Sorry, Donald. Jen Easterly Plans To Make Elections Boring Again.

2023/6/12
On with Kara Swisher

Chapters

Jen Easterly explains her role as the director of CISA, emphasizing its mission to reduce risk to cyber and physical infrastructure in the U.S.

It's on!

Hi, everyone, from New York Magazine and the Vox Media Podcast Network. This is that hot new summer band, Jack Smith and the Indictments. Just kidding. This is On with Kara Swisher, and I'm Kara Swisher. And I'm Nayeema Raza. And Jack Smith, of course, is the special counsel appointed by Merrick Garland to investigate these documents that Donald Trump had taken from the White House. And just yesterday, not Jack Smith, but Donald Trump announced that charges have been filed. Donald Trump has responded via Truth Social that he's an innocent man. These are politically motivated charges.

And everyone from Kevin McCarthy to Jim Jordan to Elise Stefanik, all your favorites, basically, are decrying that this is a dark or sad day for America. Well, they have to, don't they? They have to do this. But Bill Barr, who was his attorney general, said this is not that. He said he shouldn't have taken the documents. And most people who take these documents end up in jail.

in the way that he's done it. Lots of people by accident take them and all kinds of things, and they get various and sundry things. But most people who do this end up in jail. So in this case, I'm going with Bill Barr, although that's an unusual thing for me to do. I think that's what you should call your next memoir. But he's a lawyer. He knows. I'm going with Bill Barr. Yeah, he knows. He knows what this is. He took these documents and then he tried to hide them, and then he lied about hiding them. And so it's the same.

bullshit from him. We're going to see two things. Trump supporters are going to want to equalize Trump and Biden's documents. But the issue with Trump, of course, is that the volume of documents that he took and importantly, the refusal to comply and give them back when requested versus Biden volunteered his. Yeah. And same thing with Mike Pence. He was cleared.

doing the same thing. And it's just a matter of intent and how you behave and you compel other people to lie. And we'll just see when the indictment is unsealed, which it will be pretty soon, we'll see what he did. And I'm sure he did all kinds of things trying to hold onto the documents and get people to help him lie about holding onto the documents. And the other thing you're going to want to make it seem is they're going to try to make this, as Trump loves to say, a banana republic, right? That the government is the deep state or political opponents are out to get him. And

This happens in Pakistan, for example. You're seeing fabricated charges against the former prime minister, Imran Khan. He's had an attack on his life, which he says is an assassination attempt on political opponents. But this is not that. This is just nonsense. He did something wrong and they're prosecuting for it. Yeah, this has been outsourced to a special counsel, Jack Smith, who has a long career across the DOJ and The Hague.

investigating people from both parties. And so, of course, Trump is flipping the script. Yeah, he was. But it's nonsense. He likes to break the law and he thinks it's hysterical to do so. And then he gets hysterical when he does so. Yeah, and he seized on the opportunity to come out ahead of this announcement. Jack Smith hadn't even let

the Secret Service or the Marshals know. They were all scrambling to kind of figure out how to do it. Is all press good press for him? He seems to think so. I don't know. I think people are tired of this ultimately. I think he has his base that always, no matter what he does, no matter how many times he takes a shit on the Constitution, they like it. And then I think everyone else is tired of it. Um.

It's not even a smoke, there's fire kind of thing with this guy. There's just fire. And he likes to burn everything down, including laws. And people can say whatever they want, but let's just take it to court just like they did his election lies. And he'll lose. And that's what's going to happen here. He lost in the sexual...

assault case, he just loses because courts of law behave differently than Donald Trump does. The question is, will he lose the election? Obviously, he did in 2020. Obviously, 2022 was a referendum. But I was really worried the other day. I listened to an episode of The Daily where they were kind of going over the suddenly crowded GOP primary. And Shane Goldmacher said that

Something like the most important thing you have to look for in evaluating these candidates, like most things in the Republican Party over the last eight years, is how they define themselves relating to Donald Trump. Yeah, of course. Of course. He's really mutated that party. And we'll see. We'll see if they want to keep losing. People are sick of him, but he's so powerful. He's a loser. He's a three, one, two. He lost the midterms. Three-time loser. So I'm enjoying Chris Christie in the race because he's pointing this out rather well.

I love Chris Christie. You love him. Yeah. I don't love him. I think he's, you know, he's he really was too tight with Donald Trump. He did Bridgegate. But I love what he's doing right now. And I think he's just spouting the facts. And, you know, he was a very good prosecutor. And obviously you can see how well spoken he is. And a friend of mine worked for him and didn't much love his politics, but certainly had great respect for his legal qualities.

I think he's funny. I think I just gave him $5. Did you? Yeah. You're making political donations? I just $5. I just, it was like just to get him on the debate stage. I noticed you shared his announcement on Twitter and I thought that was odd. I'm like, oh, I didn't know. I want him to be on the debate stage. That's all. It's $5. So you can question my fairness. I want to see him on the debate stage. And if everyone gives a bunch of money, he'll be on the debate. It's how they decide who's going to get on. And so. He needs what? 40,000 individual donors. Yep.

Kara Swisher is one of them. Five bucks. Chris Christie, let's go. Anyways, these charges will make the 2024 elections even more of a spectacle, which is probably exactly what Donald Trump wants. And it demands that it be airtight in terms of election security and claims of fraud. And that's why we thought it was very important to have on this guest today, Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency, also known as CISA.

And this agency exists under Homeland Security. It's primarily responsible for helping organizations prepare for, respond to, mitigate the impact of cyber attacks on everything from ordinary citizens and critical infrastructure like pipelines and power grids to securing our election infrastructure, which is through Chris Krebs how this really became a known entity to the public.

Yeah, I knew her predecessor, Chris Krebs, and I talked to him not infrequently, who was fired by Donald Trump for simply saying the election was not stolen. Fired by tweet. Yeah. And so, you know, I'm very interested in this role. It's a new government agency. It's designed to help state and local officials and across the country with these cyber attacks, not just election. That's been the focus, obviously, because of the Krebs firing.

