The President’s Commission on Enhancing National Cybersecurity (the “Commission”) recently issued a thoughtful report on improving the United States’ cybersecurity posture. (The full report can be read here.) The majority of the Commission’s recommendations would require action by the Trump Administration but may nonetheless prove influential. The Commission was charged under President Obama’s February 2016 Executive Order 13718 with “mak[ing] detailed recommendations to strengthen cybersecurity in both the public and private sectors while protecting privacy, ensuring public safety and economic and national security, fostering discovery and development of new technical solutions” and enhancing partnerships between the private sector and all levels of government.
As part of its cybersecurity study, the Commission conducted several open meetings and issued a request for information. The Commission also analyzed previous federal agency and legislative cybersecurity reports and initiatives, although it found that many of these previous reports’ recommendations were unrealistic. The Commission focused its study on ten topics: federal governance; critical infrastructure; cybersecurity research and development; cybersecurity workforce; identity management and authentication; Internet of Things (IoT); public awareness and education; state and local government cybersecurity; insurance; and international issues.
In preparing its recommendations, the Commission analyzed cybersecurity issues through a set of principles that are useful for any organization when considering cybersecurity issues. Some principles include:
- Responsibility, authority, capability and accountability for cybersecurity and cyber risk management should be explicit and aligned within an enterprise’s risk management and governance strategy.
- Effective cybersecurity depends on consumer and workforce awareness, education, and engagement in protecting their digital experience.
- Technologies and products should make the secure action the easy option as users continue to rely on defaults and human behavior tends to follow the “easy” option.
- Security, privacy, and trust must be primary considerations at the outset when new cyber-related technologies and policies are conceived.
The Commission identified a number of hurdles that create challenges—in both the public and private sectors—to implementing effective cybersecurity measures.
- First to market pressures. The drive to bring products to market quickly often leads to cybersecurity being an afterthought. While security features may be added later through product updates, the result is a lower level of security when compared to products for which security was integrated into product development.
- Flexible and mobile work environments introduce cyber risk. The myriad devices that now connect to an organization’s network, from employees’ personal mobile devices to vendors’ devices, hamper an enterprise’s ability to protect its networks. As the Commission stated, “[T]he classic concept of the security perimeter is largely obsolete.”
- Many organizations and individuals fail to implement basic security measures.
- Complexity creates vulnerabilities. As the size and complexity of software and devices and their supply chains grow, so too does the number of vulnerabilities. Systems and software must be managed and updated, which becomes difficult as the environment expands; this applies not only to legacy systems but also to new classes of systems, such as IoT devices.
The Commission organized its findings and recommendations into six issue areas. The areas and some of the key recommendations under each follow.
1. Protect, defend, and secure today’s information infrastructure and digital networks:
- The public and private sectors must collaborate to protect networks and infrastructure. The Commission recommends the creation of a National Cybersecurity Private-Public Program to define the cybersecurity roles of the respective sectors, share classified information, and conduct and improve training. The federal government should build on and improve its information sharing programs and should work with industry to identify statutes, rules, and policies that discourage the private sector from sharing cyber information (e.g., FOIA, use in civil discovery or regulatory enforcement action, waiver of attorney-client privilege). The new administration should build on the NIST Cybersecurity Framework, and regulatory agencies should harmonize their regulations with the Cybersecurity Framework (which would both simplify and enhance cybersecurity compliance).
2. Innovate and accelerate investment for the security and growth of digital networks and the digital economy:
- The federal government and private sector partners should work together to improve security in IoT devices, such as through the creation of voluntary standards, which agencies should consider when undertaking rulemakings. Federal agencies should initiate an interagency study to evaluate “the current state of the law with regard to liability for harm caused by faulty IoT devices and provide recommendations” to incentivize companies to design secure products.
3. Prepare consumers to thrive in the digital age:
- The private sector should work with the FTC to identify ways to provide consumers, through a public awareness campaign, with better information so consumers can make informed decisions when purchasing and using connected products and services. This campaign should be coupled with security improvements in devices and systems. The Commission recommends an independent organization develop a “cybersecurity nutrition label” for technology products and services. The FTC, working with industry and consumer advocates, should develop a Consumer’s Bill of Rights and Responsibilities for the Digital Age that would improve consumer education, clarify privacy protections and how information is used, and identify products’ security attributes.
4. Build cybersecurity workforce capabilities:
- The federal government should launch a national cybersecurity workforce program to train new cybersecurity practitioners.
5. Better equip government to function effectively and securely in the digital age:
- Federal civilian agencies should be allowed to consolidate and share network connections while moving to an enterprise risk management approach for handling cybersecurity. Government at all levels must clarify cybersecurity mission responsibilities across departments and agencies for protecting against, defending against, responding to, and recovering from cyber incidents; to accomplish this, the next administration should issue a National Cybersecurity Strategy, while Congress should consider consolidating cybersecurity and infrastructure protection functions under a single federal agency.
6. Ensure an open, fair, competitive, and secure global digital economy:
- The Administration should work with the international community to harmonize cybersecurity policies and practices. The next administration should appoint an Ambassador for Cybersecurity to engage the international community on cybersecurity issues. NIST and the Department of State should work with international partners to develop cybersecurity standards and to promote the NIST Cybersecurity Framework’s risk management approach.
Most of these recommendations are both thoughtful and non-ideological. It remains to be seen whether the Trump Administration will embrace them, although they sketch out many areas for potential progress. The Commission’s recommendations also make interesting reading for private sector businesses, both for the strategies they propose to improve cybersecurity at the federal level and for their implications for private sector networks, products, and services.