This agency is tasked with protecting elections from cyber attacks. If Trump wins, it could be in danger

Jen Easterly’s confirmation by the Senate in July 2021 to become director of the Cybersecurity and Infrastructure Security Agency (CISA) was about as smooth as Senate votes get. With a résumé that includes time in the U.S. Army, on both the National Security Council and National Security Agency, and leading Morgan Stanley’s cybersecurity division, Easterly was seen as wholly qualified and appropriately nonpartisan to lead the five-year-old agency and its 3,400 employees as only its second director.

The Senate voted unanimously in her favor, with Mike Gallagher, the Republican congressman from Wisconsin, praising her “incredible” qualifications at the hearing. Following the Senate’s unanimous vote, Homeland Security Secretary Alejandro Mayorkas called her a “brilliant cybersecurity expert.”

Of course, CISA is housed under the Department of Homeland Security, so Mayorkas’s flattery was a foregone conclusion. CISA is tasked with enforcing cybersecurity and protecting American infrastructure across all levels of government. The agency is responsible for keeping some of our most vital systems—power grids, transportation networks, administrative websites, and everything in between—safe from private and nation-state hackers. It is also charged with overseeing the security and integrity of elections. And it’s this area that’s now fueled a somewhat predictable political divide on Capitol Hill, with misinformation—and Easterly—at the center of the controversy.

CISA was, for a time at least, actively monitoring voting-related misinformation on social media, which it deemed a threat to election security, and thus squarely in its purview. Those efforts prompted by-now-familiar accusations of government overreach from a number of prominent Republicans, chief among them Ohio Rep. Jim Jordan, who chairs the House Judiciary Committee. Even now, after CISA had curtailed its misinformation protocol, that suspicion remains, no doubt in large part animated by Donald Trump’s own animosity toward the agency.

At the same time, some Democrats have been pushing for CISA to ramp up its election security efforts, namely by taking a more active role in policing misinformation, particularly on social media platforms. Those competing visions put Easterly in an uncomfortable bind: trying to placate both sides while, in the background, insiders worry that the agency might be totally disempowered and defunded under another Trump presidency.

Easterly, for her part, stresses on a phone call that CISA coordinates with election officials from both parties. “I’m going to spend time with Bob Evnen, Secretary of State of Nebraska; and Paul Pate, Secretary State of Iowa; and Scott Schwab, Secretary of State of Kansas. All Republicans,” she tells Fast Company. “They see this as not a partisan issue; they want to ensure they’re taking advantage of the services and the capabilities that we provide.”

That’s all well and good, but it doesn’t guarantee job security for Easterly, who as CISA director has no fixed terms and can be removed by the president (or the next president) at any time.

“She’ll go play the guitar in a gathering”

She is the daughter of two career bureaucrats: Her father, Noel Koch, was a speechwriter for Richard Nixon and then a deputy assistant secretary of Defense in the Reagan administration where her mother, June Koch, worked as undersecretary for intergovernmental relations in the Housing and Urban Development Department. Before entering public service, Easterly graduated West Point, was a Rhodes scholar at Oxford University, and served 20 years in the Army, including in the intelligence and cyber operations, a gig that included tours of duty in the Balkans, Iraq, and Afghanistan.

Easterly’s previous White House experience includes stints as a special assistant to President Barack Obama for counterterrorism and executive assistant to National Security Advisor Condoleezza Rice. And even with all that, Easterly doesn’t look the part of your typical buttoned-up government employee—given her nose stud, the tattoo on her left wrist representing the Japanese concept of ikigai (“essentially, it translates to the reason you get out of bed in the morning,” she says), and the leather jacket she often sports.

During our conversation, Easterly speaks candidly about her brother Eli’s suicide in 2001. She has become a vocal mental health advocate in the years since, talking openly about the tragedy to colleagues and on social media. “When I talk about my brother’s suicide, people will come up to me, and you’ll hear all these stories,” she tells me. “Everybody has stories of something that has happened to friends or family.”

“She connects with people,” says Hugh Thompson, director of the cybersecurity conference RSAC (where Easterly has spoken several times). “She’ll go and she’ll play the guitar, for example, in a gathering. Why would you do that? It’s to build rapport with people.” Thompson isn’t being metaphorical: Watch the video on the internet and see for yourself.