But infrastructure, I've talked about this on Pivot, on lots of places, is the challenges we face as we become this incredible surface area of attack for the Chinese, for the Russians, for all kinds of malicious hackers, and including domestic hackers. So Easterly has a very tough job because she's got to get all these, hers is a voluntary organization, she's got to get all these secretaries of state and all these local election officials, including in states where there's high amounts of election denial. Right.

Yeah.

Another relatively calm election, which someone pointed out to me, and I think it's correct, that hasn't happened since Bush-Gore. That's when it really started to go off the rails, this idea of whether elections were secure or not. But even if you don't believe this, the constant chatter about our elections makes you not believe in your institutions, which is ridiculous.

brings you back to Donald Trump. He wants to burn it all down and make you feel like it's all a con or you're being cheated and stuff like that. And so it's important to talk to officials like this. And these are public officials across the country who are doing their best to make sure elections and other critical infrastructure is intact. Yeah. And of course, part of the challenge is that the reality of foreign threats kind of obfuscates or creates a cloud and cover under which conspiracists can claim that elections have been stolen. And so there's this

very wacky incentive structure. The more the government shares and is transparent about foreign interference and threats against U.S. democratic infrastructure, the more kind of conspiracists can point to things. And we've seen this especially in the Twitter files. Yeah, that Twitter files was such a largely a load of shit. And Twitter's own lawyers in a recent case have contradicted every bit of the allegations made by Elon Musk. Yeah, this stuff is often conspiracies, straw man arguments, but, you know, we

We are in a politically contentious moment, and that makes Easterly's work even more important. By the way, do you remember who Trump appointed as a cybersecurity advisor once upon a time? I don't know, his grandmother? Even worse, Giuliani. Oh, right. Oh, that guy. Oh, good guy. His grandmother. I was correct. I correctly identified it. Oh, honestly, that guy. Just like, whatever. Anyways, let's take a quick break, and we'll be back, not with Giuliani, but with Director Easterly of CISA.

It is on.

Jen, it's great to finally have you on the show. I've been wanting to talk to you for a long time, but I don't know if everyone fully understands what your job is. So before we start, explain what you do and what you run. Yeah, so thanks. It's awesome to be here. So it's CISA, the Cybersecurity and Infrastructure Security Agency. Rolls off the tongue. Yes, right. That's why we call it CISA. Yeah. Many people know it because of my predecessor, Chris Krebs. Right.

Because he was fired. Because he was fired, as you well know, in 2020. So it's the newest agency the federal government stood up in November of 2018, essentially to be America's cyber defense agency. So the whole idea is reduce risk.

to the cyber and physical infrastructure that Americans rely on every hour of every day. And that's the decision that was made in the Trump administration to actually stand this thing up and to focus very heavily on our role in cybersecurity and also serving as the national coordinator for critical infrastructure, security and resilience. You know, at the end of the day, we're not an Intel collector.

We don't carry badges. We're not law enforcement. We're not a regulator. We're not a military. We are a voluntary agency, which is why our ability to create trusted partnerships, which as you appreciate can be super hard, is so important to our success and kind of be at the middle of success.

being able to coordinate everything that people need to keep themselves safe and cyber, which is, you know, is quite a bit. Yes. And we'll get to infrastructure in a second because that's sort of a lot of the concern. But it did become famous last election when Chris Krebs was fired after he called the 2020 election the most secure in American history. And then he was fired via tweet. He talked about this. Elections aren't all you do, but it's, of course,

a big thing now. It's become so partisan. It's, of course, being used by Donald Trump as a cudgel in his election efforts. Talk about our election infrastructure, because this is like the sort of third rail now for some reason. Yeah, I mean, you're right, and it's unfortunate. What I'd love to do is to make elections boring again. So in 2017, the secretary at that time before the changeover, Jeh Johnson, designated election infrastructure as critical infrastructure, which meant

that CISA would serve as what's called the Sector Risk Management Agency, meaning that we work with state and local election officials who are responsible. Who are responsible. Who are responsible. We obviously are not for everything that they need to ensure secure elections. And the irony of this whole thing is when that designation came out,

State and local election officials were super unhappy. And to Chris's credit, and his team, they developed these fabulous partnerships with secretaries of state of all parties. This is not a partisan sport. And really robust, great relationships that, frankly, I inherited. And I think the most important thing that people should know is we are a nonpartisan agency, even in a place where things get really politicized. Mm-hmm.

We have to ensure that we can work with Republican secretaries of state and Democratic secretaries of state so they can take advantage of all of the free services we have for cybersecurity, physical security, insider security, and foreign influence and disinformation. Which you will give them information on, and they can choose to use it or not, correct? Yeah. I mean...

The threat landscape arguably has become a lot more complicated even since 2020, right? We were very worried about cyber, a lot done to raise the bar on cyber security at the state and local level. Now we're worried, unfortunately, about physical security threats, which I think is pretty freaking outrageous. Yes, I watched Succession. Go ahead. Right? I saw that. You were probably like, oh, good God. For people who don't know, on one of the final episodes of Succession, there was a fire and it ruined the ballots.

And it was not quite clear whether it was a terrorist attack or a domestic terrorist attack or not. You think about what foreign adversaries can do to take advantage of the uncertainty around whether something bad that happens is intentional or malicious or just something that happens at the end of the day. So it's cyber threats, it's physical threats, it's insider threats and foreign influence. And the physical threats are these threats against election officials. Yeah, it's crazy. And that is something you help with?

Well, we do a couple of things. So we are in the what I call like left of a boom. So we are helping to build resilience. So we do physical security assessments. We advise on best practices for facility security. But it's really what they rely on is the state and local law enforcement to help with things like that. And then the FBI and justice has a task force there.

