[MUSIC PLAYING] Hello, my name is Aastha Verma, and I'm speaking to you today on behalf of the Cybersecurity and Infrastructure Security Agency. I'll be talking to you today about protecting the Homeland from cyber risk, which we all know is a preeminent threat really to our lives. And so it is nice and comforting to know in fact that the government does care about these topics and therefore we as a relatively new agency in the federal space really are focused on trying to help reduce the nation's risk across the public and private sectors, which is a very unique partnership.
I'm going to talk about that a little bit more as we talk about my agency. I'll tell you a little bit about myself. I am a branch chief with my agency. And I'm in a very interesting role with a very interesting branch called Fusion. And Fusion really is the set of support services for all of the different types of assessment activities that CISA does. And so it's a very unique place for me to sit as far as supporting those folks doing their very important work.
But it also gives me a very broad view of the set of challenges that really do exist in cyberspace. And so I try to talk about that in a way that even non-savvy audiences can really grasp some of the challenges with the cyber landscape and where and how CISA is doing its part to try to solve these challenges. I am a classically trained engineer. I went to school for electrical engineering. And I went back to get my master's in systems engineering, so steeped in technology.
But I did not spend my career in the government. This is something I share often in my speaking roles: I'm a late-stage convert to the government. And that's because the mission, especially this mission that this agency has, spoke very loudly to me. Because cyber risk is a universal problem. And it can't just be solved by government. There has to be partnership between the government and the private sector.
We are one of the few agencies that are tackling that frontier. We've been given very specific authorities by the government, by Congress, to do what we do. And that makes it a very unique place for me to be and to do my part to help this cyber risk picture. So very happy to have come on board. The agency itself is quite new. And my role is to help digitally transform the agency towards the future.
And that means, like every other enterprise and every other environment, we have our own set of challenges to try to overcome. And in that process, we take all of those guiding principles that we use to govern ourselves as an agency, and we really make that benefit available to the rest of our constituency to really follow the model, or take our advice and follow many of the guidelines that the agency puts out in an effort to help this space.
So I look forward to speaking to you today about this topic. Let me share a little bit more about the agency. Many of you may or may not have heard of this agency. We like to call ourselves the cyber defense agency of the country, of the nation. And it's often that word defense that trips people up, because they automatically assume we must be part of DOD or on the defense, truly high side, of any kind of data, data activity, or data analytics work.
In fact, that is not the case. We operate not in that defense space. And that's what makes us sort of unique. And we were created only a few years ago, in 2018. CISA was founded to address the nation's growing cyber risk. And we are headquartered out of the DC vicinity. And we today have an annual budget, I think, that's north of $3.5 billion. And we have FTE personnel north of 3,000. We've actually grown quite a lot.
Believe it or not, we've grown a lot during COVID, because the need and the risk didn't disappear during COVID. If anything, it got bigger. And so we as an agency also had to adjust and grow to absorb that risk and to be able to do something about it. We are led today by our illustrious director, Jen Easterly. She is quite a popular figure at the agency, actually.
And if you've heard her at Black Hat or at DEF CON, then you may be quite familiar with her actually solving a Rubik's cube behind her back as she delivers her keynote address and then finishing it by giving you the completed Rubik's cube at the end. It's quite spectacular to watch. And she's done quite a lot to really advance the agency, particularly when it comes to diversity and inclusion, one of the things that I also very passionately care about.
I mentioned this as unique in that we are one of the few public-private partnerships there are. So when we talk about why this is unique, we're uniquely positioned. Because we not only work with the government, and specifically I mean SLTT and FCEB. Those are acronyms; the government's famous for acronyms, so I'll tell you what those are. SLTT stands for state, local, tribal, and territorial, because not everything is a state. And FCEB stands for Federal Civilian Executive Branch.
