Jen Easterly is the newest director of the newest federal agency. In her role at the Cybersecurity and Infrastructure Security Agency, she works with businesses, local governments and other stakeholders to improve the security of American “critical infrastructure.” As water management systems, pipelines, healthcare, communication and transportation systems become digitized, they become vulnerable to cyberattacks. Easterly shared the agency’s top concerns with Paul Miller fellows. [Transcript | Video]

5 takeaways:

➀ What AI does – and doesn’t – have in common with nukes.

“When you think about it, the most powerful technology of the last century was arguably nuclear weapons. The most powerful technology of this century is artificial intelligence,” Easterly said. “Nuclear weapons were built by governments that had the incentive to keep them safe. The incentives of those building AI is all about maximization of profit and business competition.”

The acceleration of artificial intelligence highlights how difficult it is to regulate, Easterly said. This month, scientists, experts and tech leaders asked labs generating AI to slow down so that risks can be studied. That’s an important conversation to be had, she said.

“That didn’t land very well because of the zeitgeist around this, but I do think it’s something that I worry a lot about,” she said.

➁ Easterly considers TikTok ‘a significant threat.’

Both Trump and Biden have wanted to ban TikTok and Congress may soon give that authority to President Biden. Easterly said China could use the “troves and troves of data” TikTok collects to threaten U.S. national security.

“We know that this data is going back to China and we know China is an adversary nation that has done things with our data both for espionage, for counterintelligence, for profiling. We also know that every intrusion into data can give a foothold, not necessarily for TikTok, but certainly in terms of the overall plan on critical infrastructure for disruption and destruction,” Easterly said.

➂ ‘Russia is a hurricane and China is climate change.’

“It’s a standard part of the Russian playbook to perpetrate malicious cyber activities,” Easterly said. “Frankly, I’m surprised that we have not seen attacks against critical infrastructure at home,” Easterly said, due to retaliation of U.S. support of Ukraine.

“China is the thing that I worry the most about because when you look at … the lessons that China is learning from Ukraine, they’re not going to make the mistake of not going against our critical infrastructure” if they invade Taiwan. “I think we can expect significant cyberattacks on our critical infrastructure whether that’s pipelines or transportation or communication. And that’s all about inducing societal panic. It’s about delaying military mobilization.”

Easterly pointed to the Colonial Pipeline cyberattack of May 2021.

“You saw the reaction to Colonial Pipeline. I mean, that was ransomware that didn’t even hit the actual pipeline. It was just on the IT, the business network. That caused a huge issue across the country. Eastern seaboard gas shut down for four days. … so I think we need to be very, very open-eyed about China’s plans.”

➃ Corporate responsibility is necessary for the common good.

To protect national security, private firms and government agencies should work together and share information. Under Easterly’s leadership of CISA, she “really wanted to shift the paradigm to something where we recognize that government and industry need to be in constant communication and real time-sharing of information in a way that we could come together and reduce risk to the nation.” She said prioritizing “collaboration over self-preservation” conserves the nation’s common good.

Easterly said CISA worked with pipeline companies to help them monitor potential cybersecurity issues. Specifically, after the cyberattack on the Colonial Pipeline in May 2021, CISA worked with pipeline companies to implement monitoring technology to prevent future cyberattacks. Congress also passed the Cyber Incident Reporting for Critical Infrastructure Act, which requires private companies to report any “significant” cyberattacks within 72 hours. “It’s really important because they’ve been trying to get this mandatory reporting regime for probably over a decade,” Easterly said.

➄ How individuals impact cybersecurity

“Everybody has to have an awareness of threats,” Easterly said. She said people should approach cybersecurity from an educational standpoint, not one of fear. Individuals should utilize password keepers and use “complex, unique passwords” to protect their online data. People should also educate themselves on phishing scams and strengthen their spam filters.

NPF is solely responsible for the content.