On December 1, the nonpartisan Commission on Enhancing National Cybersecurity (Commission) released a report on securing and growing the national economy. This report includes six imperatives for enhancing cybersecurity (and suggested action items to support each imperative) that will require significant commitment, cooperation, and collaboration between the public and private sector to implement.

US President Barack Obama charged the Commission with identifying ways to enhance cybersecurity while

  • protecting privacy;
  • ensuring public safety and economic and national security;
  • fostering discovery and development of new technical solutions; and
  • bolstering partnerships between federal, state, and local governments and the private sector in developing, promoting, and using cybersecurity technology, policies, and best practices.

The Imperatives

The Commission found six major imperatives containing 16 recommendations and 53 action items in the report.

The imperatives are the following:

  1. Protect, defend, and secure today’s information infrastructure and digital networks.
  2. Innovate and accelerate investment for the security and growth of digital networks and the digital economy.
  3. Prepare consumers to thrive in a digital age.
  4. Build cybersecurity workforce capabilities.
  5. Better equip government to function effectively and securely in the digital age.
  6. Ensure an open, fair, competitive, and secure global digital economy.

Areas of Focus

The Commission studied 10 cybersecurity topics (eight from the executive order and two more identified by the Commission), taking into account broader trends and issues.

The topics are the following:

  1. Federal Governance
  2. Critical Infrastructure
  3. Cybersecurity Research and Development
  4. Cybersecurity Workforce
  5. Identity Management and Authentication
  6. Internet of Things
  7. Public Awareness and Education
  8. State and Local Government Cybersecurity
  9. Insurance
  10. International Issues

Findings

Upon studying the key cybersecurity issues that face the United States, the Commission made the following broad findings:

  1. Technology companies are under significant market pressure to innovate and move to market quickly, often at the expense of cybersecurity. This creates vulnerabilities due to businesses prioritizing being the “first to market” over being “secure to market.”
  2. Organizations and their employees require flexible and mobile working environments. Due to businesses’ growing reliance on mobile technologies to function, there is an important need for security for such devices to catch up to the security for other computing platforms.
  3. Many organizations and individuals still fail to do the basics.
  4. Both “offense” and “defense” adopt the same innovations. As new capabilities emerge in fields such as automation, artificial intelligence, and quantum computing, there is no doubt that malicious actors such as criminals and nations with adverse interests will use such capabilities to their advantage.
  5. The attacker has the advantage. While businesses and individuals need to expend time, effort, and cost to protect all their devices, malicious actors only need to access one.
  6. Technological complexity creates vulnerabilities. As technology grows and expands with a growing number of products and updates, so too does the opportunity for gaps and vulnerabilities to form.
  7. Interdependencies and supply chain risks abound. The increasing complexity and number of products and updates also increases the issues that arise from people and different business sectors trying to work together.
  8. Governments are as operationally dependent on cyberspace as the private sector. The government also faces additional issues such as a large legacy IT base, an outdated procurement process, and being tied to the legislative budget process.
  9. Trust is fundamental. Individuals and businesses need to trust in technology, and the companies that provide it, for the digital economy to succeed. Such trust is compromised by corporate and personal data breaches that are increasingly in the public awareness.