The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has a new leader after an eight-month gap without one. The Senate on Monday unanimously confirmed Jen Easterly as the new CISA Director.
Easterly joins CISA at a time when the agency desperately needs strong leadership to navigate the constantly changing landscape of cybersecurity.
All of the high-profile cyber incidents in the last year—including SolarWinds, Colonial Pipeline, JBS Foods, and most recently Kaseya— have highlighted the need for CISA to be more involved in protecting the critical infrastructure in the U.S., as well as privately owned businesses.
Who is Jen Easterly?
Some say that Easterly is uniquely qualified to be the head of one of the most important cybersecurity agencies in the world.
After graduating from West Point, she went on to work for a variety of U.S. government security agencies, as well as Morgan Stanley.
Politico summarizes her exceptional background:
"At the NSA, Easterly worked in the elite hacking unit known as Tailored Access Operations, led the Army's information warfare battalion and served as a cyber adviser to NATO forces in Afghanistan. In 2009, she was one of four officials tasked with establishing U.S. Cyber Command, the military unit that works closely with the NSA to disrupt adversaries' computer networks.
She later spent more than two years as the No. 2 official in the NSA's counterterrorism division, followed by three years as a special assistant to the president and senior director for counterterrorism at the National Security Council under former President Barack Obama.
In her most recent role, as head of resilience for Morgan Stanley, Easterly witnessed firsthand how U.S. businesses have dealt with an increasing barrage of cyberattacks. The connections and experience that she developed working for the financial services giant may aid Easterly as she takes the helm of CISA."
Secretary of Homeland Security Alejandro Mayorkas had high praise for the newly appointed director:
"I congratulate Jen Easterly on her confirmation as Director of CISA. Jen is a brilliant cybersecurity expert and a proven leader with a career spanning military service, civil service, and the private sector. I am proud to welcome her to the DHS team and look forward to working together to protect our country from urgent cybersecurity and physical threats."
How will Jen Easterly help CISA?
CISA currently faces a number of complex issues that Easterly will have to sort out. One of the bigger concerns is how she will choose to handle the situation with Russia.
Biden has called on Putin, twice now, to stop hacking U.S. organizations. The two presidents met a couple weeks ago to discuss the current cyber situation. Biden gave Putin a "no hack" list, which included 16 critical infrastructure sectors. But since then, Russian-based hacking group REvil has attacked IT management company Kaseya with ransomware, seemingly disregarding Biden's warning.
Easterly's background with the NSA and military will certainly come into play as the U.S. weighs its options on how it wants to respond. Keep in mind, NATO announced a month ago that cyberattacks can be met with a military response.
[RELATED: NATO Says Cyberattacks to Be Treated as Military Attacks]
Another hurdle she will have to clear is the current trust factor with regard to CISA, which was highlighted by the Colonial Pipeline incident.
The CEO of Colonial elected to notify the FBI instead of CISA about the ransomware attack, fearing that public exposure would damage the company's value. This led to a delayed response from CISA to a situation in which time was critical.
New CISA head wants mandatory incident reporting
CISA has recently been granted some new power to look for vulnerabilities and intrusions in other agency's networks. Lawmakers are even considering a bill that would mandate private sector reporting to the government on cyber incidents, which Easterly supports.
Here is what she said in the confirmation hearing:
"There probably is some sort of role for making some of these standards mandatory, to include notification. I do think it's important that if there's a significant cyber incident, that critical infrastructure companies have to notify the federal government, in particular CISA. We have to be able to warn other potential victims."
Easterly is certainly well qualified for the role of CISA Director, but the challenges she currently faces are unprecedented. All eyes will be on her in the coming months as the agency makes decisions that will have far-reaching implications.
