A
Welcome to Cyber Leaders with me, Kieran Martin,
B
and me, James Line. Now, we're both from the SANS Institute, who are kindly backing this podcast. I myself am a massive geek, and I've spent my days chasing cybercriminals around the Internet.
A
I'm not even a tiny geek, but I dealt with cyber security policy and operations in the British government and set up its National Cyber Security Centre. But nowadays, James and I are trying to unpack the weird, wacky, wired, wild wireless world of tech security. There you go. Extra W, James, and all the complicated things that it involves.
B
The list keeps getting longer, I think. Kieran, by the end of this podcast, you'll be firing off exploits, and I'll be writing policy documents, and I'll be talking about Wombat. This podcast is a voice for security leaders. We want CISOs, security directors, frankly, everyone beyond in the security community to build their knowledge of what works, of what doesn't, and ultimately secure their organizations more comprehensively and quickly.
A
Indeed. Now then, James, we need to talk about the other night. We do, we do, James. It was so special.
B
I'm not entirely sure where you're going with this, Kieran. I actually gave up drinking years ago, so I admit my recollection is pretty clear at this point, I think. What are you talking about?
A
How can you say this, James? It was a magical evening, but I just don't know where we go from here. Can we recreate the magic of that night? Can we?
B
Well, this is an audio podcast, so I suppose I should clarify for the audience that I am now shifting deeply, uncomfortably in my chair. Where was this magical experience? What are you talking about, Kieran?
A
Oh, how can I forget? It was at the incomparable surroundings of the Defence Academy of the United Kingdom in Shrivenham, Wiltshire. James.
B
Yes. Okay, finally I got it. I was struggling to connect the two statements, so I'd better explain.
A
I'm sorry.
B
Following your usual nonsense, Kieran, we start this time everywhere. We get sensible in the end. Nope. The other evening, Kieran and I went to the Defence Academy with one other guest to do a session on all things cyber conflict and contestation with the military officers there who are studying. I geeked out. You talked some stuff about how government works, or doesn't work as it may be. And then our guest had everyone rapt. She spoke expertly about how cyber has evolved in state power on the offensive and defensive side, as well as how we need to secure our technology better, the power of storytelling in cyber, and much, much more. Frankly, Kieran, she made me feel a little incompetent and a bit small, to be honest. It was a tour de force and the audience were spellbound. We barely got a word in, did we?
A
They absolutely were. It was a special night. You see, I was right. Now, unhappily for the audience, for our listeners, it was a private event. That's kind of what you get at a defence academy. But luckily for us, our guest is still around. She's here with me in Oxford and that's why we're going to try and recreate the magic here on this podcast. Now, by the time this episode goes out, she might well be back in the U.S. Actually, given our laziness, she might have done two around-the-world trips before this goes out and still be back in the U.S. But for now, here we have her, privileged to be in Oxford as our special guest.
B
Yes, it's an absolute honor to welcome to the show one of the era's outstanding cyber security leaders. Take it away with the intro, Kieran. Pause for effect.
A
You ruined my pause with your laughing. But one difference from the other night is I'm going to condense the introduction a bit. I think it's military etiquette that you list pretty much everything, but I thought given our guest's list of distinctions, that would be the whole episode and we'd never get started. So I may miss out important parts of this, but I'll try to do justice to this cyber security giant as succinctly as I can. She is a 20-year US Army veteran, graduate of the prestigious West Point Military Academy in New York State, two Bronze Stars, deployments to Iraq and Afghanistan. She's also cyber through and through, having worked in the elite Tailored Access Organization unit. That's the special bit of the National Security Agency. And then crucially, she was a key member of a small team that stood up the US military's cyber offense capability. But she's more than just cyber. She spent time working for National Security Advisor Condoleezza Rice in the Bush administration and as deputy head for counterterrorism at the White House's National Security Council under President Obama. Serving in bipartisan ways with distinction, she's led the cyber defense of one of the world's biggest banks. And she's super smart as well. Recipient of a prestigious Rhodes Scholarship here in Oxford. So we are so proud to have her as a distinguished visiting fellow here at the Blavatnik School of Government, from where she and I are recording this while you put your feet up at home, James.
B
Well, it's true, I may be sipping a delicious espresso with my feet up, Kieran. But I'm paying enough attention to know that you've missed out a couple of crucial bits.
A
That is entirely fair. Sorry. Oops. Maybe I'm doing the Defence Academy introduction after all. Because we're only at 2020, we now move to the current decade, where she becomes one of the outstanding cybersecurity leaders of our time. First, she serves as the second director of the US's national cyber defense agency, CISA. Controversial pronunciation. She can do it properly. It's a hot topic. She does that for four years amidst some huge challenges, which no doubt we'll come on to, and takes real leaps forward in American cyber security. And now, as of this year, she's the chief executive of RSAC, the world's biggest cyber security conference organization. So, James, drum roll.
B
We are very proud to introduce our guest today. It is, of course, the one and only Jen Easterly. Welcome, Jen.
C
Hey, guys. So great to be with you.
B
Fantastic. Thank you for joining us. And of course, I think, Kieran, this is going to be another one of these podcasts where we have to admit, early on, we're going to struggle to control ourselves. I've got about 17,000 questions I want to ask Jen, so we'll try and keep ourselves focused.
A
Why don't you go first, then, James?
B
Yeah, I'll start and then you can kick me off stage quickly. But look, Jen, as I said, it's hard to know where to start with such an incredible career and so many contributions. So I'm going to start with what we always ask people. Look, you're clearly a cyber great. I mean, this industry is built on the shoulders of giants and you're one of them. But to adapt the old adage, were you born in cyber or did you have cyber thrust upon you? You can wear a Bane mask for this bit if you'd like. It's up to you. What's your story of your journey into cyber?
