
For those of you who are ready to fill up your brain, however, if you still have a little room left after the last day and a half of conversations, we would like to ask you to join us in welcoming Security BSides' own Keren Elazari, a senior researcher at Tel Aviv University and a founder of BSides Tel Aviv, in a conversation with Jen Easterly, the director of the United States Cybersecurity and Infrastructure Security Agency. Put your hands together.

You ready to do this? All right, all right, all right. So thank you so much for joining us here at BSides Las Vegas, Jen, and hello to our friends watching from overseas. We are coming to you direct from BSides Las Vegas, here in beautiful, sunny, peaceful but not so innocent Las Vegas. So here we have with us, I believe for the first time at BSides Las Vegas, Director Jen Easterly from the CISA agency. Jen has been with the agency for two years. She was appointed by President Biden and then unanimously confirmed by the Senate to the position just about two years ago, so a happy work anniversary. Woohoo! And I am personally beyond thrilled to have an opportunity for a conversation with Jen, or Director Easterly, but I like to call her Jen, if that's okay.

Thank you. Please call me Jen. And I'm here with circa 200 or 300 of my best hacker friends that I just haven't met before. So for me, coming to hacker summer camp, coming to these events, and definitely BSides Las Vegas, is the opportunity for the conversations that we don't get to have anywhere else. So I appreciate the opportunity.

Thank you for being with us, and I know we're going to have fun. I'm not sure we're going to take questions from the room; it depends on timing and if we can accommodate for that. But I just want to get started by asking you, Jen, if you can tell us in your own words: why are you in Las Vegas this week? I know it's not for the fantastic weather or great food. So why are you in Vegas this week?

I heard there's BSides. Yeah, I heard... well, actually, the BSides, but there's Katy Perry. There's a... I heard about that, yeah. You got the Katy... So, ready for the Katy Perry concert, and I figured there was other stuff going on. Well, first of all, it's great to be with you, my friend. We were supposed to do this at BSides in Tel Aviv, and then the weather was against flights, the weather got against us, so I'm so glad we could reprise it here in Vegas. So why am I here? Because, like, this is our community, right? At the end of the day, I think Roger somewhere just came up to me and said, you know, I love that you come to these things because it's hard, necessarily, to get time with government officials. And so, you know, I really see the hacker community as our community. We are the champions for the CISOs. We are the folks that need your help, your creativity, your ingenuity. You know, I have to say, I just love that thing. I don't know if one dark one is out there, but I love the design.

One dark one is the designer, Melanie. She's been doing the design for BSides Las Vegas and many other security and hacker events for more than a decade, so we're going to give her, let's give her a round of applause, for making sure that hacker events and our community events get the color, the passion, the recognition that we want. So it really helps. I don't know if she wrote this, but the themes are the solarpunk themes: solarpunk, demand utopia, fight dystopia. Like that. Could you resonate with that message?

I do resonate with that, fight dystopia in particular. But it represents the hacker mindset: self-taught curiosity, do-it-yourself resourcefulness, right to repair, autonomy, and moral conscientiousness.

Amen. Yeah, I agree with those values, and I think it's fantastic that, you know, that's why I'm here. I believe you're quite definitely one of the first CISA direct... one of the first government officials to come out to embrace the hacker community in such a way. I remember vividly, about a decade ago, when General Keith Alexander was the head of the NSA and the Cyber Command, and he came out to engage with the community, and he said, "In this room right here is the talent our nation needs," and people responded, "Then stop arresting us, please." So a lot has changed in the past decade, and I think that the role of friendly hackers, of security researchers, of community initiative has never been as important as it is right now. So, Jen, would you like to share with the room some of your thoughts about what CISA is doing to help prepare the nation and corporates from the ever-evolving threat landscape? Hold on, it's a drinking game: every time I say "ever-evolving threat landscape," I must drink. It's just water, don't worry, it's just water. Mostly water. Okay. But then again, a lot of beverages are mostly... in fact, all beverages, somewhere.

