Mayorkas, Easterly at RSAC Talk AI, Security, and Digital Defense

SAN FRANCISCO -- RSA CONFERENCE -- How are the nation’s tech resources and thought leadership being put to work understanding and fighting threats from bad actors who use AI and other digital attack vectors?

Secretary of Homeland Security Alejandro Mayorkas and, in a separate talk, the Director of the Cybersecurity and Infrastructure Security Agency (CISA) Jen Easterly, shared some insight on such matters from a federal level as the Biden administration continued its time in the spotlight at this year’s RSA Conference with Tuesday’s opening keynotes.

Mayorkas, who recently survived a contentious yet futile Republican-led impeachment campaign for his ouster, discussed “Homeland Security in the Age of Artificial Intelligence” in a fireside chat with Rumman Chowdhury, CEO of Humane Intelligence. Chowdhury is also a member of the Department of Homeland Security’s Artificial Intelligence Safety and Security Board, which had its first meeting on Monday.

The new AI advisory board has more than 20 members that also includes the likes of Sam Altman, CEO of Open AI; Jensen Huang, CEO of NVIDIA; and Arvind Krishna, CEO of IBM. “We’re looking at how to harness AI to advance the security of critical infrastructure as well as how to defend critical infrastructure from the malevolent use of AI,” Mayorkas said during the keynote.

Related:Bruce Schneier: 5 Ways AI Could Shake Up Democracy

While acknowledging the increasingly ubiquitous use of AI in many services across the nation, Mayorkas commented about the advisory board’s conversation of leveraging that technology in cybersecurity. “It’s a very interesting discussion on what the definition of ‘safe’ is,” he said. “For example, most people now when they speak of the civil rights, civil liberties implications, categorize that under the responsible use of AI, but what we heard yesterday was an articulation of the fact that the civil liberties, civil rights implications of AI really are part and parcel of safety.”

Concerns Mayorkas touched on included AI potentially perpetuating implicit bias. He also said the board is focused on practical application of AI and developing guidelines that can have real-life implications.

Rumman Chowdhury, left, listens as Secretary Mayorkas speaks at the RSA Conference. Photo by Joao-Pierre Ruth.

Chowdhury asked how Homeland Security would balance its use of AI with citizens’ right to privacy in the context of implicit bias, especially with parts of the population who are Black, Brown, or low-income and often subjected to elevated surveillance. “What distinguishes our department is we have statutorily created an office of civil rights, civil liberties, and an office of privacy,” Mayorkas said. “That same institutionalization of those interests carries over to the board, which is why we have 40% of the membership is from civil society.”

Related:‘They’re Coming After Us’: RSA Panel Explores CISO Legal Pressure

He took time to praise other federal agencies such as CISA for their work on cybersecurity, as well as the security community as a whole, with international partners as well.

“One of the successes in the international domain is, quite frankly, Ukraine’s ability to prove its resilience,” Mayorkas said. “That is a function of CISA’s work in the international domain … what CISA did domestically in the Shields Up campaign. And so I think it has redefined the cybersecurity community to be a very inclusive one, not just domestically but internationally.”

CISA's Threat Focus

CISA’s leadership, past and present, took the stage after Mayorkas to discuss the need for resilience in the face of ongoing geopolitical conflict that extends into cyberspace.

Easterly, who became the second-ever director of CISA in 2021, with the Washington Post’s Joseph Menn moderating a chat on “A World on Fire: Playing Defense in a Digitized World … and Winning” that also included Chris Krebs, chief intelligence and public policy officer with SentinelOne. Krebs was the prior director of CISA and, on Monday, joined CISA’s Cyber Safety Review Board.

Related:Blinken: US Agencies Will Unify Cyber Approach With ‘Digital Solidarity’

“It seems as if, at least in our lifetimes, that there is some geopolitical conflagration in every corner of the globe,” Krebs said. “The challenge is that unlike even a decade technology, cyber, information operations, disinfo is an integral part to conflict, to military doctrine.”

 He also said that in talking to businesses about such matters, it becomes increasingly clear that business risk and geopolitical risk are intertwined. “You cannot pull them apart,” Krebs said. “And really what it’s manifesting in our three primary risk drivers.”

Easterly discussed some of CISA’s current efforts and areas of focus on the threat landscape, such as ransomware. “It’s become a multibillion-dollar, really trillion-dollar business,” she said. “There’s some estimates that the cost of global cybercrime will exceed $10 trillion by next year.”

Another threat Easterly highlighted, and testified about in January, are Chinese cyber actors -- Volt Typhoon -- which she said are burrowing into US critical infrastructure. “Not for espionage. Not data theft. Not for intellectual property theft, but specifically to launch disruptive and destructive attacks in the event of a major conflict in the Taiwan Straits, which many experts predict will happen in the coming five years,” Easterly said. “And that’s a world where a major war in Asia could well affect the safety and security of livelihoods of Americans here at home through the explosion of pipelines, the pollution of water facilities, the severing of communications, the derailing of transportation.”

CISA Director Jen Easterly at the RSA Conference 2024. Photo by Joao-Pierre S. Ruth

She said the Volt Typhoon threat is tied to China’s clearly stated doctrine to incite societal panic, chaos, and to deter the ability of the US to marshal its military might and citizens. “It really is different in kind from anything that I’ve seen over the past several decades.” Easterly, a retired Army colonel who specialized in military intelligence, has a résumé that includes serving as special assistant to President Obama and senior director for counterterrorism with the National Security Council, as well as time as deputy director for counterterrorism with the National Security Agency.

“We always looked at China, highly resourced and sophisticated, as an espionage threat,” she said. “This is a different threat in kind and it’s why we’re talking so much about resilience and why we're talking about secure by design.”

Easterly went on to explain that what ransomware and Chinese threat actors who infiltrate US critical infrastructures have in common is they largely take advantage of known public flaws and defects.

“Why? Because for 40 plus years, the technology that has been created and now underpins the critical infrastructure that Americans rely on every hour of every day is inherently insecure,” she said. “It was created for speed to market. It was created for cool features. It was not created to put security first, which is why, frankly, we have a multibillion-dollar cybersecurity industry and why we have a cyber security agency because we all use tech that is insecure.”

The Promise of Secure by Design

Easterly said she wants to continue to catalyze the CISA’s Secure by Design effort, which she said is about ensuring that technology manufacturers build, design, test, and deliver tech products that are, first and foremost, secure by design.

Though Secure by Design is a pledge for manufacturers rather than a mandate, Easterly said the principles are needed in the near-term to elevate US cyber defenses, especially as threat actors show no sign of relenting. “We are on a trajectory now where the technology that we’re relying upon is way too important to our daily lives,” she said. “We don’t have time to wait 18 years, but how do we make up for decades and decades of no technology minimum standards for cybersecurity? Well, it has to be a recognition across the entire ecosystem that we need to do this together for the collective defense of the nation, and the good news is we are starting to see real change.”

This is being done in part, Easterly said, through the use of procurement power to demand that technology purchased from manufacturers is as safe and secure as possible. “That’s why we’re using our federal acquisition regulations,” she said. “It’s why we’re using a software attestation form that has to be signed off by CEOs or their designees, and it’s why we've implemented this pledge that’s going to be signed, I think tomorrow, by over 60 technology companies that says ‘We are committed to taking these steps to ensure that the ecosystem is much more secure than it is today.’”