C
Yeah. So, first of all, it's great to be with both of you, and that evening at Shrivenham was fantastic, by the way. You all were equally, if not more, impressive. So thank you for being great teammates and great partners. Was I born cyber? Well, let's see. I guess the answer to that is no. Interestingly, when I went off to the United States Military Academy at West Point, we were actually the first class to be issued computers. I think it was like the Zenith Z-248. It weighed probably like 80 pounds. It had the old floppy disk and the dot matrix printer. So I'm sure, James, you've probably hacked into a lot of those.
B
I can neither confirm nor deny, Jen.
C
Exactly.
A
Knowing West Point, did you have to like lug it up mountains as well, like while sprinting or something?
C
I think they changed that later and they made them do that. But no, we were just trying to figure out how to get the thing to work. So those were the very early days, frankly. This was the late 80s really, you know, a couple of years after the dawn of the Internet. And you know, I went to an engineering school, but you know, they didn't teach computer science back then. I had to take basic programming. But I don't think that qualifies me as being born into cyber. And in fact, you know, it wasn't really until I went off to the National Security Agency, which is of course the world's largest and most technical intelligence agency. That was really the immersion into cyber. And Kieran, you know this from time spent at GCHQ, obviously some of the greatest technical brain power there. And that's where I was able to really learn a lot about the art of communications. But I would say that my first deep immersion was when I was in Iraq. Brand new U.S. Army lieutenant colonel deployed to Iraq from the U.S. National Security Agency. And our top secret mission at the time was essentially to build from scratch a life-saving technology. So folks will remember that back in 2007, this was the year the insurgency in Iraq was at the apex of its strength and violence was at an all-time high. And terrorists were using these homemade bombs to create improvised explosive devices. You all remember this, the IEDs. And it was having catastrophic effects, killing thousands and thousands of civilians, thousands and thousands of our troops. And we had this mission to essentially build and operationalize this high technology platform. It was called Real Time Regional Gateway, or RTRG. Highly classified, top secret at the time, all since declassified. 
But the idea was to take all the massive amounts of data that we were collecting in theater, whether it was data from cell phones or satellites or reporting from troops on the ground, take all that data and then figure out how to use basically very early AI, traditional AI, to enrich it and correlate it and integrate all those various sources of data so we could illuminate those terrorist networks, essentially make sense of them not in days and weeks when the information was old and useless, but in hours and minutes, and then provide that to the troops on the ground so they could pursue and disrupt those terrorist networks. So, you know, I had this team sitting in a makeshift van in the middle of Baghdad, coding up this system. And you all will appreciate this, but literally it was hour by hour, day by day, week by week, failure, failure, failure, failure. And, you know, it was pretty tough because the stakes were so high, but we were finally able to get the system up and running. And it ultimately provided a capability to the troops on the ground, in particular the Special Operations Forces, that helped them take thousands and thousands of insurgents off the battlefield and save thousands and thousands of lives. And, you know, that was really the beginning of my love affair with technology, my obsession with the power of data and the power of, sort of, how do you understand communications and the ability to protect those communications or use communications to be able to project power in cyberspace. And so, you know, when I came back from Iraq, I was asked by the then director of the NSA at the time, a guy called Keith Alexander, to stand up the Army's first Cyber Operations Battalion. And so I did that. And that led to me being selected to be part of a small team that set up U.S. Cyber Command, which was responsible for the protection of military networks and then the projection of power in cyberspace. 
And so it really started about 20 years ago in earnest. And my pathway since then has sort of been this mix of offensive cyber, defensive cyber, counterterrorism, intelligence and then pure cyber defense. So. But it's been a fantastic couple of decades.
A
Well, brilliant and thank you. So we've now learned that whilst James may have been born with a Commodore
B
64 in his lap, what a beautiful bit of equipment.
A
Sorry, Kieran. You, Jen. I mean, it's remarkable how you learned it in extraordinarily difficult and challenging circumstances in Iraq. But I'm not going to let you gloss over your last point, because obviously to people, you know, young kids like James, and people even younger than James, they may know you from your public profile as a cyber defender, but you just alluded there to the fact that you came back from Iraq, you came back to the mainland United States, you're back in the NSA, you work for the legendary General Alexander. And whilst now we take Cyber Command for granted, it's a huge feature of any talk of cyber power and contestation and all of that. You were there at the start. You can't tell us everything about that. I can imagine we don't want to have to be the subject of any covert operations because we know too much, let alone our listeners.
B
Not again, Kieran.
A
Not again. But tell us a bit more about that experience, because there wasn't the capability then that there is now. You're there designing it. What was that process like? How did you come to the choices you did? What was the experience? It must have been fascinating.
C
Yeah, it was actually one of the most rewarding and maybe to some extent challenging experiences throughout my career. It kind of all comes back to how do you catalyze the right teamwork to be able to solve some of our most complicated and important challenges? And, you know, I want to say it was probably like October of 2008. I was the commander of the Army's first Cyber Operations Battalion. At the time, we called it the Army Network Warfare Battalion, ANWB, for those out there in the know. No longer exists. And then I was a key leader in, as you mentioned, NSA's Tailored Access Operations. And so I had both of those jobs, an operational role and a leadership role. And I was already very, very busy, again, Lieutenant Colonel at the time. And I get this phone call, and a very gruff person at the end of the phone call announces himself as, this is Captain White. You need to come down to this office immediately.
A
This is the first story I've ever heard that actually matches cyber in the movies. This is Captain White. You must come to this office. That actually happened.
B
I thought it was gonna be Thunderbirds, if I'm honest.
C
Oh, it completely happened. And so, you know, I'm a Lieutenant Colonel and I've never been one for authority, and that's probably why I didn't end up staying in the Army past Colonel. But, you know, when a captain kind of very gruffly orders you to show up someplace, I'm like, who is this captain? Because obviously two ranks below me. So it sounded like a call of great urgency. So I went where he asked me to be, expecting to find a junior officer and wondering why the hell I was being ordered down to report to this person. As it turned out, it was actually a Navy captain, so more senior to me, Navy Captain Tim White. And this was all about what was back then referred to as Operation Buckshot
B
Yankee, which was the coolest name for anything ever.
