
BG - An Everything Is On Fireside Chat with Jen Easterly, Director of US C.I.S.A.

BSides Las Vegas, 30:21, 77 views, published 2023-10
About this talk
Breaking Ground, 13:30 Wednesday. Keren Elazari of the Interdisciplinary Cyber Research Center at Tel Aviv University holds a fireside chat with Jen Easterly, Director of the United States Cybersecurity and Infrastructure Security Agency (CISA), on how we can all help build a more resilient cyber ecosystem internationally, and how hackers can be part of driving the conversation and the solutions that arise from it. Speakers: Keren Elazari, Jen Easterly.
Transcript [en]

For those of you who are ready to fill up your brain, however, if you still have a little room left after the last day and a half of conversations, we would like to ask you to join us in welcoming Security BSides' own Keren Elazari, a senior researcher at Tel Aviv University and a founder of BSides Tel Aviv, in a conversation with Jen Easterly, the Director of the United States Cybersecurity and Infrastructure Security Agency. Put your hands

together. You ready to do this? All right, all right, all right. So thank you so much for joining us here at BSides Las Vegas, Jen, and hello to our friends watching from overseas. We are coming to you direct from BSides Las Vegas, here in beautiful, sunny, peaceful but not so innocent Las Vegas. So we have here with us, I believe for the first time at BSides Las Vegas, Director Jen Easterly from the CISA agency. Jen has been with the agency for two years; she was appointed by President Biden and then unanimously confirmed by the Senate to the position just about two years ago, so a happy work anniversary. Woohoo! And I am personally beyond thrilled to have

an opportunity for a conversation with Jen, or Director Easterly, but I like to call her Jen, if that's okay. Thank you; please call me Jen. And I am with circa 200 or 300 of my best hacker friends that I just haven't met before. So for me, coming to hacker summer camp, coming to these events, and definitely BSides Las Vegas, is the opportunity for the conversations that we don't get to have anywhere else, so I appreciate the opportunity. Thank you for being with us, and I know we're going to have fun. I'm not sure we're going to take questions from the room; it depends on timing and if we can accommodate that. But I just want to

get started by asking you, Jen, if you can tell us in your own words: why are you in Las Vegas this week? I know it's not for the fantastic weather or great food, so why are you in Vegas this week? I heard there's BSides. Yeah, I heard. Well, actually the BSides, but there's Katy Perry. I heard about that. Yeah, you got the Katy Perry concert, and I figured there was other stuff going on. Well, first of all, it's great to be with you, my friend. We were supposed to do this at BSides in Tel Aviv, and then the weather was against flights and the weather got against us,

so I'm so glad we could reprise it here in Vegas. So why am I here? Because this is our community, right? At the end of the day, I think Roger somewhere just came up to me and said, you know, I love that you come to these things, because it's hard necessarily to get time with government officials. And so, you know, I really see the hacker community as our community. We are the champions for the CISOs; we are the folks that need your help, your creativity, your ingenuity. You know, I have to say, I just love that thing. I don't know if one dark one is out there, but I love the design. One dark one is

the designer, Melanie. She's been doing the design for BSides Las Vegas and many other security and hacker events for more than a decade, so let's give her a round of applause. She's been making sure that hacker events and our community events get the color, the passion, the recognition that we want, so it really helps. I don't know if she wrote this, but the themes are the solarpunk themes: demand utopia, fight dystopia. Could you resonate with that message? I do resonate with that, fight dystopia in particular. But it represents the hacker mindset: self-taught curiosity, do-it-yourself resourcefulness, right to repair, autonomy,

and moral conscientiousness. Amen. Yeah, I agree with those values, and I think it's fantastic that, you know, that's why I'm here. I believe you're quite definitely one of the first CISA directors, one of the first government officials, to come out to embrace the hacker community in such a way. I remember vividly, about a decade ago, when General Keith Alexander was the head of the NSA and Cyber Command and he came out to engage with the community, and he said, in this room right here is the talent our nation needs, and people responded, then stop arresting us, please. So a lot has changed in the past decade, and I think that the role of friendly

