On December 1, 2016, the US Commission on Enhancing National Cybersecurity (the “Commission”) presented its final report to President Obama, Report on Securing and Growing the Digital Economy. While directed to President Obama, the report is also intended to be a helpful guide for the next administration on “strengthening cybersecurity in the public and private sectors,” with “actionable recommendations” that “can and should begin in the near term.”

Background

The Commission was established by President Obama in February 2016 through Executive Order 13718. The Commission included 12 representatives from the private sector, civil society and academia, along with several current and former government officials. The Commission was charged with making “detailed recommendations to strengthen cybersecurity in both the public and private sectors while protecting privacy, ensuring public safety and economic and national security, fostering discovery and development of new technical solutions, and bolstering partnerships between Federal, State, and local government and the private sector in the development, promotion, and use of cybersecurity technologies, policies, and best practices.” To accomplish this goal, the Commission held six public meetings and received more than 100 comments in response to its request for information.

Structure

The Commission’s report is organized around six imperatives:

  1. Protect, defend and secure today’s information infrastructure and digital networks.
  2. Innovate and accelerate investment for the security and growth of digital networks and the digital economy.
  3. Prepare consumers to thrive in a digital age.
  4. Build cybersecurity workforce capabilities.
  5. Better equip government to function effectively and securely in the digital age.
  6. Ensure an open, fair, competitive and secure global digital economy.

Encompassed within these general themes are 16 recommendations and 53 associated action items. According to the report, “[e]ach recommendation is designed to have a major impact, and each action item is meant as a concrete step toward achieving that impact. . . . Some are directed at government, some at the private sector, and many at both.” The Commission envisions that some of its recommendations deserve “action within the first 100 days of the new Administration.”

Many recommendations address private sector activity or government activity directed at the private sector. To respond to the cybersecurity challenges facing the United States, the Commission recognized that “most solutions require joint public-private action,” and the Commission specifically emphasized that “joint collaboration between the public and private sectors before, during, and after a cyber event must be strengthened.” The private sector “cannot operate in isolation.”

The Commission also identified 10 principles that informed its recommendations. Some of these principles have particular relevance for private sector entities. For example, one principle recognized that the federal government bears “ultimate responsibility for the nation’s defense and security and has significant operational responsibilities in protecting the nation’s rapidly changing critical infrastructure.” Other principles included the need to prioritize security, privacy and trust in the creation of new technology products and that “incentives should always be preferred over regulation” to enhance cybersecurity. The Commission also identified several factual findings that reflect the situation facing many private sector companies confronting cybersecurity threats. The Commission noted the “significant market pressure” that companies face to innovate and bring products to market quickly and the fact that “[o]rganizations and their employees require flexible and mobile working environments.”

Three sections of the report should be of particular interest to companies. Imperatives one, two and six explicitly address private sector concerns, activities and responsibilities. The other imperatives primarily discuss recommended actions for the federal government to undertake to improve its own internal cybersecurity and the nation’s overall cybersecurity posture.

Imperative One: Protect, Defend and Secure Today’s Information Infrastructure and Digital Networks

Under this imperative, the Commission recommended several action items that involve or impact the private sector.

For example, the Commission recommended that the federal government and private sector engage in a significant, joint effort to develop and implement strategies for more coordinated responses to cyber incidents and better mitigation efforts. This initiative would be modeled on the Department of Commerce’s multi-stakeholder processes and would address “the impact of botnets, including denial-of-service attacks, and then expand to address other malicious attacks on users and the network infrastructure.” The Commission also recommended establishing a separate public-private forum to focus on defining respective roles for government and companies in supporting national cybersecurity, expanding public-private information sharing to address cyber supply chain issues and creating a public-private initiative devoted to confronting problems posed by “disruptions of wireless communications.”

The Commission also recommended that the government evaluate providing enhanced legal liability protections to private sector companies sharing “information about their risk management practices.” The Commission specifically suggested that the Department of Homeland Security (“DHS”) collaborate with the private sector to “identify changes in statutes, regulations or policies” that could reduce the legal exposure inherent in such sharing. The Commission highlighted possible protection from requests under FOIA, disclosure in civil discovery, use in regulatory investigations or actions, and waiver of the attorney-client privilege.

The Commission also recommended efforts to sustain and expand the use of the voluntary NIST Cybersecurity Framework. Such efforts could include establishing a working group to develop metrics that quantify the Cybersecurity Framework’s benefits, “extend[ing] additional incentives to companies that have implemented cyber risk management principles” and requiring agencies to “harmonize existing and future regulations with the Cybersecurity Framework to focus on risk management.” According to the Commission, this last action could help “reduc[e] industry’s cost of complying with prescriptive or conflicting regulations that may not aid cybersecurity and may unintentionally discourage rather than incentivize innovation.”

The Commission also devoted a recommendation to actions that could enhance the cybersecurity of small and medium-sized businesses (“SMBs”). Associated action items include expanding support for SMBs using the Cybersecurity Framework, evaluating the Framework’s “cost-effectiveness specifically for SMBs” and developing “practical guides needed by small and medium-sized companies that have limited technical capabilities, time, and resources.”

Imperative Two: Innovate and Accelerate Investment for the Security and Growth of Digital Networks and the Digital Economy

Under this imperative, the Commission recommended that the federal government and private sector take several specific steps to “improve the security of the Internet of Things” (“IoT”).

For example, the Commission suggested that the President issue an executive order “directing NIST to work with industry and voluntary standards organizations to . . . jointly and rapidly agree on a comprehensive set of risk-based security standards, developing new standards where necessary” for critical, commercial and consumer IoT systems. The Commission also recommended that agencies evaluate whether such new or existing standards are adequately implemented by their regulated entities and, if not, “initiate any appropriate rule making to address the gaps.” The Commission also recommended that the Industrial Control Systems Cyber Emergency Response Team (“ICS-CERT”) “develop and communicate guidelines for IoT cybersecurity and privacy best practices for rapid deployment and use.” Finally, the Commission recommended that the Department of Justice “lead an interagency study,” in collaboration with interested private-sector parties, “to assess the current state of the law with regard to liability for harm caused by faulty IoT devices.”

Imperative Six: Ensure an Open, Fair, Competitive and Secure Global Digital Economy

Here the Commission articulated actions that the government should take to promote American leadership on cybersecurity on an international basis.

For example, the Commission recommended that President-elect Trump during his term appoint an “Ambassador for Cybersecurity to lead U.S. engagement with the international community on cybersecurity strategies, standards, and practices.” The Commission also recommended that the government “increase its engagement in the international standards arena to garner consensus from other nations and promote the use of sound, harmonized cybersecurity standards.” Relatedly, the Commission recommended that the Department of State continue its efforts to “promote peacetime cybersecurity norms of behavior.”

Additional recommendations relevant to the private sector include promoting adoption of the NIST Cybersecurity Framework by international partners; reform of the Mutual Legal Assistance Treaty Process, which facilitates foreign requests for data held in the United States; and passage of proposed legislation that would provide “a speedier alternative for qualifying governments to obtain extraterritorial communications data related to preventing, detecting, investigating, or prosecuting serious crimes.”

Conclusion

This report’s recommendations reveal the advanced state of the threats confronting the United States as well as the necessity for cooperation between the public and private sectors to address these threats. The report provides a detailed roadmap of significant issues for the Trump administration, which will determine whether and how to implement any of the Commission’s suggestions.