical knowhow and outreach. On top of that, it’s tasked with helping safeguard 16 critical sectors including energy, water and health care, and collaborating with federal agencies to do so. Yet despite its sprawling mandate, CISA has almost no regulatory heft. 

“We’re largely a voluntary agency,” Easterly says in speech after speech. That’s by design: Congress set CISA up to act as an intermediary between government and the businesses that oversee vital infrastructure. It’s a tall order, and its mission has been further constrained by coordination challenges and limited resources. Armed with so few tools, Easterly has personalized her outreach— and become something of a minor celebrity in the process.

“I want CISA to be the best agency in the world,” she said during a talk at a hacker conference in 2022 where the audience included several starstruck coders. At the same event the following year, she joined the other speakers in downing a shot, and then drank a beer up on stage while chewing through a complex history of cyber threats. 

Related:The Impact of the Presidential Election on Networks

“She’s been bucking the system ever since she was a cadet,” said Douglas Lute, a former US ambassador to NATO and an ex-Army colleague who counts himself as a friend.

Her unorthodox approach has scored some wins. Since Easterly took over, CISA’s annual budget has grown by almost a third to just under $3 billion. The agency’s workforce is now more than 3,300, about half of whom Easterly brought in. She’s focused on hiring from underrepresented groups, particularly women, and has prioritized mental health in the workplace. As she’s settled into the job, she’s also gotten more vocal about prodding tech companies to take more responsibility for securing their code.

With online threats rising, the White House released a new cybersecurity strategy last year that aims to impose minimum security standards on companies connected to critical sectors, and make software providers liable for releasing bad code. But it’s a long-term plan that relies on congressional support. Critics say the US is late to the game, and for now, CISA must rely heavily on goodwill to protect some of the country’s most vital infrastructure.

Related:Chinese Hackers Said To Have Collected Audio of American Calls

Around the time Easterly turned 50, she got a tattoo. After decades of military and government service, she had left the National Security Agency and was working at Morgan Stanley in New York. She finally decided to live an authentic life, she said in an interview with Bloomberg, adding that it’s hard to do so “when you’re like, you know, Lieutenant Colonel Easterly or whatever.” The ink encircling her left wrist, a tribute to the Japanese philosophy of Ikigai, which encourages the pursuit of purpose and joy, was a symbol of her newfound commitment.

It was a radical move for Easterly, who grew up listening to the Vietnam War stories of her father, a former Nixon speechwriter and senior Pentagon official. She enrolled at West Point in 1986 and stayed through grueling times partly out of fear of letting him down.

“I have always been really, really hard on myself,” Easterly said.

One of her first challenges upon arriving at CISA was re-energizing a workplace that was under-resourced, leaderless and “pretty burnt-out.” They had just come out of Covid, the 2020 election, and weathered a series of big hacks. Krebs, the agency’s first director, had been fired months before by then-President Donald Trump after vouching for the reliability of the election results. Having been at the NSA when former contractor Edward Snowden’s revelations about mass surveillance made the agency a pariah, Easterly had her own way of trying to turn things around.

In public, she’s made herself the face of the organization. The approach is partly tactical — “people don’t trust institutions; they trust people,” she’s observed — but it also reflects her belief that earning trust comes down to “being really honest about who you are and what’s important to you.” Easterly has publicly shared her struggles about her time at West Point and her younger brother’s death by suicide. 

On a personal level, Easterly believes that her new way of thinking is working. She is becoming, she said during an interview in Pittsburgh last year, a person who is “more comfortable” in her own skin. “Hopefully,” by learning to go easier on herself, she can ultimately go easier on others, she said.

The remark hints at the challenges she has encountered as a manager. Easterly, who believes in bringing her whole self to work, said she’s fought to become more self-aware and get better at managing her emotions. “You have to be careful as you get more and more senior, because sometimes just what you say or a look that you give can really project a lot of meaning,” she reflected.

At the same time, she’s also toughened her approach in other ways. In the private sector, she has pushed to shift the onus of cybersecurity back from consumers to boardrooms and has pressured Big Tech to plug its security holes. One company in particular often finds itself at the center of these efforts: Microsoft, the country’s cybersecurity juggernaut.

Easterly initially treaded lightly, but her indictment of Microsoft became more pronounced over the course of 2023. In February of that year, she unfavorably compared a Microsoft security protocol to one of Apple’s in a public speech, as part of a broadside against large technology companies providing unsafe products. By August, she was suggesting that Microsoft specifically should “recapture the ethos” of what company co-founder Bill Gates called “trustworthy computing.”

Then, in April, her agency published what she later described as a "jaw-dropping" report into lax security at the company. The very next month, Microsoft announced an overhaul. It would put security first, and even make bonuses contingent on progress.

