An inside look at how CISA is building an agency for elite cybersecurity talent
Editor’s note: This interview with CISA Chief of Staff Kiersten Todt first appeared on Recorded Future’s Inside Security Intelligence podcast last month and is being published with their permission (The Record is owned by Recorded Future but is editorially independent). The conversation has been lightly edited for length and clarity.
Dave Bittner: The Cybersecurity and Infrastructure Security Agency, better known as CISA, was spun up in 2018 operating under the Department of Homeland Security. In July of 2021, Jen Easterly was confirmed by the US Senate as Director of CISA, and under her leadership the organization has continued its efforts toward public-private partnerships in cybersecurity. CISA recently established the Joint Cyber Defense Collaborative, an effort by the agency to lead the development of proactive cyber defense operation plans. Kiersten Todt is Chief of Staff at the Cybersecurity and Infrastructure Security Agency, and she joins us with insights on CISA’s efforts…
Kiersten Todt: [My career started when] I actually cold called the Chief of Staff in the Governor’s Office of Connecticut and ended up interning for him for two summers when I was in college. And that really got the civil service bug in me. I graduated with a masters in public policy and then came to DC on a fellowship called the Presidential Management Fellowship and worked in the White House Drug Policy Office. And again I cold called my Senator from Connecticut, Senator Lieberman, and was told that if I called back in three months, there would likely be a position for me. Which I did. And I became Senator Lieberman’s economic policy advisor.
That was the summer of 2001, and Senator Jeffords, who was the Republican Senator from Vermont, flipped to be an independent, which flipped the entire Senate. And so it went from a Republican majority to Democratic majority, and Senator Lieberman became Chair of the Governmental Affairs Committee in the summer of 2001. And that was what I’ll call a sort of a boring committee. You know, it was post office namings, some appointments and nominations, but he asked me to join his committee staff. As Chair, he was given a lot more spots and positions. And my first assignment for him was a hearing on critical infrastructure protection that was scheduled for September 12, 2001. So 9/11 happened on that Tuesday and we were the only hearing to move forward on Wednesday. And it was obviously a very different hearing than the one we had initially planned. And in that hearing, he turned to those of us that had been working on the hearing and talked about a Department of Homeland Security, which at the time was not even words that we were putting together.
It was long before the TV show. And we ended up working on this legislation, but at a time when there were other things going on, such as the Enron investigation, and no one really thought that this would go anywhere. There was a group of us working on the legislation until June in 2002—I woke up to give a speech at the Woodrow Wilson Center and read the paper and it said that President Bush had come out with his counter to the legislation to create DHS. And so then I worked with the White House and others to negotiate the legislation which passed in ’02. And that’s really when I got very involved in cyber security, ended up co-drafting the directorates for homeland security on R&D, infrastructure protection, bio terror, and cybersecurity. And then spent time out in California working for the Governor’s Office, worked for a nonprofit, taught at Stanford for a little while, and then worked on public-private partnerships and a consulting firm.
And then I came back to DC with this nonprofit on public-private engagement, and then worked for a consulting firm on risk management and cybersecurity, and started my own company. And following that was asked by the National Institute of Standards and Technology to help their process in building out the voluntary cybersecurity framework, which was in President Obama’s executive order in 2013. Following that work I was asked by President Obama and Secretary of Commerce Pritzker at the time to run President Obama’s commission on cybersecurity.
I did that for nine months. And then during that process, some of the commissioners and myself came together with a concept to launch a nonprofit called the Cyber Readiness Institute to provide free tools and resources to small businesses focused on human behavior. And I ran that nonprofit for four years until coming to CISA two months ago. What’s particularly interesting for me when I think about this arc is having worked on the legislation to create DHS, specifically cybersecurity, to now working where it’s being executed at this level—it is a real honor and a privilege.
DB: I have to say Kiersten, it’s a shame that you can’t really hold down a job anywhere, isn’t it? How do you describe CISA to people who are not familiar with it? To outsiders, how do you describe the mission of the organization?