C
Yes. Oh, there's all kinds of crazy names that NSA and CyberCom come up with. But so this was a Russian operation to essentially try and hack into US military networks. And it was a human-enabled operation. It's all out there publicly. In fact, there was an article written about it at the time by the Deputy Secretary of Defense. But this really was a wake-up call because it was the first time where we saw some of our more sensitive networks being penetrated in a serious way by an adversary. And it really led the Secretary of Defense, Bob Gates, to direct General Alexander to figure out how we make the case and stand up and organize what was to become US Cyber Command. And myself, TJ White, Captain White, an O6 Army Colonel Paul Nakasone and an O6 Air Force Colonel SL Davis were the four people who were asked to build a small team to come up with the mission and the vision and the organizational structure and build the implementation plan for US Cyber Command. And I have to say, working, doing this mission for General Alexander and the Deputy Director of NSA at the time, a great man who you probably both know, named Chris Inglis.
A
Wonderful person.
C
Yeah, it was.
A
Future guest. Tell him you enjoyed this podcast and he should.
C
Oh, I will. You should absolutely have him on here. Our first National Cyber Director. But it wasn't specific orders we got, it was, you guys figure out how to do this, how to basically stand up this Combatant Command. We actually did this panel at RSA a couple of years ago about it, but I had mentioned this the other night. One of the, probably the most valuable person on our team was a young, maybe 25, 27 year old graphic artist. Because we were trying to really explain to all the stakeholders, key leaders in the Department of Defense, leaders in industry, leaders in academia, and perhaps most importantly, leaders in the US Congress, what the imperative was for getting the authorization and the funding, the resources, the people to stand up this new Combatant Command and to stand up Cyber Command on the platform, the cryptologic enterprise platform, ultimately leading to the commander of Cyber Command being dual-hatted as the Director of NSA. So very, very unique. And so a lot of it was storytelling. What is this cyber thing? How do packets work? How do hacks work? How do you protect networks? What are the exquisite NSA capabilities that you actually need to be able to ultimately project power in cyberspace? So we did this for probably a year. We briefed that, what we called the Cyber Storyboard, maybe 105 times. Ultimately we were able to get Cyber Command congressionally authorized, get the funding for it, get General Alexander promoted to four star. But it was a fantastic experience. A very small team, being very entrepreneurial, figuring out how to get the communications and the storytelling right. And ultimately what we've seen over the past, boy, I guess 15 years is a significant increase in the capability and capacity of both, you know, being able to defend US military networks, obviously a very serious target for our adversaries, but also being able to effectively project power in cyberspace. 
And we are seeing that element being used as part of other spheres of power in operations recently over the past year, if you believe some of the public reporting. So you know, that was one of the greatest experiences.
B
And Jen, I think that's a fascinating area to dive into, if you don't mind. And I do want to underline something you just talked about as well, though, that we've talked about on this podcast before. We talked to some of the great explainers of cyber, journalists who are capable of taking these technical concepts and explaining them to others. And I just love your part there about the use of graphic artists and cartoons to explain to people outside our community. I appreciate the military context here, but a good reminder to all security leaders listening of the power of some of those tools, if we stop and move beyond our Word documents into alternative means of expression. We'll come back to that. Jen, you were talking about the interweaving of cyber and these developed capabilities into other operations. As you mentioned, there's been a lot of talk about military cyber effects this year with Venezuela, the president's discombobulator, or well, more seriously, the very visible way in which, you know, Cyber Command has been talked about in US military operations. So what's going on? Tell us a bit more about that in the here and now.
C
Yeah. Hey, dude, I should throw some props your way because you are, and I know you love being the geek and you truly play it well and you are it.
A
But don't let it go to his head.
C
I know, Kieran, I have to say it though. But I think one of the greatest things about James is your ability to take the super geek nerd speak and route it through the flux capacitor and then be able to explain it, what a reference in non. Yes, exactly, go 80s movies, in non-technical terms to people. What are the things that you need to do to secure your systems and your networks and your data? Because look, at the end of the day, if you're not able to explain to the vast majority of the world why and what they need to do to keep themselves safe online, you're actually not going to have much success at all. And I certainly saw that when I was working at Morgan Stanley and you dealt with clients every day, right? You don't want to give them a bunch of nerd speak. You want to explain to them the things that they need to do to keep themselves safe and the things that you are doing to keep their assets safe online. So any good cyber leader needs to be able to do that translation. And you're a master at it. So just a little kudos to you.
B
That's very kind of you. It's our duty to be understood, isn't it? Thank you, James.
C
Exactly.
A
It's too kind.
B
That will drive Kieran wild.
A
It's too kind. And I don't mean that in the polite sense.
C
Sorry, Kieran. I'll throw some props your way, you know. I love you, too. Yeah, it's thoroughly deserved, but so on this offensive. So the current administration, I think, has talked publicly about the desire to be able to impose costs on our adversaries and to be able to leverage the significant capability and capacity that has been built in US Cyber Command over the past 15 years. And frankly, having been at the early days a plank holder of the command, I am encouraged by what I'm seeing. And I don't think it's just used as a separate tool. It's being integrated into the broader context of military operations, you know, as part of the land, sea, air, space and cyberspace domains of warfare. And so again, if you listen to the public reporting about it, both in Venezuela and in Iran, cyber was an element of that. And I felt sometimes when I was in uniform or even when I was in the administration, that we did not effectively leverage the tools that we had built to be able to help keep the nation safe. And so it is useful to see cyber used in that way. And I look forward to. I understand this is going to be a part of the new U.S. National Cyber Strategy, and I think that is important. When I was the head of America's cyber defense agency at CISA, and it's to your point, Kieran, my friend, pronounced CISA.