hackers, of security researchers, of community initiatives, has never been as important as it is right now. So Jen, would you like to share with the room some of your thoughts about what CISA is doing to help prepare the nation and corporates for the ever-evolving threat landscape? Hold on, it's a drinking game: every time I say ever-evolving threat landscape, I must drink. It's just water, don't worry, it's just water. Mostly water. Okay, but then again, a lot of beverages are mostly water, in fact all of them somewhere. So, CISA. Does everybody know what CISA is? Pretty much? Yeah, okay. So we're the newest agency in the federal government, but we're

coming up on our fifth birthday. As Keren said, I've been in the job for a little over two years. But, you know, we were created to be America's civilian cyber defense agency, and the mission is to understand and manage and reduce risk to the cyber and physical infrastructure that Americans rely on every hour of every day. And, you know, when you say critical infrastructure, people think it's kind of a technical term, but at the end of the day it's the water we drink, it's our health care, it's our education, our transportation, our communication, how we get money from the bank and gas from the gas station. And so this really is about

protecting the networks and the systems and the businesses that we rely on every day. And, you know, frankly, the vast majority of it is owned and operated by the private sector, and CISA is not a regulator, we're not an intel collector, we're not a law enforcement agency, we're not military. We are a voluntary partnership agency, and we know that the currency of partnership is trust. And so every day it's about creating trusted partnerships across the federal government, but more importantly with all of the owners and operators of critical infrastructure, the research community, the hacker community, the threat intel community, state and local. And so that's what we do every single day to help protect the nation. And,

you know, frankly, one of the things that we are very focused on during our time at Black Hat and DEF CON is resilience. So when you think about the evolving threat landscape. Oh, you want some of my drink? Maybe you'll drink; you'll be better off with that, trust me. When you think about the evolving threat landscape, it is my belief, given the interdependence, given the vulnerability, given the connectiveness, everything is digitized now, frankly, it becomes more and more difficult to prevent bad things from happening, to prevent disruption from happening. And so we're doing a couple of things on this. First, we are really trying to catalyze a revolution to go upstream, so we're not bolting on

security solutions but actually creating technology that is secure by design. That is the only way I think we can get ahead of threats that are becoming more and more sophisticated, well resourced, and criminals where the bar to entry is getting lowered and lowered. But I also think we need to recognize, even as we catalyze this secure-by-design revolution, bad things are going to happen, disruption is going to happen, so the most important thing we can do is to be resilient to it. What does that mean? It means that we expect and anticipate that bad things are going to happen; we build our plans to expect and anticipate bad things are going to happen, so that we

can respond effectively and recover, to mitigate risk to our businesses, to our networks, and frankly to our country, just knowing some of the threats that are out there. And I'm very excited: in a couple of hours I'm going to be doing a keynote at Black Hat with my Ukraine counterpart, Victor Zhora, and I hope he talks a lot more than me, because he has so many fantastic things to say about what the Ukrainians have been doing to build their resilience, and not just cyber resilience but their operational resilience, as they're dealing with an onslaught of cyber attacks but, frankly, barbaric kinetic attacks from the Russians, and they're able to continue to keep going. And frankly, societal

resilience, right? I mean, this is a people that have stayed unified, incredible courage, incredible focus on beating the adversary. Absolutely, and I do hope you have a chance to catch this keynote later this afternoon. Speaking about Ukraine, we can learn so much from what's happening, so of course we should help, or do what we can to help, but some of the phenomena that I have been tracking are things like the Ukrainian cyber army, which is basically a partisan group of hackers and volunteers helping defend Ukraine from Russian attacks, helping fight disinformation and spread accurate information online, and, through a variety of other ways, supporting what's happening there. So this is very

