“CISA’s Mission Has Never Been More Urgent”: Director Easterly Shares Insights on the State of American Cybersecurity in Subcommittee Hearing

WASHINGTON, D.C. – This week, the Committee on Homeland Security’s Subcommittee on Cybersecurity and Infrastructure Protection, led by Chairman Andrew Garbarino (R-NY), held a hearing with testimony from Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly on the nation’s current cybersecurity posture. In the hearing, Members and Director Easterly highlighted the importance of public-private cooperation and interagency coordination in defending our nation’s critical infrastructure from the federal and state level to communities across America.

WATCH: Director Easterly Delivers Opening Remarks: “CISA’s Mission Has Never Been More Urgent”

In her opening statement, Director Easterly gave an in-depth analysis of CISA’s crucial work as our nation’s risk advisor and the agency’s alignment with the Committee’s CISA 2025 initiative:
 
“The threats we face have become more complex, more geographically disbursed, and they affect the entire cyber ecosystem from federal civilian government agencies to businesses large and small, to state and local governments and, ultimately, the American people. CISA’s mission has never been more urgent…To serve as both a sector risk management agency and, more broadly, as the national coordinator for critical infrastructure and resilience…Co-creating a culture of collaboration to enable us to attract and retain the best talent in the nation and indeed growing that talented workforce by nearly a thousand new teammates. Meticulously executing our rapidly expanding budget to ensure we remain responsible stewards of taxpayer dollars…I greatly appreciate this Committee’s steadfast work to help CISA achieve these goals and also appreciate that the tenants outlined in the CISA 2025 plan from optimizing the organization, growing in expert cyber workforce, enhancing operational visibility, advancing our capabilities, harnessing partnerships, and measuring outcomes to determine progress are all well-aligned. So, our efforts together can advance a shared vision for cybersecurity in America…Working with our trusted partners to enable a collective defense of our critical infrastructure, to include working with those target-rich and cyber-poor entities like small businesses, and school districts, and water facilities, and hospitals and local election offices to ensure that they have the resources and tools they need.”

WATCH: Chairman Garbarino Urges CISA Director to Avoid Duplicative Regulations in Financial Services Sector

In his opening line of questioning, Chairman Garbarino detailed the strain of duplicative regulations on critical infrastructure entities, including those in the financial services sector:

“The cyber workforce is spending 30 to 40 percent of their time on regulatory compliance. I just met with a major bank last week who said that by the end of this year, when some other regulations come out, it’s probably going to be closer to 50 percent. The SEC proposed a rule that seems to conflict with the requirements in the congressionally-mandated Cyber Incident Reporting for Critical Infrastructure Act…What steps did you and [SEC] Chairman Gensler take to harmonize the proposed SEC rule with the Cyber Incident Reporting for Critical Infrastructure Act rule-making?”

Director Easterly answered:

“Having spent four and half years at Morgan Stanley…I am very sympathetic to those views. We don’t want to create burden or chaos, what we want to do is ensure that we get the information in a streamlined way. So, of course we’ve had discussions across the government…The good news is in the legislation that you all gave us, it very specifically accounts for any crossover. So very specifically, the legislation says that if there is a requirement to report to another agency and they have a reporting timeline that’s similar to ours, if they have substantially similar information then you can sign a memorandum of agreement, so you don’t have to report twice. We are working to ensure that that is a streamlined process. It’s really important from a harmonization perspective.”

WATCH: Rep. Lee Highlights the Importance of Expanding Our Nation’s Cyber Workforce

Subcommittee Vice Chair Laurel Lee (R-FL) asked Director Easterly about increasing retention and recruitment in CISA and expanding the cyber workforce:

“I know one of the challenges that faces CISA and many other partners across sector, as it relates to technology and cyber is recruitment and retention of appropriate talented trained people. And I know CISA launched the Cyber Talent Management System back in 2021 with the intention to be to recruit and retain the appropriate professionals you need for your workforce. How has CTMS been working? You mentioned the expansion of your team, have you been able to effectively and efficiently recruit? And how does your FY 24 request support the use of that operation and recruitment?