But at the end of the day, we are trying to help them understand the things that they need to do to keep themselves safe. So like training we did called the Power of Hello and de-escalation training so that they can be prepared to deal with threats at polling places. And these are physical threats against families or... Yeah, I mean, at their home, you've heard all the horrible stories. But, you know, to be clear, like I thought... So 2022, I thought, went incredibly well. And that's all off the back of state and local election officials who...

kicked ass and were fantastic. But I was super worried that there was going to be an active shooter at a polling place. I was super worried about a ransomware attack. And, you know, off the back of this great work, we were able to, they were able to keep these secure and safe. Last week, Chris Krebs said he expects Russia, China, Iran, maybe even domestic groups like militias to try to meddle in the elections. What's the biggest foreign threat right now to our election? How are you trying to counter? I worry a lot about that.

as well. You know, we can't, we have to plan for the worst and frankly hope for the best. And, you know, in the military, they teach you to plan against the most probable course of action and the most dangerous one. So you think about cyber threats, physical threats, insider threats, and then foreign influence disinformation.

I think if you look at the nexus of some of the AI capabilities that we're now seeing, I think that there are many things that could happen with AI-generated scripts and chatbots that could make the

information environment, that's that much more difficult. So I worry a lot about that. I mean, Geoff Hinton talked about this, right? The godfather of AI, that there's going to be flooding the internet, even more so with fake text and photos and videos. So the average person can't tell what's real anymore. Who would you say is most

you're seeing problems most with? Well, right now we're not, you know, we're obviously continuing to monitor the environment, but we're not seeing specific problems, um, focused on the elections. But, you know, quite frankly, I think we will. We're doing everything we can to be proactive and prepare for it. You know, we expect, uh, for our foreign adversaries to look for ways to undermine, uh,

Our democracy, I mean, look at Chinese doctrine, okay? They have a specific thing in their doctrine called cognitive domain operations. The military would call it psychological warfare. So they're specifically looking to be able to influence the American people. It's part of their doctrine. So I expect that we may see things like that, and that will make things even more complicated. Problematic, right. And one of the things they have is they have a huge landscape in this country. They have a huge surface area, I guess. Let me use a military. You have a lot of surface area to attack.

including social media companies, which have played a big role. And I know the Biden administration has focused on them a lot. They're a private company to distribute information. They run political ads on their platforms. And in the election denier, post-COVID, Elon, Twitter era, everything has become completely contentious and even more so. How do you work with

social media companies now? Because it seems like they are starting to take the brakes off again. Yeah. So we don't actually work with social media companies. At all? No, no. Do you think you should be? No, I don't think so. The FBI works with them. Yeah, the FBI works with them. You know, I think as the director, I need to ensure that we are able to do our core mission to reduce risk to critical infrastructure.

And at this point in time, I do not think the risk of us dealing with social media platforms is worth any benefit, quite frankly. And, you know, as you know better than anyone, these platforms make their own decisions. Mm-hmm.

And I want to be very pure on what it is that we are doing. And we're doing it. I want to emphasize the reason that we focus on foreign influence disinformation is because we hear from state and local election officials that it is a major concern of theirs. And we feel obligated to be helpful.

But I don't want to be seen in any way as telling social media companies what they should be doing. It's entirely up to them. Well, you know, Matt Taibbi did the Twitter files full of factual errors, actually. But it is true that CISA partners with organizations that flag tweets to Twitter. Oftentimes, Twitter took them down. Sometimes they didn't.

What do you say about people who are uncomfortable with government doing that, partnering to try to change this stuff? So thanks for asking, just to be very clear. So this was in 2018, 2020. There were...

I think 200 pieces of information that came from state and local election officials that went to the Election Infrastructure Information Sharing and Analysis Center. They sent them to CISA. We sent them to Twitter saying, you know, this is information that comes from state and local, you know, do with it what you will with a, you know, this is not, and we're not telling you to do anything with it.

So that was done in 2018, 2020.

200 pieces of information and I made a decision not to do that. So we are not doing that. Let them put, let them give them themselves. State and local election officials can give them to the platform themselves. And I think that's the right place for us to be. Does that give conspiracies too much power? I don't, I mean, we weren't playing a significant role. First of all, it was a small amount. And we were essentially in the middle of a process where they can send

things directly. I mean, the other thing that I took a really hard look at, it's not like I'm going to, you know, back the fuck down because conspiracy theorists, right? Right. I'm a combat veteran. But, like, I took a look at measures of effectiveness. Mm-hmm.

Is some of these things actually having an impact? And at the end of the day, I did not see huge measures of effectiveness in saying, yeah, this is really making a difference in terms of that specific disinformation. Right.

And so that's one reason why I want to make sure we are not communicating with these companies. Yeah. And we are seen by everybody as we are here to help. And, you know, by the way, like just as an aside, if you look at the brief that was filed by Twitter's lawyers, they made it very clear that nothing in the Twitter files was

that the information was being used by Twitter to censor anything. Right, or cuss it. There was no... Yeah. Specifically the government, there was no coercion, no censorship. No, I wasn't much impressed with the Twitter files. But where are we for 2024? Yeah, good question. So we've...

We've started already. We met with secretaries of state, state election directors in January. We want to get out to local election officials and ensure that, you know, whatever resources we have, they can take advantage of. So now our field forces are going out there to do cybersecurity assessments, to do physical security assessments, and to ensure that resources are available. So we're getting— How do you fend off the people who—

The ones who are convinced that this is being taken, I mean, they attack the Capitol. You know, I mean, these people, they have beliefs. Like, at the end of the day, we are not going to convince certain people of the integrity of processes at the ballot box. I mean, we want to be...

I'm really certain that as much as possible, those people will listen to the federal government and listen to the advice and the advisories we're putting out.

that we are preventing, frankly, our adversaries that I'm most worried about. And our mission is not about protected speech. We need to be very, very clear on that. But we need to also recognize that China, that Russia and Iran, we've seen these foreign adversaries use influence operations to undermine American confidence. But, you know, more than 80 percent of Republicans and independents who call themselves very conservative think this election was stolen.

They do now. It's worked, however it got there. Eight Republican-led states have pulled out of the Electronic Registration Information Center. There's a conspiracy theory that it's a George Soros-backed liberal operation. It's obviously not true. It's a bipartisan effort to maintain voter rolls. What does that say about the state of elections if you're trying to do this, if they actually believe the election wasn't stolen? Well, I mean, I'll tell you, in my experience over the last two years working with

state election directors with secretaries of state, generally, they don't take a partisan view toward it. They actually want the American people to have confidence in the integrity and security of their elections when they go to the ballot box. And by the way, just to emphasize, I have talked to Republican secretaries of state, Democratic secretaries of state. They're all concerned about disinformation. This is not a party issue. Even if they believe the election was stolen. Yeah.