A
Thank you. Not CISA.
C
We don't call it cybersecurity because it's too long, too hard to say, as you know. But one of the biggest things we dealt with was hackers from the Chinese People's Liberation Army deep inside our critical infrastructure, very actively holding that critical infrastructure at risk. And so I think it is important that we are able to hold our adversaries at risk as well, as part of the ability to deter action against the American people.
A
So because of our 17,000 questions, I'm conscious that we haven't even got to your time as head of America's cyber defense agency yet. But just before we do, he said, justifying and filibustering at the same time, I wanted to come back to this period of time at Morgan Stanley, not least because I get this all the time. Yeah, sure, you know something about cyber defence, but it's government. It's easy. You don't have to worry about profitable organizations and P&L and all that sort of stuff. But you headed cyber defense and wider resilience and so forth for a major global bank. I recall talking to one of your competitors when I was head of the National Cyber Security Centre, who had a bigger budget for cyber defense for their company, for their bank, than I did for the UK, which was a bit humbling.
C
So.
A
As well, as you've mentioned the communication, you can't do gobbledygook and so forth for clients or whatever. But you've been in the private sector. You've been at the sharp end. You've been defending an organization that wasn't a cyber organization. Its mission was something else. What was that like? What did you learn from it?
C
I mean, it was a fantastic opportunity, I'll tell you. You know, I left the White House. I was the head of counterterrorism from 2013 to 2016.
A
Yeah, we're glossing over that. It doesn't sound like an easy job.
C
Yeah, yeah, it was not an easy job. But I knew I didn't want to go back to NSA, actually, because my son was going to be a teenager, and he may not have thought this, but I felt he needed me more in his life. So a lot of people do not go to a major investment bank to spend more time with their family, but when you're the head of counterterrorism, you actually do.
B
I've never heard that before, Nabi. Yeah.
C
So I headed up to Manhattan, but, you know, I had studied economics here at Oxford. I had taught economics at West Point, but I'd never been in the financial services sector. Right. I'd never been part of one of the biggest global investment banks. And then here I am parachuting in as, you know, a senior managing director in technology, trying to figure it all out and really trying to build a capability. You know, they had built essentially the infrastructure for a fusion center. And that was in the aftermath. You'll remember the distributed denial of service attacks on the financial services sector by the Iranians, right in the 2012, 2014 timeframe. It's really when finance started getting their act together, really seriously investing in cybersecurity. And that's why they're probably the strongest sector from a cybersecurity perspective. But they built this infrastructure, but there was no operating model. So it was figuring out, how do you hire the team, develop the operating model, build the capacity to both understand the threat, detect the threat, and then respond to the threat. And so we built this big, beautiful fusion center. But of course, when I got there, like all security geeks, the first question you get is, how much is this going to cost me? Right. Because they see all security as a cost center. And so the real art was to be able to turn the cost center into a competitive business advantage and really a revenue driver. And that was leveraging the fact that we had a massive wealth management business and a lot of clients who wanted to make sure that in this very complex, dynamic world, you'll remember there were a lot of cyber attacks. There was the North Korean attack against the Bank of Bangladesh, there was the WannaCry attack, there was the NotPetya attack. So we had a series of very high-profile hacks at the time. And so clients were very aware of this and they wanted to be assured that we could protect their assets. 
And so we brought people in and we showed them exactly. Here's the threat environment, here's the analytics we're building, here's how we're responding and making sure that we're reducing risk to your assets and our networks and our data. And so, you know, we were able to ultimately really turn the center into not a cost center, but a revenue driver for the firm. And again, a lot of that is how do you tell that story? Clients are not geeks, or very rarely are they the super technical. So how do you tell that story? So they understand the imperative, what you're doing, why you're doing it, and how you're doing it in a way that gives them comfort and confidence in what you're doing to protect critical infrastructure. So that was terrific on many levels. And frankly, before I went back to CISA in 2021, I guess I'd been in government for almost 27 years or so. But the most important job for CISA was that time at Morgan Stanley.
A
Wow. Okay.
C
Because you want to understand how a critical infrastructure owner and operator defends itself. Right? Because CISA is America's cyber defense agency. But it was built to be also the coordinator for critical infrastructure resilience and security. So working with critical infrastructure owners and operators, knowing how to talk to CEOs and boards, knowing how to deal with the rest of the sector, how that operates, how you integrate with the other critical infrastructure sectors that you're relying upon, whether that's power, water, transportation, communication, I mean, that was just invaluable to have that credibility to now, in my new role, deal with the CEOs and the boards and all of the private sector entities that frankly, I spent a lot more of my time with than I did with anybody in the federal government.
B
And Jen, you've given us a great segue to the obvious next question. But obvious shouldn't be confused with mundane. CISA. I mean, you're nominated by the President, confirmed by the Senate, and then you're the head of America's cyber defense agency. A massive amount of resource, a huge mandate, a challenging mission, and not the easiest time for it as well. Give us a sense of the highlights and lowlights. You were just starting to touch on some of that, the most difficult times, the incidents, the Volt Typhoon shock, the dawn of AI. I mean, whatever it was. I suppose a bit of an impossible question really, but how do you look back on that period and the highlights and lowlights?
C
Yeah, I mean, I'm sure you all and probably your listeners sort of feel like, you know, every time I think I have a job, it's like, oh, that's the best job I'll ever have. You know, I thought that about being head of counterterrorism. I thought that about my time at Morgan Stanley. But I mean, being the head of CISA, it was truly just an amazing, amazing experience, to be totally honest. Like, CISA was totally new, right? There was no CISA when I left government, when I left the White House. CISA had been stood up when I was at Morgan Stanley, wasn't even three years old when I got back to government. And, you know, as you guys know, my predecessor, Chris Krebs, had been fired in November of 2020 after a very contentious presidential election.
