CISA advisors urge changes to JCDC's goals, operations, membership criteria

The federal government needs to make important changes to a key public-private cybersecurity partnership to address complaints from some members, an advisory panel recommended on Wednesday.

Officials on the Cybersecurity Advisory Committee (CSAC) voted in favor of refining the goals, membership criteria and operational standards of the Joint Cyber Defense Collaborative (JCDC), which allows private sector companies to share threat information and more with government agencies.

In February, several unnamed JCDC participants complained to Politico that the initiative was “hampered by mismanagement,” slow to act on the tips provided and was not staffed with enough technical experts. The JCDC has more than 300 member organizations, including Google, Microsoft, Amazon and Verizon. 

The meeting at the U.S. Military Academy in West Point, New York, was the CSAC’s second this year. The panel reports to the Cybersecurity and Infrastructure Security Agency (CISA), which kickstarted the JCDC in 2021. A CSAC subcommittee had previously been tasked with looking into the JCDC, speaking with its members and getting feedback on how it operates. 

Ron Green, chair of the CSAC and Mastercard’s former chief security officer for 10 years, said the subcommittee found that JCDC members wanted the initiative to focus less on policy and develop better structures of coordination. 

The three recommendations, which were approved in a unanimous vote by the CSAC, say:

• The JCDC’s day-to-day activities will “center around operational collaboration, active incidents and potential incidents.” While members can be consulted on policy questions, that should not be the initiative’s focus.
• Clear criteria on what it means to be a member of JCDC and participate in the information sharing process. Within 60 days, CISA has to provide information on what it takes to become, and stay, a member of the JCDC. Members would also like a physical space to collaborate.
• Expanded and more developed coordinating structures. The JCDC will have a “clear process for continuing to identify appropriate partners for given situations” and the JCDC will focus on responding to active issues while proactively preparing for future concerns.

Chris Inglis, former national cyber director at the White House and a member of the subcommittee, explained succinctly that the first two recommendations clarify what happens at the JCDC and the third gets into what happens as a byproduct of the JCDC. 

CISA director Jen Easterly will now implement the changes or respond to the committee in a report ahead of the next CSAC meeting in September. 

'A threat to many'

Easterly said she knew the JCDC would be a difficult project when CISA created it due to the scale of the effort, noting that it was different from many other public-private partnerships because the government is  asking companies — some of whom are in direct competition with one another — to come together and share information. 

“We're asking for companies, who are used to working with the government just through government affairs or through lawyers, to bring their technical and operational folks to the table. We're asking for companies to not just respond to crises but to actually do cyber defense planning on the most serious threats,” she said at the meeting on Wednesday. 

“We're asking for companies to really recognize that a threat to one is a threat to many. And we're asking the federal government to be responsive, to be transparent, to add value in every interaction we have, which has not always been the case.”

She added that the underlying goal — to understand threats and drive down risk for the United States — was being achieved but appreciated the recommendations which will help them “optimize things going forward.”

The JCDC has already been lauded for its work coordinating responses to several crises including the Log4Shell vulnerability and the cybersecurity ramifications of Russia’s invasion of Ukraine. The JCDC was also responsible for an election security toolkit released in August 2022 that provided free resources for vendors and state and local government officials ahead of the midterm elections. 

Clayton Romans, associate director of the JCDC, said that it has been difficult to pull in resources from across CISA and other federal agencies, and  it has taken time to create new communication channels between the government and private sector. 

The JCDC, he said, is trying to get better at connecting the dots between technology competitors as well as owners and operators in the IT sector. 

“We came in at the JCDC focused on operational planning, learning from our partners at the Department of Defense, learning from our partners in DHS at FEMA to really get the discipline of planning right and what we learned is that there was a lot of opportunity that we have at CISA to structure the activities that we undertake with the private sector,” Romans said. 

“As long as we have that foundational understanding for how these capabilities are going to be used, how information is going to be shared, how other partners outside of these communities connect in and figuring out what cyberdefense means has been part of this process of building a cyberdefense planning methodology.”