Security researchers have a crucial role to play in balancing an offense-heavy ecosystem, the director said.
Cybersecurity and Infrastructure Security Agency Director Jen Easterly will use her discretion to put members of the hacking community on a new federal advisory committee at the Department of Homeland Security.
Easterly spoke Wednesday at an event hosted by Wired, where she addressed the unusual way she reached out to the community at the annual hacker conferences Black Hat and DEFCON shortly after starting in her role. She famously showed off her mastery of the Rubik's Cube and her dragon pants, which she revealed came from a trip to Vietnam two decades ago.
“I had some really good outreach after that and we are going to continue to recognize great folks that reach out to us to identify vulnerabilities,” she said. “There are many of them and I think it's hugely important ... I'll be bringing some folks on our soon to be announced Cybersecurity Advisory Committee, who specifically I'm going to ask to help me do that.”
Easterly said her well-noted introduction to the community came from a genuine identification with independently minded puzzlers, but she is also reshaping the agency's strategy to leverage the talent of hackers who discover vulnerabilities in critical infrastructure and are willing to give the government first dibs on patching them. Hackers could instead sell those vulnerabilities on an open market that may include malicious actors looking to exploit them, but they are also motivated by the opportunity to defend against damaging cyberattacks.
“At the end of the day, I feel like that's my community, man, and we want to ignite the power of hackers and researchers and academics,” she said. “Because at the end of the day, the world is full of vulnerabilities and I feel like the offense is dominating the defense. And so I want to make sure that we are tapping into the brilliance and the goodness of that community to help us identify and to close those vulnerabilities.”
DHS officially established the Cybersecurity Advisory Committee with a notice published in the Federal Register on Friday. Its purpose “will be to develop, at the request of the CISA Director, recommendations on matters related to the development, refinement, and implementation of policies, programs, planning, and training pertaining to the cybersecurity mission of the Agency,” the notice reads.
The committee was authorized in the National Defense Authorization Act of 2021 under a charter that limits its membership to 35 individuals, at least one of whom must come from each of 12 different sectors of industry. Those sectors are: defense, education, financial services, health care, manufacturing, media and entertainment, chemical, retail, transportation, energy, information technology and communications. The remaining members are up to Easterly to identify as she sees fit.
Easterly credited the hacking community for honing the agency’s focus on vulnerability remediation and supply chain transparency. The inclusion of disclosure policies in procurement guidance for federal agencies is a major feature of a recent executive order Easterly described as a signal for what the government is expecting from industry.
“I want to ignite that community because they are absolutely critical to the safety and security of all of our technology and systems,” she said. “Because of that we are so focused on driving these foundational improvements to the ecosystem … about things like software and hardware bill of materials and more effective vulnerability management programs.”