Her CISA appointment came at a crucial time for the fledgling agency, which was understaffed, overworked, and struggling to effectively monitor federal computer systems and infrastructure in the face of high-profile incidents, starting with the 2020 SolarWinds cyber attack, where hackers compromised thousands of government and private networks globally. The following year’s Colonial Pipeline breach forced the shutdown of a major U.S. fuel pipeline, leading to widespread fuel shortages and disruptions. And being a newer entity didn’t help—many companies didn’t have CISA on speed dial yet, so it wasn’t their first phone call in an emergency. (Colonial Pipeline, for example, rang up the FBI first, and then declined to tell CISA about ransom payments it made to the hackers.)

“Exceptionally collaborative with the private sector”

Now, three-plus years into her directorship, Easterly has earned solid marks from many in the corporate world for righting the ship. “CISA, under Jen Easterly’s leadership, has been exceptionally collaborative with the private sector,” says Amit Yoran, CEO of Tenable, the cybersecurity company behind the software Nessus. “They’re sharing meaningful threat intelligence with their private-sector counterparts, and also encouraging the private sector to work together.”

That encouragement sometimes takes the form of industry conferences, where Easterly is a regular presence, sometimes to her underlings’ chagrin. In 2022, CyberScoop reported that some CISA employees worried that Easterly was over-indexing on her personal brand. Easterly defended her speaking engagements, noting that CISA’s ability to connect with outside organizations requires interface. “People don’t trust institutions, they trust people,” she said in a statement at the time.

Andy Thompson, an offensive tech researcher at CyberArk, is similarly effusive when talking about Easterly’s tenure. “She’s very well-respected in the information security community, regardless of your political leaning,” he says. Yet, outside of that community, her work isn’t all that likely to register. Polling suggests that most Americans know very little about cybersecurity, a dangerous irony since cyberattacks have been rising over the years at a steady clip.

To that end, CISA has initiated flagship projects including its “Secure by Design” campaign, which encourages (but doesn’t mandate) tech companies to promote secure development practices in a bid to tamp down harmful attacks; a “cyber hygiene” scan, which can help organizations identify weak spots in their networks and devices; and a running database of broader network vulnerabilities (called Known Exploited Vulnerabilities, or KEV), for which businesses would be wise to keep an eye out.

These programs have proven quite successful at assisting companies bolster their digital defenses. As Jake Olcott puts it, the world before CISA and its KEV initiative “just looked like a lot of new vulnerabilities.” Olcott, vice president of government affairs at the cyber risk management firm Bitsight, points out that his company has collaborated with CISA in the past to identify new vulnerabilities in industrial control systems because following the agency’s guidelines and red flags requires a good deal of synchronization, with government and free market bodies alike. “We share information research with them about time-sensitive findings,” Olcott adds. “Data can be tough to come by.”

“The IT guy is not fending off Iran”

Even CISA’s election work would seem, for the most part, pretty innocuous. Take last month’s statement, published jointly by CISA, the Federal Bureau of Investigation (FBI), and the Office of the Director of National Intelligence (ODNI), detailing how Iranian hackers had managed to break into Trump’s campaign systems over the summer and send sensitive information to his Democratic opponent (at the time, Joe Biden, whose team by all accounts ignored the outreach). CISA didn’t run the investigation into the Iran hack; that job fell to the FBI. But CISA made sure that the campaigns were as shielded as possible, and aided in messaging news of the breach to the public.

The agency has also conducted, by Easterly’s count, around 1,000 physical security assessments at polling places throughout the U.S., and has performed about 140 simulations with state and local election officials to work through a variety of scenarios (think deepfakes, cyberhacks, and so on).

“There are multiple layers that have been put in place to ensure that election infrastructure is protected,” Easterly says. “The voting systems are tested for accuracy before they’re put into use; there are multiple systems for cybersecurity detection and prevention; there are now physical access controls in place; and there’s extensive ability to do post-election audits.” CISA acts, in other words, as a firewall—no small feat in an era when election interference is practically enshrined in the political process (this is the third straight presidential contest to feature such outside hacking)—but not exactly the flashiest assignment within the executive branch.