important. Now, Jen, I'd like to come back to the conversation here. Can you tell us a little bit more about secure by design? Because I think this is not just a slogan; this is a very important initiative that you're driving, and I believe security professionals need to be aware of that. Yeah, thanks for asking. Let me just set this up a little bit, because I think everybody in this audience... can people hear me? I don't know if this thing's working. Can you hear me in the back, all the way in the cheap seats in the back? I'm kidding, there are no cheap seats, it's a sold-out event. So I mean, it's a very

sophisticated audience. So look, go back 40 years, sort of the short history of the internet, and let's pick 1983, when TCP/IP was implemented so computers could talk to each other, right? Since that time, security was never, ever, ever thought about for the internet, right? It wasn't created, it wasn't designed, to be secure. As Dan Kaminsky said, the internet was designed to move pictures of cats, and it's very good at moving pictures of cats. So from the early days, security was not thought of. And then you had the explosion of software, and that was all about speed to market and driving down cost and cool features; it wasn't about security, right? So you now have an internet full of

malware, you have software full of vulnerabilities. Then we had the age of social media, where everybody thought it was cool to move fast and break things. I'm okay with breaking things, but frankly we also have to fix things; we have to build things right. And that's what I love about hackers: they're not just about breaking, they want to break into things so that we can also fix things, right? Where you talked, in your TED talk, about the internet's immune system. Absolutely. Right, you break things with that mindset to get things better and better. But we had social media, which was never supposed to be secure, right? And so now we have a lot of misinformation,

disinformation, and quite frankly, and I say this as a mom, we have a lot of mental health issues for our kids from some of the issues around social media. And here we are going into the world of artificial intelligence, and there's a lot being talked about this week on artificial intelligence, but it's the same thing, you know. Everyone's rushing now that we've got these incredible capabilities coming, the explosion of large language models, three times the speed of Moore's law, so moving incredibly quickly. But how can we build security into that? Think about building security in on the front end. This is about innovation, but it's about responsible innovation. So to sort of set that up, we were talking at

the end of last year with some of my teammates: Jack Cable, well-known security researcher, some of you might know him; Bob Lord on my team was the CISO for Twitter and the DNC; Grant Dasher joined us from Google; Lauren Zabierek joined us from Harvard. So basically you're building the Justice League of security. We are the Justice League. You're missing Wonder Woman. Oh, maybe you're Wonder Woman. By the way, I think you're Wonder Woman. By the way, I am also here to do some recruiting, so definitely come see us at our booth. Is that what's on your hand? There's a recruiting QR code, work at CISA. I've even tattooed myself because I love CISA. Look at this commitment to recruiting hackers

to you. I don't think that's ever been done on this stage; it's fantastic. So you have these amazing, talented individuals; they really catalyzed this. So they came up with these principles and approaches to secure by design, secure by default. We rolled it out in April; I gave a big speech just before we rolled it out at Carnegie Mellon, which is fantastic. And I have to tell you, the response that we've gotten from the community, to include industry, has been incredible. And so we've done a lot of listening sessions. For all you out there, we're doing a red pen session at DEF CON, so please, please, please stop by. We really

want feedback. Hold on, Jen, what is a red pen session? It's not a red team session, it's not a pentesting session. Okay, so those are the terms our hackers and security researchers are familiar with. What is the red pen session? Are you red teaming and pen testing a document? Red lines. It's actually, you take an actual red pen. Okay, can you, like, cross out what you don't like and maybe check mark what you do like? Right. So this sounds like a very interactive opportunity to actually influence. Red team and pen... you're testing a pen, you're testing the pen, so that's literal. But this is an actual opportunity, an interactive opportunity, for you to

influence exactly what CISA, and what Jen and her team, are pushing. So what time is this happening again? It's out there, I don't know, but I will now post it somewhere in the galaxy. Exactly. So let's talk about more opportunities for hackers. Feedback, right? It goes back to your whole thing about immunity, right? The more crowdsourcing we can have of smart people who are, you know, intellectually curious, who are resourceful, who want to solve problems, we can be better together at the end of the day. And so, I mean, one of my operating principles in life is to treat feedback as a gift. Now, I don't really like it if you're going to be

