 It's really a terrific pleasure and honor to introduce Director Easterly, who's had an amazing career, beginning at West Point and then a Rhodes Scholar at Oxford and a colonel in the Army who served in Iraq and was instrumental in NSA's dismantlement of al-Qaeda in Iraq, helped establish cyber command, top kind of terrorism official for the Obama administration, headed up global security and cyber security at Morgan Stanley, a senior fellow at New America, and now the director of the Cyber Security and Infrastructure Security Agency known as CISA. So Director Easterly, so quick, easy first question. What does CISA do? Because I think a lot of people don't necessarily completely understand the mission. Awesome. Well, first of all, it's great to be with you, Peter. And always great to follow a dear friend like Josh Geltzer. I always learn something when he speaks as well, and I appreciate the kind introduction. I always find myself wanting my son to be around to hear that stuff, because I think I'm much less impressive to him. But you know, that's good. Our kids keep us, keep us humble, as you know. So CISA is the newest agency in the federal government. We were formed almost four years ago at the end of 2018. And our mission is to lead the national effort to understand, manage, and reduce risk to the cyber and physical infrastructure that Americans rely on every hour of every day. When you say a term like critical infrastructure, it sounds a bit technical. You know, at the end of the day, critical infrastructure are just the systems and networks and data that underpin everything that we do virtually every minute of the day. So it's how we get gas at the pump, food at the grocery store, money from the ATM, how we communicate, how we get on transportation. So again, these are the networks that underpin our lives, and we have a mission to protect and defend it. Now, anybody listening to this call will know that the vast majority of that critical infrastructure is owned by the private sector. And so it's interesting. You talked a little bit about my career, spent the majority of my time in the army and the intelligence community and the policy world. You could argue that in the national security and the counterterrorism space, the federal government has monopoly power. But when you think about cyber security, the federal government is a partner. We're a partner with our state and local colleagues and with private industry. And so the most important thing that we do is build trusted partnerships. And that's really to enable two main roles that we have. And the first is as America's cyber defense agency. That's why the Congress established CISA. That's why we've gotten more money, more people, more authorities, more responsibilities over the last four years. And that's why, frankly, the Congress is doubling down every year, giving us more money is to really build a capability to defend the nation and cyberspace. And the second role we have is as the national coordinator for critical infrastructure resilience and cyber security. And that's to bring together all the various partners in the federal government across industry at the state and local level to enable us to reduce risk. So hopefully that made sense. But if you remember two things, America's cyber defense agency and national coordinator. It makes a lot of sense. And so a critical piece of infrastructure is our elections. And the midterms are soon upon us. And so what are your concerns? How secure are they? What are you doing to secure them? Yeah, so I mean, it's it's useful to step back a second when you understand the world of critical infrastructure. So there are 16 critical infrastructure sectors, CISA is actually responsible as the sector risk management agency for eight of them, meaning that we're responsible for helping to provide resources and tools and capabilities and working very closely with the sector to ensure that they have the information they need. Within the government facilities sector, there is the election security sub election infrastructure sub sector. Now, you may remember that in 2017, following what happened in 2016 with the election, the former secretary now secretary Johnson actually made election infrastructure critical infrastructure. It wasn't before them. And frankly, state and local, as we all know, the federal government doesn't run elections, it's all run by state and local officials. And there was a massive tide of unhappiness with the federal government seemingly getting involved in election infrastructure security. And so fantastic kudos to my predecessor, my great friend, Chris Krebs, for really building incredible partnerships with the election community, state and local election officials, secretaries of state to help them strengthen their security, such to the point that when I had my first meeting in the summer of 2021 with election officials, they were hugely complimentary of all the work that CISA had done to help them ensure they have the resources to protect their elections. Now, the big focus leading up into 2020 was cybersecurity and all of the things that state and local election officials needed to do to shore up their cybersecurity given the hacking that we saw from the Russian government in 2016. Now, the threat environment is arguably even more complex because you think about cyber threats, not just from nation-state actors, but from criminal groups. We worry about things like ransomware on election infrastructure. A lot of concerns, and this is very disturbing when you think about it, concerns of physical security threats to election officials, which I think is a really worrying thing for our democracy, frankly, worries about insider threats, and then finally, threats of foreign