You don't hear the word defense in there, right? So again, there's a very clear distinction. Our authorities differ from the DOD. And because of that, we are not and should not be interpreted as the Big Brother agency. Sometimes people have a tendency to think that way about government. We are trying to be a different kind of agency. And in doing so, we operate differently perhaps than, as I like to say, your grandfather's agency of old.
So look for some new and novel things that this agency is trying to do in this space. We really gained notoriety during the last election cycle, which just about all Americans and even the global population really was watching with bated breath, right? And as we all saw the challenges occur with that election cycle, CISA had a role to play. And many got to know our former director, Mr. Christopher Krebs, as really putting the stamp on certifying the election as being fair and being valid.
So that elevated the posture of the agency. Of course, elections happen every two years, right? There's one just around the corner. So as you can imagine, CISA's focus on the election space never really goes away. Even though that was what brought us into front center focus for most American households, that is not the only area in which we operate, although every two years, it is certainly one area of focus.
COVID-19 also became a huge area of focus during the two years we were all in lockdown. Because guess what? We all adopted technologies much more than we ever did. Most of our work lives suddenly went from the office to home. And we use a myriad of tools, new tools, tools we've never used before, quite the same way in the same volume. People went from two or three virtual meetings to suddenly 9, 10 virtual meetings a day. So a different kind of lifestyle was created.
And in doing so, we also created risk. And that's where, again, CISA is doing its part to try to contain that risk in all the ways it's possible. I mentioned that I work for a branch called Fusion. And the reason it's interesting is because it is the intersection of all of these areas that you see here: technology, service support, lab environments that you have to tune and adjust and configure for different types of analysts, data, always a big problem to solve, whether it's data quality or data retention. There's many aspects of data.
And then obviously, there is a development component as well. We work with many apps. Many of our users employ new apps or develop their own custom apps. And even those applications often have hidden risks within them. So Fusion, sitting in the nexus of all of that, really got a good understanding of what this environment is and why it is so fractured. So as I like to say, cyber in a nutshell, I like to compare it to the Wild Wild West.
In fact, I've thought about this, and all of the archetypes really do present themselves when you think about the cyber landscape. One of the classes I took was on pen testing, which was fascinating for me, having been a network admin my whole life. I didn't realize I had all the tools I needed to become a hacker. I just didn't have the mindset. So when I took that class, boy, did I learn a lot: that I could still use those relatively old skills I had as a Linux, Unix, and Windows admin and do some nefarious stuff if I really wanted to.
But that learning, that thinking, that mindset taught me a lot. And so I asked my instructor, you know, it feels to me like this whole cyber landscape is like the Wild, Wild West. And he said, as a matter of fact, you're exactly right. We consider the digital age to be the epitome of civilized advancement, with the ability for users to work, play, communicate, and relax just by letting their smartphone connect to the systems and services available around the world.
But the ecosystem underneath all of that advancement is anything but civilized. And the more closely you look at it, the more closely it represents the Wild Wild West. So with that, I took a brief history lesson in where and how cyber risk actually got introduced. It's not like we created this problem today. The problem is we inherited these problems from 30, 40 years ago, back when some of these software platforms and operating systems were built.
They weren't built with the hacker's frame of mind. We were all doing new frontier stuff. It was all in a positive vein. We weren't stopping to think to ourselves, ooh, how is someone going to use this for nefarious purposes? And yet 30, 40 years later, here we are with a somewhat brittle environment that's quite fractured, where you have all sorts of boundary conditions between apps and operating environments.
And we have all sorts of memory problems built into old software, this old software, new software. This ecosystem over time, I like to call it Tetris growth. Because what happens is we pile stuff on top. Sometimes it's buggy and brittle beneath. There are holes and crevices, and when there is an issue, it causes a big collapse. And so part of this is to try to gain control of this fractured environment and talk to a non-savvy user base.