They're as concerned about disinformation. They do everything they can to look at this as not a partisan issue. I mean, keeping elections...

safe and secure and resilient or about the safeguarding the fabric of our democracy. And my experience with state and local election officials is they agree with that, notwithstanding the rest of the political zeitgeist. In Alabama, Indiana, South Dakota, Wyoming, Florida, secretaries of state are outright election deniers or choose to say President Biden won at the local level. It's

might be even worse in Pennsylvania, 18 candidates who spread election misinformation are likely to win their races in November and a position to oversee how their counties run elections. How do you, that's not your job, but how do you fight that? And how do you interface with these officials? I've interfaced with all those officials, actually. And where we come out on this is, first of all, we have to make sure that at the state and local level,

that those election officials feel like they can avail themselves of our capabilities. Right, I got it. So physical security assessments, cybersecurity assessments, and

And that's the most important thing. That's our core mission. Right. Okay. But if they don't believe you or imagine you're a George Soros backed. We have not had any issues with people saying, I'm not going to avail myself of your resources because I think you're part of whatever. Right. By the way, I'm an independent. Right. I get it. I get it. Just to like for your audience out there. So I have not come across that.

And we work very hard to be seen as nonpartisan, which is increasingly difficult because of the specter of disinformation and misinformation. You mentioned earlier you're independent. As you said, you went to West Point. You served in the NSA under Condoleezza Rice. You were confirmed unanimously by the Senate. So your commitment to the country is obviously clear.

Thank you. And yet I wouldn't be shocked if people started personalizing the attacks against you as part of the deep state in this day. Are you prepared for this? I mean, you're not Lina Khan, but... I mean, there will always be, you know, haters going to hate. They hate a lot. I have enjoyed, you know, a good amount of support. Certainly, I think, as you know very well, you have to have a thick skin in any sort of, you know, public position.

To me, what's most important is my family. And so to make sure that my family is safe and secure is number one, as it was, I think, for Chris as well. But

What I would want people to know is, you know, at the end of the day, somebody who puts on a uniform and spends 21 years in the U.S. Army and combat zones all over the world, it's not about ego. It's not about money. It's about protecting and defending the Constitution of the United States of America from all enemies, foreign and domestic. Were you surprised when they attacked Chris, for example? I mean, they seem to attack anybody. Yeah, I think it got really, really difficult. So do

Does that make you want to keep a lower profile or a higher one? Last December, there was a scathing article about you published in the cyber industry news site CyberScoop. Reporters spoke to 32 insiders and they essentially said you've been too much focused on promoting your personal brand and that's distracted you from articulating a clear vision within the agency. Do you worry about that? Yeah. I mean, that article, I think it quoted Jim Langevin, who came back on top and so said

I'm sort of dismissive of that one piece. But I think for the core point, you know, it's not about me, right? It's like Ted Lasso. It's not the Lasso way. It's never about me. It's about, you know, the Richmond way. It's the CISA way. Now, CISA is a new agency that's been through a lot of stuff. Got our director fired. We had a pandemic. You know, we had an entire reorganization.

What I want to do is be able to attract the best talent and then hold on to that talent as long as we can. So I get out there and I talk about culture and I talk about mission and I talk about operations and I talk about what it's like to work at CISA. And like, to be honest, Kara, notwithstanding what that article said, over the last two years, we've hired 1,105 people.

So that's a lot for a government agency. Right. So I think we're doing pretty well. And I think, I guess the last thing I'd say is, look, nobody's banging on Nate Fick for getting out around the world and meeting with foreign partners. But, you know, when a woman who has a tattoo and a nose piercing and likes to wear the clothes that she likes to wear goes out there and is dealing with,

tech people, you know, it attracts, I think, attention. Right. There's an element of sexism involved too, I think. Oh, you think? Yeah, I do. You think that? I think that. What do you think? Yes. Yes. Okay. We'll be back in a minute.

Elections aren't the only critical infrastructure that you have to protect. This happens every couple of years. We have pipelines, government networks, millions of cell phones. What keeps you up at night? I mean, I think we both read This Is How They Tell Me the World Ends. Oh, yeah. Nicole's fabulous. Nicole Perlroth's book. After I read that, everything kept me up at night. So what are you most nervous about?

I mean, look, so whatever, 35 years, counterterrorism, intel, cybersecurity. As you might expect, I don't sleep very much as it is. So I think what has been worrying me a lot lately, to be honest, is what we're seeing with these incredible developments on artificial intelligence. Mm-hmm.

And I see it through the lens, right, of counterterrorism. You know, I believe in the power of technology. Right. But I think it's a leader's job to be able to leverage the power of imagination and to avoid the failure of imagination. And I think there's not enough of a healthy debate about how these tools can be used to

by very bad people who will operate them with impunity. So I worry a lot about that. And I look at it through the lens of, quite frankly, the short history of information technology is the history of unsafe technology. What do you think about 1983 TCP/IP? It was never meant for security, right? It was Dan Kaminsky. The internet was meant to move pictures of cats. Very good at moving pictures of cats.

But you have internet with viruses. You have software full of vulnerabilities, right? So you force the user to patch them. You have social media that is full of disinformation and quite frankly, separately causing real mental health issues that I worry about as I'm a mom.

