Jim Langevin, Mark Montgomery
On Aug. 5, Jen Easterly, the Director of the Cybersecurity and Infrastructure Security Agency (CISA), announced the creation of the Joint Cyber Defense Collaborative (JCDC) to unify public and private national cyber defense efforts under one entity. This is welcome news—when discussing federal cybersecurity efforts, an emphasis on this kind of public-private collaboration is critical to embracing a “whole-of-nation” approach and strengthening overall U.S. cybersecurity.
Easterly, as the second person confirmed by the Senate to head CISA, chose an auspicious location for her first speech: Black Hat, one of the largest and most influential cybersecurity conferences in the world. Each year, Black Hat and its companion conference, DEF CON, attract tens of thousands of cybersecurity professionals to the Las Vegas desert. These are exactly the people that the JCDC will need to bring into the fold to be successful, and Easterly’s early roster of private-sector participants is impressive.
The JCDC represents a further evolution of the government’s drive to operationalize collaboration with the private sector, one of the six pillars of the Cyberspace Solarium Commission report we helped craft. The creation of this collaborative is also a crucial step in fulfilling the mandates in the National Defense Authorization Act for Fiscal Year 2021 (NDAA) for the creation of a Joint Cyber Planning Office (JCPO) and the design of an Integrated Cybersecurity Center.
However, we commend Easterly for going beyond the framework in the commission report and laying out a vision for integrating these elements within CISA. Strengthening CISA is vital to our strategic vision for securing the U.S. in cyberspace, and the JCDC announcement has the potential to be hugely consequential for CISA’s future. As we track the stand-up of the JCDC, there are three parts fundamental to its success: planning, operations and information fusion.
First, the JCDC should develop and maintain cyber planning and exercising capabilities. This must be an integral part of the collaborative—successfully defending the United States against malicious cyber incidents will require the federal government to be able to mount its own coordinated defensive campaigns that includes integration between the public and private sectors. Effective cyber planning and exercising ensures that the government can utilize the full range of tools it has available for cyber defensive purposes. Status quo measures have been more “reactive” to individual incidents, rather than being more “proactive” and forward looking. Section 1715 of the NDAA created the JCPO, which will develop plans for cyber defense operations between the public and private sectors. Per the statute, these plans should include coordination actions that would help the federal government protect against, detect, respond to, and recover from significant cybersecurity incidents. As part of a broader national strategic approach, the JCDC should house the JCPO to strengthen the United States’ capacity to conduct meaningful planning across government and between the public and private sectors.
Second, the JCDC should have the ability to integrate public- and private-sector cyber defense operations as well as operations within the federal government. Without effective, meaningful cooperation between federal government entities, defensive cybersecurity measures will continue to lag the threat and the federal government will fall short of being a mature operational partner for the private sector. CISA is currently a key component in coordinating cyber defense operations between the federal government and the private sector, but the ability to conduct fully integrated cybersecurity operations with federal and nonfederal partners remains immature. In particular, while there have been ad hoc working groups that have conducted public-private operations, these efforts have not been institutionalized.
Section 1731 of the NDAA requires the secretary of homeland security, in coordination with other key federal actors, to submit a plan to Congress to better improve the coordination of federal cybersecurity efforts within an integrated cybersecurity center. This report is due in January 2022. Based on Easterly’s vision, we believe the JCDC should serve as a venue for integrated operations within the federal government and as the lead federal cyber center for cybersecurity operations.
Finally, the federal government must improve its combined situational awareness of the cyber threats that are affecting the United States—particularly through sound analytics that encompass and fuse key threat information, insight, and other relevant data from the federal government and other critical public- and private-sector entities. The Cyberspace Solarium Commission’s report from March 2020 proposed the creation of a Joint Collaborative Environment (JCE)—an information-sharing environment with a common toolset that would integrate the federal government’s unclassified and classified cyber threat information, malware forensics, and data related to cybersecurity risks, and would enable real-time public-private collaborative analysis. The JCE will ensure that the most informed analysts in the public and private sectors can come together to look at common data streams, share notes and make life more difficult for U.S. adversaries.
The JCDC is the perfect venue to house the JCE and chair its governance board. If the collaborative is to be successful, it must emphasize the importance of having a steady stream of analytics to inform public and private actions to defend critical infrastructure.
The Path Forward for the JCDC
As the JCDC gets off the ground, CISA and Congress will need to take key steps to consolidate its functions and powers and work with ongoing initiatives within the federal government.
First, the JCDC should take responsibility, in coordination with CISA’s National Risk Management Center and the Office of the National Cyber Director, for the Continuity of Economy planning required by the NDAA. Section 9603 of the NDAA requires the president to develop and submit a plan to Congress in the next year and a half for ensuring the reliable functioning of key economic assets and sectors in the event of a significant incident that might debilitate the United States, including a cyber incident. The JCDC, in scoping its mission, should take on the task for planning (the National Risk Management Center should focus on risk assessment) and ensure that consistent and coherent leadership exists for this crucial national endeavor. The Office of the National Cyber Director will be a key partner for the JCDC in developing, socializing and implementing the plan.
Second, the JCDC should contribute to the report required by the NDAA on the need for an Integrated Cyber Center. The Department of Homeland Security—and potentially Congress—should then task the JCDC with fulfilling the function of an Integrated Cyber Center within CISA. Complementing this assessment, the force structure assessment of CISA (to include personnel, programs and infrastructure) required by the NDAA should be informed by the JCDC’s plans to support the efforts of other federal departments and agencies and the gaps that the collaborative can fill in national defense measures.
Third, Congress must work to establish the JCE in law, empowering it to serve a critical function fusing the cyber information picture. CISA can get a head start by helping to unify federal civilian government efforts to fuse cyber threat information both within the federal government and between the public and private sectors.
At the end of the day, the JCDC is set to provide the essential superstructure to tie together the JCE, the Integrated Cybersecurity Center, and the JCPO. Wrapping together the planning, defensive operations, and information fusing functions under one roof has the potential to significantly benefit the United States’ overall cybersecurity and resilience. As CISA moves forward with its plans, it should ensure that the visions for joint cyber planning, integrated operations, and public-private cyber threat analysis can be realized. The JCDC should take responsibility for ongoing lines of effort to provide leadership and direction and begin the work of bolstering the nation’s cyber defenses. Congress must also take action to ensure that CISA is authorized to perform this work and that appropriations support authorizations accordingly. The welcome step to establish the JCDC is only the beginning. The hard work of implementing the vision starts now.