CISA director plans proactive cybersecurity for at-risk companies

Director of the Cybersecurity and Infrastructure Security Agency Jen Easterly says one of its most robust public-private partnerships is building ways to help critical infrastructure operators get ahead of cyberattacks, rather than respond.

Why it matters: The congressionally mandated Joint Cyber Defense Collaborative (JCDC) inside CISA has spurred new excitement among private tech and cybersecurity companies who previously weren’t keen on working with the federal government on cybersecurity issues.

• Congress mandated CISA stand up the JCDC early last year to create an interagency hub where companies can work with the government to both plan for potential cyber threats and work together to respond to large-scale attacks.

What's happening: JCDC, which Easterly named after the rock band ACDC, marks its unofficial one-year anniversary this week as the Black Hat conference kicks off in Las Vegas. Easterly launched the collaborative at last year's event.

• JCDC has more than 20 tech and cybersecurity company members, including Microsoft, Google Cloud, CrowdStrike, Mandiant and Palo Alto Networks. Agency partners include the National Security Agency, the Pentagon's U.S. Cyber Command, the FBI and the Office of the Director of National Intelligence.
• JCDC members meet regularly about the latest cyber threats they're seeing — speeding up communication between the public and private sector as the number of threats mounts.

The big picture: After spending the first year mostly responding to large-scale attacks, the JCDC is ready to focus in on getting ahead of those attacks and establishing response plans.

• They're planning exercises for critical sectors, including finance, energy and telecommunications, to help them test defenses before an actual hacking attempt. A CISA spokesperson said those exercises could include attack simulations and discussions about best practices.
• JCDC is also planning a similar initiative for pipeline operators and cybersecurity companies focused on critical infrastructure sectors. That exercise comes after the Transportation Security Administration rolled out new cyber rules for pipelines last month.
• Easterly also said members of the JCDC have already started briefing state and local election security officials on the threats they're anticipating before the November midterms.

Between the lines: The Biden administration's cyber offices have received criticism from some lawmakers who worry they're not focusing enough on preventing attacks and are spending too much time responding to threats. The JCDC's planning focus could help ease those concerns.

What they're saying: Easterly, a former Morgan Stanley cybersecurity executive and NSA official, told Axios the JCDC has transformed how the federal government approaches public-private partnerships.

• "We approach that partnership with humility," Easterly said. "Certainly, we don't have all the answers, and this is not a problem that the government can solve. It's something we all collectively have to come together to solve — and with a sense of gratitude."
• Easterly also said she has been surprised at how receptive the tech industry was to join JCDC, noting that she expected more hesitation about being able to trust the government.

Flashback: High-profile cyber issues like the discovery of the Log4j vulnerability last year that affects "hundreds of millions" of devices, and the cyber fallout from the war in Ukraine have also boosted the collaborative's effectiveness, Easterly said.

What to watch: CISA is still firming up its midterm election strategy.

• Easterly said she can envision the agency standing up "some sort of channel" to share cyber threat information with state and local election officials — similar to how JCDC has shared info during Log4j and the war in Ukraine.