Inside Cybersecurity

May 4, 2024

Solarium leaders outline vision for next steps to extend impact of CISA collaboration hub

By Sara Friedman / August 11, 2021

Rep. Jim Langevin (D-RI) and Mark Montgomery, leaders on the Cyberspace Solarium Commission, have proposed several measures CISA can take to ensure its Joint Cyber Defense Collaborative is effective and develop a “whole-of-nation response” to strengthening U.S. cybersecurity.

The Cybersecurity and Infrastructure Security Agency announced the creation of the JCDC last week. The new collaboration hub brings together agencies and industry to develop “cyber defense operations plans” through partnerships that aim to “drive down risk before an incident and to unify defensive actions should an incident occur,” according to the agency.

“The JCDC represents a further evolution of the government’s drive to operationalize collaboration with the private sector, one of the six pillars of the Cyberspace Solarium Commission report we helped craft,” Langevin and Montgomery wrote in a blog post on Lawfare last week. “The creation of this collaborative is also a crucial step in fulfilling the mandates in the National Defense Authorization Act for Fiscal Year 2021 (NDAA) for the creation of a Joint Cyber Planning Office (JCPO) and the design of an Integrated Cybersecurity Center.”

Rep. Jim Langevin (D-RI)

They write, “However, we commend [CISA Director Jen] Easterly for going beyond the framework in the commission report and laying out a vision for integrating these elements within CISA. Strengthening CISA is vital to our strategic vision for securing the U.S. in cyberspace, and the JCDC announcement has the potential to be hugely consequential for CISA’s future. As we track the stand-up of the JCDC, there are three parts fundamental to its success: planning, operations and information fusion.”

Langevin is a commission member and cyber policy leader on Capitol Hill. Montgomery is senior advisor to the commission and senior director for the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies.

Langevin and Montgomery write, “First, the JCDC should develop and maintain cyber planning and exercising capabilities. This must be an integral part of the collaborative -- successfully defending the United States against malicious cyber incidents will require the federal government to be able to mount its own coordinated defensive campaigns that includes integration between the public and private sectors. Effective cyber planning and exercising ensures that the government can utilize the full range of tools it has available for cyber defensive purposes.”

Their second priority is for the JCDC to “have the ability to integrate public- and private-sector cyber defense operations as well as operations within the federal government. Without effective, meaningful cooperation between federal government entities, defensive cybersecurity measures will continue to lag the threat and the federal government will fall short of being a mature operational partner for the private sector. CISA is currently a key component in coordinating cyber defense operations between the federal government and the private sector, but the ability to conduct fully integrated cybersecurity operations with federal and nonfederal partners remains immature. In particular, while there have been ad hoc working groups that have conducted public-private operations, these efforts have not been institutionalized.”

Mark Montgomery, Senior Advisor, Cyberspace Solarium Commission

The fiscal 2021 NDAA directs the Department of Homeland Security “to submit a plan to Congress to better improve the coordination of federal cybersecurity efforts within an integrated cybersecurity center,” Langevin and Montgomery write. “This report is due in January 2022. Based on Easterly’s vision, we believe the JCDC should serve as a venue for integrated operations within the federal government and as the lead federal cyber center for cybersecurity operations.”

Their last recommendation is for CISA to stand up a Joint Collaborative Environment under the JCDC. The JCE would function as “an information-sharing environment with a common toolset that would integrate the federal government’s unclassified and classified cyber threat information, malware forensics, and data related to cybersecurity risks, and would enable real-time public-private collaborative analysis,” according to Langevin and Montgomery.

The creation of the JCE is a key recommendation from the Solarium Commission’s March 2020 report.

They write, “The JCDC is the perfect venue to house the JCE and chair its governance board. If the collaborative is to be successful, it must emphasize the importance of having a steady stream of analytics to inform public and private actions to defend critical infrastructure.”

Langevin and Montgomery also provide ways the JCDC can help with CISA’s deliverables to Congress mandated by the fiscal 2021 NDAA.

They write, “First, the JCDC should take responsibility, in coordination with CISA’s National Risk Management Center and the Office of the National Cyber Director, for the Continuity of Economy planning required by the NDAA. Section 9603 of the NDAA requires the president to develop and submit a plan to Congress in the next year and a half for ensuring the reliable functioning of key economic assets and sectors in the event of a significant incident that might debilitate the United States, including a cyber incident.”

The JCDC should also contribute to a required CISA report on the “need for an Integrated Cyber Center,” and DHS “should then task the JCDC with fulfilling the function of an Integrated Cyber Center within CISA,” Langevin and Montgomery write.

Lastly, they say, “Congress must work to establish the JCE in law, empowering it to serve a critical function fusing the cyber information picture. CISA can get a head start by helping to unify federal civilian government efforts to fuse cyber threat information both within the federal government and between the public and private sectors.” -- Sara Friedman (sfriedman@iwpnews.com)