When Easterly and I spoke, she mentioned that she’d be flying in a few hours to Idaho to meet with Secretary of State Phil McGrane. “I’m doing a press conference with him,” she said, “being very public about the support that we provide to them.”

I reached out to McGrane, a Republican, to ask what that support entails, exactly. In response, he brings up Custer County, a 4,937-square-mile swath of Central Idaho, home to just 4,200 people. “A little over a year ago, the county clerk was bemoaning that their IT guy had quit,” he says. “The IT guy there is setting up email accounts. He is not fending off Iran.” But there’s no reason a place like Custer County couldn’t be the target of a foreign adversary. Working with CISA, McGrane was able to bring defense systems such as the security-focused software Cloudflare to local government systems.

“When we talk about cybersecurity in terms of any of our critical infrastructure, these are many of the communities,” he says. “And they’re just as vulnerable to attacks.”

Ironically, it’s the person helping the vulnerable who might herself be in a vulnerable position. Just ask Easterly’s predecessor, Chris Krebs.

CISA’s “switchboarding” problem

Easterly’s forerunner was brought on to lead the agency in June 2018. (At that point it was still known as the National Protection and Programs Directorate; the name change to the comparatively less cumbersome “CISA” came a few months later.) “It was the most frustrating job I’ve ever had,” Krebs says on a Zoom call, but also “the most rewarding job I’ve ever had.” Rewarding because ultimately, he says, the 2020 election marked something of a breakthrough in terms of intra-agency coordination. “You hear constantly about turf wars,” he says, referring to government agencies’ reputation for gatekeeping information and various functions. “But by the time we got up and running for 2020, everybody was on the same page.”

Everyone, that is, except the head of the administration. When Trump continued to promote unsubstantiated claims of fraudulent ballots and voting software glitches in the wake of his 2020 loss to Biden, Krebs unleashed a volley of statements and tweets maintaining that the election had, in fact, been totally secure. “On allegations that election systems had been manipulated, 59 election security experts all agree, ‘in every case of which we are aware, these claims either have been unsubstantiated or are technically incoherent,” Krebs posted on Twitter November 17, 2020. Later that day, Trump fired him. (For good measure, Joseph diGenova, a lawyer for the Trump campaign, said Krebs should be “drawn and quartered. Taken out at dawn and shot.”)

But even with Krebs gone, CISA remained a focus on the right, due mostly to CISA’s interactions with social media companies. During the 2020 contest, in an effort to tamp down misinformation that ran rampant the last cycle, the agency alerted social media platforms to state and local election officials’ complaints of misinformation.

This process, known as “switchboarding,” was essentially roped into the broader Republican ire directed toward the FBI after it advised Twitter and Facebook executives to suppress posts involving a New York Post story about a stolen laptop belonging to Biden’s son Hunter. (Though officials said at the time that the story was likely a Russian-linked hoax, news outlets have since authenticated some of the laptop’s contents.) In 2021, CISA went so far as to create its own “Misinformation, Disinformation, and Malinformation” team.

The way the GOP—at least, the national party—saw it, CISA was just another crooked government cog conspiring with Silicon Valley to censor conservative voices. “CISA wasn’t transparent in 2020,” says Adam Goldstein, vice president of strategic initiatives at the nonprofit Foundation for Individual Rights and Expression. Goldstein argues that while the agency issued reports detailing its misinformation effects, they were released months after the fact.

The “nerve center” of the federal government

Since then, the House Judiciary Committee, led by Jordan, has issued a series of reports, one of which cursed CISA as the “nerve center” of the federal government’s social media censorship operations. “CISA exploited its connections with Big Tech and government-funded nonprofits to censor by proxy, in order to circumvent the First Amendment’s prohibition against government-induced censorship,” one 2023 report claims. Such censorship allegedly included false information around election fraud and COVID-19. Earlier this month, Jordan subpoenaed Easterly to testify on whether her office is pressuring technology giants to censor free speech, though no such testimony has been announced.