Microsoft is not the only company Easterly is pushing: she half-jokes she wants to put the entire cybersecurity industry out of business, saying it only exists because vendors continue to sell old and unsafe code. “Software vulnerabilities” should be better known as “product defects,” she has stated.

While big tech is, in theory, now game to collaborate — since August, she’s convinced nearly 200 companies including Amazon Web Services, Google and Microsoft to sign a commitment promising to design safer software — without the ability to enforce her demands, the jury is out on whether Easterly will be able to elicit much more than lip-service.

Meanwhile, her boss is warning there is no time to spare.

Alejandro Mayorkas at the White House on Oct. 1. Photographer: Yuri Gripas/Abaca/Bloomberg

At the Munich Cyber Security Conference in February, Alejandro Mayorkas, secretary of the Department of Homeland Security, which houses CISA, said that fast-evolving cyber threats demand “both regulation and individual responsibility,” and later cited “concern” about how years of voluntary strategies have failed.
His warnings were reinforced by major cyberattacks around that time that crippled key nodes in critical sectors of the economy: a software system central to many big banks and a company that connects medical providers and pharmacies with insurance companies. The attacks wreaked havoc on Wall Street and rippled throughout the US health-care system, two of the 16 critical sectors. 

Part of CISA’s mandate is to identify businesses that sit at key chokepoints within those sectors. The agency had not done that effectively, according to a US official familiar with cyber issues who asked not to be named discussing sensitive matters, adding that it risked becoming irrelevant.

The agency has said it is working on this in part by developing a non-public list of about 500 companies that it plans to provide with additional resources, watch more closely and — ideally — hold to higher cybersecurity standards. Mona Harrington, assistant director for CISA’s National Risk Management Center, told Bloomberg in an emailed statement in March that the agency is “conducting further analysis” to pinpoint chokepoints that could have cascading effects if cut off. CISA declined to comment on progress since. 

None of this fully satisfies Mark Montgomery, senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies, a think tank focused on national security. He said the US needs to establish minimum cybersecurity standards for those 500 companies, while offering them a carrot of some sort, such as additional intelligence. The wide-reaching impact of the health care and bank hacks is “proof positive” that significant single points of failure exist, he added. 

Montgomery is a longtime CISA cheerleader. He believes Easterly has done “a good job on Microsoft” but sees the agency’s performance as “inconsistent” when it comes to supporting other government departments on cybersecurity and collaborating with the private sector. Inspector general reports have highlighted CISA’s weaknesses in dealing with dams, the energy and water sectors as well as in detecting and fixing cyber intrusions. The agency is overburdened, Montgomery said, with too many competing number-one priorities. He lays responsibility for that problem at the feet of Congress, rather than Easterly.

For his part, in an emailed statement, Mayorkas credited Easterly with “achieving an unprecedented strength of partnership with the private sector in advancing our nation’s cybersecurity,” saying she “has led CISA to new heights.”

CISA has in hundreds of instances warned companies of imminent cyberattacks and helped with threat hunting and incident response, but the young agency still has a long way to go, according to officials and advisors. Easterly’s pet project, a collaborative cybersecurity platform started in 2021 named JCDC — a tribute to AC/DC, her favorite rock band — has suffered from “growing pains,” the official in charge acknowledged in August. With more than 340 members and an emerging reputation for prioritizing policy talk over action, her advisory committee has suggested it should focus more on active incidents. 

But on the most pressing topic facing both CISA and the country, Easterly has had more success. With early voting underway, Easterly is loudly proclaiming that the country’s voting systems are prepared and resilient. All 50 states have signed up for free cybersecurity tools provided by the CISA-funded Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), and the agency has appointed ten regional election security advisers and run a big election security exercise in the past year. 

Despite “threats and challenges that far exceed anything that election officials and administrators had to face in decades past,” she told a conference in Detroit last month, “election infrastructure has never been more secure.”

At the same time, with more than 3,800 member organizations the EI-ISAC is still far short of representing the total universe of more than 8,000 election jurisdictions. Marci Andino, the organization’s vice president, said she still hears from some local election officials that they don’t trust the federal government. That’s one reason why Easterly is so keen to amplify the voices of frontline election workers: because people in the communities know them.

It’s a delicate dance — and the most difficult phase could well lie ahead. Easterly has warned that bad actors may seek to undermine confidence in the vote as ballots are counted and audited, referring to influence operations directed by Russia, Iran and China. But in a video on CISA’s YouTube channel, she’s also indicated that the biggest dangers don’t always come from abroad. Discussing the physical threats that emerged after 2020, Easterly said that they stemmed “largely” from unfounded claims that the outcome didn’t represent the will of the American people.

Easterly is realistic about all the ways things could go wrong. But most of all, she wants the electorate to be prepared for a waiting game. She’s cautioned that it could be “days to weeks” before the final result of elections are known, and that rumors are likely to abound in the interim. If that’s the case, America’s future may turn on her favorite, hard-to-come-by commodity: trust.