Inside Cybersecurity

Rep. Langevin plans to push for Joint Collaborative Environment legislation to accelerate JCDC efforts

By Sara Friedman / March 31, 2022

Pushing through legislation to establish the Joint Collaborative Environment at CISA is a top priority for Rep. Jim Langevin (D-RI), a leading voice for cyber policy on Capitol Hill, who says the new structure will accelerate information sharing between government and industry and build upon the Joint Cyber Defense Collaborative work already underway at the cyber agency.

Langevin said he wants to get the JCE “across the finish line because it would create common operating tools for U.S. intelligence agencies and private sector critical infrastructure to share information in real time and help each side understand context of the information they are seeing.”

“It’s one thing that is lacking right now, the common operating tools for sharing and analyzing the data and threats we see. The JCE would change that and I’m excited about the prospects of getting that past the finish line,” Langevin said on Wednesday. The congressman will be retiring at the end of the year.

The creation of the JCE is a recommendation from the Cyberspace Solarium Commission, which has achieved some major legislative wins over the past two years including the creation of the National Cyber Director, establishing the Joint Cyber Planning Office which was turned into the JCDC by CISA Director Jen Easterly, and mandating continuity of economy planning.

Langevin identified codifying systemically important critical infrastructure as another proposal from the Solarium Commission that he wants to see passed in Congress this year. He spoke at a U.S. Chamber of Commerce event on Wednesday about the Cyberspace Solarium Commission’s work and ongoing challenges.

Christopher Roberti, senior vice president for cyber at the Chamber, said his group supports the creation of the JCE during a conversation with Langevin.

Roberti said, “We’ve talked with a lot of government agencies. There seems to be a lot of agreement that there’s opportunity for engagement in this area for critical infrastructure entities to maybe be able to convey to the intelligence community what would be important to know if the IC came across information about certain threats.”

However, Roberti noted, “There seems to be a little bit of resistance there,” asking Langevin for suggestions on how to get the legislation “over the hump” because the Chamber thinks “it’s an important component” for collaboration.

On the JCDC, Langevin said it is “very important” because “it will better facilitate government and private sector working closely together and that’s where I think the joint collaborative environment fits in very well with JCDC. An opportunity for private sector and government to work more closely together, paying dividends for the private sector, our partners who I believe should include the owners and operators of systemically important critical infrastructure.”

Roberti also pushed for harmonization on cyber incident reporting rules following the Securities and Exchange Commission’s latest proposal to establish requirements for publicly traded companies to report incidents within four days to the SEC. He addressed the proposed rule in the context of the new cyber incident reporting law which establishes a mandatory reporting regime under CISA for critical infrastructure owners.

“When we look at the SEC rule, it seems to us that Congress has spoken and used things like confidentiality and liability protection as a means to foster a virtuous circle of reporting and action,” Roberti said. “The confidentiality piece also allows government to take action on information quickly and maybe warn other entities in that industry or other industries of potential impending or in-process attacks.”

Roberti said the four-day window and public disclosure policy could “upend the intent of Congress and may be moving in a different direction.”

Langevin responded, “We definitely want to harmonize what Congress is thinking and what the SEC is working on and taking action. Congress has already made it clear that substantially similar reporting requirements should in fact be streamlined. That’s a major reason why the legislation was drafted this way. The intent is not to create another reporting burden for covered entities on top of their existing regulations.”

The law creates a Cyber Incident Reporting Council, which Langevin said will “coordinate, deconflict and harmonize reporting requirements including those issued through regulations.” He said CISA will “determine the parameters of a covered incident” and he expects regulators to work together to “proactively identify opportunities to streamline the reporting process and establish interagency agreements and streamline information sharing pathways.”

Langevin said those pathways will “need to be clearly communicated of course to covered entities. And the goal should be to avoid a rollout where covered entities are not sure, for example, where they should be talking into in case of a breach.”

Evaluating Solarium Commission progress

At the end of 2021, the Solarium Commission wrapped up its activities as an entity authorized by Congress and transitioned into a non-profit organization under the Center for Cyber and Technology Innovation at the Foundation for Defense of Democracies.

Mark Montgomery served as executive director of the commission in its first iteration and currently leads the non-profit organization. He evaluated Solarium’s progress in a separate discussion with Roberti at the Chamber event.

Montgomery noted that it usually takes two years for legislative changes to make an “impact” on federal policy and identified four policy changes from the fiscal 2021 National Defense Authorization Act that are works in progress, starting with the creation of the Office of the National Cyber Director.

The commission is keeping an eye on the force structure assessment of the Cyber Mission Force at the Defense Department, codification of Sector Risk Management Agencies and implementing continuity of economy planning.

Congress mandated continuity of economy planning to be completed in two years, but Montgomery said the government hasn’t done much to get the initiative in place 15 months later.

Solarium co-chairs Sen. Angus King (I-ME) and Rep. Mike Gallagher (R-WI) sent a letter in December to President Biden expressing concern over the lack of progress and urging him to “consider explicitly placing responsibility for coordination on this issue with the Department of Homeland Security (DHS) and its Cybersecurity and Infrastructure Security Agency (CISA).”

The Chamber event also featured National Cyber Director Chris Inglis, Frank Cilluffo of the McCrary Institute for Cyber and Critical Infrastructure Security, JP Morgan Chase’s Ben Flatgard, Robert Morgus of Berkshire Hathaway Energy and a former Solarium staffer, and the Chamber’s Vincent Voci. -- Sara Friedman (sfriedman@iwpnews.com)