So, CISA. Does everybody know what CISA is? Pretty much, yeah. Okay. So we're the newest agency in the federal government, but we're coming up on our fifth birthday. As Keren said, I've been in the job for a little over two years. But, you know, we were created to be America's civilian cyber defense agency, and the mission is to understand and manage and reduce risk to the cyber and physical infrastructure that Americans rely on every hour of every day. And, you know, when you say "critical infrastructure," people think it's kind of a technical term, but at the end of the day it's the water we drink, it's our health care, it's our education, our transportation, our communication, how we get money from the bank and gas from the gas station. And so this really is about protecting the networks and the systems and the businesses that we rely on every day. And, you know, frankly, the vast majority of it is owned and operated by the private sector. And CISA is not a regulator. We're not an intel collector. We're not a law enforcement agency. We're not military. We are a voluntary partnership agency, and we know that the currency of partnership is trust. And so every day it's about creating trusted partnerships across the federal government, but more importantly with all of the owners and operators of critical infrastructure, the research community, the hacker community, the threat intel community, state and local. And so that's what we do every single day to help protect the nation. And, you know, frankly, one of the things that we are very focused on during our time at Black Hat and DEF CON is resilience. So when you think about the evolving threat landscape...

Oh, you want some of my drink? Maybe you'll... you'll be better off with that, trust me.

When you think about the evolving threat landscape, it is my belief, given the interdependence, given the vulnerability, given the connectiveness, everything is digitized now, frankly it becomes more and more difficult to prevent bad things from happening, to prevent disruption from happening. And so we're doing a couple of things on this. First, we are really trying to catalyze a revolution to go upstream, so we're not bolting on security solutions but actually creating technology that is secure by design. So that is the only way, I think, we can get ahead of threats that are becoming more and more sophisticated, well resourced, and criminals where the bar to entry is getting lowered and lowered. But I also think we need to recognize, even as we catalyze this secure-by-design revolution, bad things are going to happen. Disruption is going to happen. So the most important thing we can do is to be resilient to it. What does that mean? It means that we expect and anticipate that bad things are going to happen. We build our plans to expect and anticipate bad things are going to happen so that we can respond effectively and recover to mitigate risk to our businesses, to our networks, and frankly to our country, just knowing some of the threats that are out there. And I'm very excited: in a couple of hours I'm going to be doing a keynote at Black Hat with my Ukraine counterpart, Victor Zhora, and I hope he talks a lot more than me, because he has so many fantastic things to say about what the Ukrainians have been doing to build their resilience, and not just cyber resilience but their operational resilience as they're dealing with an onslaught of cyber attack but frankly barbaric kinetic attacks from the Russians, and they're able to continue to keep going, and frankly societal resilience, right? I mean, this is a people that have stayed unified, incredible courage, incredible focus on beating the adversary.

Absolutely. And I do hope you have a chance to catch this keynote later this afternoon. Speaking about Ukraine, we can learn so much from what's happening. So of course we should help, or do what we can to help, but some of the phenomena that I've been tracking are things like the Ukrainian cyber army, which is basically a partisan group of hackers and volunteers helping defend Ukraine from Russian attacks, helping fight disinformation and spread accurate information online, and, through a variety of other ways, supporting what's happening there. So this is very important. Now, Jen, I'd like to come back to the conversation here. Can you tell us a little bit more about secure by design? Because I think it's not just a slogan. This is a very important initiative that you're driving, and I believe security professionals need to be aware of that.

