On December 1, the U.S. Commission on Enhancing National Cybersecurity (Commission) released its Report on Securing and Growing the Digital Economy (Report), the conclusion of an intensive 10-month study. The nonpartisan, 12-person Commission was first established in February 2016 by President Obama, with the charge to develop bold, actionable steps for securing the nation’s digital economy. The Report makes clear that cybersecurity is foundational to the global economy and therefore, going forward, it should be a preeminent priority for both government and the private sector.
The Commission urged immediate action, with goals to implement most action items within two to five years and others within the first 100 days of the next administration. The Commission emphasized that its prescriptions are not distinct and mutually exclusive; rather, they should be viewed as one interconnected whole. The Report detailed six imperatives, summarized below, outlining 53 action items:
- Protect, defend and secure today’s information infrastructure and digital networks. Substantive public-private sharing of risk management practices will improve overall cybersecurity. Action items centered on formalizing public-private sector collaboration, including the creation of several public-private sector programs and forums. The Department of Homeland Security was charged with working directly with private companies to identify changes in statutes, regulations and policies.
- Innovate and accelerate investment for the security and growth of digital networks and the digital economy. The Commission stressed that security, privacy and trust must be primary considerations at the outset in designing and developing new technologies, particularly devices and systems that are part of the “Internet of Things.” The Report encouraged federal government and private sector partners to collaborate to rapidly and purposefully improve the security of the Internet of Things.
- Prepare consumers to thrive in a digital age. The Commission concluded that raising awareness must be a core aim of any cybersecurity strategy and suggested that cybersecurity should be intuitive, demanding a minimum amount of extra thought and effort from consumers.
- Build cybersecurity workforce capabilities. The Commission called on the next administration to initiate a workforce program to train 100,000 new cybersecurity practitioners by 2020, and a separate initiative targeting traditional four-year universities and two-year community colleges to train an additional 50,000 new cybersecurity practitioners by 2020.
- Better equip government to function effectively and securely in the digital age. The Report concluded that the federal government has the ultimate responsibility for national defense and security, and it has significant operational responsibilities in protecting the nation’s rapidly changing critical infrastructure. The Commission emphasized incorporating cybersecurity requirements into an agency’s core functions and capabilities, rather than conceptualizing security as a separate after-the-fact checklist.
- Ensure an open, fair, competitive and secure global digital economy. The Commission urged that the United States must be a standard-bearer for cybersecurity and should encourage and actively coordinate the creation of an international cybersecurity system, including the development of technical standards, conformance requirements and coordinated incident response; increased multilateral legal cooperation; continued progress toward international consensus on applying international law to cyberspace; and formalization of communication channels.
The Commission recognized that the next president and administration will bear the burden of taking these recommendations forward. But the Report’s central themes demonstrate that companies and individuals should not delay their own efforts to improve digital security and resilience.