A
We did talk to him about it.
C
Yes, yes, I'm sure. And, you know, that felt like a real shakeup for the agency, of course. So you had an acting director. Then you had SolarWinds, the Russian supply chain espionage attack. You had the Hafnium campaign, you had Kaseya, you had JBS, you had Colonial Pipeline. So there was a lot going on. Right. The agency was dealing with a huge amount of stuff without a Senate-confirmed director. And also, I think we were down about a thousand vacancies. So going in, in the middle of 2021, I really had to figure out very quickly where I was going to prioritize efforts to grow the capability and capacity of the agency and to build the partnerships that we needed. You know, CISA is for all intents and purposes a voluntary agency. The authorities are most strong when it comes to the defense and security of federal government networks, the .gov, what we call the Federal Civilian Executive Branch. But, you know, the rest of those roles, it's basically voluntary. Everything we do is by, with and through partners, whether it's state and local partners, election officials, private sector, academia, nonprofits, and of course, the very valuable relationships with our international partners. But, you know, it's all by, with and through. And so you have to be incredibly collaborative and you have to, for God's sake, add value. Right? You can't be going to a private sector company and saying, I need this information from you. You know, they're going to tell you, like, go pound sand.
B
I'm from the government. I'm here to help. Yeah, yeah, good luck with that one.
C
Exactly. You know, but I used to say, I really am here to help. And the whole point was we wanted to add value because we had enormous visibility from what we were seeing from the .gov, because of course, adversaries aggressively went after the .gov, and so we could add value. And we ended up hiring just amazing, amazing technical talent. I was really proud of our ability to hire quickly and to hire just amazing people from all over. But we really did. We were able to catalyze these incredible partnerships. And it was all based on, you know, one thing which I think is the most important thing in our business, and that is trust. You know, you have to really, really work at that. Because people don't trust institutions. They don't trust the federal government. You know, people trust people, which is why being out there building those relationships and making that connectivity and really focusing on adding value, that's what I thought was the funnest part of the job. And then being able to take all the capacity and capability that we were building and apply it to really difficult problems. Whether it was the Log4j open source vulnerability that happened a couple of months after I'd gotten to CISA, whether it was our Shields Up campaign to prepare for potential Russian retaliatory cyber attacks in the aftermath of Russia's illegal invasion of Ukraine, whether it was, as you mentioned, and you both know that I hate calling these names like typhoons and bears and blizzards and all that, but hackers from the Chinese People's Liberation Army, and
B
we got the Erudite Badger, which Kieran and I proposed for a campaign name. No one's named one yet, but Erudite Badger, Really?
C
I got a couple for you. How about Weak Weasel? How about my favorite doofus, Dingo? Scrawny Nuisance?
B
Scrumptious Squirrel?
C
I should use that.
A
Have you used that Threat Actor Generator one? So I came out as Warlike Manatee. I was quite proud of that.
C
Can you throw mine in there? I'm actually very curious what I am. I don't know how to do the threat actor named Fluxquill Capacitor.
A
We will do that before the end of the show.
B
You do seem like some type of manatee to me. Actually, Kieran. That's about right.
C
I agree with that.
A
Well, a lie. I know it's not a threat actor, but we'll allow Buckshot Yankees. That's cool. Anyway, where were we?
C
I was just saying, look, at the end of the day, we had a lot of challenges from a lot of threat actors. Still a huge cybercrime issue, but it was building the workforce, the talent, the capability, capacity to really enable us to reduce risk to businesses and, you know, frankly, Americans' way of life. And it was an honor to lead the agency and to be part of a fantastic team.
A
I was just pausing there because I was entering your name into the threat actor name generator. And I'm not sure if you should say this on air chat.
C
If it's not cool, do not say it on this podcast, dude.
A
Well, it's quite possibly offensive. It's a vixen lion.
B
There you are.
C
Is it lion like L I O N or L I as in the
A
animal, as in the giant cat? Not as in the not telling the
B
truth, not my alter ego or.
A
Yeah, vixen lying. You're James's sister, Vixen.
C
I'm gonna be marinating on that throughout the rest of the. Possibly throughout the rest of my week.
A
Yeah. Well, I'm sorry that I've wrecked the podcast and indeed your week by the sounds of it. Gosh, where were we? I don't think I've ever got so completely lost before. How do we bring it around from here? Right. You've mentioned before we got into threat actor names, and if I can commend an article which Jen wrote, but let me co-sign, which we'll put in the show notes, about the whole nonsense of threat actor naming conventions. It's a brilliant one about Scattered Spider outmanoeuvres Dragon Force in M hack or something like that. And we just show this to people in the street and they have no idea what this means. So again, that clarity of communications point. But where I wanted to go was about. You mentioned a lot of things that in a sense, as with any defense agency, you have to react to. You have to react to the change in the Chinese threat from data theft to pre-positioning on critical infrastructure, Volt Typhoon. You have to react to developments in AI. You have to react to all these hideous ransomware attacks that preceded your appointment and many, many other things. But you did something proactively, strategically, which was to highlight and try to do something about the inherent insecurity of technology, the foundational insecurity that we've talked about on this show before and in the industry for many years, the Secure by Design program. Say a bit about that, where you got to, where you think it's going. And also just to pick up on something you were saying in the last bit of the discussion, the extent to which you think voluntarism. You described CISA as a voluntary agency and so far Secure by Design in the US has been voluntary and maybe in Europe it's becoming compulsory and so forth. Where does the agenda come from and where do you think it's going?
C
Yeah, such a great question and this is something I'm so deeply passionate about. Thanks for raising it. And you know, this effort kicked off probably in 2022. You know, we had a team kind of working on the intellectual underpinnings, a team of, you know, fantastic thought leaders, sort of led by Bob Lord, if you all know him, former CISO at Twitter and Yahoo.
