We have been very vocal boosters of CISA,  the efforts of CISA leadership, and since its inception, the work of the Joint Cyber Defense Collaborative (JCDC). And we continue in our support of both organizations.  The Defenders have a tough mission.  In this post, however, we remain objective and sort out some of the recent constructive criticism directed at CISA and the CISA JCDC by Federal IT leaders.   It is an interesting, productive conversation these decisionmakers have opened up through their professional feedback to the agency.  

Feds: CISA’s JCDC Promising, But Still in ‘Infantile State’

As reported by Meritalk: 

Top IT experts at the Departments of Treasury and Veterans Affairs (VA) said that the Cybersecurity and Infrastructure Security Agency’s (CISA) Joint Cyber Defense Collaborative (JCDC) program holds a lot of promise, but is “still in its infancy” with program kinks to be worked out.  JCDC is a public-private cybersecurity collaborative that leverages authorities granted by Congress in the 2021 National Defense Authorization Act in an attempt to unite the global cyber community in the collective defense of cyberspace.  “It’s still in its infancy. Some of the kinks still need to be worked out,” the VA’s Deputy Chief Information Security Officer and Executive Director of Information Security Operations, Jeff Spaeth, said of CISA’S JCDC during a Feb. 6 CSIS webinar.

Some of the room for improvement specifics itemized in the Meritalk article include: 

• More in-depth technical pieces from vendors instead of the level of detail they are currently providing. 
• Integration and coordination overall was praised by the participants in the CSIS panel, “more involvement from Federal agencies – and additional elements, like state and local governments – to be a part of the overall threat landscape and intelligence sharing.  Spaeth said this would aid the Federal government in quick reactions and ‘closing the holes as quickly as possible.'”
• The VA says they are managing limited internal resources, so they “rely on CISA’s collaborative partnership to inform them…[so]…when vulnerabilities do arise…[the VA would like to see] more guidance from CISA on how to protect critical systems.” 
• Questions for CISA and the CISA JCDC  from Amber Pearson, the VA’s executive director of information security policy and strategy, included:
  • “What are those actions that we as a Federal agency need to do next?….I think there’s a big gap there and how we actually continue to ensure that we’re monitoring…”
  • “I think a lot of Federal agencies struggle when those things do come up, and how do we respond from a hardening capability, giving that hardening guidance to us? So those recommendations I would be looking for from agencies like CISA and helping us in responding.”

Federal IT officials call on CISA for tougher standards, more coordination

From Fedscoop:  Many of the comments made during [the CSIS] panel mirrored findings from an October 2023 CSIS report, titled “CISA’s Evolving .gov Mission: Defending the United States’ Federal Executive Agency Networks.” The report called for: 

• Major investments into the federal cybersecurity workforce;
• Better preparation for cyber threats brought on by artificial intelligence and machine learning, and
• The adoption of a more standardized and centralized cyber defense strategy, akin to the Department of Defense Information Network.  

What Next?  

 “I don’t think the theory of the JCDC is bad at all. I think it’s still in a very infantile state.”    

Overall, these federal IT leaders were positive and very specifically prescriptive in their feedback to CISA and JCDC, namely this feedback (as also reported by Meritalk): 

• Jeff King, the principal deputy chief information officer at Treasury, noted:  CISA has the opportunity to be a “real catalyst” in threat hunting but needs to be a “driver and a doer” rather than a coordinator.  “I think they’re on the right track….I think they may be spread across a lot of different initiatives where we need more distinct focus on specific things. So, I think the remit is still not fully clear to me as a decision maker.
• He said that the “ingredients are there” but CISA needs to focus on making JCDC a “repeatable and reliable apparatus.”  “We’ve got this body; we know that they’re chartered and empowered to a certain extent. Now it’s kind of like to turn the corner, figure out what is the core mission, execute against that mission, and consider the areas where you may be spread too thin.”  
• the VA’s Spaeth offered this coda:  “Again, I don’t think the theory of the JCDC is bad at all. I think it’s still in a very infantile state.”  

2024 JCDC Priorities

FedScoop featured a quote from Rob Lee, CEO and founder of Dragos, that is a great precursor to review of the recently:  “When government ends up focusing, especially CISA, on the ‘here is the strategy’ level, it’s very effective. … When it gets to the tactical and actually having the experts around the table, that tends to be a bit lacking.”  The Fedscoop analysis goes on to make a vital point: 

“Approaching security from a more defined and risk-based approach wouldn’t necessarily be an easy shift for CISA or the JCDC, the agency officials acknowledged. But focusing more on the latest threat vectors and threat actors as opposed to ‘ports, protocols and services,’ Spaeth said, is a worthy target,  “There needs to be, I think, more formulation if this is the way we’re going into a top-down, enforceable strategy,”  King said. ‘And I recognize that is very much a divergence from the way that we’ve thought about cyber and acted on cyber probably over the past decade, if not two.'”

With that, the CISA JCDC released there annual priorities document.  Overall, it reflects that they have integrated and internalized – and plan to make operational – some of the feedback they have received from federal agencies:

“For the first time, we are aligning our priorities under three broad focus areas, which in turn will enable alignment of resources and strategic direction.

(1) Defend Against Advanced Persistent Threat (APT) Operations: Last year’s ODNI Annual Threat Assessment makes clear the threat posed by malicious cyber actors, particularly those affiliated with the People’s Republic of China (PRC). No longer can our cyber defense focus on espionage and data theft; we must now posture to protect our country and allies against destructive attacks designed to cause real-world harm. Our priorities in this focus area center on JCDC’s strategic and operational efforts to counter known and suspected APT attack campaigns targeting entities that support national critical functions.

