Inside Cybersecurity

Stakeholders see advances in CISA’s plans for JCDC initiative, lingering questions on resources and benefits

By Charlie Mitchell / January 31, 2023

Reactions from industry stakeholders to CISA’s new “planning agenda” for the Joint Cyber Defense Collaborative suggest progress and opportunities for deepening the work of the high-priority program, as well as questions over the adequacy of available resources and a need for greater explanation of the “flowdown benefits” expected for non-JCDC members including smaller entities.

“JCDC continues to enhance processes over time and the creation of a planning agenda is itself a marker of growing maturity,” said Drew Bagley, CrowdStrike vice president and counsel for privacy and cyber policy. “CISA continues to play a unique convening role across industry, and has taken feedback from members about focusing collective efforts on the highest leverage initiatives.”

James Hayes, senior vice president of government affairs at Tenable, said, “The JCDC has shown a desire to move at startup speed rather than government speed, which is key to the success of such an ambitious agenda.”

But Hayes noted, “There is a definite need for Congress to adequately fund the JCDC in order to enable both strategic planning and operational response at the same time.”

CISA last week released the “planning agenda” for the JCDC, focused on “systemic risk, collective cyber response, and high-risk communities” and beginning with efforts aimed at securing open source software and assisting state and local governments and smaller entities.

The plan also singles out industrial control system risks, supply chain security and the energy and water sectors for close attention.

CISA says the plan will “advance cybersecurity and reduce supply chain risk for small and medium critical infrastructure entities through collaboration with remote monitoring and management, managed service providers, and managed security service providers.”

It is intended to “deepen operational collaboration and integration with the Energy Sector, in partnership with the Department of Energy” and “identify approach to enhance security and resilience of edge devices for the water sector,” CISA says.

CISA executive assistant director for cyber Eric Goldstein on Monday told Inside Cybersecurity: “Planning and collaboration efforts executed through JCDC are intended to benefit not only immediate participants but also the broader community, including through our public Cybersecurity Advisories and information shared with trust groups such as Information Sharing and Analysis Centers.”

Goldstein said, “These planning efforts are intended to be conducted serially throughout the fiscal year to incorporate lessons learned and effectively manage resources for participating agencies and private sector representatives.”

Several industry members of JCDC said the plan sets a workable framework for pushing the JCDC -- first launched in 2021 -- into its next phase.

Tenable’s Hayes commented, “The JCDC has been aggressive in its attempts to proactively align its activities with the private sector in order to improve cyber best practices, and the plans to engage on ICS/OT security issues in 2023 to go beyond operational response are certainly worthwhile. It will be important to bring in stakeholders from the critical infrastructure sector to engage in such initiatives.”

CrowdStrike’s Bagley said, “The slate of priorities outlined in the 2023 planning agenda focus on a few key strategic problems, and should serve as an ordering principle for JCDC engagements over the coming year. We look forward to partnering to help those entities most at risk.”

But other stakeholders from the cybersecurity community said the plan still leaves questions.

“There are some good ideas, however I am not sure how you settle on specifically helping two critical infrastructures -- electrical and water -- and not the others,” said one national security leader.

This source said, “There’s also no real discussion about how they build a collaborative information exchange system,” which would be essential to achieving the “flowdown” benefits that CISA’s Goldstein has said will benefit stakeholders across industry sectors.

“There’s a disconnect between the composition of the current JCDC -- the largest global entities -- and interest in planning in the small business area,” said a critical infrastructure source. “Also, it’s not clear to me how this planning agenda aligns with a host of other cyber planning efforts across other agencies.”

The source said, “I question whether CISA has the resources to expand the scope of their mission and the exclusivity of the current membership.”

A water industry source said that despite the planned focus on the sector, JCDC hasn’t engaged directly with the water community.

“The value of the collaborative process has merits if it expediates transmission of actionable information to those entities not directly involved, but the applicability of the JCDC to our sector has never been discussed directly with the sector,” the source said.

The source added, “I’m not sure any water systems would have the manpower to support direct participation in the JCDC. I suspect the total cyber budget of finance sector alone would dwarf the total annual budget for a large number of water systems in America.”

But a CISA official told Inside Cybersecurity, “JCDC has held productive conversations both with water entities and with technology vendors serving this community, and we’re eager for this planning effort to benefit under-resourced water entities across the country regardless of their ability to participate.”

The official said, “The JCDC planning agenda is the U.S. government’s principal effort to bring together government and industry around specific risks of significant importance to the nation’s cyber risk.” -- Charlie Mitchell (cmitchell@iwpnews.com)