B
The infamous.
C
And so he had come on, the infamous and famous senior technical advisor.
A
Sorry to interrupt you, but shall we give a shout out to Hacklore, because we've done episodes on FUD and spreading fear, and we'll put it in
C
the show notes. Bob has exactly do hack.
B
Yeah, let's do that. I thought you were about to suggest putting him into the name generator and I was going to veto that distraction.
A
Oh no, we've done quite enough of those. But if you want to take down bad cyber security advice, and again showing the technical and communication strength of the CISA family, then Bob's Hacklore is worth going to. Sorry. Back to Secure by Design.
C
So we were working on this, just figuring out how we can best articulate this, because it is a little bit different way to think about it. You know, at the end of the day, I think the bumper sticker we sort of landed on was we don't have a cybersecurity problem, we have a. A software quality problem. Right. So everybody tends to glorify the villains, the Raptors and the Spiders and the Bears and the Lazarus, blah blah blah, the villains, and then blame the victims. But what we don't do is really go up that supply chain and hold vendors accountable. So the whole idea is at the end of the day, since the dawn of the Internet, the history of technology development is really about speed to market and features and convenience and driving down cost, all prioritized over security, thereby requiring bolt-on cybersecurity solutions. Leading to the cybersecurity aftermarket, the multibillion dollar industry that we all know and deeply love. But it's really about incentives at the end of the day. And, you know, frankly, you can't really blame vendors because the incentives are all about rewarding speed to market, rewarding features, and not rewarding security. Because there has never been any regulation around technology or cyber or software security, security safety, and there's never been any software liability. And so, you know, as a voluntary agency, we wanted to work on multiple levers as part of the Secure by Design campaign, which we officially launched at Carnegie Mellon University. I did a keynote there in the beginning of 2023, but it was a focus on the vendors. And that's where we launched the Secure by Design pledge at RSA. We had 68 companies that voluntarily committed. They signed the Secure by Design pledge, committing to making material progress, publicly, transparently, across seven secure design areas, from implementing multi-factor authentication at the enterprise level, removing default passwords, things like a roadmap to memory safety. Right.
So committing across that and then to do regular reports about it. And when I left, we had about 350 companies. And again, kudos to people like Bob, Jack Cable, Lauren Zabierek, Eric Goldstein. But this was an effort that we were joined with our international partners. We were joined with universities, we were joined even with customers. If you saw, you know, you mentioned JPMorgan Chase, Pat Opet, who I'm sure you know, Global CISO, actually issued an open letter last year basically saying that the software as a service model was leading to cyber attacks and undermining the global financial ecosystem. And he demanded, you know, vendors need to prioritize security over rushing features to market and build security in, and by default. So it's the whole ecosystem, it's the supply side on the vendors, and then it's the demand side using purchasing power, that need to come together to nudge the ecosystem to a greater position of safety. But to your question, Kieran, like, does regulation play a role? I think it does. I think if you wanted to wave a magic wand and make a real difference in driving down cyber risk and improving software quality, we can get to the AI thing from my article, but it's really about where's the liability? And, you know, in Europe, you have this Cyber Resilience Act, which is very consonant with Secure by Design principles and which is a bit of a software liability regime. So I think it'll be really, really interesting to see when that is fully implemented, what impacts that has on some of the behaviors in terms of incorporating a Secure by Design approach into software going forward.
A
Brilliant. And just I think, Jen, you're going to give us a record amount of show notes because you're referring to so many interesting things and we don't have time to explore them all in depth. So if I can just say, if anybody's interested in the underlying sort of intellectual story behind Secure by Design and the need for it communicated in Jen's brilliant way, then the best place I've seen you do it that's publicly available is your Sphere conference in Helsinki presentation last May or June, I think. So, Jen Easterly, Helsinki, Sphere, Secure by Design is well worth watching.
B
James, continuing with the density of show notes. I like it. Kieran. So, Jen, I know we're working a little chronologically here, but it keeps producing gems. You're obviously back in private practice. You are currently, indeed very much this week compensating for Kieran's substantial failings as a teacher in Oxford.
A
Yes.
B
But your main job is fascinating. Head of RSA conferences. I mean, could be obvious, I suppose, but why did you take this job? And given your long mission focus, what do you hope to achieve in it? How does it tie back to what you spent your career doing?
C
Yeah. So you all are very aware of it, right? RSA, 35 years. It's our 35th year. The conference has been around, and over the past two years was actually evolved into a company. The conference is one part of what we do. But the things that made me most excited, obviously the incredible brand of RSA. And we've all been out to the conference and we see the amazing technical breadth and depth and the opportunity to connect with so many people across our amazing community, but to help grow this company as the premier global platform for the community. You know, we're not just the host of the world's largest and most influential cybersecurity conference, but again, building this platform out, internationalizing it, really being able to. This is one of the things that I thought was most attractive about it. Being able to continue to turbocharge our innovation ecosystem, as you probably know, for the past 20 years. I think this is year 21 of the Innovation Sandbox. About a thousand startups have been a part of that. We've seen a hundred, I want to say, acquisitions, 18 billion dollars of investments. And so that is pretty incredible when you think about catalyzing that innovation ecosystem. And then the other thing we're building is a member community so that the community, and it really is the heart of why I think cybersecurity to us is so meaningful, is that at the end of the day, it is a community of defenders who want to be able to protect and secure the networks, the systems, the infrastructure, the way of life that citizens across the world depend upon. So it's really growing that membership platform and that community around the world. And so RSA Conference, it's now the company is RSAC, it is where we've come from. But you know, the C, I think, is more than just conference. It's about the culture and the content and the community.
And those are things that I've been able to do my whole life: build a great culture, catalyze a great community to be able to do something that's really, really meaningful. And so, you know, why did I do it? It's like, oh, it's one of the greatest opportunities ever. And we may even have one of you speaking at this year's conference, but we will see.
