A Cybersecurity and Infrastructure Security Agency (CISA) spokesperson recently announced that all appointees of the Biden-Harris administration will vacate their positions by inauguration day. As the U.S. begins to prepare for the official presidential transition, CISA now faces a pivotal moment with the resignation of Director Jen Easterly and her leadership team.
Easterly had served as the Director of CISA since April of 2021, when she was nominated for the role by President Biden. During this time, she led CISA’s efforts to understand, manage, and reduce risks related to America’s cyber and physical infrastructure.
CISA was created in 2018 when the Cybersecurity and Infrastructure Security Agency Act of 2018 was signed into law. This legislation reorganized the National Protection and Programs Directorate (NPPD) of the Department of Homeland Security (DHS) into CISA, with a focus on strengthening the nation’s cybersecurity and infrastructure resilience.
Easterly’s appointment as Director was the latest in her long and successful career. She previously held the role of Head of Firm Resilience at Morgan Stanley, where she was responsible for ensuring preparedness and response to business-disrupting operational incidents and risks. Prior to that, she held two positions in the White House: Special Assistant to President Obama and Senior Director for Counterterrorism. She also served as the Deputy for Counterterrorism at the National Security Agency (NSA).
A two-time recipient of the Bronze Star, Easterly retired from the U.S. Army after more than 20 years of service in intelligence and cyber operations. During this time, she was responsible for standing up the Army’s first cyber battalion and was also instrumental in the design and creation of the United States Cyber Command.
Driving Innovation in Cybersecurity Resilience at CISA
Under Easterly’s leadership as Director of CISA, the agency launched many transformative initiatives that enhance cybersecurity resilience and promote collaboration across the public and private sectors. Programs like Secure by Design, Shields Up, and vulnerability disclosure mandates exemplify her commitment to building a proactive cybersecurity culture.
- Secure by Design advocates for technology manufacturers to prioritize security as a fundamental aspect of product development instead of an afterthought. It emphasizes building secure systems from the ground up to reduce vulnerabilities and mitigate risks for end users. By encouraging transparency and robust security practices, the Secure by Design initiative aims to shift industry standards toward safer digital ecosystems.
- Shields Up is a nationwide effort to strengthen organizational cybersecurity posture in response to heightened cyberthreats, especially from nation states. Shields Up provides actionable guidance, resources, and tools to help organizations protect against and respond to potential cyberattacks.
- Vulnerability disclosure policy mandates encourage companies and require federal agencies to establish policies that allow security researchers to report vulnerabilities in their systems. These mandates seek to foster collaboration between various agencies and the cybersecurity community to identify and remediate security flaws before they can be exploited. Binding Operational Directive 20-01 is a famous example of such a mandate; it formalizes the requirement that agencies create appropriate methods to identify and address vulnerabilities.
These initiatives not only strengthened our country’s cybersecurity posture but also earned widespread recognition from industry leaders.
Reflections on Easterly’s Legacy
Casey Ellis, founder and advisor at Bugcrowd, a leader in crowdsourced cybersecurity, praised her overall impact. “Director Easterly did an incredible job during an extremely turbulent period in U.S. cybersecurity history,” he said. “Her willingness to get out front and center and her instincts for marketing the problem have been a core part of driving and improving cybersecurity awareness across a huge variety of domains, ranging from critical infrastructure and the threat posed by nation-states, through to consumer cybersecurity education.”
Others agree. Jason Soroko, Senior Fellow at Sectigo, a provider of comprehensive certificate lifecycle management (CLM), credited her approach to public-private partnerships. “Easterly’s CISA’s proactive initiatives were positive for the buy and sell side of the cybersecurity industry. What could once be seen as a regulatory burden was actually a positive call to arms to do the right thing.”
What Comes Next for CISA?
Easterly’s departure could leave a big void for CISA, particularly as the agency transitions to the Trump administration and determines its next priorities.
Elad Luz, Head of Research at Oasis Security, a provider of Non-Human Identity Management solutions, expects the next administration to continue to bolster national cybersecurity to address evolving threats and maximize resilience against threat actors.
“We anticipate that CISA will continue to play a vital and expanded role in protecting infrastructure, securing the national supply chain, and mitigating emerging cyber threats. The agency’s ongoing efforts will remain essential to ensure the resilience of vital systems and defend against nation-state actors and other sophisticated adversaries.”
Building on CISA’s Legacy for a Secure Future
As CISA begins to navigate this period of transition, the agency stands at a crossroads and could be poised to build on the strong foundation Easterly built during her tenure. The next chapter will require steadfast leadership as well as a commitment to innovation in the face of ever-evolving threats. The resilience of our nation’s most critical systems will depend on CISA’s ability to adapt, collaborate, and lead the way to a more secure digital future.