And now we're hurtling in the world of AI. So it's interesting. I want to get to AI in a second, but you didn't mention, for example, the Colonial Pipeline cyber attack in 2021 or SolarWinds attack, which was one of the biggest cybersecurity attacks. Where are we with those, the Colonial Pipeline and the SolarWinds? Explain each of them for people who didn't understand and what the fallout. Sure.

is the name of a company that provides essentially, just to think of it as like sort of it provides software to a lot of different companies to help manage their networks. And in December of 2020, it was revealed that there was Russian infiltration.

of SolarWinds that gave them a foothold in a variety of networks. They're in the glue, essentially. Yeah, inside the networks. So essentially this became a pretty big deal because this was during the transition and sort of in some ways it was, it hopefully helped set the agenda for this administration to put cybersecurity as make it a top priority. So actually in some ways it was pretty important

It's never helpful to have a cyber incident, but that helps set the agenda. So Russian intrusions, essentially for espionage, it was getting into the supply chain, as you said, so to have those impacts to steal data. Then, as you mentioned, we had Colonial Pipeline. So that was a ransomware attack by a Russian-affiliated cyber threat actor.

that essentially got into the information technology. So think about part of your business in the Colonial Pipeline. It did not get into the part of the pipeline that actually controls the flow of gasoline, but there was a

Possibly.

that, again, really got the sense of urgency about what we needed to do to improve cybersecurity. And it's interesting because it's a software supply chain attack, which I think people are going to go, oh, what? Like, it's not like a hack that you think of a virus steal my credit card kind of thing. But the increase has been massive over the last three years, according to a recent study. How do you...

even think about protecting ourselves when this software, which is the glue of network, I don't know how else to explain it, it's glue, and they're in the glue and they're hiding in the glue. And these are attacks from the private sector vulnerability because we rely so much on the private sector, but it has implications for the whole nation. How do you...

How do you deal with that across multiple industries then? Is it even possible because of the landscape we have? I mean, I think you say the critical thing here. So a lot of what's common is the software. You know, famously, software is eating the world. Yeah. Like, frankly, we're all getting food poisoning from it. So the issue goes back to the fact that we have normalized this acceptance of

software that comes full of holes, full of flaws, full of vulnerabilities. And so we've accepted it, we've normalized it, which is why we think the only approach to sustainable cybersecurity, to getting ahead of these complex, dynamic, increasingly sophisticated cyber threats, is to move up

the chain so that the software that we buy is much more secure. Secure by design, secure by default. But you can't make them, right? You don't have an ability, a stick to make them do it because they spend their own money to beef up cybersecurity. Why should they? Yeah. So a few things, right? First of all,

I have to assume that businesses care about the safety and security. I want to assume that. Please don't. Care about the safety and security of their customers. They do not. What has...

Maybe one guy. So let's assume they care about their customers and the safety of their customers. At the end of the day, what has been missing is a clear signal. Consumers actually don't know what to ask for. They're like, okay, I'm going to sign this user agreement. I'll just press approve because I can't turn my phone on. And essentially what that is saying is you accept all liability for everything that will go wrong for this device. Right.

So we've been forced in a place where the users have all the security placed upon us, and we just assume that that's normal. So part of what we're trying to do is to move the Overton window so now you have not this normalization of software that's unsafe, but actually software that's created secure by design, secure by default. This is what you call it. Let me just say you wrote in Foreign Affairs Magazine, and the quote is, under this new model, cybersecurity would ultimately be the responsibility of every CEO and every board.

How do we get here? Because I haven't seen them concerned about safety of anything so far. Okay, first of all, it's not easy. Their own yachts. They're very concerned about their own security. Okay, so 1965, Ralph Nader wrote the book, Unsafe at Any Speed. Yes. It wasn't until 1983 that we got seatbelt legislation, right? I don't think we have that long to wait to move us from unsafe at any CPU speed to a place where technology products are in fact safe.

So what are we trying to do? Well, we're working with technology companies to ensure that they understand what we think safe products are, what is secure by design, meaning tested, developed, such that you reduce the number of vulnerabilities and flaws that can be exploited by malicious threat actors.

So now we can actually move to safer code. There are things that we can do. So that's one thing. And we're calling for radical transparency so that we understand what's your roadmap to memory safe? What's your roadmap to enterprise multi-factor authentication? What's your roadmap to going passwordless? So I don't have to teach my 90-year-old mom how to enable multi-factor, two-factor authentication.

So that's a piece of it. And by the way, we're having very good conversations with the tech companies on this. So I'm not saying this is going to happen next year. Sure. But I think we can start to nudge if we show what the clear market signal is from the producers to the consumers. And we continue to use our platform to get there. And it's got to be a global platform. And the product that we put out in April is...

We had six countries with us on it, the FBI, NSA. And again, we're working with industry on this, who I think gets it. But it's hard because there's never been any regulation of technology. No, never, never been it. And also going back to SolarWinds, CISA has said the federal government has managed to evict the Russian hackers out of American markets. Others say perhaps not.

I'm not sure we can be sure that we booted them out at all. You know, they were in these vulnerable systems and they could be hiding there for as long as they need to. Yeah, I agree with you. I mean, we live in a world where the products that we have are not secure by design or secure by default. And quite frankly, it is super hard to prevent

bad things from happening. What we need to do is to assume that disruptions will occur and then build the processes and the networks so that we prepare for those disruptions. We have to be able to do that so that we can reduce risk to the American people. Are these Russians out of the networks? Did you just say that they're not? I mean, we...

did everything we could to ensure that these networks were remediated, but nation-state actors can burrow in to spaces and can be very difficult to find. So can I say with 100% certainty that there's not nation-state actors lurking in our infrastructure? No, which is why, again, we need safer software. We need CEOs and boards that treat corporate cyber responsibility as a matter of good governance.

And that we all recognize, like, this ain't something the government's going to solve or that industry can solve. We have to work together in what we call persistent operational collaboration. You know, I've always felt there was a—the distrust between government and technology companies came from the Snowden revelations. You know, at the time, I covered them. And—

They were surprised, I have to say. And I was surprised they were surprised. They were like, can you believe this? I'm like, uh-huh. Yeah, I can. I remember them feeling betrayed, many of them. I always thought they were naive, actually, which was interesting. By the way, so 10 years on, which is interesting from Snowden, I think the landscape has changed markedly. I think that even just over the last couple of years, some of it because of these high-profile hacks like SolarWinds and Colonial Pipeline. Sure.