A lot of people are intimidated by the word cybersecurity. Just think about how many syllables are in the word cybersecurity. It's enough to make anyone feel overwhelmed. And then when you start talking the jargon, it gets even more scary, especially for the average citizen at home in front of their computer on a VPN or into their ISP using and downloading all sorts of apps. How do you reach that non-savvy user base? How do you get them to understand where and why they're vulnerable sometimes to that risk?
CISA is taking on that challenge as well, to educate people into changing their behaviors. Because solving the cyber risk sometimes involves changing human behavior, which is one of the hardest things to get done. Another reason why CISA has a particular challenge on its hands is that when we think about infrastructure, when an enterprise thinks about infrastructure, they're thinking about their databases, their servers, their cloud environments, their hybrid environments.
But we have to think about the nation's critical infrastructure. What do I mean by that? I mean all of the things that we as citizens of this country and even those that live here use every single day. I'm talking about the power grid, the railroad systems, the pipelines, airports, shipping ports. And if you can believe it, spaceports. It's true. We are actually constructing a strategy around protecting them, too. Because that's the future.
And what happens is that with each of these interfaces, every single time we introduce a new technology, a new tool, a new way of doing something, we create new fuzzy borders. What do I mean by fuzzy borders? Well, let's see. Everywhere you can use self-service now. Everywhere there's automation now. You have apps for your bank, for your entertainment, for just about everything. Now we're going one step further.
Internet of Things is taking that one step further, where your refrigerator now needs to talk to your dishwasher or your car needs to tell you when it needs an oil change. This hyper-connectivity also creates cyber risk. It creates many more frontiers and borders for that data to transit. And whenever there is a transit border to cross, there's always risk that data could leak. So the Wild Wild West in fact exists. And the way I break it down, you've got cowboys, I call them, or cowgirls.
I typically call them our pen testers, or the ones that are doing ethical hacking to figure out where the risk is; they're monitoring the frontier part of the range, if you will. Of course, you have outlaws and bandits, right? Those are your malicious actors. Now, I found it very interesting during several of the keynotes where folks said the hacker's mindset has also changed in 20, 30, 40 years. It's no longer the vanity glory of breaking into something.
Now, it's down to cold hard cash. How much money can you make by being a cyber criminal? And there's lots of money to be made. And the most recent example, probably the most prominent one that comes to mind is ransomware. So we'll talk about ransomware in a minute. But you've got outlaws and bandits clearly with nefarious intent. And then you have the local sheriffs in the town. And who do I mean? I mean your local IT staff.
Sometimes, the one human or a handful of humans that are trying to fight an army of malicious actors who might be trying to break into their systems at all times, at all hours of the day. So those local sheriffs have their hands full. These are sometimes, often, defenseless IT staff with primitive tools, not enough of the right technologies, nor can they afford those technologies. If you're a small- to medium-sized business, how are you going to pay for some of these very expensive tools and their expensive licensing models to protect your little enterprise?
It's a challenge. CISA is trying to solve that challenge. Then you have wooing and courtship. This is probably my favorite part of this whole analogy. Because the wooing and courtship is real. Social engineering is an example of that wooing and courtship. There are so many examples of people shoulder surfing or tailgating their way in or, worse, getting phished. If you look at the stats, so many, I would say a very large number, probably upwards of 80%, 90%, start with phishing.
Once you get that way in through phishing, the world is your oyster. It'd be great if we could stop them right at that point so that they could never get further, but that requires a change to human behavior. And so again, wooing, courtship, damsels in distress. There are often damsels in distress. I have a great story about how I hacked into the back gates of Windsor Castle once, being a damsel in distress.
I'll tell that story maybe later at the end. Many of you probably watched the Queen's procession, and it really made me think about just vulnerabilities existing in all spaces. The story roughly goes like this. I was waiting outside of the town of Windsor trying to get in to see the castle. It was a Sunday. I sat at the bus stop forever, pacing. There's no bus service on Sundays. I couldn't get in to see the castle. Oh, but the local construction crew saw me waiting there for an hour, and they offered me a lift to the castle in their dump truck.
