CISA Director tells new Advisory Committee she wants more than just talk

The Cybersecurity and Infrastructure Security Agency’s new Cybersecurity Advisory Committee kicked off Friday with a meeting that focused on the importance of building functional cooperation between the public and private sectors to defend U.S. networks.

“I welcome this group creating action,” CISA director Jen Easterly told the group, adding that she didn’t want it to just be a “talking club.” Instead of lengthy white papers, Easterly said she hopes the committee will produce short action plans that can be implemented. 

Easterly announced the committee's twenty-three members, which are largely drawn from the private sector, at the beginning of December.

Mastercard chief security officer and committee vice-chair Ron Green emphasized how much of infrastructure related to protecting the U.S. is in private hands, as did chair Tom Fanning—the chief executive of major gas and electric utility Southern Company. 

“We have to reimagine in America the notion of national security,” Fanning said. “The battles of today and in the future are going to be fought partially on our financial systems, our electrical grids, and so many other systems we aren't used to,“ he added. 

Easterly noted how her agency was already working to prioritize addressing this challenge—including through the creation of the committee and a Cyber Talent Management System aimed at recruiting technical talent to the agency, as well as the Joint Cyber Defense Collaborative with major companies announced at the Black Hat security conference in August. 

The director cited her attendance there as part of an effort to “ignite” the hacker community and noted the inclusion of Jeff Moss, the founder of that conference and DEF CON who is also known by the handle Dark Tangent, in the committee. 

During the meeting, Moss said the government needed to do a better job providing on-ramps for altruistic hackers who want to help contribute to global safety. But he also cautioned that there’s a lot of resistance within that community to being associated with the U.S. military or intelligence operations, so the group should be thoughtful in their outreach.

“We should be very careful in using non-military language. You’re not a cyberwarrior, you’re not on the cyber kill chain, you’re not dropping digital bombs–you’re protecting civil society,” he said.  

Many hackers still would be unlikely to trust CISA as an institution, but over time the agency could build its reputation by bringing in individuals who already have the trust of that community, Moss said.

(Disclosure: Niloofar Razi Howe, a member of Recorded Future's board of directors, is a member of the advisory committee.)