A
Well, I wanted to just explore this and I mean, we all know RSA, we all love RSA and we've had many happy memories of the conference and the wider experience of the community. But look, Jen, every time you go into a new job, even if you have a great inheritance, as you have at RSA, you will find something that your predecessors have done that is just this awful legacy. So I'm sorry to get all serious at this stage of the pod, but you arrive there and you find that one of the most coveted slots in the global cybersecurity calendar, a 50 minute main stage keynote at the RSA, has been allocated to someone called James Lyne at SANS. I just want to ask, have you figured out how it all went wrong and what have you done about it?
C
The famous James Lyne? Are you kidding me? I was thrilled. I have to say, I was thrilled. I was disappointed that there's no Kieran Martin on the stage this year.
B
Well, you know, I agree. I still. Time for a double act. Kieran, it's still possible, but we're going
C
to have to get you back. Maybe we can do the POD from RSAC next year. You never know. You never know. Talk about somebody's book or something.
B
Oh, what a great plan.
C
Yeah, no, I was thrilled. I was thrilled. And by the way, like, the whole team is thrilled. They're all jealous that I'm out here hanging out with you and James.
A
He will be annoyingly excellent, I promise.
C
That's what I've heard.
B
I will do my best. I'd assumed at this point there must be some kind of AI scheduling error of sorts. But, Jen, more seriously, I know we're rushing through time here. You're going to have to come back and join us again because we've got through half the topics, one would hope.
A
Live from RSA.
B
I think so. I think so. You touched on this earlier a little bit, and I think it's a great way to wrap up thinking here for our security leaders who can learn a great deal from your dealings all the way through military and government and into the private sector. It's pretty rare to have senior government officials that could do a technical talk at Black Hat and not just survive, but emerge with their reputation actively enhanced. You know, you sit there and do a Rubik's Cube. I watched it the other night at Shrivenham. I could see you visualizing it in your head. I think as a prop, you should start to carry it around with you, you know, in less than a minute, whilst answering someone's question. You've done these amazing, amazing pieces of work in conveying difficult technical concepts to surprisingly challenging audiences and have them invest in a way that has shaped the entire future of cyber response on the planet, not just at a national scale, but truly beyond. So you clearly use the power of communication and storytelling incredibly effectively to get cybersecurity messages across. I just want to come back to that and say, how do you think about that and develop it? Have you got any advice for security leaders who may be struggling with doing exactly that with their boards or with their customers? Any top tips you would share with them?
C
I mean, it's such a good question, right? Because I actually think, you know, and I could ask this right back to you because you speak a lot, James. It's. Some people may find it comes naturally.
B
People have said I use too many words, Janet. It's been said.
C
Is that right?
A
And you interrupt people all the time.
B
I do. I do.
C
Well, I wouldn't say that.
B
I'm going back to mute.
C
I did bring my Rubik's Cube, though. I just want to, like, have proof that I do have it with me.
B
For those listening, I can confirm there is actually a Rubik's Cube for sure.
C
Look, it actually takes work. At the end of the day, it is hard work because not only do you have to know your technical business, you know, really talking about cybersecurity specifically, but you got to know what the heck you're talking about. But then you actually need to be able to translate into the language that your audience is going to understand and appreciate, whether you're talking to a CEO or a CIO or a school superintendent or a governor or a mayor or cabinet secretary or an international leader. And that takes work, it takes effort. And you also have to very actively prepare. And for me, I think, you know, stories are what drives us, right? Stories entertain us, they educate us, they inspire us. And so from a very young age. My parents, you know, my mom was a Ph.D. English literature professor, my dad was a presidential speechwriter. You know, I grew up in a home of poetry and literature and stories. And so that's always kind of how I think about things. And I do think it's really important when you're trying to get even, you know, difficult technical concepts across, what's the story that you can tell that will appeal to your audience and help them understand it. So, you know, very simply, I'd say prepare, work hard at being a better communicator, and then figure out what the story is that's going to draw your audience in and get them to really leave with some very useful information that can help them protect themselves.
B
Actionable advice at the end there. I love it. And I just want to underline the thing you said, that it takes work. You know, folks, I think look at people who are expert communicators and go, oh, they just have a gift. They just stand on a stage and magic happens. And sure, there's some of that, but thinking about your message and how you want to describe it and then making it seem natural is the real magic. I just. I think that's wonderful advice. Generally, I hate to do this because of time. We're gonna have to bring things to a close.
A
We are.
B
I feel mean for our listeners.
C
Next time, baby. Next time.
A
Yes, but, James, of course, even though we've just had a huge number of different bits of actionable advice, you still have to do your favorite thing.
B
I do have to do my favorite thing, of course.
C
Oh, I don't even know what this is. Your favorite thing.
B
Oh. Prepare yourself.
C
Is there food or. Or drink involved?
B
There should be.
A
Well, you are here in Oxford. You are an Anglophile. You're a Rhodes Scholar at Oxford. So after this, shall we go to the pub?
C
We should. We should. My friend.
A
King's Arms.
C
Good idea. Rock on.
B
That's your reward for surviving the favorite bit.
A
Yeah.
B
Look, Jen, it's not going to take you very long. By design. Look, we ask people to listen to us and we think it's really important to give them something useful at the end, which you've just done, but I'm going to make you do it again.
A
So we are asking you for your 30 seconds.
B
Second takeaway. Look, the podcast is about lessons for cyber security leaders. So if you had 30 seconds with the cybersecurity leader, perhaps in the aforementioned pub, what would you advise them? It could be a thing to pay attention to, to ignore, to start doing, stop doing anything you like. What would be your 30 seconds?