And I took it. I was all suited up, but I didn't care. I just wanted to get to my destination. And surely I did, except guess what? Those trucks go into the back gates of the castle because they're fixing things in the castle like all things need fixing. And that's where I arrived suited up on a dump truck in the back gates of the castle and had the rare, rare opportunity to see for just a fraction of a second the queen riding on her horse.
And there you have it. I unintentionally got through the back gates to get to the golden assets, the gold mines. In that case, it was a view, just a fraction of a second, of the Queen. But your gold mine could be much, much, much bigger, right? Your data assets, or your highly critical keys to the kingdom, if you will. Those are where those high-stakes rampages occur and those ransomware attacks can happen, and where those trapdoors exist where nefarious actors are trying to get into the back door and then hold you for ransom. And then you've got trains and cargo barreling unevenly down the track.
And that's the infrastructure that's trying to keep up with everything that's happening. So if you look at this problem, you can actually draw analogies to the archetypes. It's kind of fun. And if you're interested, I've included a few little references here so you could take this even further as you try to explain this risk to your own constituency perhaps in a way that they can digest and learn.
So let's talk about ransomware. Because that clearly is the one type of attack that has skyrocketed, and perhaps skyrocketed during COVID more so than other types of attacks, even though we saw so many. We saw SolarWinds and Log4j and Colonial Pipeline. Many of these things made it to the national news. But there are thousands of ransomware incidents that don't make the news because they're not necessarily targeting the big guys.
But they're targeting very significant sectors of our daily lives. In this case, if you look at just some stats here that I've shared, and they're somewhat old now at this point in time, ransomware is a big problem, and look who they went after. They went after health care. During the two COVID years that we were all experiencing a peak in activity around health, those bad actors were targeting that exact community with ransomware. And that's tragic.
And we saw the same thing happen with schools. Schools got attacked with ransomware because they were not seen as the target audience. You would not necessarily assume that schools would be such a ripe place for an attack. And yet they were perfect, sometimes unprepared, for those ransomware attacks. And those attacks hit health care. They hit many forms of many industries. But I mention health care in particular because that's where we all felt it and that's where it hurt the most.
So it's important to pay attention. Why? Because, for example, ransomware causes downtime, up to 21 days of downtime, which for most firms translates directly into money. When you're down, you're either not making money or some part of your critical ops isn't there to serve your audience, and that's a problem. It can take up to a year, 287 days, just to recover. Again, every day that you're recovering from something, you're not advancing your business, a serious problem.
Look at the money. 350 million, that's a low estimate. And that 311% increase, that's an old stat, two years old. I've seen some more recent stats where that number goes as high as 900% or higher. It's unreal. And the payouts themselves, they're not asking small dollars anymore, they're asking big dollars. That amount itself has escalated 171%. They're asking for interesting things like cryptocurrency, which, depending on the market, some days that's a hot ask, and some days, OK, maybe you're just going to have to fork over some real cash.
This is a big problem. And I mention this because what is a company to do? Well first of all for ransomware, thankfully, there are many things you can do. There's lots here on ransomware that I'll share with you in this deck. If you're reading along, you can certainly see the impact it has had globally and where it has really hit us over the course of the last couple of years.
But the key takeaways that I would leave you here with are: cybersecurity is not a choice. You have to do it. Even at the C-suite level, you have to do certain things to prioritize your cyber posture. And of the things I would say, beware of fads. Don't just get the next app or the next piece of software without doing some homework about where it's sourced from. Much of the software that we employ is written perhaps in places we don't want source code to be written.
But we don't know that it's written there. We don't know where the components of software get developed. That's where the SBOM, what's called software build of materials, is taking shape as an initiative. Participate; this is one example of learning from the community. That's why I'm here on behalf of CISA. Because CISA needs to get the word out. Not many people are aware of us. And yet we are an advocate.