an [inaudible] about feedback, I don't love that, but if it's legit and constructive, then I'm good with that as well. So we really do continuously want feedback on our advisories, on the products we do. You know, there's some stuff that's been done with our work that I think has made it better and better, and it's been sort of pivoted around in ways that I think can be more useful to the community. So please give us feedback. Even if you're not in the red pen session, please take a look at the principles on the website and give us your thoughts. She has the time for you. All right, what time is it? Saturday at 11. Saturday at 11, where?

At Black Hat? At DEF CON. At DEF CON, it's at DEF CON. I think, truth in lending, I think you had to sign up for it ahead of time. So I'll be there; you can come, we'll get more people in there. So let's talk about ways that hackers... thank you very much. So let's talk about ways that hackers can interact not just with the recommendations and guidelines but with the actual vulnerabilities that are out there in the world, by finding vulnerabilities. You know, there's a law, is it Linus's law? Given enough eyeballs, all bugs are shallow. Have you heard this one before? I hope I got the quote correct. Like Linus from... no, it's

Linus from Linux. So okay, yeah, the originator of the Linux operating system. But Linus and Lucy is like a Snoopy thing, or a Peanuts... okay, different. Different American cartoon that I did not grow up on. By the way, we grew up in Israel on American cartoons, but like 10 years later, so we got stuff in delay, which is why... do you know Schoolhouse Rock? Yes, we know Schoolhouse Rock. Schoolhouse Rock, yeah, awesome. My passion: cyber Schoolhouse Rock. Cyber Schoolhouse Rock, my post J. All right, school is in session, rockers. So how can hackers report vulnerabilities, directly interact with

what the agency is doing, what vendors and companies are doing, when we still have so many of the Fortune 500 companies that don't have a vulnerability disclosure program, or they don't have a security.txt document somewhere on their website that gives out the details on who to communicate with? I know that as part of secure by design you have some of the language that originated with my sister's work on legalizing bug research and decriminalizing the work of hackers. So can you tell us a little bit more about that? Because, by the way, Jen mentioned earlier Jack Cable. For those of you unfamiliar with Jack Cable, he started his path as a security researcher with

the Hack the Pentagon program, where he won all three of their challenge coins before he was a senior at high school. So it literally changed his life, protected his nation, created a trajectory for him to become a security researcher, a fellow with the Defense Security Agency, a team member at CISA. You know, so these types of programs, I believe, these types of interactions, each person here in this room can be that next hero that you need to recruit into the Justice League, or to just use their talent to identify vulnerabilities. So what can you do, what can we do, to help them help everybody? Yeah, first of all, is Jack out there? I know he's in Vegas. Well,

he might be watching us from a discreet location. And so on the CVD stuff, Ian Dies is my teammate, out there somewhere, way back. So he just, you know, one of the things I love about BSides is this Proving Ground thing, a new stage for new speakers. He gave his first Proving Ground talk on our coordinated vulnerability disclosure. So we run that for the government, and essentially we work between researchers and vendors, certainly if they can't come together, and that happens a lot, to essentially work through that whole process to make sure that the vulnerability is disclosed responsibly, that there's a patch. We look at timing, obviously, because we want to make sure

that there's not excessive exploitation once the vulnerability is disclosed. One of the other really cool things that we did, that I think is one of the most important things that the team did, is what we call Binding Operational Directive 22-01, which is our... that's a catchy name, Binding Operational Directive. This is the government. So what we did was instead we called it the KEV, the KEV, the Known Exploited Vulnerabilities catalog. Has anyone heard of that? Known Exploited Vulnerabilities catalog, the KEV. That sounds like a person I'd like to meet, the Kev. Yeah, exactly, Kev, right. And so the innovation here was, we all know that there's a ton of vulnerabilities, and frankly that's what we're

