The Joint Cyber Defense Collaborative (JCDC) is proud to announce its 2023 Planning Agenda—a major milestone in the collaborative’s continued evolution and maturation. Economic prosperity, national defense, and public health and safety depend on interconnected digital technologies. Widespread security flaws and configuration missteps in these technologies create opportunities for malicious actors to steal information, destroy valuable data, and cut off access to critical goods and services. JCDC’s planning agenda addresses these important and complex security challenges.
Charged with staying ahead of and confronting cyber risk and cyber threats to the nation’s critical infrastructure, CISA brought together experts across the government and the private sector to develop a collaborative cyber planning agenda. No single entity has the complete knowledge, capabilities, and legal authorities to defend the entire digital ecosystem against advanced persistent threat (APT) actors. By combining the capabilities of key industry partners with the unique insights of government agencies, JCDC can create common, shoulder-to-shoulder approaches to confront malicious actors and significant cyber risks.
The agenda’s priorities represent proactive planning and persistent collaboration, which means having the right groups ready to engage in real-time collaboration in a rapidly changing risk environment. JCDC’s new multidirectional real-time information-sharing initiative—which is built on trust and a willingness to work together—is a fundamentally different collaboration model that will enable us to accomplish the agenda priorities.
In 2023, JCDC will work on joint cyber defense plans focused on three areas: systemic risk, collective cyber response, and high-risk communities. We will also maintain flexibility to undertake urgent planning efforts as the risk environment changes, recognizing that agility is foundational to our shared success.
(1) Systemic risk: Malicious actors know how to work smarter, not harder, by targeting single points of failure in critical infrastructure. Targeting of software, hardware, and services that are widely used across sectors or compromises of lifeline functions like electrical and water that underpin virtually every organization could result in cascading impacts and severe impacts to our national critical functions.
The 2023 Planning Agenda includes efforts to address the following risk topic areas:
- Open-Source Software: Understand and mitigate risks potentially posed by open-source software (OSS) used in industrial control systems.
- Remote Monitoring and Management Vendors, Managed Service Providers, and Managed Security Service Providers: Advance cybersecurity and reduce supply chain risk for small and medium critical infrastructure entities through collaboration with remote monitoring and management (RMM), managed service providers (MSPs), and managed security service providers (MSSPs).
- Energy: Deepen operational collaboration and integration with the Energy Sector, in partnership with the Department of Energy.
- Water: Identify an approach to enhance the security and resilience of edge devices for the water sector.
(2) Collective cyber response: As a nation, we must anticipate that malicious cyber actors will at times circumvent our combined defenses. At the same time, the American people rightly expect the U.S. government to plan for a coordinated public-private response to minimize impacts and quickly recover.
The 2023 Planning Agenda identifies an effort to:
- Update the National Cyber Incident Response Plan (NCIRP): Over the past several years, the government and the private sector have significantly advanced our processes and approaches for incident response, but our plans and doctrine have not kept up. JCDC will lead an effort to update the National Cyber Incident Response Plan, in close coordination with interagency partners. The update will include incorporating changes and lessons learned since the release of the 2016 NCIRP and articulating specific roles for non-federal entities in organizing and executing national incident response activities.
(3) High-risk communities: Malicious cyber actors do not only target critical infrastructure or businesses; to the contrary, we know that adversaries—seeking to undermine American values and interests—routinely target high-risk communities, such as civil society organizations that support journalists and cybersecurity researchers.
The 2023 Planning Agenda outlines an effort to:
- Strengthen the protection of civil society organizations that are at higher risk of being targeted by foreign state actors through collaborative planning with key government and industry stakeholders. (1)
According to our friends over at The Record:
“CISA Executive Assistant Director for Cybersecurity Eric Goldstein released JCDC’s yearly agenda, explaining that this is the first time the government and private sector will ‘develop and execute cyber defense plans that achieve specific risk reduction goals and enable more focused collaboration. Over the past several years, government and the private sector have significantly advanced our processes and approaches for incident response, but our plans and doctrine have not kept up.’
The document highlights longstanding efforts to reduce risks posed by vulnerabilities in open-source software used by industrial control systems and supply chain attacks. There have been multiple recent attacks on energy infrastructure, including the ransomware attack on Colonial Pipeline, the cyberattack on a Florida water treatment plant in 2021, and another attack on a Kansas utility. Several other attacks on U.S. energy infrastructure have been uncovered by the federal government in recent years.
The JCDC has been lauded for its work in bringing together the most important players in the cybersecurity space and has been considered the lynchpin of Easterly’s tenure as director of CISA. The organization was pivotal in disseminating information last year as businesses and organizations dealt with the Log4J issue that affected thousands of companies. The JCDC was also responsible for an election security toolkit released last August that provided free resources for vendors and state and local government officials ahead of the midterm elections.
- Goldstein said the JCDC wants to collaborate more with remote monitoring and management companies, managed service providers and managed security service providers to better protect small and medium-sized critical infrastructure entities.
- He added that the JCDC wants to deepen its work with the energy sector in collaboration with the Department of Energy and provide better protection to edge devices used within the water sector, like meters and testing tools.
- JCDC will lead an effort to update the National Cyber Incident Response Plan, in close coordination with the Federal Bureau of Investigation and other partners, which will include articulating specific roles for non-federal entities in organizing and executing national incident response activities.
- The JCDC also plans to work with non-government organizations, government, and industry stakeholders to develop a cyber defense plan for civil society organizations ‘who are at high risk of being targeted by foreign state actors.’
- Plans for work on open-source security and cybersecurity support for small and midsize critical infrastructure belonging to state, local, tribal, and territorial entities will be unveiled in the coming weeks, while the rest will roll out over the next few months. ‘This level of proactive planning is new; we’ll learn as we go, and we’ll be transparent about our successes and our continued areas of growth, informed as always by the input and feedback from each of our partners in this critical work,’ [Goldstein] said. ‘We will also maintain flexibility to undertake urgent planning efforts as the risk environment changes, recognizing that agility is foundational to our shared success.’” (2)