Jen Easterly, former Director of the Cybersecurity and Infrastructure Security Agency (CISA), reflected on the successes, experiences, and lessons learned at CISA during the Biden administration in a fireside chat hosted by the Foundation for Defense of Democracies (FDD). She also discussed the immediate actions the agency should take to mitigate vulnerabilities and strengthen U.S. cybersecurity.

The conversation was moderated by RADM (Ret.) Mark Montgomery, Senior Director of FDD’s Center on Technology Innovation (CCTI) and former Executive Director of the congressionally-mandated Cyberspace Solarium Commission. 

Entering 2021, the Biden administration was immediately confronted with a series of significant cyberattacks that underscored the growing vulnerabilities within both public and private sectors. Among the most prominent were the SolarWinds breach, which compromised numerous U.S. government agencies and private companies, and ransomware attacks targeting critical infrastructure, such as the Colonial Pipeline. 

Additionally, the administration had to contend with sophisticated cyber espionage campaigns, including attacks attributed to groups like Salt Typhoon and Volt Typhoon, which targeted sensitive systems and sought to disrupt key U.S. sectors. During the fireside chat, Easterly revealed that CISA was the first to identify Salt Typhoon on federal networks, initially believing it to be part of a separate cyberattack campaign.

One of the more recent incidents, the Treasury Department hack, also revealed the ongoing threats posed by foreign state actors, further highlighting a need for enhanced cybersecurity measures. These high-profile data breaches and attacks underscore the critical importance of strengthening U.S. cybersecurity defenses. 

In response to these escalating threats, CISA and Easterly have played a crucial role in coordinating the federal government’s work to address the breaches and mitigate further damage. As Easterly steps down and the Trump administration takes office, CISA’s role in coordinating and enhancing cybersecurity efforts will remain critical. 

During the fireside chat, Easterly described the key priorities for CISA in safeguarding U.S. critical infrastructure in the digital age, emphasizing the need for focused action on several fronts:

  • Preparation for Disruption: Easterly emphasized that China represents the most persistent and formidable cyber threat to the U.S. With China’s long-term objective of Taiwan reunification likely to materialize by the end of the decade, analysts have raised alarms about the nation’s increasing efforts to infiltrate critical U.S. infrastructure, particularly in sectors such as water, transportation, energy, and communications. These activities extend beyond traditional espionage and suggest the possibility of disruptive or even destructive cyberattacks during a high-stakes crisis, such as a potential conflict over Taiwan. Furthermore, Easterly pointed to People’s Republic of China (PRC) cyber operatives who have gone dormant, which complicates efforts to fully assess the scale and nature of the threat. To mitigate these risks effectively, it is essential that U.S. infrastructure and systems be fortified to ensure resilience, enabling rapid recovery and the continuation of vital services for Americans in the event of a cyber disruption.
  • Denial by Punishment: Looking ahead, Easterly stated that “denial by punishment” will be a critical component of the incoming team’s strategy, emphasizing the need to place adversaries' critical infrastructure at risk. “Denial by punishment” is a strategy of imposing consequences on adversaries, such as cyber attackers, by disrupting or hindering their activities. Rather than merely defending against attacks or responding to them after they occur, this approach aims to proactively penalize or “punish” bad actors, deterring them from continuing to cause harm. She explained that this requires leveraging the full spectrum of the U.S. government, including military and offensive capabilities, to create a meaningful deterrent. While deterrence by denial and resilience remain central to CISA’s approach, it is imperative that these strategies be exercised and reinforced through continued collaboration across all relevant sectors. The successful implementation of this framework will depend on collective action to address emerging threats and enhance overall cybersecurity resilience.
  • Operational Collaboration: To expand CISA’s capabilities and effectively address the growing spectrum of cyber threats, it is essential to prioritize operational collaboration across various sectors. This collaboration must extend beyond government entities to include the private sector, where corporate governance and cyber responsibilities play a pivotal role. In this context, Easterly explained that CEOs and corporate boards must recognize that cyber risk is not only a technical issue but a strategic business risk that can have far-reaching consequences on an organization’s operations, reputation, and bottom line. This holistic approach, underpinned by strong corporate governance and operational coordination, will be crucial in mitigating cyber threats and safeguarding both public and private infrastructure.
  • Secure by Design Technology: Ensuring secure technology is essential, and the principle of "secure by design" plays a key role in reducing vulnerabilities throughout the lifecycle of products—from development to deployment. Easterly highlighted that technology manufacturers and software developers must prioritize security early on to minimize flaws. She noted that Congress could play a critical role by establishing a software liability regime that sets clear standards of care for security practices, while offering safe harbor provisions for companies that adopt secure development protocols. This approach could shift the industry away from prioritizing speed, market share, and features over security, fostering a more resilient and defensible technology ecosystem. By incentivizing secure practices, this shift could create a safer digital environment for all.
  • Cyber Regulatory Harmonization: To drive meaningful progress in cybersecurity, Easterly suggested establishing a centralized entity for cyber regulation, particularly naming the Office of the National Cyber Director (ONCD). She said that the National Cyber Director (NCD) could play a key role in harmonizing cybersecurity standards across sectors, ensuring consistent requirements and reducing inefficiencies caused by fragmented regulations. Consolidating these standards into a single framework could streamline processes and make it easier for the private sector to collaborate with the government. This regulatory harmonization could also garner bipartisan support in Congress, advancing national cybersecurity efforts while promoting greater efficiency and coordination between public and private stakeholders. 

As the Trump administration takes office amidst a rise in PRC-led cyberattacks, Easterly expressed optimism that CISA’s efforts would continue to foster coordinated collaboration across sectors, addressing the rapidly evolving cyber threat landscape and enhancing the country's overall cybersecurity posture.

Grace O'Neill
