CISA Director Easterly’s remarks at the Atlantic Council: The Role of the Private Sector in Warfare

Watch the Speech

Thanks so much for the opportunity to kick off this important discussion on the critical role of the private sector in safeguarding the security of our nation. As many of you know, CISA is the newest Agency in the Federal government, established a little over five years ago to play two key roles. We serve as America’s civilian cyber defense agency and as the National Coordinator for critical infrastructure security and resilience. Our mission is to lead the national effort to understand, manage, and reduce risk to the cyber and physical infrastructure Americans rely on every hour of every day for water, power, transportation, communications, healthcare, education, and so much more. In essence, we protect and defend the systems and the networks that power our daily lives, but as you know, the vast majority of that infrastructure is owned and operated by the private sector. And CISA is not a regulator, or a law enforcement agency, or an intelligence agency, or a military agency—we are a partnership agency; we operate by, with, and through partners, and our success is predicated on our ability to catalyze trusted partnerships with our stakeholders, whether that is the private sector, our colleagues across the federal government, or at the state and local level. 

While I spent some 27 years in government—the military, the White House, the intelligence community, the most important preparation for my role as Director of CISA was the 4.5 years I spent at Morgan Stanley, building and leading our global cybersecurity fusion center, and then serving as the Firm’s Head of Resilience. And being Director of CISA has only reinforced to me how absolutely critical the private sector is to the security of our nation in both peacetime and wartime—something the report highlights and why I was excited to be here with you today and provide a few framing thoughts.  

Broadly, I really appreciated the thoughtful recommendations—I won’t go through each but rather highlight a few that resonated most strongly, particularly given ongoing work at CISA. First, in some ways, the key recommendation around the establishment of a CI Wartime Planning & Operations Council builds upon the excellent work of the Cyberspace Solarium Commission, in particular its recognition of the need for a Joint Cyber Planning Office, which we established as the Joint Cyber Defense Collaborative, or JCDC, in August 21.  

Now some may discount what a transformational idea the Joint Cyber Planning Office was: a many-to-many platform for information sharing, cyber defense planning, and operations. And as we’ve evolved the JCDC, we’ve encountered not unexpected complexity—stemming from companies who compete on business not always wanting to work with one another on security, or companies who make money off selling threat intel who see what is provided for free as undercutting their business model, or companies used to working with the government through lawyers and government affairs reps now being asked to bring their technical and ops folks to the table as well. And of course, we are also asking companies to shift their focus—we want companies to actively join us in planning for incidents, not just responding to them. 

The good news is, though, over the past three years—we’ve worked to overcome these natural pockets of friction and forged an increasingly effective model for multilateral sharing of cyber threat info and for cyber defense planning. JCDC now comprises over 320 companies and has 39 distinct communications channels with industry on specific priorities and lines of effort. Each channel has an average of 54 participants which helps maintain trust among members, although the number of participants is higher for broad topic channels, like Threat Intel and Ransomware. JCDC has published 93 joint products, including cybersecurity advisories, guides, and fact sheets, increasingly with private sector enrichment, and has produced 14 cyber defense plans to date, focused on how the cybersecurity community will work together to defend against specific threats and strengthen the cybersecurity posture of a particular critical infrastructure sector or community. 

I emphasize this work because even though we didn’t refer to it as a Critical Infrastructure Wartime Planning and Operations Council per se, we’ve been leveraging the JCDC to play key aspects of that role. We first called upon the JCDC in this way in late 2021, when indications of a Russian invasion of Ukraine sparked concern that Russia would consider initiating cyberattacks against U.S. critical infrastructure in retaliation for US support to Ukraine. In January 2022, 22 companies and 8 U.S. government agencies came together to develop a multi-phase plan to address possible Russian attacks on critical infrastructure. The result was a 20-page plan which laid out 5 operational phases aligning to 8 planning objectives, with specific lines of effort, actions, and thresholds for activation, all of which were exercised in an extensive tabletop exercise and fed into our broader Shields Up effort. And while we thankfully did not experience major retaliatory attacks, the mere act of planning and exercising across government and industry was incredibly valuable. As General Eisenhower once exclaimed, “Plans are nothing; planning is everything.” 

Today, our sights are set on China. We are working with our government and industry partners to understand and mitigate risk to our critical infrastructure from Chinese cyber actors—known broadly as Volt Typhoon—that are intent on unleashing mass disruption on the US in the event of a major conflict to induce societal panic and deter our ability to marshal military might and citizen will. CISA teams are continuing to partner with critical infrastructure entities to hunt for these actors across multiple critical infrastructure sectors, including aviation, water, telecommunications, and energy. We have had success in detecting and eradicating these PRC actors, and what we have found leaves us deeply concerned about widespread PRC pre-positioning on our critical infrastructure. The PRC appears to be pursuing an “everything, everywhere, all at once” approach that would allow it to disrupt multiple critical infrastructure sectors simultaneously. 

Defending against, and preparing for, that possibility will require a nation-wide effort to improve security, build resilience, and ensure we have the playbooks in place if such a mass disruption scenario comes to pass.  As was shown to be the case in 2022, the value of such efforts is not the actual plans, especially since no plan survives first contact. But the planning itself, bringing companies and the government together to talk through preparation, and to exercise response, continuity, recovery, and communications is critical to the cyber defense and resilience of our nation. We must exercise in peace to be ready in crisis. The JCDC is already focused on this goal, working with critical infrastructure owners and operators from specific sectors and sub-sectors and their ICS/SCADA vendors to build and execute network defense and resilience plans aimed at ensuring these networks can continue to operate in the face of the Volt Typhoon threat. 