I have seen industry and government come together in a pretty productive way. You remember Log4j? That was the software vulnerability in December of 2021. Pretty catastrophic vulnerability. That was a place where industry came together. Government, fantastic researchers.

to enable us to really urgently mitigate threats from this software vulnerability. And I think even the Russia campaign, our Shields Up campaign, where we work with industry to help them mitigate threats from Russia. Well, they shouldn't be in denial anymore. But one of the things is actual citizens and Americans understanding the threat. It's very hard because they have accepted all these free maps and dating services and everything else, which I call them cheap dates. But do you think that they...

understand the vulnerabilities because it really there are so many points of failure including individuals. You've said we can't just PSA our way out of this. It can't be this is your brain on drugs. This is your brain on cyber. Should there be a national program to educate citizens and

What should they be listening to in order to understand it besides getting hacked someday? Is that your recommendation? This is your brain on cyber? No. Moms, don't tell people your social security number is my PSA, which recently happened. Yeah. We're actually launching a PSA campaign. Even though you said you can't PSA your way out of it? Look, one of the recommendations, which we're not going to take, was cybersecurity, fuck yeah. What? Yeah.

To get people excited about cybersecurity. But that's not it. No. So you can't PSA your way out of the strategic issue, but that doesn't mean explaining good cyber. It doesn't mean good cyber hygiene goes away. We obviously have an individual and a business responsibility. What we're saying is all the responsibility can't be on you and on a small business. Never should have been. Exactly. I mean, technology companies should bear the biggest responsibility.

part of that burden. And that's what we're saying. So what we're trying to do is what are the very simple steps that people need to do to keep ourselves, our family safe? And it's not rocket science at the end of the day. Look, it's four things that people can do that doesn't take a computer science degree. First and foremost...

Enable multi-factor authentication. Yeah, that just trips off the tongue. I know. I know. It's terrible. We create these words. That's why I like the, do you like music more than a feeling? Not much, but go ahead. All right, fine. It's like more than a feeling, more than a password. Okay. So it's a whole idea. It's just more than a password, right? But the good news is actually a lot of companies are going passwordless. So you won't have to, you know, you can do a thumbprint or

your face recognition so you don't have to remember all of those different passwords, but you can get a password keeper, which makes things easier. You update your software, which we'll hopefully have to do less of if software producers produce better software.

So, and, you know, the whole phishing email thing, you need to have people be aware of kind of malicious links. Those are the basics. I think most people fail at them almost constantly, unfortunately.

You made an analogy about cyber threats from Russia and China. And as you said, Russia is the hurricane. China is climate change. Can you explain what you meant by that? I mean, we worry all the time. Russia's talented in terms of their cyber capabilities. But the real formidable adversary, the ones putting the most resources and capabilities into this, is China.

And we put out a cybersecurity advisory, I think it was last week or the week before, that talked about Chinese intrusions into critical infrastructure and what companies and businesses need to do to look for those intrusions. Essentially, it was a technique called living off the land, which is using the processes that are native to your computer to actually hijack them so that you can burrow in there.

And it could be burrowing in for espionage, but some of the targets we're seeing are not about espionage, but about potentially disrupting and destroying our critical infrastructure. You know, there's a document that comes out every year that very few people read, but it's incredibly important. It's the Intel Community's Annual Threat Assessment.

Everybody should go to the part on China cyber where it says that in the event of a conflict, which we know is potential given what's happening in Taiwan and the straits there, China is almost certainly going to launch aggressive cyber operations against our critical infrastructure pipelines, rail transportation to delay military deployment and to induce societal panic. And if you saw the reaction to Colonial Pipeline or the reaction to the high altitude balloon,

you see that inducing societal panic ain't going to be that difficult. And we need to be prepared for it. So speaking of China, TikTok, obviously, you said you support a total ban. I have asked this of senators, several senators. Do you approve that TikTok is a threat to national security? You kind of have to show your cards on that. Is that...

From my perspective, or do you support based on a theoretical threat that any Chinese based social media company that's wildly popular country is there for surveillance and propaganda? I think I believe that myself. But do you need to prove it?

No, I mean, I don't think you need to prove it. Certainly, we have a lot of evidence of the threat from, and just to be very clear, I am not worried about TikTok as a cybersecurity threat. I'm worried about the massive amount of data that will be available to the Chinese government because of the ways their laws are structured, and that data can be used for all kinds of purposes to include

targeted influence operations, right? And so that is one reason why TikTok is not on government devices. And I know there's discussions about potential bans. I think it would be very difficult in practice to make those bans work. But by the way,

When you talk about TikTok, you have to talk about the enshittification of TikTok because that's such a great word in Cory Doctorow's article, which basically says platforms will die. But even though they won't be of value to customers anymore, people will be addicted and they'll use them. So the things I worry about TikTok is the same thing in social media, is just the effect it's having on our kids and people generally. And I worry...

frankly, that this becomes the shiny object. TikTok is a very tactical issue. We need to be focused much more broadly on Chinese technology that can be used to give them a foothold for disruption and destruction. That's where the focus needs to be.

I agree. It's a shiny object. I agree. But let's move on to something bigger, AI. You've said AI is the most powerful technology of the century and you worry about the incentives to maximize profit to build better AI. What are your biggest AI, as you said, related cybersecurity concerns? You mentioned the ability to flood the zone with information, confusion. Anything else that's important from your perspective?

Well, we've talked about technology, product safety. AI is just another flavor of that. And I don't think looking at the internet, looking at software, looking at social media, we should expect that AI is going to be safe as it is designed. So just sort of that as a thesis. Let's just assume. Yes, they're in a mad rush. Right, right. For profits. And, you know, there's a bunch of different things to be concerned about. I would start with the uncertainty. Mm-hmm.

What do we know about these capabilities and how they can be used both for good but also for evil? I mean, you have to look at that lens. I think it's irresponsible to only say AI can save the world and do all these great things and not to imagine that they can also be used by terrorists.

by rogue nations to do a whole range of bad things. Although many of them have talked about the end of civilization. The people that are making it are worried. And obviously you mentioned Geoff Hinton, but even Sam Altman put out a statement saying this is very problematic for humanity. But Marc Andreessen, a very famous guy who was part of the Netscape browser,

important technology leader, just published a long post where he says AI will save the world. He says that the, quote, public conversation about AI is presently shot through with hysterical fear and paranoia. What's your response to that?