Yeah, thanks for asking. Let me just set this up a little bit, because I think everybody in this audience... and can people hear me? I don't know if this thing's working. Can you hear me in the back, all the way in the cheap seats in the back? I'm kidding, there are no cheap seats. It's a sold-out event, so I mean it's a very sophisticated audience. So look, we know, go back 40 years, sort of the short history of the internet, and let's pick 1983, when TCP/IP was implemented so computers could talk to each other, right? Since that time, security was never, ever, ever thought about for the internet, right? It wasn't created, it wasn't designed, to be secure. As Dan Kaminsky said, the internet was designed to move pictures of cats, and it's very good at moving pictures of cats. So from the early days, security was not thought of, and then you had the explosion of software, and that was all about speed to market and driving down cost and cool features. It wasn't about security, right? So you now have an internet full of malware, you have software full of vulnerabilities. Then we had the age of social media, where everybody thought it was cool to move fast and break things. I'm okay with breaking things, but frankly we also have to fix things. We have to build things right. And that's what I love about hackers: they're not just about breaking. They want to break into things so that we can also fix things, right? Where you talked about in your TED talk about the internet's immune system, absolutely right. You break things with that mindset to get things better and better. But we had social media, which was never supposed to be secure, right? And so now we have a lot of misinformation, disinformation, and quite frankly, and I say this as a mom, we have a lot of mental health issues for our kids from some of the issues around social media. And here we are going into the world of artificial intelligence, and there's a lot being talked about this week on artificial intelligence, but it's the same thing. You know, everyone's rushing now that we've got these incredible capabilities coming, the explosion of large language models, three times the speed of Moore's law, so moving incredibly quickly. But how can security... think about building security in on the front end. This is about innovation, but it's about responsible innovation. So to sort of set that up, we were talking at the end of last year with some of my teammates: Jack Cable, well-known security researcher, some of you might know him; Bob Lord on my team was the CISO for Twitter and the DNC; Grant Dasher joined us from Google; Lauren Zabierek joined us from Harvard.

So basically you're building the Justice League of security.

We are the Justice League.

You're missing Wonder Woman.

Oh, maybe you're Wonder Woman. By the way, I think you're Wonder Woman. By the way, I am also here to do some recruiting, so definitely come see us at our booth.

Is that what's on your hand? The recruiting QR code, "Work CISA"?

I've even tattooed myself because I love CISA. Look at this commitment to recruiting.

Hackers to you are... that's never been, I don't think that's ever been done on this stage. It's fantastic. So you have these amazing, talented individuals.

They really catalyzed this. So they came up with these principles and approaches to secure by design, secure by default. We rolled it out in April. I gave a big speech just before we rolled it out at Carnegie Mellon, which is fantastic. And I have to tell you, the response that we've gotten from the community, to include industry, has been incredible. And so we've done a lot of listening sessions. For all you out there, we're doing a red pen session at DEF CON, so please, please, please stop by. We really want feedback.

Hold on, Jen, what is a red pen session? It's not a red team session, it's not a pentesting session, okay? So those are the terms our hackers and security researchers are familiar with. What is the red pen session? Are you red-teaming and pen-testing a document?

Red lines. It's actually... you take a red pen, an actual red pen.

Okay, can you, like, cross out what you don't like and maybe check-mark what you do like?

Right.

So this sounds like a very interactive opportunity to actually influence... red team and pen... you're testing a pen. You're testing the pen, so that's literal. But this is an actual opportunity, an interactive opportunity, for you to influence exactly what CISA and what Jen and her team are pushing. So what time is this happening again?

It's out there. I don't know, but I will now post it somewhere in the galaxy.

There's a galaxy, exactly. So let's talk about more opportunities for hackers.

Feedback, right? Like, it goes back to, like, your whole thing about immunity, right? The more crowdsourcing we can have of smart people who are, you know, intellectually curious, who are resourceful, who want to solve problems, we can be better together at the end of the day. And so, I mean, one of my operating principles in life is to treat feedback as a gift. Now, like, I don't really like it if you're going to be an... about feedback. I don't love that. But if it's, like, legit and constructive, then I'm good with that as well. So we really do continuously want feedback on our advisories, on the products we do. You know, there's some stuff that's been done with our work that I think has made it better and better, and it's been sort of pivoted around in ways that I think can be more useful to the community. So please give us feedback. Even if you're not in the red pen session, please take a look at the principles on the website and give us your thoughts.

She has... what, she has the time for you? All right, what time is it?

Saturday at 11.

Saturday at 11. Where? At Black Hat? At DEF CON?

At DEF CON. It's at DEF CON. I think you had to, like... truth in lending, I think you had to sign up for it ahead of time. So I'll be there. You can come. We'll, like, get more people in there.

