The CISA-led Joint Cyber Defense Collaborative has significantly improved government and industry’s “shared understanding” of the threat environment, according to three prominent JCDC partners from the cybersecurity and tech sectors, and has gotten off to a strong start in providing a model for collaboration in securing critical infrastructure.
Tenable CEO Amit Yoran told Inside Cybersecurity that JCDC is “moving at startup speed, not government speed,” and can already show a “positive track record after a year-and-a-half.”
“The key to success is balancing things that are important to CISA and the government with things of value to industry and the security community. CISA has established itself as a value-added organization,” Yoran said, pointing to JCDC collaborations and the sharing of tools such as the “Known Exploited Vulnerabilities Catalog” and security alerts for industrial control systems.
Amit Yoran, CEO, Tenable
Those tools are pushed out to the broader cybersecurity community but are informed by the type of collaboration encouraged under JCDC, he said.
“Things are moving in the right direction and we’ve learned a lot of lessons” since the launch of JCDC in August 2021, said Adam Meyers, CrowdStrike’s senior vice president of intelligence. At the beginning, Meyers said, “we found we needed a faster cadence – and they set up a platform in a day.”
The JCDC is “giving government an environment to work with industry on responsibilities and roles,” he said.
But Meyers warned, “This is not a magic ‘Super Friends Club.’ These are hard problems that require collaboration. JCDC provides an environment to do that.”
Alex Tosheff, chief security officer at VMware, said, “The JCDC has laid critical groundwork by operationalizing and facilitating public-private partnership at an unprecedented level, and CISA as a whole has been remarkably proactive about addressing difficult challenges head on, like attracting cybersecurity talent at a time when even corporate entities are facing a critical shortage of those skills.”
CISA executive assistant director for cyber Eric Goldstein, in an interview last week, told Inside Cybersecurity that the agency “in the coming weeks” will release a planning agenda for the next phase of the JCDC. Goldstein said the agenda will be based on “persistent collaboration and proactive planning.”
The initiative has encountered some criticism from stakeholders, as well as agitation from non-participants who say they feel excluded from the centerpiece program flagged as a top priority by CISA Director Jen Easterly.
A source from one participating company said JCDC “has a lot of potential, it’s still new, and now CISA needs to figure out where to go next with it. They need to define and execute on the next stage of JCDC. Those of us in JCDC want to participate but we need to get more out of it.”
Goldstein explained that the “rigorous” planning agenda coming out soon will “catalogue” steps needed to stay ahead of cyber threats and will require “sustained effort and attention among stakeholders and from CISA itself.”
CrowdStrike’s Meyers said the model being constructed at JCDC “is critical to bringing industry into the fold. Industry is the point of the sword when it comes to most critical infrastructure,” he said, pointing to what he characterized as initial successes for the body in the responses to Log4j, the Ukraine crisis and ensuring the security of the midterm elections.
“We continue to build the right cadence and rhythm, and we’re not constantly getting spun up by events,” Meyers said, while acknowledging that there has been criticism from some in industry.
“I think there may have been mismanaged expectations from industry,” he said. “Government doesn’t have ‘The Truth’ about UFOs or whatever. We in industry have a lot of the information that we’re talking about, more than we think, sometimes. … Right now it’s really about helping industry understand the role of JCDC and get people to the table.”
Meyers said, “When the government says there is a critical vulnerability, we work together to bring visibility to a problem.”
Tenable leader Yoran said “no government or cyber program is going to be perfect. There will be criticism but you learn from it and don’t let it get in the way of progress.”
He said, “JCDC is a foundational step for government and CISA. There’s broad participation from the well-known critical infrastructure companies but also from the deep-dive security companies. We’re starting to operationalize and coordinate that community. This is a meaningful step forward.”
“It’s a big endeavor,” Yoran said, “but there’s a phenomenal leadership team at CISA and they are very collaborative in their approach. They are innovating rapidly.”
Yoran offered one suggestion as CISA considers next steps and possible growth for the JCDC: “I hope they move to a model like the Financial Services ISAC uses, with concentric circles of inclusion, and within that, communities of interest.”
This could help ensure that the JCDC is an inclusive structure but avoid “opening the floodgates” in a way that would affect “operational tempo,” he said.
VMware’s Tosheff said, “Having worked within the JCDC for more than a year and a half, I can say there is tangible value in the wider lens it brings to both [the tech and security] sectors, particularly in a crisis situation. Instead of looking back, we should continue moving forward, addressing the imperfections as we go, to build a collaborative public-private model for protecting the critical infrastructures on which business, government and human lives depend.” – Charlie Mitchell (cmitchell@iwpnews.com)