The Cybersecurity and Infrastructure Security Agency on Monday released the 2024 priorities for the Joint Cyber Defense Collaborative, an operationally focused government and private-sector collaborative that has faced recent criticism.
The announcement of three broad priorities will mark an alignment of “resources and strategic direction.” In the coming year, the JCDC will focus on: defending against advanced persistent threat (APT) operations, raising baseline protections for critical infrastructure owners and operators, and anticipating emerging technology and risks.
“These priorities will further expand the breadth and depth of our partnership to tackle more challenging, forward-leaning cyber risks that could evolve in the future, not just the immediate risks,” Clayton Romans, associate director at CISA, wrote in an accompanying blog post. “To be clear, JCDC in this context is not a specific team or organization; it represents the collective group of industry and government partners drawn together to drive positive change for our nation’s cybersecurity.”
The announcement also comes amid increasing, but not new, concerns about the effectiveness of the JCDC due to a lack of technical expertise and an overabundance of lawyers. Recent reporting reveals that security researchers are not as active (one notable researcher, Juan Andres Guerrero-Saade, called the JCDC “dead”), in part due to increasing backlash from conservatives over election disinformation efforts, Politico reported.
“When the JCDC first stood up, it was met with a ton of fanfare, but it quickly turned into a cool-club for vendors,” Brian Harrell, a former assistant secretary at the Department of Homeland Security, said in a message to CyberScoop. “It’s high time that CISA provides value to industry by showcasing risk mitigation. They need to go from talking about risk, to reducing it.”
The release also follows a spree of warnings from the federal government about Chinese intrusions into critical infrastructure. Last week, top security officials from the FBI, CISA, and NSA warned that recent Chinese hacking operations are pre-positioning themselves for disruptive attacks on critical infrastructure networks.
Federal IT officials, meanwhile, are also calling for more from CISA. During a panel discussion hosted by a Washington think tank last week, federal IT officials said the agency needs to be faster at sharing information and more aggressive in the standards it sets to mitigate threats.
At a House hearing last week on operational technology (OT) threats in the water sector, cybersecurity experts said that the JCDC is suffering from “growing pains.” CISA has a good strategy, but the tactics tend “to be a bit lacking,” according to Robert M. Lee, CEO and founder of the industrial cybersecurity firm Dragos.
The first priority on APTs — nomenclature that often refers to nation-state hackers — will include the release of an updated National Cyber Incident Response Plan, which outlines the roles and responsibilities of federal agencies during an incident. The update is expected this year and will include “significant changes in policy and cyber operations” since the initial 2016 publication. Additionally, CISA plans to “discover and defend” against attacks by state-backed hackers, particularly China, the announcement noted.
In addition to helping state and local election officials secure sensitive networks, CISA plans to make “measurable” progress in decreasing ransomware attacks against critical infrastructure and on the agency’s secure-by-design push. CISA plans to “prioritize operational activities” that can defend against and disrupt ransomware attacks. CISA also noted that it will decrease the risk posed by AI to critical infrastructure.
“Even as we urgently work to help organizations implement the most effective cybersecurity measures, we know that scalable change requires a fundamental shift in how technology is designed, built, and maintained,” Romans wrote. “We will continue to drive measurable commitments across the technology ecosystem that reduce the number of defective technology products by design and ensure that strong default settings are the norm.”