trying to do with secure by design. We should stop accepting that technology products come off the line full of vulnerabilities; we've normalized that in some crazy way, and it is unacceptable. So we want to make sure that actually we're lessening that. But as we catalyze that revolution, the thing that we're focused on here is ensuring that people know, in a prioritized way, how they patch the most severe vulnerabilities. So the KEV is essentially vulnerabilities that we know, whether it's through intel or other sources, are being exploited in the wild by threat actors, and so it really helps with prioritization. Now, it's only binding on the .gov that we are the operational lead for, but a lot of

private sector have taken that and looked at it and used it for prioritization. So I think it's really important; it's becoming an adopted thing, I think, for a lot of people. Yeah, I'm chatting with Patrick Garrity from Nucleus Security, another security researcher who did this cool thing. I posted it on social media: he took the KEV and he did it in terms of, like, anyone know Piet Mondrian? He's a Dutch painter. Yeah, I put like a whole painter thing, and I'm a frustrated art historian. So, okay, cool, so it's like the art and science. So check it, it's got cubes and stuff in it, a cube thing, yeah, the biggest ones are... Did he use any AI to create that? I don't

know, he might have. So that's why I brought up AI, because I want to talk about AI. Okay, yeah, it was a very elegant segue. So it's kind of impossible to not talk about AI, and I really am keen to hear your perspective and CISA's perspective. I know you're also tasked with election security, which is an area where you have a new member of your team focused on that, with your senior adviser Cait Conley. Yes. So can you tell us a little bit more about AI and generative AI, and how can we trust the information, how can we trust the devices, the technologies that we interact with, and what CISA is doing on that front? Yeah, so

I don't think we can trust it, and I think that's part of the issue, frankly. This is all happening so fast; these are powerful tools. It's another form of technology, which is why, when you think about the internet, software, social media, AI, it's another technology that we need to focus on building in a secure way. So there's a lot of work going on to try and ensure we can trust it, but frankly I think this is early days, and that's why so much work is happening both in the US and around the world in terms of getting our arms around trust and safety and security. From a CISA perspective, we're very focused on three things. First of

all, how do we responsibly use these capabilities for cyber defense? Okay. How do we assure AI systems? I think that's very important, to have an understanding about how to audit, how to test some of these new capabilities wherever they're implemented and instantiated, particularly as people start putting this in everything. And then, you know, finally, we're looking at the full range of threats to critical infrastructure, because that's obviously our focus, but both physical threats and cyber threats. And again, stipulate that these capabilities can do amazing things, but they can also do amazing things for very bad people, who I think will be able to use them for cyber attacks, for chemical attacks, for biological attacks,

so we have to cost that into what we're doing now. My concern is incredible capabilities, but they can also be used as incredible weapons. Indeed, and it's not governments that are building these things and securing them; it's private industry, who at the end of the day are fiduciarily responsible for making money, yeah, to their shareholders, to their investors. So this is why the White House is looking to bring together the big companies, and they've made voluntary commitments, but voluntary will only take us so far, and frankly, even if the big seven companies are responsibly innovating, a lot of this is already out there in open source. So I think we have to assume that there are going to be

risks that end up happening, which goes back to my earlier point, the resilience point. Resilience, exactly right. So what I want to go to now is: we are almost at the end of our session, and I regret that we may not have time to take everybody's questions, but I do want to tell you that Jen and her team, they're going to answer your questions online, at least... I'm not promising for Jen, but you can certainly reach out and interact with CISA in more than just in person right here. But what I wanted to talk about is, with regards to AI and trust, one of the mechanisms to establish trust is to demand accountability and

transparency, right? So we can trust what we can see; what we can look at, we can trust. And one of the problems with the untrustworthiness, if that's a word, untrustworthiness of existing AI is that a lot of it is opaque. It's a black box: you don't know how it works, you don't know how it reaches the conclusions. So transparency can be a tool, and I know that one of the things you've been working on is radical transparency in technology. Do you want to say a few words on that, and then we'll go to the close? Principles, so there's three principles, if you look at the document. What do you mean, the

