State

CISA director offers governors advice on talking about cyber

Jen Easterly told a National Governors Association meeting that people "get scared of cyber because it’s seen as very technical."

By Benjamin Freed

January 31, 2022

CISA Director Jen Easterly speaks at the National Governors Association winter meeting in Washington, with Tennessee Gov. Bill Lee and Connecticut Gov. Ned Lamont (on screen). (Scoop News Group / Benjamin Freed)

Cybersecurity and Infrastructure Security Agency Director Jen Easterly told a handful of governors from across the United States on Saturday that they should continue focusing on replacing legacy technology and moving toward secure cloud services as states seek to improve their resiliency against digital threats.

Speaking during a meeting of the National Governors Association, Easterly also said she’s “very excited” about the new $1 billion state and local cyber grant program created in last November’s infrastructure law, with the first $200 million set to go out later this year.

“We recognize resources are very precious when it comes to technology and there’s a lot of work to be done particularly when there’s a lot of legacy technology to be updated,” Easterly said.

She pushed the governors to embrace multi-factor authentication across their governments as one of the best ways to cut down on the risk of cyberattacks, citing a 2019 study by Microsoft that found that requiring users to supply an additional credential prevents 99.9% of account compromises.

But Easterly also acknowledged that as much as governors have to learn about cybersecurity, it can be just as daunting for those elected officials to communicate that knowledge to their constituents.

“People get scared of cyber because it’s seen as very technical,” she said in response to a question from Delaware Gov. John Carney. “If you come from a background that’s not an IT background it’s very daunting. It seems scary because it is.”

To which, Carney replied: “Check, check, check.”

Easterly said that last Friday, her agency published a new guide for cyber incident resources tailored for governors, which adds to a stack of other materials CISA has published, including its “Cyber Essentials” series and its StopRansomware.gov site.

“At the end of the day what we’re trying to do is communicate this topic in a way that people are not so scared of it that their brain shuts off,” she said. “We’ve created terms like multi-factor authentication that people’s eyes glaze over.”

She said CISA would be open to working with the NGA on creating a public service advisory campaign promoting the notion that “MFA is the seatbelt of the information superhighway.”

And while states are looking forward to the new grants, Gov. Bill Lee of Tennessee asked what other resources are available to states. Easterly pointed to grants for election administration — administered by the U.S. Election Assistance Commission, but with input from CISA in its role protecting a critical-infrastructure sector — as well as the agency’s growing field staff, which she said now numbers nearly 600, including statewide cybersecurity coordinators.

But, Easterly said later in the session, it’s governors’ jobs to make sure their entire enterprises are focused on resiliency and cyber hygiene.

“A lot of folks are not cybersecurity or IT savvy at the end of the day,” she said in response to a question from New Mexico Gov. Michelle Lujan Grisham. “Leaders have to understand this is not the purview of the IT guy or girl anymore. “This is a leadership responsibility. Communicate in ways everyone can understand.”