The Commission on Enhancing National Cybersecurity, established by President Obama, has released its much-awaited Report on Securing and Growing the Digital Economy (December 1, 2016). The Commission was tasked with assessing the state of our nation’s cybersecurity and developing actionable recommendations for securing the digital economy, while at the same time protecting privacy, ensuring public safety and economic and national security, and fostering the development of new technical solutions.
The Commission sought to examine what is working well, what represents a challenge, and what needs to be done to incentivize and cultivate a culture of cybersecurity in the public and private sectors. The Commission found that while the interconnectedness of the digital ecosystem creates unparalleled value for society, technological advancement is outpacing security and will continue to do so unless the government and the private sector change how they approach and implement cybersecurity strategies and practices.
Among the observed challenges, the Commission pointed out that technology companies are under significant market pressure to innovate and move to market quickly, often at the expense of cybersecurity. An example of this would be the widely used Internet-of-Things (IoT) devices, ranging from pacemakers to fitness trackers to smart home devices, many of which do not provide sufficient security.
Another challenge is represented by mobile working environments. The Commission observed that gone are the days when employees performed work only at an office using an organization-issued (and controlled) desktop computer, yet many organizations still fail to properly secure mobile devices. Moreover, today, no organization is an island, and few are able to function without connecting to vendors, customers, and partners in multiple global supply chains. These developments are making the classic concept of the security perimeter largely obsolete.
The Commission also found that malicious actors continue to benefit from organizations’ and individuals’ reluctance to prioritize basic cybersecurity activities and practices that could help mitigate risk. This is especially troublesome given that some threats against businesses today come from teams of highly skilled attackers who can spend months carefully planning and carrying out an intrusion.
The Report is organized around six major imperatives, which together contain a total of 16 recommendations and 53 associated action items. The imperatives are:
- Protect, defend, and secure today’s information infrastructure and digital networks.
- Innovate and accelerate investment for the security and growth of digital networks and the digital economy.
- Prepare consumers to thrive in a digital age.
- Build cybersecurity workforce capabilities.
- Better equip government to function effectively and securely in the digital age.
- Ensure an open, fair, competitive, and secure global digital economy.
The Commission observed that most of its proposed solutions require joint public-private action in order to encourage the technology, policies, and practices needed to enhance the security of the growing digital economy. It remains to be seen which of these recommendations and action items the Trump Administration will act upon, but the collaboration between the public and private sectors will undoubtedly increase in the coming years.
Below are the highlights of some of the Report’s recommendations and action items that, if adopted, will impact business.
- Companies should be encouraged to share with the government information about any large-scale threat they detect in their systems so that the government and industry can coordinate an appropriate response. Conversely, the government should share actionable intelligence that could aid companies in managing their cyber risk. As part of this initiative, the President is called upon to create, through executive order, the National Cybersecurity Private-Public Program (NCP) as a forum for addressing cybersecurity issues through a high-level, joint public-private collaboration.
- The Administration should launch a national public-private initiative to achieve major security and privacy improvements by increasing the use of strong authentication to improve identity management. Identity, especially the use of passwords, has been the primary vector for cyber breaches. The shared goal of both the public and private sectors should be that compromises of identity will be eliminated as a major attack vector by 2021. This will require a fundamental shift in thinking on the part of designers and those responsible for cybersecurity toward making authentication stronger and simple to use.
- Regulatory agencies should harmonize existing and future regulations with the Cybersecurity Framework to focus on risk management – reducing industry’s cost of complying with prescriptive or conflicting regulations that may not aid cybersecurity and may unintentionally discourage rather than incentivize innovation.
- Companies should develop “conformity assessment programs” that are effective and efficient, and that support the international trade and business activities of U.S. companies. Conformity assessment is an approach by which organizations determine and demonstrate that they are exercising diligence with regard to cybersecurity. To be meaningful, the assessment regime must promote meaningful results and outcomes, rather than simply affirming that a review has been conducted.
- The government should extend additional incentives (e.g., tax incentives, government procurement incentives) to companies that have implemented cyber risk management principles and demonstrate collaborative engagement.
- The federal government and private-sector partners must join forces to rapidly improve the security of the Internet of Things (IoT). As part of this initiative, the President is called upon to issue, within 60 days, an executive order directing NIST to work with industry and voluntary standards organizations to identify existing standards, best practices, and gaps for deployments ranging from critical systems to consumer/commercial uses – and to jointly and rapidly agree on a comprehensive set of risk-based security standards.
- Companies in the IT and communications sectors need to work with consumer organizations and the Federal Trade Commission (FTC) to provide consumers with better information so that they can make informed decisions when purchasing and using connected products and services.
- To improve consumers’ purchasing decisions, an independent organization should develop the equivalent of a cybersecurity “nutritional label” for technology products and services – ideally linked to a rating system of understandable, impartial, third-party assessment that consumers will intuitively trust and understand.
- The government and private sector should focus on educating and developing cybersecurity professionals. According to “The 2015 (ISC)² Global Information Security Workforce Study,” 5 million more cybersecurity professionals will be needed globally by 2020. To close the existing sizeable gap between open positions and qualified applicants, employers will be expected to provide on-the-job training. Additionally, the President is called upon to initiate a national cybersecurity workforce program to train 100,000 new cybersecurity practitioners by 2020.
- Within the first 180 days in office, the next President is called upon to appoint an Ambassador for cybersecurity to lead U.S. engagement with the international community on cybersecurity strategies, standards, and practices. This includes amending U.S. laws to facilitate trans-border access to electronic evidence “for limited legitimate investigative purposes” and reaching bilateral agreements with other countries that eliminate conflicts of laws, allowing each nation, under certain conditions, to have its requests for copies of data honored by companies in the other nation.
Recognizing that the next President and Administration will bear the burden of leadership in following up on most of the Report’s recommendations, the Commission urged the private sector to evaluate what it can and must begin doing immediately, rather than delaying efforts to improve its digital security and resilience while the Commission’s recommendations are being considered.