Jen Easterly, Director of the US Cybersecurity and Infrastructure Security Agency (CISA), has warned of escalating cyber threats to critical infrastructure and urged immediate action to strengthen national resilience. A former intelligence officer and military official appointed by the Biden administration in 2021, Easterly emphasized that effective defense requires close cooperation with private industry and international partners as state-sponsored cyber activity intensifies.

Recent disclosures about Chinese cyber operations—reported under names such as “Volt Typhoon,” “Flax Typhoon,” and “Salt Typhoon”—have highlighted the threat posed by pre-positioned access to destructive capabilities within vital sectors. Easterly said these campaigns reveal an intent to embed footholds in networks that support water, transportation, power, and telecommunications infrastructure.
She warned that these discoveries likely represent only a fraction of the activity underway. “We do think that’s the tip of the iceberg,” Easterly said, noting that many actors have gone dormant or dark after publicity, complicating detection and response efforts.
Critical infrastructure at risk
Easterly explained that Chinese cyber actors are strategically preparing options to disrupt or destroy services that underpin daily life, linking those efforts to Beijing’s ambitions regarding Taiwan. She said analysts expect actions toward reunification—whether diplomatic or military—could occur within the coming years, and that adversaries are positioning to exploit any resulting crisis.
“There are moves afoot by the PRC to be able to hold our critical infrastructure at risk,” she said, distinguishing between espionage campaigns and operations designed to cause large-scale disruption. Easterly cautioned that a major crisis in the Taiwan Strait could trigger “massive disruptions here in the US,” intended to paralyze societal functions and hinder government and military responses.
Given that full prevention of every cyber incident is unrealistic, she said the nation must shift its priorities from pure prevention toward resilience: preparing systems and people to respond and recover rapidly when attacks occur. “It’s not about preventing every cyber attack,” she said. “It’s about architecting our systems, training and exercising our people, and designing for rapid response and recovery.”
To operationalize that approach, Easterly outlined three core lines of effort: denial, resilience, and punishment. CISA’s Joint Cyber Defense Collaborative (JCDC) is focused on strengthening public-private collaboration and improving visibility, detection, and eradication capabilities across federal and critical infrastructure networks.
Deterrence and punishment
Asked why deterrence has not fully stopped state-sponsored cyber aggression, Easterly drew on her experience helping to stand up US Cyber Command. She argued that norms-based approaches have limits and called for an integrated mix of defensive measures and credible offensive options.
“You’re left with deterrence by denial and resilience,” she said, underscoring the need to reduce network risk so adversaries cannot achieve their objectives. At the same time, she stressed that the US must be able to use the full range of government tools—including military and offensive capabilities—to impose meaningful consequences on those who threaten critical infrastructure.
Easterly framed CISA as the nation’s civilian cyber defense agency and described ongoing efforts to expand its proactive capabilities. She credited recent growth in CISA’s authorities to provisions in the National Defense Authorization Act (NDAA), which granted the agency enhanced threat-hunting powers, red team authorities, and joint operational responsibilities.
She also highlighted CISA’s “Secure Our World” campaign as a public-facing effort to normalize basic cyber hygiene—simple, everyday practices she likened to “washing your hands and brushing your teeth.” Despite progress, Easterly acknowledged that CISA remains much smaller than agencies like the FBI or the Department of Defense and said continued growth is necessary to meet the threat.
Recruiting and retaining top cybersecurity talent remains a persistent challenge given higher private-sector salaries. Under Easterly’s leadership, CISA has used specialized hiring authorities to attract skilled staff committed to public service, but she emphasized more investment is needed to maintain and expand the workforce.
Addressing regulatory and sectoral gaps
Easterly criticized overlapping and sometimes conflicting reporting requirements across federal regulators, such as the Securities and Exchange Commission (SEC) and CISA, which can confuse operators of critical infrastructure. She urged harmonization of regulatory frameworks with an emphasis on simplicity and usability so operators can more effectively reduce operational risk.
She stressed the importance of supporting less-resourced sectors—such as water utilities and rural hospitals—that are attractive targets because of limited cybersecurity budgets and expertise. Easterly called for continued resourcing of Sector Risk Management Agencies (SRMAs) and targeted grant programs to help these sectors build defenses without duplicating capabilities CISA provides.
“The government needs to continue to resource those SRMAs to enable them to work with their sectors to reduce risk,” she said, noting SRMAs bring essential sector-specific knowledge even when they do not replicate national incident response teams or red team functions.
Adversaries thwarted
Easterly praised the coordinated response across federal, state, and local partners during recent elections, crediting a strong community of officials, vendors, and information-sharing organizations for countering foreign influence operations from Russia, China, and Iran. She noted that while some campaigns incorporated synthetic media and tools amplified by artificial intelligence, most stemmed from traditional capabilities of sophisticated adversary actors.
International cooperation has been critical to quickly identifying and attributing campaigns such as Salt Typhoon, she said, pointing to seamless collaboration among CISA, the FBI, private firms, and allied partners as a force multiplier in incident response.
Looking ahead, Easterly reiterated the urgency of securing future systems today while continuing to attract talent who can be tempted by significantly higher private-sector compensation. “Continuing to hire and retain talent that could be making a hell of a lot more money in the private sector will be key to enabling us to grow and have an impact on driving down risk to the American people,” she concluded.