We are an advocate for that small- to medium-sized business, for that enterprise that feels like that defenseless IT staff with no one in their corner. We are in your corner. Because there is no NTSB when an incident happens. So you're left to whoever is out there trying to protect you. Sometimes it's cyber insurance folks, who have suddenly become a new industry unto themselves. But what are they regulated by? What is their core standard?
They're operating on their own understanding of this space. So the need for CISA is very much there, and we as an agency are trying to meet that call. So what can you do? What do you do? We as an agency are doing many things. I'm going to talk about that in a minute. But what can you do? You can do a couple of simple things. First, you can patch your systems. Most of these attacks would be prevented if we could simply patch.
Now in some cases, you can't patch. It's not that easy. When it comes to critical infrastructure like those power plants and those nuclear power plants and power grids, sometimes they're running on software that is so structured and specific, you can't just patch it. So what do you do when a risk shows up, when a vulnerability shows up? This is why CISA is so keen to try to build the right sorts of pathways for folks to take action when it's necessary.
Plan for disaster recovery. It's like one of those things no one wants to do because no one wants to think through those bad things happening. And yet if you did, when it does happen, you'll kick into motion. You'll automatically go into what you need to do to survive and to get through that incident. A plan will do you wonders in that moment of panic. CISA is your friend in this regard, right? We can help with many guidelines, steps, best practices.
We have a beautiful initiative called Shields Up. It is directly supported by our champion, Ms. Jen Easterly. And the whole idea is that CISA can offer services to our constituency, not just the government that we serve, but the private sector that we want to build inroads with. We can help them, too, by offering services that are free, free to help them protect themselves. Which are those free services?
There's a whole portfolio of them called cyber hygiene. And the first thing you can do is just simply type in that search term on our website. You'll have probably more than enough information to read for a day or several days. But here's what else you can do. You can send an email to vulnerability@cisa.dhs.gov. You will hear from one of us to get the process started.
Now, let me talk to you a little bit about what cyber hygiene is as a portfolio. I've included some helpful resources here for you all to actually go in and just click the link. It'll take you right to the page on our website where you can learn more. But a bit more about cyber hygiene itself. Cyber hygiene is a portfolio of services. The mission behind this portfolio of services that we make available for free to anyone that wants to sign up for them, our mission, is to lead the national effort to understand, manage, and reduce risk to our cyber and physical infrastructure.
That requires participation. That's why we want companies to participate. And what we make abundantly clear, and what I'm going to make abundantly clear here is that we do not share that data. We do not share that data without your willingness, without your vigilance, and we certainly don't share it across the borders of our authorities. So I want to make that very clear because so many of the private sector companies and outfits are afraid to engage with the government.
So again, I remind folks this is a different kind of agency. We have a different kind of model. We have different kinds of authorities. And our purpose is, in fact, to create those inroads with the private sector. We're uniquely positioned, and that's one reason why Congress, and I believe our funding for the future, is going to be quite secure, because we're the only ones tackling the space in this joint, collaborative way.
So our vision is to try to secure it by doing all sorts of activities around cybersecurity, communications, integrated operations, risk management, and even stakeholder engagement. We offer all sorts of learning opportunities and communication opportunities through our websites and through various programs that we have at the agency. We provide current activity updates, alerts, bulletins, analysis reports. State of the dot gov is one of our popular ones.
But we also provide disclosures, a very important function if and when a vulnerability is found. We disclose it in the correct way so that remediated-- mitigative action can be taken. CISA has many of these services. I encourage you all to look them up, read about them, and then sign up for them. Back to cyber hygiene and the portfolio of services: I'm going to quickly cover why cyber hygiene is important.
When you think about some of the more recent events, there's a list of them here that you can probably look at. But I'll mention a few targets. You all remember Target; the breach is one of the early ones, in 2013. OPM, probably one of the biggest ones that happened right to the government, in 2015. And then along the way, more recently, Equifax had a terrible breach, SolarWinds, Log4j, Colonial Pipeline. And I believe there's even a brand new one we just saw the other day with Uber.
