Top IT experts at the Departments of Treasury and Veterans Affairs (VA) said that the Cybersecurity and Infrastructure Security Agency’s (CISA) Joint Cyber Defense Collaborative (JCDC) program holds a lot of promise, but is “still in its infancy” with program kinks to be worked out.
JCDC is a public-private cybersecurity collaborative that leverages authorities granted by Congress in the 2021 National Defense Authorization Act in an attempt to unite the global cyber community in the collective defense of cyberspace.
“It’s still in its infancy. Some of the kinks still need to be worked out,” the VA’s Deputy Chief Information Security Officer and Executive Director of Information Security Operations, Jeff Spaeth, said of CISA’S JCDC during a Feb. 6 CSIS webinar.
“One of the things that we would like to see a little bit more of is when they get notified by some of these major vendors – and I’m not saying they don’t pass the information along, but sometimes it takes a while to get down – for some of that really in-depth technical pieces instead of, ‘Hey, this was a compromise,’” Spaeth said.
He clarified that “we love the integration, we love the coordination” that the VA is getting from CISA’s JCDC but would like to see more involvement from Federal agencies – and additional elements, like state and local governments – to be a part of the overall threat landscape and intelligence sharing. Spaeth said this would aid the Federal government in quick reactions and “closing the holes as quickly as possible.”
Amber Pearson, the VA’s executive director of information security policy and strategy, said the agency’s relationship with CISA has blossomed over the last year. Due to the VA’s limited internal resources, she noted that they rely on CISA’s collaborative partnership to inform them.
However, Pearson said when vulnerabilities do arise, she would like to see more guidance from CISA on how to protect critical systems.
“What are those actions that we as a Federal agency need to do next? And I think there’s a big gap there and how we actually continue to ensure that we’re monitoring,” Pearson said. “I think a lot of Federal agencies struggle when those things do come up, and how do we respond from a hardening capability, giving that hardening guidance to us? So those recommendations I would be looking for from agencies like CISA and helping us in responding.”
Jeff King, the principal deputy chief information officer at Treasury, said that CISA has the opportunity to be a “real catalyst” in threat hunting but needs to be a “driver and a doer” rather than a coordinator.
“I think they’re on the right track,” King said of CISA’s JCDC. “I think they may be spread across a lot of different initiatives where we need more distinct focus on specific things. So, I think the remit is still not fully clear to me as a decision maker.”
He said that the “ingredients are there” but CISA needs to focus on making JCDC a “repeatable and reliable apparatus.”
“We’ve got this body; we know that they’re chartered and empowered to a certain extent. Now it’s kind of like to turn the corner, figure out what is the core mission, execute against that mission, and consider the areas where you may be spread too thin,” King said.
VA’s Spaeth added, “Again, I don’t think the theory of the JCDC is bad at all. I think it’s still in a very infantile state.”