I will respond first, as usual. Yes, please, you respond first. Marc is thinking of Marc, and Marc never does anything wrong, and he's moved on from Facebook. And let me just read this quote. The greatest risk of AI is that China wins global dominance and that we, the United States and the West, do not. I recently had Tristan Harris on. He thinks the AI arms race will actually foster AI adoption by China. So tell me what your thoughts are.

Let me just hit three points here. So let's go back to your point about some of the industry executives saying that they're worried, right? At the end of the day, we've heard a bunch of perplexing things. First, we've heard cases being made to include Congress on the need for regulation.

Um, we've also heard that government doesn't know how to do this. Industry has to regulate. But at the end of the day, you know, that makes no sense because businesses are built to maximize profits for shareholders. They're not built for security. So I don't, I really don't get that. We've heard issues with the EU AI Act so that people want to pull out of Europe. And then there was a reversal on that. Uh,

But the EU AI Act, the schema in there is not too different from the AI risk management framework that was put out by Commerce's NIST, National Institute for Science and Technology. And so I think the only difference is that the EU AI Act has teeth. So I don't totally understand that. And then you alluded to this statement earlier.

22 words, right? Mitigating the risk of extinction from AI needs to be a global priority on the scale of societal risks like pandemics and nuclear war. 22 words that I think to be somewhat uncharitable is an exquisite exercise in risk transference. Here are my 22 words.

And what are we going to do about it? I mean, if you actually think it can lead to the extinction of humanity... Why are you making it? Maybe we could come together in self-regulation. Maybe we could pause. Maybe we could slow down and don't put all the burden on governments to put regulation in place, but say, I don't like that regulation. We're going to keep on just hurtling forward as Marc Andreessen would want us to do without...

really thinking about the implications of that. So just sort of one piece. The second, having people

feel like any regulation can crush innovation at the end of the day. Sure, that's their argument. And so, but we've seen, like, emission standards lead to electric cars. We've seen accessibility have the curb-cut effect where you can use accessibility for a bunch of different things. You've seen financial regulation lead to fraud detection and to secure payments, right? So regulation done the right way can spur innovation. Sure can. So you can accept that. And the last thing...

Right. There's a lot of fear mongering going on on China. And I just think we need to step back and have a more reasoned conversation about this. There was a really good piece in Foreign Affairs from Helen Toner from Georgetown's

Center for Security and Emerging Technology and two of our colleagues basically talked about, you know, China is actually not hurtling into this space. You know, their LLMs are less advanced than ours. They're actually fast followers. So if we slow down a little bit, they'll need to slow down. Also, their macroeconomic conditions, investment, what they have going on with semiconductors, they're actually behind. And frankly, that may become more behind.

And what they're ahead on is regulation. And they are putting very strict rules in place that govern how you test, how you develop, and how you generate content so it aligns with socialist core values. And frankly, it's not a model that lends itself to large language models which scrape the web for data. You know, the trope is you can't count to 10 in Chinese AI capabilities because it includes 8.9 in the year of Tiananmen Square.

So I think this is a bit overblown that if we don't race ahead... No, no, I do. I think technologists are hysterical about how China's going to beat us and then not hysterical enough about the threats. I think we need to have a much more reasoned debate about this. Marc, stop being hysterical about China. Let me ask, regulation, what would you like to see? What about AI? I mean, I think...

The EU is way ahead, as they've been ahead in many things, to include privacy regulation. I think if people have a lot of concerns with the EU AI Act, I think there should be some discussion about maybe how you can take what is good about that. This would be a really good opportunity for us to actually have a conversation with China. Maybe we think about...

AI is going to be the most powerful capability. It's also going to be the most powerful weapon. And governments need to figure out how we are going to control the capabilities that can be weaponized. At least on killer robots. At least killer robots. We can agree. Maybe we can agree on that. Maybe we cannot. I'm not a fan of killer robots. I know, but maybe. There are things we can agree on. We've agreed on many others. The problem is we've become such a short-term society. Part of that is just the technology itself. But I'm reading this great book by a classmate of mine from Oxford. It's called The Good Ancestor.

And essentially the argument is we need to look at what is going to be inherited by seven generations from now. What are we creating? What's the earth we're creating? What's the capabilities that we're creating?

and stop thinking about, you know, the next week, the next quarter, the next election. It's really hard to do, but quite frankly, we need to do it or else we're not going to leave the world we want to leave for our kids and our grandkids. We're leaving them a lot of plastic, one-use plastic. That's what we're leaving them. Okay, last question. If you could wave a magic wand and fix one cyber threat, what's the most consequential thing you do? Increase cybersecurity for all power generation companies? Eliminate Russian hackers? Pause AI? Yeah.

Pick one. I know you hate the word, and I do too. So we should call it something different. No, I think we should enable multi-factor authentication in all of our systems. Anything that holds sensitive data, we should enable multi-factor authentication at enterprises because at the end of the day, the studies show that is the thing that drives down risk. Lock doors. Better than anything. Yeah, it's locking the doors and double bolting them. Yeah.

So it's like a technical answer, which people are not going to love. But quite frankly, it's the best thing we can do. All right, everybody. Multi-factor authentication. And I would take anyone who comes up with a better thing to call it. I wonder if Marc Andreessen does multi-factor authentication. I'm sure he does. He probably has one of his minions do it. Please multi-factor authenticate me or something like that. Anyway, thank you so much. My pleasure.

Multi-factor authentication is so sexy. I know. They should add it to dating apps, you know, like I'm looking for a man with multi-factor authentication. Yeah. Yeah. I guess. I tell you a lot about a person. I have everything multi-factor authenticated, but I cannot get my mom to use it or anyone who's even slightly, I mean, it's hard for people who are smart about it to use these things, but she's right. But honestly, can they not come up with something better? Shouldn't be one guy in your office who clicks on a stupid link

phishing link and then you're all fucked. So as we discussed before the interview, we were super curious how Easterly was going to thread that needle of questioning around the election deniers, secretaries of state and kind of ensuring that they have access to CISA services and they play nice with CISA. And she played a very bipartisan and buttoned up role

They're great. She had to. She had to. I mean, I think on the field, it's a little more complex. We hear from the noisiest people. We have to listen endlessly to that, you know, that yammering Kari Lake. To the eight states. Yeah, exactly. And I think in most states, most people, the people who are loudest get the most attention.

