The first collaborative cyber planning agenda from the Cybersecurity and Infrastructure Security Agency's Joint Cyber Defense Collaborative (JCDC) brings key federal and private sector partners together to focus on managing and preventing persistent cyber threats, such as those arising from supply chain risk and open-source software.
JCDC, one of CISA's most transformative initiatives, provides CISA with a unique capability to create a trustworthy circle of agencies and industry partners to understand the cyber threat landscape, recognize the changes in cyber trends, share information and take collaborative action before and when a cyber incident occurs.
The JCDC 2023 planning agenda will primarily focus on addressing three key areas: collective cyber response, systemic or concentrated risk, and high-risk communities.
Collective Cyber Response
In 2023, JCDC will work on updating the National Cyber Incident Response Plan, which has not been changed since 2016. The updated version will include lessons learned since the plan's initial release. It will also articulate specific roles for private sector partners in organizing and executing national incident response activity in ways that match JCDC's collaborative nature.
"The current version says a lot about federal roles and responsibilities, but it doesn't say a ton about the role of private industry," Seth McKinnis, chief of future plans for the JCDC, told GovCIO Media & Research in an interview. "I think this is a real opportunity to really reflect our focus around key industry collaboration that will help clarify industry's role in a significant cyber incident."
While McKinnis did not identify the stakeholders involved in the initiative, he wants to see extensive collaboration between industry and government.
"The normal set of folks from the interagency side certainly would be heavily involved in this effort, as well as those, you know, industry partners who I think would be really critical to plug into the National Cyber Incident Response," McKinnis said.
While all organizations are at risk of cyberattacks, adversaries and malicious actors target specific parts of the ecosystem to achieve a more widespread impact.
In 2023, JCDC is bringing federal government and private industry partners together to understand and prevent risks posed by open-source software, specifically in industrial control systems.
"You have kind of that entire spectrum," McKinnis said. "So how do we understand open-source software used in industrial control systems, and then ultimately move to work with the right players to move components of open-source software up that maturity spectrum to … be more responsive to vulnerabilities, be more secure in its implementation?"
Many small- and medium-sized businesses, including critical infrastructure entities, rely on providers such as remote monitoring and management (RMM) vendors, managed service providers (MSPs), and managed security service providers (MSSPs) to help manage and monitor their IT systems.
"The overwhelming majority of those managed service providers are also, you know, small and medium businesses themselves, and in many cases, those managed service providers could use more resources to be able to defend against or recover from cyber attacks," McKinnis said. "And by working with those RMM, MSP vendors, we're really hoping to be able to improve the cybersecurity posture of MSPs at scale."
When it comes to the water sector, JCDC will identify the risk landscape and develop an approach to enhance the security and resilience of edge devices, which are increasingly prevalent in this space.
"Water entities… many of them are very small. And how do you sort of work with them to have the resources they need to deploy new technologies in a secure and thoughtful way?" McKinnis said.
The planning agenda also includes efforts to deepen operational collaboration and integration with the energy sector in partnership with the Department of Energy.
Malicious cyber actors don't just target critical infrastructure. Journalists, cybersecurity researchers, and civil society organizations remain a persistent target for threat actors. JCDC will work with key government or industry stakeholders to develop cyber defense planning for high-risk organizations in 2023.
"I think the key here is that a lot of these targeted communities don't even know that they're being targeted. If you're a journalist … you may not even be aware that you're a target from a foreign state entity for whatever reason. Maybe you're aware of that, but don't necessarily have the knowledge or resources to respond effectively," McKinnis said. "How do we get those communities the tools and resources that they need, so they're able to … address that challenge, and really recognize not only their risk in that area, but also what to do about that risk?"
The JCDC team is also starting work on its 2024 priorities, thinking more strategically about where it can add value in joint operational planning, as well as which focus areas would be most beneficial for bringing the right partners to the table and making a difference from a risk perspective.