April 2024 marks the first anniversary of the Cybersecurity and Infrastructure Security Agency’s Secure by Design initiative. With Secure by Design, CISA aims to work with tech developers to implement security measures early in the software product’s lifecycle to reduce exploitable flaws before they make their way into the end users’ system. The idea is to ensure software technology is secure and safe out of the box, equipped with features like multi-factor authentication.
“Every day, we hear about cyber attacks, and they’re just getting more and more disruptive in ways that impact our safety and our lives. To truly scale, security must be shifted from the end user to the technology manufacturer ⏤ we all want prosperity and well-being, it can be better,” said Lauren Zabierek, senior advisor of the Cybersecurity Division at CISA.
“According to the FBI’s Internet Crime Report, cyber threats are constant in an ever-expanding cyber landscape, costing our nation billions,” Zabierek said. “These attacks are often perpetrated by actors who easily exploit well-known software defects, compounded by their ubiquity or place in the supply chain. Even so, software manufacturers largely haven’t prioritized security in their products because they haven’t had to, because there is no economic incentive or legal reason to do so. The nation must keep up by properly managing threats, reducing risk and vulnerabilities. As we become more globally connected and adopt new technologies, national security becomes a priority.”
For Zabierek, security is safety and freedom. Cyber attacks can impact critical infrastructures, rendering citizens without water or power, if those systems are affected. The idea behind Secure by Design is to prevent that from happening, to make the software that these systems operate on secure enough.
“From a national security perspective, we can design a better experience, not just in cyber, but in all aspects of our lives,” she said.
Zabierek is involved in various projects at CISA, including Secure by Design, but her passion for national security predates her time there. Zabierek is driven by making positive changes in cybersecurity and said national security is about keeping our citizens safe. Her hope is to transform how the nation approaches cybersecurity.
As the oldest of four children, she studied economics and political science at the University of New Hampshire. Her father was a pilot in the U.S. military during her childhood years, and he suggested she try out for an Air Force ROTC scholarship.
“It was great leadership training, and gave me that circle of camaraderie,” she said. It also meant a great job opportunity after college. After the Sept. 11, 2001, attacks, Zabierek decided on the intelligence career field.
She spent 5 years in the U.S. Air Force as an intelligence officer before taking on a consultant role with Deloitte. She quickly realized she wanted to transition back to national security in a civilian role.
“Serving has been really important to me,” she said.
In 2010, Zabierek joined the National Geospatial-Intelligence Agency as an intelligence analyst ⏤ an experience she said was extremely formative for her.
That same year, her younger brother, a U.S. Army ranger, was killed in action in Afghanistan. Zabierek felt a sense of duty to pick up where her brother left off. She deployed three times to Afghanistan, and in turn, helped drive a new method of intelligence analysis and felt what it meant to truly be a part of a greater mission.
“It was a very transformational time,” she said.
During this time, Zabierek was also attending classes at Georgetown University in national security policy in Washington, D.C.
“I was entrenched in this world,” she said.
But in a turn of events, her husband was given a job opportunity in Boston they couldn’t pass up.
“He had supported me throughout my deployment years, it was my turn to support him and let him pursue a great career opportunity,” Zabierek said. “That’s when everything changed.”
She applied for the Harvard Kennedy School, not wanting to waste the time spent at Georgetown, and aiming to change the intelligence community for the better.
She also joined a cybersecurity startup, Recorded Future, as a senior intelligence analyst. Zabierek is grateful that CEO Christopher Ahlberg gave her an opportunity in a field she was just getting started in. It was there she had the sense that “we could do cyber better as a nation” because she knew too well the costs of inaction. This idea drove her through her time as a student at the Kennedy School, to the Belfer Center, and now with CISA.
Transforming the nation’s approach to a resilient cyber landscape is an ambitious goal, but Zabierek remains hopeful. She wrote an article at the Kennedy School for her class called “Making Change When Change is Hard” that argued for maternity leave in the intelligence community to stem attrition and help recruit and retain more women. After graduating, she joined the school’s Belfer Center for Science and International Affairs, where she said she was free to focus on the things she was drawn to.
She wrote about creating an Intelligence Community Innovation Unit to disrupt stale IC policies, of which a version was included in the fiscal 2024 National Defense Authorization Act, as well as two pieces exploring whole-of-nation operational collaboration in cybersecurity and a series focusing on data security and privacy legislation. And while at the Belfer Center, she co-founded the online social media movement, #ShareTheMicInCyber, which garnered over 100 million impressions on the site formerly known as Twitter.
Since joining CISA in January 2023, Zabierek has supported Secure by Design initiatives and established the Cyber Response and Recovery Fund program. Her experiences in government, the U.S. military and beyond, including motherhood, equipped Zabierek for her current role.
“Since I’ve been able to move along this path, I can see how valuable all those different experiences were, and I can draw upon the different networks; the different ideas that I was able to explore in an academic setting; the different experiences between the private sector, academia, government and the U.S. military,” she said.
“I think I have a much broader view of the world; it has given me a really solid foundation to be able to draw from,” she continued. “I am motivated to use my experiences in national security to protect people, and especially our families. Security impacts all aspects of life, but also things like diversity, healthcare and making sure that our kids are educated and taken care of, to me these are all matters of national security because they allow more of us to work towards our best potential.”
It’s why Zabierek also feels passionate about mentorship. She served as a mentor with Girl Security and to many of her former students from the Kennedy School, and established the Recorded Future Women’s Mentorship Initiative. She is a fellow at the National Security Institute at George Mason University, and a fellow at New America where she is an advisor to the #ShareTheMicInCyber fellowship. She hopes to bring diverse ideas and experiences to national security policy.
Secure by Design is just getting started. CISA continues to seek input from the community and encourages manufacturing companies to commit to Secure by Design principles. Additional information is also available via CISA blogs, guidance and the new Secure by Design Alerts series, which ties a cyber attack to a well-known and preventable software defect.
Last year, CISA and its international partners updated their Secure by Design Principles Joint Guide to address challenges related to cyber threats and global security.
“The more we can collaborate and work together, the better our outcomes will be. Cybersecurity is increasingly an economics and policy issue, and not just a technological one,” Zabierek said. That’s why they will continue to raise awareness and encourage “Secure by Demand,” too.
“In my role, I get to have this expansive view of our country as well as the perspective of the end-user. I think about not only the perils that we face but also the potential ⏤ can we make it better?” Zabierek asked. With Secure by Design, she knows the answer is “yes.”