On August 5, 2021, the Cybersecurity and Infrastructure Security Agency (CISA) announced the standup of the Joint Cyber Defense Collaborative (JCDC), a new agency effort to lead the development of cyber defense operations plans. The agency’s objective is to execute cyber defense operations plans in coordination with partners from the federal interagency, private sector, and state, local, tribal, territorial (SLTT) government stakeholders to drive down risk before a security incident and to unify defensive actions should an incident occur.
CISA is establishing the JCDC to integrate unique cyber capabilities across multiple federal agencies, many state and local governments, and countless private sector entities to achieve shared objectives. Specifically, the JCDC will:
- Design and implement comprehensive, whole-of-nation cyber defense plans to address risks and facilitate coordinated action;
- Share insight to shape joint understanding of challenges and opportunities for cyber defense;
- Implement coordinated defensive cyber operations to prevent and reduce impacts of cyber intrusions; and
- Support joint exercises to improve cyber defense operations.
Splunk welcomes the rollout of the JCDC, spearheaded by CISA Director Jen Easterly, as a significant step forward in leveraging collaborative data and defense to battle cyber attacks from criminal organizations and nation states. Critical to the success of the initiative will be the technical infrastructure that is built to support information sharing and collaboration. Given the increased sophistication of attacks and the rapidly increasing cyber defense surface area, this infrastructure must support cloud-based intelligence management to automate timely sharing of threat-relevant data. Cloud-based intelligence management is not necessarily new, but automating sharing for fusing and operationalizing cyber intelligence is.
In the aftermath of the 9/11 attacks, the Intelligence Community’s (IC) information sharing faults were exposed; intelligence relevant to the plot was fragmented across several intelligence agencies, creating stovepipes. James Clapper, director of national intelligence, and Al Tarasiuk, IC’s chief information officer, championed the vision of a cloud-based information sharing and intelligence management platform for the IC. The IC’s cloud-based operations have been in place for nearly a decade and have contributed to success defending against more conventional threats like terrorism and countering weapons of mass destruction. Splunk applauds the creation of the JCDC as it can learn from these lessons in the Counter Terrorism (CT) space and bring them to the cyber domain.
The importance of information sharing is especially critical as the DHS and IC have struggled with cyber intelligence sharing as demonstrated by the insidious SolarWinds attack. The challenge of managing intelligence in cyberspace extends beyond the IC to the rest of the federal government, critical infrastructure and the private sector at large. The JCDC will also struggle if it is dependent on human-centric, manual collaboration since humans can’t normalize, transform, correlate and prioritize event data in threat-relevant timelines. Success will depend on automating the flow of information between parties against these timelines.
To achieve true success, the cloud-based information infrastructure to support the JCDC should include four key features:
- No-code intelligence workflows to collect, prepare, normalize, and prioritize data from across internal and external sources;
- Permissions-based enclaves to collect and preserve relevant data (as called for in President Biden’s May 12 Executive Order);
- Automated dissemination of data to parties ranging from government agencies, private sector companies, and information sharing organizations such as Information Sharing and Analysis Centers (ISACs); and
- The ability to automatically identify and redact PII.
The combination of these capabilities will address the challenges we've faced and build a foundation for expected attacks in the future. The platform, which underpins JCDC’s technical infrastructure, must be extensible, and able to accommodate new security tools and sources against an ever-evolving set of attacks. The platform should be able to ingest data from a variety of sources including IT monitoring and observability platforms for more comprehensive situational awareness. This combination of features allows for agile responses during quickly evolving attacks (e.g., Colonial Pipeline) and better resilience during more insidious, slower attacks (e.g., SolarWinds). We need to share data quickly to address immediate threats, and also “collect and preserve” data, as stated in Biden’s Executive Order on improving the nation's cybersecurity, to expeditiously look back on past event data and piece together attacks that evolved slowly. The JCDC is well positioned to move the nation towards these important goals.
These feature sets are available today through Splunk Cloud Platform™.