As we’ve been evolving the JCDC, we’ve also been building regional resilience collaboratives, consonant with another of the report’s recommendations. CISA’s existing regional footprint is based around 10 national regional offices, associated field staff of cybersecurity and protective security advisors, and local information sharing and coordination mechanisms. While not presently focused exclusively on wartime planning, our regional model, as well as FEMA’s and those of other federal agencies, is now focused on building national preparedness and emergency management for “all hazards”. 

Today, with our partners at DoD and FEMA, we are working to retune this system from the post-9/11 and Hurricane Katrina-era focus on terrorism and natural disasters to better serve this new era defined by geopolitical tensions and persistent cyber threats. The good news is that our regional resilience architecture is flexible and can adapt to meet these new challenges. 

Those resilience efforts are not just focused on ensuring the safety and security of our civilian critical infrastructure, but also in supporting our partners in the U.S. military. At the more operational level of regional collaboration, we have been leading an effort known as the Critical Infrastructure Resilience Planning Areas initiative, or CIRPA, which we started last year at the request of DoD. This effort builds off our long-standing cooperation with DoD, including the National Guard, and the civilian emergency management community and is focused on organizing and executing truly collaborative, intergovernmental, and public-private sector field work to reduce the risk to, and enhance the resilience of, defense critical infrastructure, or DCI. These are systems that are determined by DoD to be essential to perform its mission though DOD has limited insight into the security and resilience of the civilian critical infrastructure enablers of DCI. This is just one of the reasons that Congress codified our role as the National Coordinator for Critical Infrastructure and Resilience in our 2018 CISA statute, a role in managing and reducing cross sector risk that will be reinforced in the updated version of PPD-21 which will be released by the Administration in the near future. Just in the past few weeks, we have expanded our CIRPA work in additional locations that are strategically significant to INDOPACOM and NORTHCOM. In the coming months, we will continue rolling out CIRPA projects across other key locations across the country, engaging the private sector closely during steady state, but more importantly, preparing them to protect key assets in the event of heightened geopolitical tensions or war. 

As I know folks are excited to hear from the panel, I’ll just touch on two other recommendations in the report—first, the idea of a cadre of cybersecurity providers. At CISA, we’ve had a lot of discussions about this—in particular, ensuring we have the capability and capacity to respond to mass cyber-enabled disruption or destruction of systemically important critical infrastructure entities. While we, as a new agency, continue to evolve in our ability to support critical infrastructure partners with incident response services, there are existing, and potentially new and novel Defense Production Act and National Emergencies Act authorities, for leveraging private sector incident response providers in extremis. We are exploring such existing policy tools further to determine how to apply them to new areas of risk. 

Separately, to the recommendation regarding DOD “hunt forward” operations for US critical infrastructure, I want to take the opportunity to highlight a capability—one of our truly world class teams—that we don’t often talk about. Indeed, as our teammates at the Cyber National Mission Force have been growing their hunt forward teams to engage with partners overseas, CISA has grown our own threat hunt teams to engage with partners here at home. Bolstered by authorities and budget received over the last 3 years, these hunt teams have conducted 97 engagements—in FY23 alone—across federal, state, local and private critical infrastructure entities across multiple critical infrastructure sectors including communications, water, power, and transportation. These engagements allowed our teams to evict nation-state actors affiliated with China, Russia, and Iran from American networks, rapidly share information to protect other victims, release impactful public advisories that drive risk reduction at scale, and enable our U.S. government partners, including of course DOD, to take action more effectively against our adversaries. If needed, however, we have a mechanism in place to request technical assistance from CNMF teams under Defense Support to Civil Authorities.  

A few closing thoughts about mutual expectations around operating effectively in the sixth domain. Just as the private sector should expect government to be coherent, responsive, transparent, and to add value as opposed to friction—industry, in particular critical infrastructure owners and operators—should be expected to regularly collaborate with government, recognizing that a threat to one is a threat to many, with CEO’s and Board’s treating security risk as a business risk and a matter of good governance requiring significant investments in resilience. 

Finally, the burden of securing our infrastructure cannot fall to CISA and the cybersecurity community alone. Technology underpins our nation’s critical infrastructure and economy—it provides the necessary connectivity to fuel innovation, ideas, production, and service delivery. Unfortunately, much of our technology is dangerously insecure at the time of sale, enabling even the most basic cyber intrusions into critical infrastructure at speed and scale and putting us all at risk. That’s why technology manufacturers must assume responsibility for securing their products from the design and development phases. In line with the National Cybersecurity Strategy, CISA’s Secure by Design movement seeks to drive the adoption of the principles outlined here to ensure that technology products are designed and built in a way that reasonably protects against malicious cyber actors successfully exploiting product defects. This has been and will continue to be, one of CISA's highest priority efforts to bend the trajectory of security in a positive direction for decades to come.

Thanks again for the report, and for the opportunity to frame today’s discussion. I look forward to hearing how it goes and to our continued partnership and collaboration with all of you.