malign disinformation. And so our job at CISA is to really ensure that state and local election officials have all of the resources that they need to shore up their security and to run safe elections. And so we work with them, our election security and resilience team. I brought on a terrific senior election security advisor, former Republican Secretary of State Kim Wyman from the state of Washington. And so we are very well plugged into the community and doing everything we can to ensure that the elections that are coming up in November of 2022 and certainly the elections in 2024 are as secure and resilient as possible. And so, again, working with state and local, but also working with our federal government partners, the vendor community, the election infrastructure, sharing and analysis center. So like everything else in cyber and in homeland security, Peter, it is a team sport and one that requires collaboration across the board. We're just a drill into those a little bit. I mean, you mentioned that there's a kind of smorgasbord of problems or issues, right? I mean, there's disinformation, there's state actors, there's potential attacks on election officials themselves in the United States. So how do you rank, I mean, to get into the sort of more specifics to the extent you can, who are the bad actors here? Well, talking about just taking a step back because election infrastructure is a priority mission, safeguarding and helping state and local officials safeguard their election infrastructure is, of course, a priority mission, but we, as you will know, deal with so many other threats. And so we need to ensure that we are resourced to cover the full landscape. We're very focused, of course, on nation state threats, China, Russia. Certainly we can talk about what we did with our Shields Up campaign to prepare for Russian maligned cyber activity on critical infrastructure in the wake of their unprovoked attack in Ukraine and the war that's gone on now for over six months. We are also focused on Iran. You might have seen the recent announcement coming from the White House about Iranian attacks on Albanian critical infrastructure, a NATO partner, as you know, attacks coming from North Korea. And then we focus a lot on the criminal groups, whether they are sponsored by, given safe haven by or aligned with some of these nation state actors. And that has been an increasing problem, as you know, with things like ransomware. Even over the past couple of weeks, we've seen significant ransomware events in LA at the Unified School District. We've seen ransomware events in the UK with the National Health Service and Staffordshire Water. And so we spend a lot of time working on how we can ensure that businesses large and small, the American people, all of our partners have the resources and the information and the tools and the capability that they need to keep themselves safe from nation state actors. But, you know, mostly the big problem is ransomware. And so we set up StopRansomware.gov, one stop shop. Last year, one of the most visited sites we have to to ensure that the resources are out there about how to protect yourself. What is ransomware? How do you protect yourself? And if you get, unfortunately, if you're the victim of an attack, what can you do about it? And so we are all in the business of supporting and helping and resourcing and empowering the American people to help protect themselves online. So the ransomware, I mean, is this entirely people for profit or are some of these groups proxies for states sort of are sort of posing as sort of criminals? Yeah, I mean, it's very largely criminals looking for money. Now, there have been, you know, as you know, there have been ransomware gangs that have safe haven from nation states. And clearly, there are some associations between criminal groups and nation states. But in many ways, the attribution piece doesn't matter so much in our business because we are very focused on ensuring defense. We are all about building that resilience, ensuring that preparedness. It's important for people to understand the threat, of course, but even more, how do they mitigate the risk of threats like ransomware? We just put out a product with our FBI colleagues the other day about a group called Vice Society. And so there's all kinds of flavors of groups out there and all kinds of variants of ransomware. I think the key question is, what does everybody need to be doing to mitigate risk to themselves, to their family, to their businesses, keeping them safe and secure online? And where we are very focused, keeping our critical infrastructure owners and operators safe because our national security and our economic prosperity and our public health and safety is put at risk. You mentioned the Shields Up campaign that you had as a result of Russia's invasion of Ukraine, and it seems pretty striking how feckless the Russians have been with cyber attacks either in Ukraine or in the United States. And obviously, the things that probably we don't know that somehow were averted. But I mean, do you have any thoughts about, because there's been a lot of concern, rightly so, about their capacities, but of late, there doesn't seem to be much action? Yeah, I mean, I wouldn't use the word feckless. There have been many attacks, cyber attacks, into Ukraine. And we have been working with our partners, our Ukrainian partners. We actually had a terrific meeting with the Ukrainian delegation. In fact, we just met with a separate group today to talk about some capacity-building efforts. So we're very excited about moving forward on that. But there have been attacks. There was some good reporting that we've seen over the past couple of months. I think the bigger question is