Director Easterly answered: 

“I think we’re at about 80 people with a Cyber Talent Management System…We are hoping to use CTMS more aggressively this year. But I will tell you, I think the recruiting that we’ve done to date is a real success story. 516 people last year, [and] we’re on pace to exceed that. Our retention level is between seven and eight percent. And it’s not just quantity, we’re bringing in some of the best talent across the country…I’m okay if somebody comes work to work at CISA for three to five years and then goes off to a hospital or a power company or a bank to help them with their critical infrastructure security, because at the end of the day, this is really about collective cyber defense, and we need to work together hand in hand.”

 

WATCH: Rep. Gimenez Asks Director Easterly About Dangers Posed by Chinese-Manufactured Port Cranes

Subcommittee on Transportation and Maritime Security Chairman Carlos Gimenez (R-FL) highlighted his oversight work investigating the threats posed by Chinese-manufactured cranes at U.S. ports and asked Director Easterly about China’s dangerous monopoly and threats of espionage:

“About 70 to 80 percent of the cranes in the United States are actually made in China…I was made aware that there may be some threats with this. I have two things I am concerned about. Number one, if the CCP decides not to replace with replacement parts or spare parts when they break down, it could hurt our ability to provide commerce since most of the stuff that we move moves through these cranes. Or two, if it’s actually a Chinese software reporting back to the CCP so they can track everything that we do, what cargo is flowing through to where. Have you assessed that situation?” 

Director Easterly answered:

“It is a real concern of ours…I think you’re referring to Zhenhua, the port machinery company, 70 to 80 percent and 23 seaports. We have significant concerns about supply chain disruptions as well as surveillance. We are working with our partners across the government to help with analysis and what we can do about it…This is a piece of a larger issue of Chinese technology encroaching into our national security, and I worry about that from a very strategic perspective. We’re actually setting up a counter-PRC cyber effort.” 

WATCH: Rep. Ezell Questions CISA Director Easterly on Rural Cybersecurity Infrastructure

Rep. Mike Ezell (R-MS) asked Director Easterly about cybersecurity infrastructure in rural communities throughout America:

“I live in basically a pretty rural district, and how is CISA addressing some of the challenges that cybersecurity [faces] in the rural areas, especially with the cyber workforce?”

Director Easterly answered:

“One of the things I’m most excited about is the cybersecurity grants for state and local. I think this is a really groundbreaking program. You know, a billion dollars is not a lot, but I think if we can prove out the model, we can actually make a real difference to those entities that, frankly, are not well resourced at all. As you know, 80 percent of the money goes out to local, and 25 percent of that goes to rural. It is very specifically focused on how to improve cybersecurity in places that typically don’t have resources. What we’ve seen to date is we’ve seen requests for training to improve that cyber workforce. We’ve seen requests for equipment and requests for assessment. And I think we’ve got 15 plans in. We have approved all but two of them, and then [in] seven, I think, the money’s already gone forward…We’re working very hard to get that out the door.”

Rep. Ezell then asked about the greatest cyber threats facing our nation, and Director Easterly concluded:

“There are two epoch-defining threats and challenges. One is China, and the other is artificial intelligence. There are some incredible things that AI will do. But we need to ensure that just as we’re talking about technology being built with security in mind, we need to ensure that these fantastic capabilities have the right controls and guardrails to keep us safe and secure. I think those two challenges are things that we’re going to be concerned about over the next ten to 20 years and more.”

 

WATCH: Rep. Luttrell Asks Director Easterly About the Importance of Interagency Cooperation in Cybersecurity

Rep. Morgan Luttrell (R-TX) highlighted the dangers of siloed cybersecurity rather than cooperation between agencies and the private sector:  

“You are the next phase of the combative frontier and the protection of our country. We’ll no longer fight wars the way that my colleagues and I did in the military with bombs, planes, and guns—it’s you…In cyberspace when it comes to threat and risk, we’re so siloed and that is an issue.  Are you having success in breaking down those silos when it comes to multi-department coordination?” 

Director Easterly answered:

“One of the things that the Joint Cyber Defense Collaborative gave us is the legislation. It’s the only cyber entity in statute that says we bring together the federal cyber ecosystem, so not just CISA but the FBI and NSA and Cybercom and other agencies. It was built to actually break down those silos, and we’ve been doing that over a short period of time. Not just bringing in industry, but bringing in state and local colleagues, bringing in international partners, and then by design bringing in the federal government. That is not an easy thing to do…I joined this job from the private sector, and I thought there were a lot of issues with silos and a lack of cohesion, and so we know what the problem is, and we are working hard to enable us to fix it.”

 

###