KT: Well, CISA is a young organization. It was started in 2018 and we actually had our three year birthday a couple of days ago. And it’s not a typical government agency. What CISA does is it is the operational lead to defend the federal government’s networks. And having been in government for a long time, I didn’t know the answer to this question, which is how many federal agencies are there? There are 102 federal agencies and CISA has the operational lead to defend the government networks. It also is responsible for understanding and reducing the threat to our cyber and physical infrastructure. And what that means is that CISA works very closely with industry collaboratively to help the private sector defend its networks, but also to work collaboratively to help the government defend its networks.
DB: And what tools do you have at your disposal to achieve that mission?
KT: It’s a great question because these tools are evolving. And a couple of weeks ago, CISA released what’s called the Binding Operational Directive to the federal agencies. And it was the first of its kind in that it listed 290 vulnerabilities which have been identified and the patches for those vulnerabilities, and made them available to the federal agencies as a means of saying: Here are vulnerabilities that you may have, that you need to be paying attention to, and CISA will help you address those vulnerabilities, help you identify where the patches are. But what’s important is that within just a few days of that, over 2,000 entities had accessed those vulnerabilities. Meaning that the private sector, which is certainly something we were hoping for as well, as well as federal agencies, accessed that information to harden their systems.
The other key piece in working with industries is an announcement that Director Easterly made in August, which was the launch of the Joint Cyber Defense Collaborative. And having worked in this space for a very long time, I was particularly excited about this effort because we talk about public-private partnerships a lot. And I think it’s really a term that has lost its meaning over time. And what this is, what the JCDC is, is it really focuses on operational collaboration between industry and government, both before an event as well as in response and recovery. And it marries the capabilities of the private sector to see what is on their networks with the capabilities of industry, to know where threats and vulnerabilities are to ensure that we are hardening our government and industry systems to be more resilient against cyber attacks.
DB: It really strikes me that since taking the reins, Director Easterly has made a point of being front-and-center, of being a public face for these public-private partnerships. It has really been an emphasis of the organization. And it seems as though the private sector is really responding to this.
KT: They are. And I ask myself a lot, having worked in this space for a while, is this a concept that could have been executed a few years ago? And it really isn’t. I think we are at a unique time. I’m always careful to talk about inflection points in history and all these different elements because we want to make sure we capitalize on them. But I do believe we are at a unique point where there is a whole of government, a whole of nation approach to cyber security. We need to recognize that no one sector, no one company can take on this threat by itself, and that we are only good as a collaborative. Director Easterly talks about cyber as a team sport. Director Inglis talks about the fact that in order to beat one of us, you have to beat all of us. And these are truly concepts that I think have been internalized by industry, government and the nonprofit sector, which allows us to work so much more effectively and efficiently together.
“I do believe we are at a unique point where there is a whole of government, a whole of nation approach to cyber security. We need to recognize that no one sector, no one company can take on this threat by itself, and that we are only good as a collaborative.”— Kiersten Todt
DB: In terms of the actual partnerships between the public and private sector, how do you envision those playing out? What sort of things are you encouraging?
KT: So one of the things that SolarWinds showed us was that the government didn’t have visibility into what was on the private sector networks. I don’t think this number is completely accurate, but there’s a statistic that 85% of critical infrastructure is owned and operated by the private sector. And so when you think about that, the government certainly doesn’t need nor want to be on those privately-owned networks. But what the government does need is visibility into what industry is seeing. And so one of the things that we have seen very effectively happen since the launch of the JCDC is that sharing of information by industry. Similarly, CISA is saying here’s what we’re seeing. Can you (in a certain industry) share this information with your partners so we can get this information out in a very effective and efficient and confidential way to make sure that those entities that are vulnerable can be patched without any type of public announcement?
I think the key phrase here is operational collaboration. How do we truly operationalize the collaboration between industry and government? And again, focusing on pre-event, the work that can be done to prevent, but also importantly, as I mentioned earlier, response recovery to ensure our systems are resilient against the attacks that do come.
DB: As a relatively new agency, does CISA enjoy the ability to be comparatively nimble?
KT: It’s a great question because one of the things that Director Easterly really talks a lot about is that we are an agile agency. So, choose your word, agile, nimble. I think it’s all part of it. It’s a hybrid entity. We’re not going to be steeped in the inability to work with industry. I think in order to be an effective partner to industry, we certainly have to be. But also the issue, the threat, demands that we are because four years ago, ransomware was not part of everybody’s vocabulary. If we think about the way that the threat evolves, if we think about how things happen, it is moving at such a fast tempo. And so we have to stay up with it. And we have to do that in a way that really demands that agility.