And in practice, they tend to be, once you get near them, they tend to be a lot more cooperative. But she definitely didn't want to like slap around the election deniers very much. Irrespective of what they do, her job is to kind of ensure there's this open door for states to benefit from the infrastructure, from the security that they're providing and to not isolate them. There's probably something to be learned from that. Sure is. That's why I'd never be an election official. Yeah.

The most interesting thing for me, though, was when she mentioned that they don't work with social media companies. It's not even worth the look of suppression. Yeah, that makes sense, actually, for that particular agency. There's other agencies, you know, in Congress dealing with the social media companies. But I think it's best if she looks as nonpartisan as possible. She really is the personification that having worked for Condoleezza Rice, who I think

very few people can argue isn't conservative and Republican, et cetera, to the Biden administration. So she's really got to look like I'm here to help you do a better job and, and,

let's let the chips fall where they may in terms of the election, but I'm here to make sure they're secure. And I think that's probably the best thing. And not even look like, but be like. I found that kind of concerning. I asked you to push back on that. It doesn't give the conspiracists too much power in some way. Yeah. I like that she pushed back with the kind of shade to Twitter's attorneys. And I really appreciated her. I'm not going to back the fuck down because of conspiracy theorists. I'm a combat veteran. Yeah, exactly. I love when she pulls out the... I can use an AK-47. So just be careful. You know, I know how to...

I know how to take a man down with one touch, you know, that kind of thing. I mean, obviously there's not much you can do in this country, but in countries like Brazil, you see they are able to come out and the government's able to come out and block extremist content on both ends. Yeah, it would be nice if 90 days before the election, all the social media companies would shut the fuck up. They should do that like they do in other countries. Or in France, you only have like three weeks of campaigning. I mean, not just the social media companies, the airwaves, everything. Like, can we just reduce the pork barrel of our politics a little bit? That would be nice. No, we cannot.

No. You said something very interesting I wanted to pick up on. You said the distrust between government and tech companies you've always thought comes from the Snowden revelations. Say more. Look, tech companies and government have worked together for decades and decades and decades and decades. Like, it's not, this is not a new fresh relationship. And so there's always been a cooperative thing. And then, of course, subpoenas to get certain information. And as more information has grown online, that's where the subpoenas come from. You

We all understand that. But I think with Snowden, I was there and covered it for Recode. And they were very surprised the extent of what the government was doing in terms of spying. And I was surprised they were. Not everybody, of course, but I think a lot of them were very much surprised.

we're helping you and you're doing this, you're spying on us too. And the manner in which they spied. And, you know, I thought, I just, I remember it being, them being very exercised and distrustful of government during that period. And, you know, they cooperate today behind the scenes in ways we probably don't, we'd be surprised about. And they're also, I mean, the government's a huge customer for them. So their skepticism is interesting. I always thought it was interesting

something uniquely American, not endemic to the tech sector. The tech sector was a little bit of an outlier in the collaboration, but something around the creation of this country, like people...

Most of us have come here as immigrants, maybe persecuted by a government. And there is a distrust of government and a kind of make your own mentality that leads to that distrust. Well, I don't know. Maybe. Right now, there's more of a prevalence. The Elon Musk crowd sort of hates government even as they benefit from it extensively, whether it's Palantir or space stuff or whatever. But they always manage to put up deep state kind of ideas.

around the government. Well, it serves people. It serves capitalists to undermine and neuter government. I mean, that's one of the things. Well, they've done a great job. Oh, yeah. That's the thing. 100%. But you guys, you and Jen had kind of flipped skepticism. She had more bullishness about private companies wanting to protect the privacy and security. You said they only care about securing their yachts. Yes, that's correct. And you were more bullish about the AI founders and you cut them some slack for recognizing the dangers up to extinction, which...

she kind of replied, what will they do about it? I tend to agree with her on that. Yes, that's true. But the original inner people, it was all diamonds and roses and daffodils. And it never was, this could kill humanity. And I get that it could be just a flex or virtue signaling or whatever, but no one ever said it publicly. And so I get that they could try to neuter some of these efforts. But I think everyone's aware that this time we have to get it right. As two of your favorite words. What?

Low bar. Low bar, that's true. All right, well, let's do a test before we leave. Okay, all right. What are the four things she had wanted people to do?

Oh, God. Two-factor authentication. Multi-factor, whatever. It's two-factor, really. Oh, change your password or get a password manager. I guess don't click on stupid things, you idiots. Yeah, beware of malicious phishing. And I don't know the fourth one. Update your software. Update your software. Which you just did. Yeah, I did. I did, indeed. So that's good tech advice from Jen Easterly. And we, speaking of advice, are doing a special advice episode of On.

see if you want our tips on anything, career, tech, relationships, fashion. Just ask tech stuff. That would be good for me. Anyway, the number is 1-888-KARA-PLEASE, PLZ. And we will talk about anything you want. We like to do these shows and we love to hear from our listeners at all times and always with great questions. So again, call 1-888-KARA-PLEASE, PLZ.

All right. Want to read us out? Yes. Today's show was produced by Naeem Araza, Blakeney Schick, Christian Castro-Rossell, Megan Burney, and Megan Cunane. Special thanks to Andrea Lopez Cruzado. Our engineers are Fernando Arruda and Rick Kwan. Our theme music is by Trackademics.

If you're already following the show, you get a star in the CISA PSA. If not, you have to be Marc Andreessen's minion. Go wherever you listen to podcasts, search for On with Kara Swisher and hit follow. Thanks for listening to On with Kara Swisher from New York Magazine, the Vox Media Podcast Network, and us. We'll be back on Thursday with more.