probably twofold. First of all, why haven't these attacks had more impact within Ukraine? And why have we not seen any spectacular attacks here in the homeland? Which frankly, I was very concerned about, given that we know malicious cyber activity as part of the Russian playbook, we wanted to ensure we were very prepared for whether it was a state-sponsored retaliation type attack, whether it was a cascading attack, something like we saw with Noppechen 2017, which was focused in Ukraine, but then affected targets around the world to the tune of $10 billion, or whether it was potentially a criminally-aligned ransomware group that did another attack, as we saw similar to Colonial Pipeline last May. And so we were very concerned about all of these things. And that's why we launched the Shields Up campaign, Shields Up because I am a big Star Trek fan. But at the end of the day, it is really about ensuring that we understand the potential threat environment and that we know all of the things that we need to be doing to mitigate risk to our businesses, large and small, to our families and to our national security. And that's been a very successful campaign because we aim to ensure that we weren't talking in tech speak or nerd speak, as I like to say, we tried to ensure that we were providing very clear guidance that anybody could follow and implement to help protect themselves. Now to the larger question of why we haven't seen any of these attacks, I would say a couple of things first, we don't really know. I do think we should give enormous credit to the Ukrainians for building up their capability in cyber over the past couple of years. Russia has gone after them in a pretty serious way. And I think the Ukrainians have been very agile in terms of the lessons that they've learned to enable them to protect them. So you were saying about the Ukrainians, you know, in July, you just sort of following up on that, you signed an agreement with them on the side of the security, what were the sort of the headlines of that agreement? Yeah, so we're looking to really strengthen what we've already built. We have as, you know, CISO one of the other roles we play is US cert, the US computer emergency response team. And there are certs around the world. So we've got relationships with over a hundred and we had already been working with Ukraine cert, but we took the opportunity when the delegation came in to sign and formalize a memorandum of cooperation to enable us to really focus on how do we share more information? How do we build capacity? And how do we learn from each other? Because as I said, I think the Ukrainians have done an impressive job dealing with Russian cyber attacks during the past six months. And I think there's some really good lessons to learn from them. And then just today we met with another delegation to talk about some of the work that we are gonna do on capacity building based on a new interagency agreement. And that's to work on things like building capacity in threat hunting capabilities and focused on training with an industrial control system. So I'm just very excited about continuing to press into this partnership as I think it's incredibly important. So just returning to the United States for a minute. So what is critical infrastructure in practice? And what are the sectors that you have responsibility for? How many targets, how many kind of key nodes of critical infrastructure are there? And what are the responsibilities of those to report an attack, either ransomware attack or some other kind of attack to you? Yeah, so sort of a two-part question that may take it. I mean, critical infrastructure, 16 sectors, many sub sectors with every sector, which is typically the private sector, there's what's called sector risk management agencies or SRMAs. And they are a government agency, department or agency that work with those sectors to ensure that they have the resources and the capabilities and the information that they need to ensure their security and resilience. So the financial sector labs at Morgan Stanley, for example, we work closely with Treasury. The energy sector works closely with the department of energy. We at CISA work with the information technology community, the communications sector, the dam sector, the emergency management. So we have eight of those sectors. And then again, we work very closely with the rest of the government because at the end of the day, you really can't carve off one sector. Everything is connected, which is why in 2019, we actually laid out what we call the national critical functions. And those are the functions that are so important to our national security and economic prosperity and public health and safety that corruption or disruption could cause a massive impact. And so we look both at sectors and we look at functions. And within every sector, there is lists of entities that can be considered critical, although we're actually going through a re-imagining exercise right now. I had a board meeting earlier in the day where our chairman, Tom Fanning, who's the CEO of Southern Company is leading a group to really look at how we can identify what we call systemically important entities, those entities that are absolutely critical to national security, economic prosperity, public health and safety. So if America has a really bad day, those are the places where the government resources will go to. And that's probably, we haven't come up with that list yet, but we're working on it now. That's probably in the hundreds, but there are thousands of critical infrastructure owners and operators around the country. And some of them are what I call a target rich resource poor. So you think about hospitals, you think about schools, you think about