CISA Director: US has lessons to learn about anticipating threats, disruption

LAS VEGAS — U.S. residents and businesses need to be better prepared for inevitable disruptions caused by cyberattacks, according to the head of the country’s cybersecurity agency.

Speaking alongside Ukrainian cybersecurity chief Viktor Zhora at the Black Hat cybersecurity conference, Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly said Americans need to mirror Ukraine’s resilience in the face of an onslaught of damaging cyberattacks.

“We know, given the state of networks today — the connectivity, the interdependence, the vulnerabilities that persist because technology is not secure by design — we are very likely to see attacks that cause great disruption, so [we are] learning from you about the resilience of cyber, operational resilience of cyber,” Easterly said before turning to Zhora.

“[Ukrainians] have demonstrated, in a shining example of unity, how to fight on to be able to achieve victory,” Eastery said. “This is something Americans really need to stand firm on in the face of threats from adversary nations.”

Read more: Ukrainian official touts country’s wartime cyber intelligence efforts

Using the Colonial Pipeline incident and the alleged Chinese spy balloons as examples, Easterly went on to tell the crowd that she does not see the same level of resilience with Americans in terms of how the country responds to potential threats.

She said people “should anticipate threats, we should anticipate disruption” while working to build resilience by identifying what's most important, running exercises in advance and collaborating to make sure critical services can continue to be upheld in the face of disruptions.

Americans have to be unified in an effort to maintain not just cyber resilience but operational resilience and societal resilience, Easterly explained, adding that more people also have to take a longer-term view of what could affect the country over the next four to five years.

Easterly touted the Shields Up campaign, saying it was integral in catalyzing a response from critical infrastructure operations and “raising the bar” for cybersecurity across the country.

“We have not seen significant attacks, although we're very aware of planning for those attacks by the Russians, and part of that is deterrence by escalation and punishment, given the very serious concerns that [President Biden] articulated to President Putin. But I think part of that is also determined by denial and resilience. There was a huge effort to raise the bar on cybersecurity,” she said.

She added that CISA has recently sought to increase pressure on business leaders and CEOs to take responsibility for managing cyber risk and investing in IT security beyond the current measures. While there are still significant issues, she noted the massive progress made since 2014, when there was “no cooperation in the U.S. or working together in a persistent way.”

“It's not just us, it's the rest of the international community. It's the private sector. In a way it's really in my view transformational because it's a recognition that there's no default to share. If there's a threat to one, there's a threat to many,” she said, adding that companies now have to know that sharing information will not result in punishment.

International partnerships closer than ever

Easterly noted that one of several positive developments over the last year has been the increased cooperation internationally when it comes to cybersecurity.

While the U.S. has always had close ties with its Five Eyes partners — the U.K., Canada, Australia and New Zealand — the work the U.S. and its allies have been doing over the last year “is probably the closest we've worked operationally speaking with any foreign partner.”

“This is in terms of how we’re thinking about sharing information with our CERTs, the Computer Emergency Response Team, and then enriching it with what we're both getting from the private sector, other international partners, and what we're seeing in the government networks,” she said. “That piece has been better than I've ever seen in terms of being able to fill out the threat picture.”

The comments come after revelations reported by the Washington Post this week that the U.S. sent several top cyber officials to Japan repeatedly after discovering that Chinese hackers had deep, wide-ranging access to senior defense department systems in the country.

Gen. Paul Nakasone, the head of the NSA and U.S. Cyber Command, and Matthew Pottinger, who was White House deputy national security adviser at the time, both went to Japan in 2020 and when President Joe Biden took office, the deputy national security adviser for cyber, Anne Neuberger, was also sent to Japan to discuss the issue.

Easterly mentioned the threat posed by China, noting that in an annual threat assessment from the intelligence community, she was given a “pretty stark warning of threats from China.”

“In the event of a conflict in the Taiwan Strait, China certainly would consider aggressive cyber attacks against U.S. critical infrastructure, whether that's oil and gas pipelines, transportation,” she said. “I think that's something we really need to internalize frankly.”

In May, Microsoft released a report about a Chinese government campaign to infiltrate the critical infrastructure of U.S. military bases on Guam.

The New York Times reported two weeks ago that the campaign went beyond just espionage and involved malware that could be potentially destructive, causing outages that would slow down the U.S. military but may also have knock-on ramifications for the communities around U.S. bases.