Industry reps like CISA's public-private cybersecurity collaborative, but offer tips on how to scale it

Rep. Eric Swalwell (D-Calif.) said Thursday during a House subcommittee hearing on cyber that CISA needs a codified charter and membership rules for its Joint Cyber Defense Collaborative. Kevin Dietsch / Getty Images

Rep. Eric Swalwell (D-Calif.) noted in the hearing that CISA’s Joint Cyber Defense Collaborative lacks a charter or membership criteria and previewed a forthcoming bill to “clarify activities of the JCDC.”

The Cybersecurity and Infrastructure Security Agency’s public-private cybersecurity collaborative on cyber risk information has been a fruitful partnership, industry witnesses told lawmakers during a Thursday hearing of the cyber subcommittee of the House Homeland Security Committee.

But they also came with feedback for what CISA needs to do to maintain the usefulness of the Joint Cyber Defense Collaborative as it scales.

The top Democrat on the subcommittee, Rep. Eric Swalwell (D-Calif.), also previewed a forthcoming bill to clarify questions about JCDC like what exactly its role is and who can be a member of the group.

CISA established the JCDC in 2021 as a convening group with federal, state and local government stakeholders and industry partners to share cyber risk information and synchronize planning and response. 

“Everyone who I've spoken to about JCDC has told me and our staff of its importance to ensuring productive collaboration between CISA and the private sector,” said Swalwell during the hearing.

“But JCDC has existed for a year and a half without a charter or concrete criteria for membership, all of which are essential for the JCDC to provide enduring value,” he continued. “A number of people have asked me, ‘How do we get into JCDC?’ Toward that end, in the coming weeks, I plan to introduce legislation to clarify the activities of the JCDC to improve on its successes and increase its impact.”

Drew Bagley, vice president and counsel for privacy and cyber policy at cybersecurity tech company CrowdStrike, told lawmakers that “CrowdStrike values the partnership” and continues “to invest time and expertise in the JCDC community,” but sees room for improvement.

One recommendation: for CISA to segment membership in JCDC “to maintain trust,” he said. 

“As the group expands, JCDC leadership should account for the possibility that some members may become less willing to share details about sensitive issues,” he explained in his written testimony.

“JCDC has addressed this concern by maintaining clear direct channels of communication with participants, and creating ad hoc working groups with a subset of members,” he continued. “But additional subgroup governance may help promote more active and applied sharing. Articulating long-term aims for membership composition may also be of value.”

The other industry witnesses, including Marty Edwards, deputy chief technology officer of operational technology security at Tenable, agreed, pointing to the need to consider scalability. 

“One of the things that's very important is for CISA to ensure that as JCDC grows, it's growing with intention, with deliberation and with a bit more structure,” said Heather Hogsett, senior vice president of technology and risk management at the Bank Policy Institute, a financial services industry trade group. 

“Certainly, there are strengths to the fact that there are more members bringing more capabilities,” she continued. “But the more that CISA can actually structure with purpose and with themes [and] different working groups, I think that can lead to certain advantages and certain efficiencies.” 

Hogsett also said that although JCDC has been helpful in responding to events like the invasion of Ukraine, it needs to do more long-term planning. 

“This response-oriented focus, however, has not fulfilled the need for longer term strategic planning across government agencies and with the private sector,” she said. 

“As authorized by Congress, CISA was charged with creating a joint cyber planning office to develop plans for cyber defense operations and coordinated actions that public and private sector entities could take to protect, mitigate and defend against malicious cyber attacks,” Hogsett continued. “We have not seen the JCDC engage in this type of proactive planning, but continue to believe this would be beneficial for financial institutions and other more mature sectors.”

Eric Goldstein, executive assistant director for cybersecurity at CISA, also recently acknowledged the need to focus on long-term risks, writing that “collaborating around immediate risks is necessary but not sufficient” in a recent blog post about the group’s 2023 agenda.

“We must also look over the horizon to collaboratively plan against the most significant cyber risks that may manifest in the future,” he continued.

As for how CISA itself quantifies the group’s successes so far, Goldstein touted JCDC’s role in response to the Log4Shell vulnerability and to Russia’s invasion of Ukraine.

Among the agenda items is a JCDC-led effort to update the National Incident Response Plan, which outlines how the government and industry would respond in the event of cyber incidents.
