Thursday, February 16, 2023
Reprinted with the permission of the Cybersecurity and Infrastructure Security Agency (CISA), today’s blog first appeared on CISA’s website in a bylined piece, published on January 26, 2023 by Eric Goldstein, who serves as the Executive Assistant Director for Cybersecurity at CISA.
In 2021, CISA and our partners across government and the private sector created a new kind of partnership organization — the Joint Cyber Defense Collaborative (JCDC). While our model is still evolving, we collectively demonstrated how persistent collaboration and frictionless engagement can yield benefits in addressing exigent risks like the Log4Shell vulnerability and potential cyber activity resulting from Russia’s full-scale invasion of Ukraine. However, collaborating around immediate risks is necessary but not sufficient. We must also look over the horizon to collaboratively plan against the most significant cyber risks that may manifest in the future. This proactive planning is foundational to JCDC, as first envisioned by the Cyberspace Solarium Commission and then codified by Congress.
To advance this critical aspect of our work, CISA and our partners are proud to announce JCDC’s 2023 Planning Agenda. This Agenda is the first of its kind — a forward-looking effort that will bring together government and the private sector to develop and execute cyber defense plans that achieve specific risk reduction goals and enable more focused collaboration. We will continue to expand the breadth and depth of our partnership to maximize both the completeness and impact of these planning efforts.
Through a rigorous process that included input from subject matter experts and our government and private sector partners, we have developed a Planning Agenda focused on three topic areas: systemic risk, collective cyber response, and high-risk communities.
- While all organizations are at risk of cyber intrusions, we know that certain elements of the ecosystem can be abused by malicious actors to achieve widespread impacts. To reduce these types of risk at scale, we will convene key partners across the following efforts:
- Understand and mitigate risks potentially posed by open source software (OSS) used in industrial control systems
- Advance cybersecurity and reduce supply chain risk for small and medium critical infrastructure entities through collaboration with remote monitoring and management, managed service providers, and managed security service providers
- Deepen operational collaboration and integration with the Energy Sector, in partnership with the Department of Energy
- Identify approach to enhance security and resilience of edge devices for the water sector
- Over the past several years, government and the private sector have significantly advanced our processes and approaches for incident response, but our plans and doctrine have not kept up. JCDC will lead an effort to update the National Cyber Incident Response Plan, in close coordination with the Federal Bureau of Investigation and other partners, which will include articulating specific roles for non-federal entities in organizing and executing national incident response activities.
- Malicious cyber actors do not only target critical infrastructure or businesses; to the contrary, we know that high-risk communities, such as civil society organizations that support journalists, and cybersecurity researchers are routinely targeted by adversaries seeking to undermine American values and interests. JCDC will lead collaborative planning efforts with key non-government organizations, government, and industry stakeholders to develop a cyber defense plan for civil society organizations who are at high risk of being targeted by foreign state actors.
In the coming weeks, we will kick off our planning efforts on OSS and scaling cybersecurity to support small and midsize critical infrastructure and state, local, tribal, and territorial entities. The remaining priorities for cyber defense planning efforts will commence in the following months.
Through these planning efforts, CISA and our partners across government and the private sector will take steps to measurably reduce some of the most significant cyber risks facing our country and deepen our collaborative capabilities to enable more rapid action when the need arises.
This level of proactive planning is new; we’ll learn as we go, and we’ll be transparent about our successes and our continued areas of growth, informed as always by the input and feedback from each of our partners in this critical work. We will also maintain flexibility to undertake urgent planning efforts as the risk environment changes, recognizing that agility is foundational to our shared success.
JCDC is a public-private cybersecurity collaborative that leverages new authorities granted by Congress in the 2021 National Defense Authorization Act to unite the global cyber community in the collective defense of cyberspace. CISA welcomes all critical infrastructure organizations and entities with cybersecurity expertise and visibility to participate in our collaboration efforts. For further information about JCDC, email email@example.com.