some of the municipalities and government entities that don't have really robust cybersecurity. So we work with them as well to provide them resources and info and tools and capabilities. And Peter, we have a growing field force which I'm really excited about of cybersecurity advisors, cybersecurity state coordinators that are working on the front lines across our 10 regions around the country. We're growing those forces to ensure that we can help all of these infrastructure owners protect themselves. And one of the things you mentioned is sort of part two of the question is reporting requirements. So right now there are not a very explicit reporting requirements from cyber incident that are starting to evolve recently, but very happily in March as part of the omnibus. The Hill passed the Cyber Incident Reporting for Critical Infrastructure Act that basically said significant cyber incidents need to be reported to CISA within a certain period of time. And we've just started to kick off the rulemaking process for that by putting out a request for information. We're gonna do 11 listening sessions because we want it to be a very consultative process. It's really important that we have an understanding of what's going on across the ecosystem, not so we can name or shame or blame or stab the wounded, but so that CISA as America's Cyber Defense Agency can render assistance to victims who might not be able to afford bringing in a big incident response company, but they may need help from us, but also critically important, we can use this information to warn others before they become victims of an attack. And that's, you know, I think of collaboration as our superpower and we really use our very expansive information sharing authorities, some of which we got when the Department of Homeland Security was stood up, as you well know, Peter stood up in the wake of 9-11. It was a lot about connecting those dots and information sharing, but we got more expansive information sharing protections in 2015 that enable us to work and to share information and also protect privacy and liability. And, you know, that's really the main reason why the Congress decided that reporting should come to CISA because we have the ability to protect it and then also to share it with our government partners that can help render assistance, whether it's investigative or law enforcement assistance. And then also, again, to warn other potential victims before they get hacked. Yeah, mention of 9-11, there was sort of a narrative at one point about a cyber 9-11 or whatever, which always seemed to me to be like very overblown, but clearly there's sort of a Moore's law here where people, their abilities will get bigger over time. So what is the sort of scenario that keeps you up at night that is, you know, it's plausible, but, you know, in the realm of plausibility. Now, as a CT person, Peter, and I know you probably get this question too, what keeps you up at night? Everybody gets asked it. And the truth is like, you know, nothing really keeps me up at night. I don't actually sleep that much, but when I do, I sleep pretty well. It's really, I think, what gets you up in the morning is a really key question. And that's what brought me back from Morgan Stanley to the government to be the director of CISA. And that's the ability to work with all of our partners and stakeholders to drive down risks to our critical infrastructure. And the things that we are very focused on, we can't just be focused on one sort of threat of risks. We just actually published our strategic plan today that I'm very excited about, that talks about where we were gonna focus over the next three years from spearheading our effort to ensure the resilience and defense of cyberspace to everything we're doing on the risk reduction and resilience to what we're doing on operational collaboration to what we're doing as an agency, but we need to be able to focus on the full landscape of threats. I will say we've spent a lot of time over the past year in particular on cyber threats to operational technology and industrial control systems because you think about things that can break things and that can lead to actually kinetic impacts and loss of life. And so working with the industrial control system community has been a huge effort over the past year. We actually just expanded our platform for operational collaboration that we call the Joint Cyber Defense Collaborative or JCDC to bring in a bunch of industrial control system vendors. Again, to drive down risks to operational technology. So we have a lot on our plate and the good news is we have a fantastic team and some terrific partners helping us to reduce risk to the nation. So this, the Joint Cyber Defense Collaboration you mentioned, is this a Goldwater nickels for the cyber community or what is it? Yeah, you know, one of the best things to happen over the past five years, well, one of the best things to happen was the creation of CISA. But other great thing that happened came out of the cyberspace solarium commission. And I think you know some of the folks that were on the solarium commission and just some amazing people. And you know, Peter, you've been around for a long time. There are a lot of these commissions out there. I would say probably the 9-11 commission had a real impact but there's a lot of commissions that become shelf wear. The great thing about the cyberspace solarium commission is they had sitting members of Congress there that were able to, as the recommendations come forward, actually craft legislation. And you know, 75% of their recommendations have found themselves in two ball, in particular with the NDAA in 2021 and 2022. And frankly, CISA has benefited from a lot of those