The agency has since pulled back from communications with Big Tech platforms. Many tech companies, meanwhile, have reneged on their internal misinformation efforts themselves, leaving users with even fewer resources to detect real from doctored news. But the congressional pressure against CISA has continued—thanks mostly to Jordan, who claims the agency is, even now, squeezing tech companies to police election-related speech. What’s more, more than 100 House Republicans voted last year to cut CISA’s budget by 25%, though, fortunately, the measure ultimately failed.

CISA has repeatedly denied allegations of impropriety, saying it acted as an intermediary for social media platforms and didn’t pressure them to censor specific posts. “I don’t think it is fair, and certainly not constitutionally required, to demand that CISA adopt an entirely hands-off approach,” says Alex Abdo, litigation director of the Knight First Amendment Institute at Columbia University, “that it ignore threats to our elections based on vague, speculative allegations around government pressure that crosses the constitutional line.”

Yet Congressional Republicans’ uproar is often at odds with local party members, many of whom say CISA has taken a measured, even deferential, tactic in its communications around election security. “What is happening on a national scale, especially as it relates to foreign actors and maybe malicious individuals inside this country [who] are trying to disrupt the election process, to the extent that [CISA] can share that information with us in a meaningful way, then that is really helpful,” says New Hampshire Secretary of State David Scanlan. “The same thing is true in reverse: If we have an issue that we suddenly find ourselves faced with that is beyond the scope of the State of New Hampshire, and requires some national attention, it’s reassuring to know the agency is there.”

Jordan did not respond to a request for comment. Easterly, when asked to weigh in on Jordan’s ongoing crusade, grows a bit more reserved. “We deal with congressional letters directly with Congress,” she tells me. “But what I will say, emphatically, is that CISA does not and has never censored speech, period. The allegations against the agency are riddled with factual inaccuracies, and that has been recognized by the Supreme Court.” (Easterly is referencing Murthy v. Missouri, a Supreme Court ruling issued earlier this year that determined the government can indeed contact social media platforms to combat what it perceives to be misinformation.)

“It would be stupidity on steroids”

Here’s where things get even trickier: Across the aisle, Easterly is facing calls to reengage the misinformation watchdogging. “You’ve got Americans, sometimes including candidates, saying crazy things, and it’s made it easier for adversaries to spread misinformation,” says Virginia Senator Mark Warner, the Democratic chair of the Senate Intelligence Committee. “An American may have a First Amendment right to say something that’s wrong, but then if the adversaries amplify it, that’s a problem. And the adversaries realize that misinformation, disinformation is cheap and easy and effective.” (Warner adds, “On the integrity of the vote process, [Easterly’s] done a very good job.”)

All of which means that, this time around, Easterly’s biggest election challenge isn’t necessarily identifying the cyber threats; it’s, as RAND Corporation cybersecurity researcher Quentin Hodgson puts it, the “extent to which the American people have confidence in the integrity of elections.”

It’s actually been a while since Trump has spoken publicly about CISA; he’s directed that anger mostly toward his presidential opponent, whom he’s been falsely claiming is rerouting Federal Emergency Management Agency (FEMA) aid to housing undocumented migrants. But there’s mounting concern on the left that Trump might enact vengeance on CISA during a second term, packing the agency with loyalists who would, in turn, slash operations. “It would be stupidity on steroids,” says Warner, “if a future Trump administration said ‘Well, we’re going to try to get rid of this or defang it’ when we are under increasing vulnerabilities in the cybersecurity domain.”

It’s also worth noting that CISA is singled out by the Project 2025 policy blueprint released by the Heritage Foundation, an influential conservative think tank. Following public outcry, Trump has disavowed Project 2025 and has even barred hiring anyone associated with the policy agenda should he win back the White House. Still, the proposal tends to align closely with Trump’s outline for a second term on issues ranging from economics to immigration. So it’s notable that Project 25 recommends moving CISA under the Department of Transportation, rather than DHS—an overhaul that would effectively prevent CISA from doing its job.

But for now, that’s all speculation. In the meantime, CISA is fielding calls from state secretaries across the U.S. and patrolling for the usual vulnerabilities, election-related and otherwise. And Easterly has a simple message for would-be cynics: “If you’re skeptical about the process, be a part of it. Sign up to be a poll worker. Talk to your elected officials.”