The Center for Strategic & International Studies (CSIS) released the final report of the Commission on Cybersecurity for the 44th Presidency on Monday, December 8, 2008 (PDF available at http://www.csis.org/tech/cyber/). CSIS organized the Commission, made up of information security experts from a variety of backgrounds, in August of 2007. Over the past 16 months, the Commission held four plenary meetings, along with numerous briefings, working group meetings, and drafting sessions. The resulting report provides the incoming administration with 25 recommendations that build on the National Strategy to Secure Cyberspace from 2003.
The Commission approached the issue of cybersecurity in a comprehensive and holistic manner, looking broadly at all aspects of security in cyberspace. In its conclusion, the Commission noted that while "[c]ybersecurity is among the most serious economic and national security challenges we face in the twenty-first century", the overall security situation can be improved in "relatively short order." More importantly, the Commission noted that "the effort to improve cybersecurity offers the opportunity to rethink how the federal government operates and to build collaboration across organizational boundaries."
The notion of collaboration runs throughout the specific recommendations from the Commission, which fall into the following 7 broad categories: Create a Comprehensive National Security Strategy for Cyberspace, Organizing for Cybersecurity, Rebuilding Partnership with the Private Sector, Regulate for Cybersecurity, Identity Management for Cybersecurity, Modernize Authorities, and Build for the Future.
Key recommendations include:
- appointing an assistant to the President on cyberspace, who would be supported by a new National Office of Cyberspace (NOC)
- assessing statutes governing criminal investigations of online crime in order to increase clarity, speed investigations, and better protect privacy
- developing regulations for industrial control systems (ICS) through the NOC working with regulatory agencies and NIST
- developing and implementing "security guidelines for the procurement of IT products"
- increasing the use of secure Internet protocols, both domestically (e.g., via requirements for agencies to only contract with entities that use such protocols) and internationally (e.g., via working with like-minded nations and international standards bodies to expand the use of such protocols)
- making "strong authentication of identity, based on robust in-person proofing and thorough verification of devices, a mandatory requirement for critical cyber infrastructures"
Marc Zwillinger, the Chair of the Internet, Communications, and Data Protection (ICDP) practice group at Sonnenschein, participated as a Commissioner and was extensively involved on various working groups. Randy V. Sabett, a partner in the ICDP practice group at Sonnenschein, participated as a Commissioner; co-chaired the Federal Organization, Strategy, and Doctrine Working Group; and contributed to several other working groups.