recommendations. We have gotten more authorities and more responsibilities coming out of that. And one of the most foundational, it was really the, came out of Congressman Langevin, you know, a cyber hero in the Hill, that did a lot of great work on this, was called the Joint Cyber Planning Office, JICPO. Which if you say it too many times, you sort of get this semantic satiation and it just sounds terrible. So I didn't like JICPO. And so we sat with the team and we came up with Joint Cyber Defense Collaborative also because I'm a big 80s music fan. I actually wanted to call it the Advanced Cyber Defense Collaborative that the lawyers wouldn't let me. So we went with JCDC. And it really, it's emblematic of what we are trying to do. It's joint as we bring together all of our partners. It's about cyber defense as America's cyber defense agency, but it is all about collaboration. And the idea is we bring together the federal cyber ecosystem, the only entity that by law combines the power of CISA, NSA, FBI, cybercom, the director of national intelligence, the department of defense, department of justice, our national cyber director friends, our secret service friends, together with the private sector to find those dots of malicious and suspicious activity, to connect those dots so we can drive down risks to the nation at scale. And we have operationalized this over the past year to deal with serious vulnerabilities like log four shell, which was a serious open source vulnerability that was revealed last December. We've worked through it, going through the Ukraine tensions plan. We actually do planning and then we implement cyber defense operations. So it is at the core of what I've been trying to do, which is to transform public-private partnerships, which I think has become a bit of a hackneyed term into true real-time operational collaboration where the government is responsive, the government is transparent, the government is adding value. And we are having some good success on that. So I'm excited about continuing to build on that success and continuing to build on those collaborative partnerships. We have some audience questions. So here's the question. CISA is currently in, is it, do you have an intention to expand your threat detection capabilities Intel sharing with other Ally nation states? Yeah. Thanks for asking that. You know, we do. So the JCDC, we talk a lot about the private sector because really cracking the code on how we can work more closely with the private sector was something I was very passionate about having spent the last four and a half years at Morgan Stanley and being a little disappointed with what I saw in terms of a real lack of coherence with the private sector. So we went after that very aggressively also because the private sector has incredible visibility into the environment. So oftentimes they may see malicious activity before the federal government case in point solar winds, which was actually discovered by my great friend, Kevin Nandia, when he was the CEO of FireEye. But the private sector is one part of JCDC. Also our state and local partners leadership at all levels to include our election officials, but international partners are a hugely important element of that. We obviously have really close working relationships with our five eyes partners. I was having dinner last night with Abby Bradshaw, who's my counterpart at the ACSC in Australia. We work very closely with what's called the IWWN, which is the International Watching Warning Network 16 partners around the world. And then those over a hundred CERT partners that we are all sharing information because we recognize at the end of the day, the cyberspace has no borders. So we all need to come together to be able to protect and defend global cyberspace. And you can say there's different authorities and across different countries when it comes to things like offense. But defense, we're all pretty similar in terms of what we are trying to do, which is why we have been working hand in hand to include as we've been working to mitigate risk potentially from Russia. Our partners are doing exactly the same thing. So enormously productive international partnerships that we're super proud of. Switching gears a little bit. Are you surprised that there are half a million jobs or more that are unfilled in the cybersecurity space? And why is it the case? How do you remedy it? How do you diversify the cyber workforce? What are you doing specifically at your agency? How does your agency can be on the sector? Do you recruit hackers? It's a lot of questions. I'm not surprised, I'm not surprised at the number because I've been quoting it for way too long. I'm not surprised, but I'm disappointed. I'm particularly disappointed at the lack of diversity in this field. And I've made that huge centerpiece of our efforts as we build a talent management ecosystem to enable us to recruit and effectively on board and train and certify and mentor and coach and provide mobility opportunities and retain the cyber workforce. It's not just about recruiting. We have to be able to build this ecosystem. It's one of the reasons I'm really excited. We're gonna be bringing in a chief people officer in the next month or so to help us with that ecosystem and a long-term human capital strategy to enable us to bring that talent in and to make sure that that talent is able to grow and develop. So again, we have the kind of agency where people are excited to work. We spent a lot of time, Peter, over the last year probably about 50% of my time or more building our culture. Which I think is incredibly important for a new agency. So when you think about what makes any organization great, to me, it comes down to culture. And so we built out co-creating