Is over. So let's talk about ways that hackers... thank you very much. So let's talk about ways that hackers can interact not just with the recommendations and guidelines but with the actual vulnerabilities that are out there in the world, by finding vulnerabilities. You know, there's a law, is it Linus's law? "Given enough eyeballs, all bugs are shallow." Have you heard this one before? I hope I got the quote correct.

Like Linus from Lu...

No, it's Linus from Linux.

So, okay, yeah.

The originator of the Linux operating system. But Linus and Lucy is, like, a Snoopy thing, or a Peanuts...

Okay, different, different.

Okay, different, different American cartoon that I did not grow up on. But, by the way, we grew up in Israel on American cartoons, but, like, 10 years later, so we got stuff like in delay, which is why I'm... do you know, do you know Schoolhouse Rock?

Yes, I, we know Schoolhouse Rock.

Schoolhouse Rock, yeah, awesome. My passion, Cyber Schoolhouse Rock.

Cyber Schoolhouse Rock, my post, J...

All right, school is in session, rockers. So how can hackers report vulnerabilities, directly interact with what the agency is doing, what vendors and companies are doing, when we still have so many of the Fortune 500 companies that don't have a vulnerability disclosure program, or they don't have a security.txt document somewhere on their website that gives out the details on who to communicate with? I know that as part of secure by design you have some of the language, or that originated with my sister's work, on legalizing bug research and decriminalizing the work of hackers. So can you tell us a little bit more about that? Because, by the way, Jen mentioned earlier Jack Cable. For those of you unfamiliar with Jack Cable, he started his path as a security researcher with the Hack the Pentagon program, where he won all three of their challenge coins before he was a senior at high school. So it literally changed his life, protected his nation, created a trajectory for him to become a security researcher, a fellow with the Defense Security Agency, a team member at CISA. You know, so these types of programs, I believe, these types of interactions, each person here in this room can be that next hero that you need to recruit into the Justice League, or to just use their talent to identify vulnerabilities. So what can you do, what can we do, to help them help everybody?

Yeah, first of all, is Jack out there? I know he's in Vegas. Well, he might be watching us from a discreet location. And so on the CVD stuff, Ian Dies is my teammate, out there somewhere. So he just gave, way back... so he just, you know, one of the things I love about BSides is this Proving Ground thing you can do, a new stage for new speakers. He gave his, like, first Proving Ground talk on our coordinated vulnerability disclosure. So we run that for the government, and essentially we work between researchers and vendors, certainly if they can't come together, and that happens a lot, to essentially work through that whole process to make sure that the vulnerability is disclosed responsibly, that there's a patch. We look at timing, obviously, because we want to make sure that there's not excessive exploitation once the vulnerability is disclosed. One of the other really cool things that we did, that I think is one of the most important things that the team did, is what we call Binding Operational Directive 22-01, which is our...

That's a catchy name, Binding Operational Dir...

This is the government. So what we did was, instead, we called it the KEV.

The KEV.

The Known Exploited Vulnerabilities catalog. Has anyone heard of that? Known Exploited Vulnerabilities catalog, the KEV.

That sounds like a person I'd like to meet, the KEV.

Yeah, exactly, Kev, right. And so the innovation here was, we all know that there's a ton of vulnerabilities, and frankly that's what we're trying to do with secure by design: we should stop accepting that technology products come off the line full of vulnerabilities. Like, we've normalized that in some crazy way, and it is unacceptable. So we want to make sure that actually we're lessening that. But as we catalyze that revolution, the thing that we're focused on here is ensuring that people know, in a prioritized way, how they patch the most severe vulnerabilities. So the KEV is essentially vulnerabilities that we know, whether it's through intel or other sources, that are being exploited in the wild by threat actors, and so it really helps with prioritization. Now, it's only binding on the .gov that we're the operational lead for, but a lot of private sector have taken that and looked at it and used it for prioritization. So I think it's really important. It's becoming an adopted thing.

I think a lot of people... yeah, I'm chatting with Patrick G. from Nucleus Security, another security researcher, who did this cool thing. I posted it on social media. He took the KEV and
he did it in terms of like