Why the U.S. plans to lean on the hacker community to bolster ‘cyber hygiene’

“At the end of the day, cyber threats—and in particular ransomware—is now a kitchen table issue,” Easterly said at Fortune’s Brainstorm Tech summit in Half Moon Bay, Calif., on Wednesday. “And my goal as the head of the nation’s cyber defense agency is to make cybersecurity and cyber hygiene, in particular, a kitchen table issue as well, and to really regain the initiative on the defense.” 

For years, the country has focused primarily on cyber offense, and as the second director of the youngest federal agency, Easterly is focused on regaining the initiative on cyber defense.

The agency’s Cybersecurity Advisory Committee is helping reshape the nation’s cyber ecosystem to favor defense. On Tuesday, CISA announced the group’s 23 members, who will advise Easterly on policies, programs, planning, and training. 

Last year’s cyberattack against IT firm SolarWinds exposed America’s vulnerability. Hackers used a back door in SolarWinds software to access major companies, high levels of the federal government, and other entities.

Cyber hygiene is “the key thing we need to do as a nation, because cybersecurity is not about technology, in my view. It’s about human behavior,” she said. 

Something as simple as enabling multifactor authentication can protect a person against the vast majority of hacking attempts, she noted. “It’s about human behavior, [multifactor authentication], updating your software, thinking before you click, and really understanding there are just some basic things that you need to do to make us safer.”

The Cybersecurity Advisory Committee was set up to help tackle issues like cyber hygiene and election misinformation. It has a diverse lineup that includes Austin Mayor Steve Adler, cybersecurity journalist Nicole Perlroth, Mastercard chief security officer Ronald Green, Krebs Stamos Group partner Alex Stamos, and University of Washington associate professor Kate Starbird, a leading researcher in how people share and interact with information (and misinformation) in digital environments, such as social media.

In October, CISA hired Washington State’s former secretary of state, Kim Wyman, to help address election security. As secretary of state, she oversaw Washington’s elections. Following the 2020 election, Wyman was one of a handful of elected Republican officials to challenge former President Donald Trump’s unfounded claims of election fraud. 

Following last year’s election, CISA’s first director, Chris Krebs, dismissed Republicans’ fraud allegations and said the election was secure. Shortly thereafter, Trump fired Krebs in a tweet.

Easterly called Krebs’ stand as a “moral courage moment” and said she wants to keep CISA apolitical. However, as Krebs’ dismissal showed, being nonpolitical doesn’t inoculate an agency from being pulled into the political maelstrom. 

Next week, Easterly said, she is meeting with “senior leaders” from internet service providers, cybersecurity vendors, and other key technology actors at a gathering in California hosted by Dave DeWalt of NightDragon and Ted Schlein at Kleiner Perkins. Department of Homeland Security Secretary Alejandro Mayorkas and National Cyber Director Chris Inglis are coming out for the meeting, as well. 

“This is really about us meeting people where they are, not dragging them to Washington,” she said. “We’re going to move fast and build things—build trust, build partnership, build security.”

“It’s very important for CEOs to understand that cybersecurity is not just the IT guys or security guys,” she said. “It’s an existential business risk and, quite frankly, a risk to national security given the connectivity.”