CISA’s Newest Advisor Could Soon Have Agencies Asking: 'Does This Spark Joy?'

Bob Lord, who oversaw information security for Yahoo and Twitter before and—most recently—the Democratic National Committee, was made senior technical advisor at the Cybersecurity and Infrastructure Security Agency, according to a press release Monday.

“Bob’s decades of experience and unparalleled expertise will be a great asset as we further strengthen our community partnerships, expand the Joint Cyber Defense Collaborative, and continue our work as the nation’s cyber defense agency to make us more resilient,” said CISA Director Jen Easterly. “Bob and I share both a passion for helping Americans stay safe online and a dedication to raising the cybersecurity baseline across the nation. I’m super excited for the creativity he’ll bring to the team.”

In a New York Times profile last summer, Nicole Perloth—now herself a CISA advisor—described Lord’s work at the DNC as reflecting “something of a digital Marie Kondo— the Japanese tidying expert—decluttering the DNC’s networks, excising old software and canceling extraneous vendor contracts.”

Lord owned that characterization last month during a podcast from the cybersecurity firm Rapid 7, where he was also recently a chief information security officer in residence. He said the approach helped save money and is foundational to sound security along with the general inventorying of assets. 

That sort of cheerleading could come in handy for efforts such as the Continuous Diagnostics and Mitigation program and related goals of Executive Order 14028 which are aimed at establishing visibility across the federal enterprise. It’s something that can be seen as boring, compared to the acquisition of fancy new machine learning tools for detection, Lord suggested, noting he didn’t focus as much on the latter when securing the DNC’s operation. During the podcast, he emphasized the human component in his approach, navigating employees’ incentives by not shaming them for reporting a regrettable click on a phishing lure, for example.

Like Perloth, and fellow CISA advisor and former Facebook CISO Alex Stamos, Lord is also something of an evangelist for Fast Identity Online—FIDO—keys. 

According to the FIDO alliance, such keys require users to authenticate their logins through a pre-registered device, keeping the secondary authentication data—such as a fingerprint, PIN or facial scan—private from the main system while validating user identity.

“Any other form of two-factor—and if you follow me on Twitter, you know…—you will be phished,” Lord said on the March 22 podcast. “We will all be phished, and we will be successfully phished, because legacy two-factor is phishable, and we're all human, and we're all going to get conned. If you think you're smart enough not to get conned, you're a perfect mark. I have to build a system that's resilient so that when I'm conned, when other people are conned, they will still be safe. And there is only one technology for that, so we decided to move everybody to FIDO security keys.” 

The standard for multi factor authentication pioneered by Google and others of the FIDO Alliance is recognized as appropriate for use under a May executive order according to Federal CISO Chris DeRusha. But ultimate decisions over use of physical FIDO keys will be left to agencies, and some officials are concerned about the associated costs of comprehensively implementing such an approach. 

“As we face a pivotal moment in time for cybersecurity, I’m thrilled to contribute my experience to support CISA’s efforts to reduce risk to critical infrastructure, strengthen its collaboration with industry and make basic cyber practices accessible to all Americans,” Lord said. “I look forward to joining Team CISA and helping to further the agency’s dynamic and critical mission.”