C
I'll give you something that's counterintuitive maybe, but something I fundamentally believe, and it is the responsibility of all leaders, including cybersecurity leaders, particularly in a world where one can argue that AI. You know, we haven't talked much AI or at all about AI, but AI, yes, has truly captured the world's imagination, and I think rightfully so. But I fundamentally believe that it is the responsibility of all of us as leaders to be able to leverage the power of that imagination without suffering a failure of imagination. So that's what I would leave you with.
B
Wow. I like it.
A
You topped it all off at the
B
end with something even better whilst doing a Rubik's Cube.
A
Yes.
C
There you go.
A
We cannot thank you enough. You've earned whatever it is we shall get at the King's Arms. But please do come back. Or maybe we'll come to you in San Francisco.
C
Excellent.
A
Thank you for the invite. We look forward to James's annoyingly excellent presentation. But on behalf of all of us and everyone listening, thank you, Jen.
C
Thanks so much, guys. It's awesome.
A
And that is all we've got time for, so we will bid our goodbyes.
B
Apart from, of course, Kieran, feedback. Can't forget feedback. Feedback.
A
Well, we can, but we chose not to. But you can leave us feedback at the podcast site or you can email us@cyberleaderspodcastams.org. Tell us whatever you like, such
B
as your favorite threat actor name that you've generated. But with that, thank you very much for listening.
A
Yes, thank you for listening. And keep cybering.
B
So, from me, Kieran Martin, and me, James Line, it's goodbye and may AI solve all of our cyber security problems by next Tuesday.
C
Sam.
Host: SANS Institute (Kieran Martin & James Lyne)
Guest: Jen Easterly (Former Director of CISA, current CEO of RSAC)
Date: March 21, 2026
This episode features an in-depth conversation with Jen Easterly, one of the era’s foremost cybersecurity leaders, exploring her journey from military and intelligence service to private sector leadership, her transformative work at CISA, and her current role heading RSAC. The hosts and Jen dive into how “Secure by Design” and robust public-private partnerships are not just trending buzzwords, but foundational strategies to reduce risk, improve resilience, and drive effective cyber deterrence.
Not “born cyber,” but shaped by military and mission: Jen reflects on the first computers issued to her class at West Point—“the Zenith Z248... weighed probably like 80 pounds”—and learning basic programming, but her real immersion came at NSA, especially during challenging deployments to Iraq.
Life-saving innovation under pressure: In Iraq, Easterly led the creation of Real Time Regional Gateway (RTRG), leveraging early AI and massive data integration to counter IED networks:
“Hour by hour, day by day—failure, failure, failure. Stakes were high... But we finally got it working and it saved thousands of lives.” — Jen Easterly (09:07)
Her career arc maps a journey from learning “the art of communications” at NSA to hands-on cyber defense and offense, culminating in helping establish U.S. Cyber Command.
“One of the most valuable people on our team was a 25-year-old graphic artist. We had to explain to DOD leaders, industry, and Congress—what is this cyber thing? How do hacks work?” — Jen Easterly (15:00)
“I’m encouraged by what I’m seeing. Cyber isn’t just a separate tool—it’s being integrated into broader military ops.” — Jen Easterly (19:18)
“We are able to hold our adversaries at risk as part of the ability to deter action against the American people.” — Jen Easterly (20:25)
“You can’t do gobbledygook and so forth for clients... The real art was to turn the cost center into a competitive business advantage—and a revenue driver.”— Jen Easterly (23:29)
“Everything we do is by, with, and through partners—state and local, private sector, academia. You have to be incredibly collaborative and you have to, for God’s sake, add value.” — Jen Easterly (28:00)
“People don’t trust institutions. They trust people.” — Jen Easterly (29:10)
“We don’t have a cybersecurity problem—we have a software quality problem.” — Jen Easterly (33:40)
“If you’re not able to explain to the vast majority of the world why and what they need to do to keep themselves safe online, you’re not going to have much success at all.” — Jen Easterly (18:08)
“It actually takes work... Know your technical business, but then translate it... And stories are what drive us.” — Jen Easterly (43:28)
On Getting Started:
“I don’t think that qualifies me as being born into cyber. My first deep immersion was at NSA, and truly in Iraq, building life-saving technology.” — Jen Easterly (07:06)
On Operation Buckshot Yankee:
“It actually happened... a Navy captain, more senior to me, ordered me down to report. This was Operation Buckshot Yankee—a Russian operation trying to hack into US military networks. A real wake-up call.” — Jen Easterly (12:53 – 13:39)
On the Human Factor:
“People don’t trust institutions. They trust people. That’s why building those relationships and focusing on adding value was the funnest part of the job.” — Jen Easterly (29:10)
On Software Security:
“Everyone glorifies the villains and blames the victims, but we don’t go up the supply chain and hold vendors accountable.” — Jen Easterly (33:45)
On Imagination and AI:
“It is the responsibility of all leaders, including cybersecurity leaders... to leverage the power of that imagination without suffering a failure of imagination.” — Jen Easterly, 30-second takeaway (46:26 – 47:01)
| Segment | Timestamp |
|---------------------------------------------------|----------------|
| Jen Easterly's Origin Story & Military Tech | 06:07–10:44 |
| Founding US Cyber Command & Power of Storytelling | 11:34–16:57 |
| Cyber's Role in Modern Military Operations | 17:57–21:00 |
| Lessons from the Private Sector (Morgan Stanley) | 21:40–25:39 |
| Leading CISA: Partnerships & Trust | 26:19–30:50 |
| Secure by Design: Vision & Implementation | 32:48–37:04 |
| Why Communication Matters in Cyber | 42:59–44:54 |
| Jen's 30-second Leadership Takeaway | 46:26–47:01 |
“Leverage the power of imagination—without suffering a failure of imagination.” (46:26–47:01)
The conversation is candid, insightful, and packed with practical wisdom, reflective of the hosts’ and Jen Easterly’s deep expertise, humor, and shared commitment to making cybersecurity accessible and effective for leaders and organizations of all stripes.
Recommended Further Viewing: