Yahoo Finance Cybersecurity burden falling ‘on consumers,’ not companies: CISA director
Cybersecurity and Infrastructure Security Agency Director Jen Easterly speaks with Yahoo Finance tech editor Dan Howley at CES 2023 in Las Vegas about how the agency can better protect U.S. public, why CEOs need to better embrace corporate cybersecurity responsibilities, and how the cybersecurity industry is diversifying.
Video Transcript
[AUDIO LOGO]
[MUSIC PLAYING]
DAVE BRIGGS: Biggest names in tech are in Las Vegas this week for CES. That includes one agency that works to defend the US against cyber threats. Yahoo Finance's Dan Howley got to speak with the CISA director, Jen Easterly.
JEN EASTERLY: We're one of the newest agencies in the federal government. We've been around now for just over four years. And we were built to be America's cyber defense agency. So our mission is to work with all of our stakeholders and shareholders to make sure that we can understand, manage, and reduce risk to the cyber and physical infrastructure that Americans rely on every hour of every day.
And when we say things like critical infrastructure, people think it's super technical. But as you know, critical infrastructure is just water and power and transportation and communication and healthcare and education. So my main message here is not necessarily about cybersecurity.
My main message here is about cyber safety because we live in a world, as you just said, of massive connections where that critical infrastructure that we rely upon is all underpinned by a technology ecosystem that, unfortunately, has become really unsafe. And so it's incredibly important that us, as consumers, that businesses, that all of our partners come together to ensure that we can drive down risk to the nation and make us all safety as consumers.
DAN HOWLEY: So what-- when you look at the kind of hacks that we've seen in recent-- the recent past-- there was the JBS ransomware attack, the, obviously, meat producer. We had the Colonial Pipeline hack. That was absolutely massive. We were talking about potential fuel shortages. And we continue to see these attacks on smaller municipal governments.
During COVID, the peak of COVID, hospitals were a big target. I guess, how do you talk to these kinds of groups and agencies to say we have to be more preventative? Or what kind of advice do you provide to them to ensure that these kinds of hacks can-- they're never going to stop, right? But to minimize them.
JEN EASTERLY: Yeah. So, look, at the end of the day, we are in an unsustainable position. We cannot have the same sort of attacks on hospitals and school districts that we've been seeing for years. We have to get out of this do loop, and we have to create a sustainable approach to cyber safety. And that's the message that I'm bringing to CES because at the end of the day, we've essentially accepted as normal that technology is released to market with dozens or hundreds or thousands of vulnerabilities and defects and flaws.
We wouldn't accept that in any other critical business in society. We've accepted the fact that cyber safety is my job and your job and the job of my mom and my kid. But we've put the burden on consumers, not on the companies who are best equipped to be able to do something about it. And that's a real problem.
And so the message is sustainable cybersecurity is three key things, Dan. It's about technology companies creating products and software that is secure by design and secure by default. Secure by design-- what do I mean? I mean that they're creating products with a minimum number of vulnerabilities and flaws.
And by default, they have those safety features baked in. It's like when you buy a car, you wouldn't buy a car without airbags and seatbelts and crumple zones and anti-lock brakes. We, as consumers, have to demand that from our technology. So secure by design is all about cyber safety.
Second, corporate cyber responsibility, and that's really about CEOs and board members actually embracing cyber risk as something that's a matter of good governance. They have to work to drive down cyber risk. They have to own it. It can't be that the IT people or the chief information security officer is responsible for cyber risk. CEOs have to embrace CCR, Corporate Cyber Responsibilities, just as they've embraced corporate social responsibility as a matter of good corporate citizenship because cyber is a social good. It's about societal resilience.
And my last message is, we need to fundamentally change the relationship between government and industry, which over the past few decades, we've been talking about public-private partnerships. It's become really hackneyed because the relationship is episodic. The relationship is unidirectional. And there's not a lot of trust there.
And so over the past year and a half, we've really looked to try and transform that relationship and make a paradigm shift in something where there's a default to share information, where the government is much more transparent and responsive and value added, and where we're seeing this as shared responsibilities.
This isn't a problem the government can fix. It isn't all on the back of the technology companies. It isn't all in the back of citizens. We all have to look at this together to ensure that we are a cyber safe world.
DAN HOWLEY: So it's a kind of a grouping thing. I guess, just as far as getting more people into cybersecurity, you know, I believe it was earlier this year, you had mentioned that you wanted to have CISA's workforce be about 50% women by 2025, you were hoping, I believe. How do you get more women, young girls, gender non-conforming people into cybersecurity? What's the kind of way to push them towards that or engage them with that?
JEN EASTERLY: Yeah, so first of all, not just CISA because we're well on our way to 50%.
DAN HOWLEY: Oh, wow, OK.
JEN EASTERLY: But all of the cybersecurity industry, I think, has to be 50% women or non-binary people by the year 2030. Now that's aspirational, but I think it's a goal that we can all get behind. We can actually make it happen. How do we do it? Well, first of all, we have to start with the youngest among us.
We have to ensure that cybersecurity is integrated into the curriculum from kindergarten all the way up to 12th grade, so that earlier on, we're getting people who wouldn't think about tech because it sounds scary and complicated more interested in technology and cybersecurity, again, from the youngest of ages. It also helps our kids be more cyber safe because even as they play on all their devices, they're thinking about, OK, what do I need to do to ensure that I'm safe from all of the bad actors that are out there? So that's hugely important.
The other thing that we're doing is working with the Girl Scouts and Girls Who Code and the Cyber Warrior Foundation and Empower, giving them grants, so that we can get out there and expose more young women and girls to the fact that cybersecurity is a fantastic career. It's why I spend a lot of time trying to inspire and inform young women about how great it is to be in cybersecurity as a career.
So it's something that we all have to take responsibility for. Be aspirational. Believe in the transformation of the cybersecurity workforce. And I think we can get there. It's a tough goal because I think we're about 24% right now. But you got to aim high.
DAN HOWLEY: All right, Director Easterly, thank you so much for joining us. We really appreciate it.
JEN EASTERLY: My pleasure. Thanks so much, Dan.
