Industry reps like CISA's public-private cybersecurity collaborative, but offer tips on how to scale it

The Cybersecurity and Infrastructure Security Agency’s public-private cybersecurity collaborative on cyber risk information has been a fruitful partnership, industry witnesses told lawmakers during a Thursday hearing of the cyber subcommittee of the House Homeland Security Committee.

But they also came with feedback for what CISA needs to do to maintain the usefulness of the Joint Cyber Defense Collaborative as it scales.

The top Democrat on the subcommittee, Rep. Eric Swalwell (D-Calif.), also previewed a forthcoming bill to clarify questions about JCDC like what exactly its role is and who can be a member of the group.

CISA established the JCDC in 2021 as a convening group with federal, state and local government stakeholders and industry partners to share cyber risk information and synchronize planning and response. 

“Everyone who I've spoken to about JCDC has told me and our staff of its importance to ensuring productive collaboration between CISA and the private sector,” said Swalwell during the hearing.

“But JCDC has existed for a year and a half without a charter or concrete criteria for membership, all of which are essential for the JCDC to provide enduring value,” he continued. “A number of people have asked me, ‘How do we get into JCDC?’ Toward that end, in the coming weeks, I plan to introduce legislation to clarify the activities of the JCDC to improve on its successes and increase its impact.”

Drew Bagley, vice president and council for privacy and cyber policy at cybersecurity tech company Crowdstrike, told lawmakers that “CrowdStrike values the partnership” and continues “to invest time and expertise in the JCDC community,” but sees room for improvement. 

One recommendation: for CISA to segment membership in JCDC “to maintain trust,” he said. 

“As the group expands, JCDC leadership should account for the possibility that some members may become less willing to share details about sensitive issues,” he explained in his written testimony.

“JCDC has addressed this concern by maintaining clear direct channels of communication with participants, and creating ad hoc working groups with a subset of members,” he continued. “But additional subgroup governance may help promote more active and applied sharing. Articulating long-term aims for membership composition may also be of value.”

The other industry witnesses, including Marty Edwards, deputy chief technology officer of operational technology security at Tenable, agreed, pointing to the need to consider scalability. 

“One of the things that's very important is for CISA to ensure that as JCDC grows, it's growing with intention, with deliberation and with a bit more structure,” said Heather Hogsett, senior vice president of technology and risk management at the Bank Policy Institute, a financial services industry trade group. 

“Certainly, there are strengths to the fact that there are more members bringing more capabilities,” she continued. “But the more that CISA can actually structure with purpose and with themes [and] different working groups, I think that can lead to certain advantages and certain efficiencies.” 

Hogsett also said that although JCDC has been helpful in responding to events like the invasion of Ukraine, it needs to do more long-term planning. 

“This response-oriented focus, however, has not fulfilled the need for longer term strategic planning across government agencies and with the private sector,” she said. 

“As authorized by Congress, CISA was charged with creating a joint cyber planning office to develop plans for cyber defense operations and coordinated actions that public and private sector entities could take to protect, mitigate and defend against malicious cyber attacks,” Hogsett continued. “We have not seen the JCDC engage in this type of proactive planning, but continue to believe this would be beneficial for financial institutions and other more mature sectors.”

Eric Goldstein, executive assistant director for cybersecurity at CISA, also recently acknowledged the need to focus on long-term risks, writing that “collaborating around immediate risks is necessary but not sufficient” in a recent blog post about the group’s 2023 agenda.

“We must also look over the horizon to collaboratively plan against the most significant cyber risks that may manifest in the future,” he continued.

As for how CISA itself quantifies the groups’ successes so far, Goldstein touted JCDC’s role in response to the Log4Shell vulnerability and to Russia’s invasion of Ukraine. 

Among the agenda items is a JCDC-led effort to update the National Incident Response Plan, which outlines how the government and industry would respond in the event of cyber incidents.