Jeanette Manfra, one of the most senior and experienced U.S. cybersecurity officials, is leaving government after more than a decade in the public sector.
Manfra, who served as assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA), will join the private sector in the New Year. CISA is Homeland Security's dedicated civilian cybersecurity unit set up a year ago to respond to help protect against threats to U.S. critical infrastructure and foreign threats.
In an exclusive interview with TechCrunch, Manfra said it was a "really hard time to leave," but the move will give her successor time to transition into the role ahead of the upcoming 2020 presidential election.
She did not say what her new job will be, only that she will take time off to be with her family in the meantime. She will leave her post at the end of the year.
Cyberscoop first reported her pending departure, citing sources.
Manfra's departure from government will be seen as largely unexpected. At Homeland Security, she has served three presidents and worked on numerous projects to improve relations with the private sector, which are considered crucial partners in defending U.S. cyberspace. She also saw the agency double down on election security, threats to the supply chain and efforts to protect U.S. critical infrastructure (like the power grid and water networks) from nefarious attempts by nation states.
At TechCrunch Disrupt SF this year, Manfra also talked candidly about the ongoing threats to U.S. cybersecurity, including a skills shortage and the risks posed by another global "WannaCry-style" cyberattack, which in 2017 saw thousands of computers infected by file-locking malware, causing billions of dollars' worth of damage.
Manfra joined Homeland Security in 2007 under then-president George W. Bush, half a decade after the department was founded in the wake of the September 11 terrorist attacks. Manfra described the early years as a time when there weren't "a lot of people talking about cybersecurity."
"It definitely was not really on the national stage at the time. It was, you know, there was still a lot of debate as to whether 'cybersecurity' was one word or two words," she said.
But in the years past and as internet access and tech companies continued to grow, she said the U.S. saw several "wake up" calls that brought cybersecurity into the public mainstream. The hack of Sony Pictures in 2016 and the WannaCry global ransomware attack in 2017 were two, and both were blamed on North Korea. Another, she said, was the 2015 data breach of the U.S. Office of Personnel Management (OPM), which saw suspected Chinese hackers steal more than 21 million sensitive background check files of government employees who had sought security clearance.
The department's cybersecurity presence started out as a "very small, frankly relatively unknown group of people," she said. A decade later it had become a major force in managing crises like the OPM attack, a breach that she said helped push government to better prioritize cybersecurity.
"[The OPM breach] forced us to make some changes across the government that've been good," she said.
In the aftermath, the government took steps to bolster its own systems and networks to lower its attack surface by removing Kaspersky from its networks, citing fears about Russian intelligence, and taking the lead rolling out HTTPS website encryption and email security protections across the federal domains — an effort still to this day largely neglected by some of the world's wealthiest companies.
Election security, she said, was another major wake-up call for the government. Russia waged a wide-scale disinformation — or "fake news" — campaign during the 2016 election to sow discord and exploit divisions in communities across the U.S. But there were also fears that hackers could break in and modify the tallies in voting machines, a concern that never came to fruition but one that security experts say remains a threat. Lawmakers have been pushing for the removal of paperless and electronic-only voting machines to reduce the risk of hackers manipulating the votes in favor of a particular candidate.
"In 2016, it was our best judgment that the Russians were looking to undermine confidence," Manfra told TechCrunch. "The public confidence is important, and we need to be thinking within the government about the adversaries' ability and willingness to use those against us," she said.
Manfra said the department knew it had to work closer with state and local election boards to figure out their needs following the 2016 election. "We had a lot of honest conversations with [election boards] about what they need, what do we do, and how can we help," she said. "It's the fastest I've ever seen a sector come together."
Those partnerships with local elections have given Homeland Security unprecedented visibility into the nation's election infrastructure, she said, going from "some coverage" in 2016 to near-absolute insight across the country.
"If we ever did again get technical indicators that an adversary was trying to do something, we would be able to move more quickly and much more expansively across the country," she said.
That effort paid off. Last year's midterm election was remarkably quiet compared to 2016. Both the Justice Department and Homeland Security said there was "no evidence" to support foreign interference during the midterms.
It's that running theme of public-private collaboration that Manfra looked back on with pride. "We don't have all the answers and we can't do it alone." Those partnerships across the industry verticals — from elections to finance, energy and manufacturing — are "crucial to everything that we do," she said.
"It's really easy to say how important it is to have the government and the private sector working together," she said. "But to do it well, it's actually really hard."
Manfra said the government had to be "willing to open itself" to build trust with its partners. "We now have some of the largest companies in the country that we built trusted relationships when they know that they can give us sensitive information — and we can take that and use it to protect other people, but we're not going to abuse that trust," she said.
Speaking of her time at Homeland Security, Manfra said she was most proud of her team. "A lot of them have been with me since we started," she said. "They could be working out in the private sector making a ton of money, but they're dedicating their lives here," she said.
But she said she was "forcing" herself to have no regrets during her time in government.
It's not yet known who will replace Manfra or take on her responsibilities. But her advice for her eventual successor: "Trust your team, trust your partners, and stay focused," she said. "It's such a broad mission. It's easy to lose focus."
- State of the Security Union with Jeanette Manfra (video)
- No one could prevent another ‘WannaCry-style’ attack, says DHS official
- The lack of cybersecurity talent is ‘a national security threat,’ says DHS official
- DHS cyber unit wants to subpoena ISPs to identify vulnerable systems
- Homeland Security has tested a working BlueKeep remote code execution exploit
- How Trump’s government shutdown is harming cyber and national security