DB: Looking at the list of partners who have signed on here, it is certainly an impressive list. How do other people get on board if they want to take part in this, what’s the best way to connect?
KT: On our website, there is information about how to join not just the JCDC, but how to be one of our information sharing partners, a partner with whom we will share information and develop exchanges with. So all of that is on CISA.gov, and we’re really obviously reaching out and encouraging engagement in different forms. The JCDC is not the only vehicle for collaboration with us. And certainly we are only as good as the entities and the collaboration that we have. And so we’re certainly encouraging businesses to reach out.
DB: You know, it strikes me that cybersecurity is one of the few areas right now that really enjoys true good faith bipartisan collaboration in Congress. What part does CISA play in informing the members of Congress? What sort of things are going to be helpful in terms of regulation, in terms of legislation?
KT: Well, I think certainly with the NDAA that was passed this year and the additional authorities and responsibilities that were delegated to CISA, our partnership, our relationship with Congress is going to be very important. Just this week we’ve had our senior leaders testifying twice, and I think being able to work with Congress on both sides of the aisle—and we certainly have tremendous leaders on both sides of the aisle who are working with us to determine what are those processes, what are the approaches that are going to help, not just CISA do its job better, but importantly, keep the nation secure. And this, again, it’s certainly a whole of government, whole of nation approach. And so it’s about us working collaboratively with our partners. I mentioned director Chris Inglis earlier and certainly the Office of the National Cyber Director, the National Security Council, and then all of the agencies, we are all working together to do this work and to do it well.
“Cybersecurity is about solving problems and building solutions. And in order to be innovative to do that, we have to be bringing in diversity of thought.”— Kiersten Todt
DB: As you look toward the horizon, what sort of things do you see in the organization’s future? Where do you see it going?
KT: One of the key priorities of the Director and of CISA right now is to build out our talent workforce and to really make CISA an elite agency for attracting and retaining top-tier talent in cybersecurity. Recently, we announced the launch of the cyber talent management system, which gives us different types of hiring authorities to really bring in the best and brightest in cybersecurity. But internally we’re also looking at how do we make the workforce effective and importantly, how do we create the talent pipelines that don’t just go to the usual sources. But if we are truly focused on diversity of thinking… as we look at cybersecurity, cybersecurity is about solving problems and building solutions. And in order to be innovative to do that, we have to be bringing in diversity of thought. So when we talk about building out diversity, equity, inclusion, and accessibility at CISA, we really mean this in going into the grassroots level, going into communities that are underserved, helping individuals both reskill and upskill, and looking at diversity of thought.
So bringing in not just mathematicians and scientists, but historians, economists, sociologists, psychologists, helping people understand that various capabilities and aptitudes really feed into the work that we need to do at CISA. Because that will ensure that we’re being innovative. I worked on the Cyber Moonshot, which was an effort by President Obama a few years ago. And one of the key pieces to that was looking at how we innovate. And we brought in an individual from USAID, who talked about the work that they did in building out the Ebola suit. And they essentially had done auditions around the country to bring in designers. And they turned this woman away at the door who ended up actually being a key part of their team and she was a wedding dress designer. And the idea there was that she knew breathability. She knew how to move in difficult fabric, and that kind of thinking was going to be important in how they built and designed the Ebola suit.
That is really the importance of diversity of thinking. And going to different types of universities and colleges—we’re developing partnerships with community colleges, vocational schools, historically Black community colleges and universities. All of these elements become so important. And the other piece that I want to share is that I’m particularly proud of the fact that CISA is going to be the second agency working with MITRE on a neurodiversity project. And we’re going to have three individuals with autism who are going to be coming to work at CISA. Again, diversity, not just for diversity’s sake, not as a check the box, but truly valuing what diversity means.
DB: What is the call to action here, for folks who want to be on board, who have their jobs in cybersecurity, how do we support your efforts?
KT: Well, I would encourage folks to go onto our website and to look up the cyber talent management system, CTMS, as well as our vacancies. We have a lot of vacancies right now, and we’re making these as accessible as possible on our website to be able to access them and to apply for jobs.