CISA Dir. Jen Easterly to step down Jan. 20: Security community reacts

Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly will resign on Inauguration Day, Jan. 20, 2025, the agency confirmed this week.

Easterly will be stepping down along with all other CISA staff appointed by President Joe Biden, including Deputy Director Nitin Natarajan, as former President and now-President Elect Donald Trump is sworn in a second time.

The agency’s second director since it was established in 2018, Easterly was appointed in July 2021 after first CISA Director Chris Krebs was fired by Trump on Nov. 17, 2020, for rejecting the then-president’s claims of election fraud.

Easterly previously served in the U.S. Army for 20 years and helped establish the United States Cyber Command (USCYBERCOM) in 2009. She also served as National Security Agency (NSA) deputy director for counterterrorism from May 2011 to October 2013, and as senior director for counterterrorism on the National Security Council (NSC) from October 2013 to February 2016 before spending four and a half years in the private sector as a cybersecurity leader at Morgan Stanley.

During her time at CISA, Easterly has been known for her championing of strong public-private partnerships between CISA, tech companies and critical infrastructure sectors, including through CISA’s promotion of the Secure by Design initiative and pledge.

“Jen Easterly is leaving behind a remarkable legacy at CISA. Her leadership, collaboration with technology vendors, and the Secure by Design Pledge initiative have inspired around 70 software companies to prioritize security,” Dave Brown, head of security and compliance at Andesite, told SC Media.

Easterly also oversaw the establishment of the Known Exploited Vulnerabilities (KEV) catalog in November 2021, responses to major cyber incidents like the May 2021 ransomware attack on Colonial Pipeline and December 2021 exploitation of the Apache Log4j vulnerability, and more recently has helped address the growing need to prepare for quantum computing and artificial intelligence (AI) driven threats and security risks.

In the lead up to the 2024 election, assured the public that election infrastructure has “never been more secure,” while also warning about the risks of foreign influence operations and disinformation campaigns.

“Director Easterly did an incredible job in the middle of an extremely turbulent period in US cybersecurity history. Her willingness to get out front-and-center and her instincts for ‘marketing the problem’ have been a core part of driving and improving cybersecurity awareness across a huge variety of domains, ranging from critical infrastructure and the threat posed by nation-states, through to consumer cybersecurity education,” Bugcrowd Founder and Advisor Casey Ellis told SC Media. “She has consistently been a huge champion of the good-faith hacker community as a part of the solution to cyber resilience.”

Easterly was also lauded as an inspiration for women in the cybersecurity field in several tributes posted on social media in response to the news of her impending resignation.

“Jen is someone I so look up to, and who has inspired me to reach for the next level in my cybersecurity career. So appreciative for not only what she has done for security for DHS, but for women in the industry as well. What a phenomenal role model,” LogRhythm Solutions Engineer Gabrielle Hempel said in a post on X.

What’s next after Easterly’s departure?

Easterly’s plans after her departure from CISA, as well as who her successor may be, are unclear, although POLITICO has reported that Ohio Secretary of State Frank LaRose is a potential candidate, citing sources close to LaRose.

 “It would be difficult to predict how a change in leadership, specifically the departure of such an impactful leader like Easterly, will impact CISA in the near or long term. However, I feel confident that if CISA remains committed to consistent partnership with technology and security software companies, collective efforts to protect U.S. critical infrastructure will continue to move in a positive direction,” said Brown. “Cybersecurity is a team sport, and it is imperative for the industry to build trust and transparency in both directions.”

The Department of Homeland Security (DHS), which oversees CISA, will also come under new leadership come 2025, with Trump having nominated South Dakota Gov. Kristi Noem to replace Alejandro Mayorkas as DHS secretary. Additionally, the Senate Homeland Security and Governmental Affairs Committee, which has jurisdiction over CISA, will be helmed by Sen. Rand Paul (R-Ky.) during the next Congress.

Paul has previously accused CISA of censoring conservatives during its efforts to counter online disinformation in the lead-up to the 2020 presidential election, and told POLITICO last week that he would like to eliminate the agency, or “at the very least, eliminate their ability to censor content online.”

However, Paul would need the necessary support from other legislators to drive forward any effort to shutter the agency, which Paul himself admitted was “unlikely.”

Members of the security community say they hope CISA will continue Easterly’s positive work in engaging the private sector to strengthen the nation’s cyber defenses through initiatives like Secure by Design, Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) regulations and the vulnerability reporting requirements of Binding Operational Directive (BOD) 20-01.

“Cyber defense is a constantly evolving game of cat-and-mouse, and these initiatives have had a material and measurable impact,” said Ellis.

“It’s too early to tell, especially with all of the leadership shifts happening at the moment, but I expect that once the cutover takes place the Trump administration will review the core initiatives, potentially add or make a few cuts, and the department will otherwise be left to get back to work,” Ellis added.

Jason Soroko, senior fellow at Sectigo, noted that one of Easterly’s strengths was shifting the perspective on initiatives like Secure by Design, which became “a positive call to arms to do the right thing” rather than a “regulatory burden.”

“CISA should continue its work and look at initiatives to promote more public-private partnerships as well as look at what it can do to promote a strong cybersecurity workforce,” Soroko said.