So it is in our daily lives. It is everywhere. And that's why we must protect ourselves. What can you do? Sign up for cyber hygiene, because there are three ways, four ways actually, that we can protect you right off the bat. One, we provide vulnerability scan services. This is our baseline service. What do we do? We go out and we scan your network, with your permission, only the stuff that is publicly exposed.
We will scan for those open ports that shouldn't be open or services that may be exposed or give you a general health check on your environment. The next thing we offer is web app scanning. Now during COVID, web app scanning really took off. Understandably, we're all at home using web apps. So web app scanning is a new service. And it will help to find those accessible websites where there might be bugs or weak configuration where you might get yourself in trouble interacting with a website because it's built wrong.
The third service we offer, very popular, take a guess. Phishing. Phishing campaigns: you can actually run a phishing campaign for your test, for your enterprise, just to see how vulnerable you are. Do the people in your organization really know what to do? Do they understand what a phishing attack is? Do they know how to spot one and how to report one? These are all things that we can help you do. And it'll strengthen you from the inside out.
And then lastly, we have a new service because we're always expanding our services to meet the need. We have a new one called posture and exposure. Posture and exposure came directly out of that work we did for elections. Elections is a space where we had to marry software and hardware. Because it was actual infrastructure, actual systems that were out in these voting centers, and you had to make sure they were all OK.
So this is a unique service that does both, right? It finds the posture weaknesses that you have in a program or an event or any particular set of activities you're engaged in and provides you some actionable reports. You get a report, in the case of cyber hygiene, every Monday. You'll get a report at the end of these other scans. And it's a way for you to know where you stand, what to work on, what to prioritize.
And in the cases of some of those staffs that have a hard time getting funding, it's a way for you to approach your C-levels to say, I need help. I need help to solve these challenges. I need funding. Look at what our report card says. Look at all these areas in red. Help me to solve some of those challenges. So this can be a remarkable tool.
Again, it gives you an overall understanding of your posture. And that can be a powerful way then to engage with CISA in deeper, more intrusive types of assessments, again, ones that you engage with us in. If you desire to have a pen test, a deep pen test that really looks at your entire architecture, we have many other types of services, too, that you can engage in and request. And those services are also free.
There is a tiered system to get to them. That's why I come and I recommend cyber hygiene as your start point because that will give you plenty to start with. And when you have understood what you get out of that set of services, you can then elevate to the next and the next and the next all the way to being as entrenched in a trust relationship with CISA as you care to be. And we certainly want to try to create those trust relationships with the private sector.
So I will leave you here with this slide deck to really understand a little bit more in detail about the services I just spoke about. There's lots of good information available here about web app scanning, exactly what it does and how we help, and phishing, and posture and exposure as well, which will be coming out soon. We've been piloting it for a while. And then I'll end simply by saying email us at vulnerability@cisa.dhs.gov.
If you want, put in the subject line "requesting cyber hygiene services" to start. Those keywords will get you immediately plugged in to our service desk. They will start the process with you. I will set expectations that there is a bit of paperwork transfer that has to happen. That's legalese that is designed to protect you and your data and also indicates what our authorities are, so you know exactly what you're signing up for.
And as I mentioned, we are fully committed to making sure that the data that we secure, that we gather, is correctly managed, maintained, and only made visible to the right audience in the right way. So I hope that eases some of the anxiety folks perhaps have around engaging with government agencies in this space. But I'm here today to try to make that a little bit easier, more palatable.
As I mentioned, we're not your grandpa's agency. We're a very different model, working model. And our intent is to serve this space well. So we look forward to engaging with you in all the ways that we can. We look for you to participate and to engage. And if you have any questions, please do reach out. We are always there to be in your corner. Thank you.
[MUSIC PLAYING]