document? The document that is Principles and Approaches for Secure by Design. It's on our website, cisa.gov, secure by design. So the principles that Jack and others created, they're not technical principles, right? What we wanted to do was put this in the language of business, because at the end of the day the imperative has to come from the senior level to resource the engineers and the technical people to ensure that they're creating safe tech. So it's all about business owners owning the outcomes for security, so not placing the burden of security on small businesses, on individuals, on app developers. Really, at the end of the day, you have to think about the frameworks that are being put in place so that the

big technology manufacturers who are creating these frameworks, and the big tech, understand that they own that responsibility for security outcomes. Two, to your point, Keren, radical transparency. You know, as my great friend Jeff Moss always says, transparency creates trust, and I'm a huge believer in that, right? Always shining a light on what you're doing, ensuring that people understand. And that's part of the problem with some of these AI models: they're not transparent, they are a black box, and that's why it's incredibly important that we as a community very loudly call for that radical transparency. And we're starting to see that from some of the big companies, who are saying this is where we're at in

terms of implementing enterprise MFA, this is where we're at in terms of a road map for memory safety. So we are calling for specific things; please do look at that document, because I would love, love, love your feedback. And so all of these business outcomes... the last one is that these outcomes need to be owned by senior business leaders. Again, that is where the decisions get made and the resource decisions get done. So we really need this to be taken on by the business community, so they can support the tech community to ensure that we're building security in from the beginning. Absolutely. So just about this AI topic, there is going to be at

DEF CON a generative AI versus hackers hacking event or challenge. I believe that's happening on Friday or Saturday; Amit knows the details. But check out the AI Village at DEF CON. If you are interested to become an AI security researcher and you don't know where to start, I think that's a good place to start, because that's not a job that's going to go away, unless AI makes all of us redundant, in which case we have other problems to contend with. So just to close this off before they throw us off the stage, thank you Spam and thank you DT for hosting us kindly. In the last two minutes, I want to

talk about workforce, and I want to talk about how we can multiply. We're definitely going to need all the humans that we can get, whether it's to work alongside the AI systems or help defend the humanity that's left in us. So BSides, I think, is a big community for bringing new people in: there's the Hiring Ground, there's the Proving Ground. In Israel, at BSides, we do a lot of recruitment efforts; we recently did the Hacker Riot event to bring 300 women into cyber security roles, into their first cyber security job. Can you tell us a little bit about how you and the agency are looking at the workforce issue, if there's anything that you want

people to know, and maybe you want to remind them about your tattoo again? Yeah, so look, we hired 1,330 people, I think, over the last two years. Not 1337? Oh, you already had... maybe it was 1337. That's going to be a good number. So how do we do it? Because it's hard to hire technical talent in the government. We don't want to be like the government, right? At the end of the day, we want to have the kind of culture that attracts people who are intellectually curious, who are problem solvers, the hackers, right? And we do that. Go to our website and look at our culture: it's all about flexibility, it's about creativity,

it's about inclusiveness, because we believe everybody can contribute to solving the hardest problems for our nation. So we've got multiple ways to join CISA. You can join through our Cyber Innovation Fellows program; you can live anywhere in the country and join us; you can work on really hard problems. So please come to our recruiting booths. Yes, you can check out our QR code, and it takes you to very specific jobs that we've got open. This week we're hiring, I think, 200 more, and we'll be closing out our hiring, so please do join us. And if you have any questions at all, in all seriousness, I'm happy to stay after and answer. I have one

final question for you, Jen: do the people who work for you get to wear cat ears and have fun colors in their hair and their nails? Props to DT, because I saw somebody walking around with cat ears and I almost stole them from him, and he found me some. Thank you for preventing a federal crime. Exactly. All right, so thank you, everybody. Thank you, Jen, thank you so much.