• Discover and defend against malicious abuse by APT actors, particularly those backed by the PRC, on and against U.S.-based infrastructure.
• Prepare for major cyber incidents. CISA, through the JCDC, will finalize and publish the National Cyber Incident Response Plan (NCIRP), in close coordination with interagency and industry partners.

(2) Raise the Cybersecurity Baseline: Too many successful intrusions are preventable, the result of inadequate investment in basic practices. Our priorities in this focus area center on JCDC’s ability to organize and support efforts that raise the cybersecurity baseline of critical infrastructure entities.

• Help state and local election officials secure their networks and infrastructure against cyber threats as part of CISA’s broader election security efforts.
• Measurably decrease the impact of ransomware on critical infrastructure.
• Make measurable progress toward a world where technology is Secure by Design. Even as we urgently work to help organizations implement the most effective cybersecurity measures, we know that scalable change requires a fundamental shift in how technology is designed, built, and maintained. We will continue to drive measurable commitments across the technology ecosystem that reduce the number of defective technology products by design and ensure that strong default settings are the norm.

(3) Anticipate Emerging Technology and Risks: Innovation can help to close off entire avenues of attack but may also create new cybersecurity risks. Our priorities in this focus area center on JCDC’s work with the cybersecurity community to support accelerated innovation in cyber defense and reduce known and suspected risks posed by the deployment of emerging technologies.

• Decrease the risk posed by Artificial Intelligence (AI) to critical infrastructure. In alignment and coordination with CISA’s Roadmap for Artificial Intelligence, JCDC will work to decrease the likelihood and impact of AI-related threats and vulnerabilities to critical infrastructure providers.

If you have a particular take on or direct experience with CISA and/or the CISA JCDC, we would love to hear more.  Please reach out at [email protected].  OODA Network members can reply in the Member Slack Workspace.  

Additional OODA Resources 

Cyber Risks

Corporate Board Accountability for Cyber Risks: With a combination of market forces, regulatory changes, and strategic shifts, corporate boards and their directors are now accountable for cyber risks in their firms. See: Corporate Directors and Risk

Geopolitical-Cyber Risk Nexus: The interconnectivity brought by the Internet has made regional issues affect global cyberspace. Now, every significant event has cyber implications, making it imperative for leaders to recognize and act upon the symbiosis between geopolitical and cyber risks. See The Cyber Threat

Ransomware’s Rapid Evolution: Ransomware technology and its associated criminal business models have seen significant advancements. This has culminated in a heightened threat level, resembling a pandemic in its reach and impact. Yet, there are strategies available for threat mitigation. See: Ransomware, and update.

Challenges in Cyber “Net Assessment”: While leaders have long tried to gauge both cyber risk and security, actionable metrics remain elusive. Current metrics mainly determine if a system can be compromised, without guaranteeing its invulnerability. It’s imperative not just to develop action plans against risks but to contextualize the state of cybersecurity concerning cyber threats. Despite its importance, achieving a reliable net assessment is increasingly challenging due to the pervasive nature of modern technology. See: Cyber Threat

Recommendations for Action

Decision Intelligence for Optimal Choices: The simultaneous occurrence of numerous disruptions complicates situational awareness and can inhibit effective decision-making. Every enterprise should evaluate their methods of data collection, assessment, and decision-making processes. For more insights: Decision Intelligence.

Proactive Mitigation of Cyber Threats: The relentless nature of cyber adversaries, whether they are criminals or nation-states, necessitates proactive measures. It’s crucial to remember that cybersecurity isn’t solely the responsibility of the IT department or the CISO – it’s a collective effort that involves the entire leadership. Relying solely on governmental actions isn’t advised given its inconsistent approach towards aiding industries in risk reduction. See: Cyber Defenses

The Necessity of Continuous Vigilance in Cybersecurity: The consistent warnings from the FBI and CISA concerning cybersecurity signal potential large-scale threats. Cybersecurity demands 24/7 attention, even on holidays. Ensuring team endurance and preventing burnout by allocating rest periods are imperative. See: Continuous Vigilance

Embracing Corporate Intelligence and Scenario Planning in an Uncertain Age: Apart from traditional competitive challenges, businesses also confront external threats, many of which are unpredictable. This environment amplifies the significance of Scenario Planning. It enables leaders to envision varied futures, thereby identifying potential risks and opportunities. All organizations, regardless of their size, should allocate time to refine their understanding of the current risk landscape and adapt their strategies. See: Scenario Planning

Track Technology Driven Disruption: Businesses should examine technological drivers and future customer demands. A multi-disciplinary knowledge of tech domains is essential for effective foresight. See: Disruptive and Exponential Technologies.

Planning for a Continuous Pandemic Landscape: COVID-19’s geopolitical repercussions are evident, with recent assessments pointing to China’s role in its spread. Regardless of the exact origins, the same conditions that allowed COVID-19 to become a pandemic persist today. Therefore, businesses must be prepared for consistent health disruptions, implying that a substantial portion of the workforce might always operate remotely, even though face-to-face interactions remain vital for critical decisions. See: COVID Sensemaking

The Inevitable Acceleration of Reshoring and its Challenges: The momentum towards reshoring, nearshoring, and friendshoring signals a global shift towards regional self-reliance. Each region will emphasize local manufacturing, food production, energy generation, defense, and automation. Reshoring is a complex process, with numerous examples of failures stemming from underestimating intricacies. Comprehensive analyses encompassing various facets, from engineering to finance, are essential for successful reshoring endeavors. See: Opportunities for Advantage