with our workforce core values and core principles that are about trust and teamwork and collaboration and innovation and inclusion and empowerment and ownership. And that really will underpin how we're going to bring in great talent. And how we're going to retain that talent. We're trying to be really creative about it. Yes, we bring in hackers, but we bring in people from all walks of life. You don't need to be a hacker to be part of the cyber community. We have policy people, we have communicators. So frankly, what we're doing using some new authorities that we got at the end of last year, the cyber talent management system which not only allows us to hire in a more agile way but allows us to pay closer to market, giving the competitive nature of cybersecurity, but we're able to bring in people without a college degree. You know, my most talented technical person at Morgan Stanley had no college degree. Oftentimes it's people who have skill, who've done this since they were young, who are intellectually curious. And so we are really looking for that talent to bring them in to help us build America's cyber defense agencies. So I'm very excited about the things that we're going to be doing in the new year to include getting out on the road and doing some recruitment in particular at HBCUs, at minority serving institutions, at Hispanic serving institutions. So again, we can build that diversity, whether it's neurodiversity, diversity of gender identity, sexual orientation, race, national origin, experience, skills, age, background. Because all of that equals diversity of thought. And in my core, I honestly believe that diversity of thought is what makes us better at solving the most difficult problems for the nation. So we're going to help get a dent in that workforce. I welcome anybody who's interested in the call to join us in that. I have made a personal pledge to get to 50% of women in cybersecurity by the year 2030. I think we're at 23 or 24% now. So we got a lot of work to do, but I believe we can get there. Interesting audience question from Warren Butler. The US government can promote cybersecurity sort of through two ways, saving private industry money, carrots, versus legal repercussions, stick. So how do you sort of sort that out? Well, I sort it out in the fact that we're not a regulator. We're very, very small regulatory authorities with our CFATS program, which is chemical facilities, anti-terrorism standards. So it's part of our physical security mission. But we are not a regulator. And frankly, I don't want to be a regulator because I think if we became a regulator, we would really use the magic of our ability to collaborate with partners in the way that we do. And so there are regulatory sticks, if you will. There are, you know, we dealt with this in the financial services sector. We had a range of regulatory agencies, but where we are focused is ensuring that we can build the right type of partnership so that businesses large and small know what they need to do to prevent having a breach or an incident. So the big companies say in, you know, finance, we spend billions of dollars. Energy has really raised the bar. But, you know, there are some hospitals out there and there are some schools out there that don't have a lot of cyber resources. So what we are in the business of doing is providing no cost resources, vulnerability assessments, phishing assessments. We have advisors that come in because, I mean, the thing that we have to remember, Peter is, you know, the bad actors are rarely getting into these systems with a very exotic zero day of vulnerability that's unknown. Usually they're using vulnerabilities that are common, that are just not patched or they're using credentials that are out there on the web because they have been one of the breaches or because people are not using strong passwords because people are not implementing multi-factor authentication, which is perhaps the most important thing that you can do to keep yourself safe online. So yes, there is a place for regulation, but we are very focused on how do we build resilience and what are the tools, what are the ways that we can help businesses large and small, critical infrastructure owners and operators to drive down risk to their businesses because if you're critical infrastructure, you're talking about national security. And for anybody who's out there who's in the position of being a business leader or a CEO, I just wanna emphasize, when we're talking about cybersecurity and we say words that sound sort of technical because cybersecurity people still need to work on how we storytell and how we get our message across, but this is not the responsibility of the IT people. This is not the responsibility of the chief information security officer. Cyber security is the responsibility of the CEO and the leaders and the board because cyber risk is business risk. It can be existential business risk and it certainly is national security risk. So I think just think it's really important that we understand that as you think about their board members out there, think of it like the way you think of other risks, whether that's franchise risk or liquidity risk. We need to start thinking of cyber risk in the exact same way. Well, I think that is a very good place to end it because I know Director Eastilly that you have to go at 530. I wanna thank you very much and also your team for arranging this and good luck on getting to that 50% and good luck with all your important work keeping us all safe. Awesome, that's great. Thanks for being with us today, Peter. I really appreciate the invites. Great to see you again and I look forward to seeing you in person at some point in time. Likewise. Awesome, thank you.