States, localities to play critical roles in cyber defense collaborative, CISA says

Officials from the Department of Homeland Security’s main cybersecurity arm on Thursday nudged state and local governments to speak up and share any potential vulnerabilities as they participate in the federal government’s new, multi-sector effort to counter cyber threats.

That effort, the Joint Cyber Defense Collaborative, is led by the Cybersecurity and Infrastructure Security Agency, whose director, Jen Easterly, announced the program in August. The JCDC is being designed to foster preventative collaboration between the federal government, the private sector and state and local agencies before attacks occur.

“This is a great opportunity to participate in plans that jointly defense our critical infrastructure,” Shannon Moser, a CISA engagement lead for state, local, tribal and territorial governments, said during a webinar on Thursday. “This is the opportunity to vocalize, raise the risks you think are critical to your government and critical infrastructure in your area.”

So far, the JCDC program has focused mostly on defending critical infrastructure — it was credited in part for a recent interruption of the REvil ransomware gang, which earlier this year attacked Colonial Pipeline. But on Thursday, CISA offered further details about how state and local cybersecurity and IT officials can get involved.

Officials who participate in the JCDC program are asked to contribute to the development of sector-wide and nationwide defensive and incident-response plans. At the state and local levels, CISA officials said, that work will likely address the continuity of government services and threats against elections and ransomware. The agency said it’s also looking for participants with specific subject-knowledge in several areas, especially elections and K-12 schools.

There are three levels of engagement in the Joint Cyber Defense Collaborative program, officials showed during the presentation — “alliance,” “specialist,” and “community of interest.” Participants at the highest level, “alliance,” are fully integrated into the program’s planning and operations, including committing some of their personnel and resources to the effort. CISA said state governments are automatically offered involvement at that level, which also includes several major IT and cyber vendors, including Amazon Web Services, Google Cloud, Mandiant and Microsoft.

“Those participating have a demonstrated ability to regularly collaborate and contribute,” said Moser, adding that an official designated by their state to participate in the JCDC will commit about “5 to 10%” of their time.

Those officials, according to a presentation accompanying the webinar, could include chief information and chief information security officers, public-safety and emergency-management personnel or members of a state National Guard.

Local governments, tribes and territories are being offered the “specialist” level, which focuses more on subject-matter expertise, such as schools, elections or a specific area of infrastructure. Moser called it a “choose-your-own-adventure route.”

The “community of interest” tier is offered to associations — like those representing government officials — and smaller local governments that might not have the resources or personnel to participate more fully.

CISA officials also said there’s “mobility” between levels of participation.