On Friday President Obama's Commission on Enhancing National Cybersecurity released its final report, which recommended policies and actions on a wide range of subjects. The Commission did not really break any new ground in its recommendations, but it presented an excellent summary of many of the ideas that are being discussed regularly to solve cybersecurity issues.
On February 9 of 2016, President Obama issued Executive Order 13718, calling for the creation of the Commission on Enhancing National Cybersecurity as part of the Cybersecurity National Action Plan (CNAP). The President and bipartisan congressional leadership selected 12 individuals to serve on the Commission:
- Tom Donilon, former Assistant to the President and National Security Advisor (Chair)
- Sam Palmisano, former CEO of IBM (Vice Chair)
- General Keith Alexander, CEO of IronNet Cybersecurity, former Director of the National Security Agency and former Commander of U.S. Cyber Command
- Annie Antón, Professor and Chair of the School of Interactive Computing at Georgia Tech
- Ajay Banga, President and CEO of MasterCard
- Steven Chabinsky, General Counsel and Chief Risk Officer of CrowdStrike
- Patrick Gallagher, Chancellor of the University of Pittsburgh and former Director of the National Institute of Standards and Technology
- Peter Lee, Corporate Vice President, Microsoft Research
- Herbert Lin, Senior Research Scholar for Cyber Policy and Security at the Stanford Center for International Security and Cooperation and Research Fellow at the Hoover Institution
- Heather Murren, former member of the Financial Crisis Inquiry Commission and co-founder of the Nevada Cancer Institute
- Joe Sullivan, Chief Security Officer of Uber and former Chief Security Officer of Facebook
- Maggie Wilderotter, Executive Chairman of Frontier Communications
The Commission delivered its report to the President on December 1, 2016, which contained a total of 16 recommendations and 53 associated action items noted as either "Short Term" or "Medium Term." The Commission did not put forth any long-term action items.
Principles, Findings, and Imperatives
The executive order asked the Commission to address a wide range of cybersecurity topics: federal governance, critical infrastructure, cybersecurity research and development, cybersecurity workforce, identity management and authentication, Internet of Things, public awareness and education, and state and local government cybersecurity. As their work moved forward, the Commission chose to add insurance and international issues to this list.
To guide their recommendations within these Imperatives, the Commission identified ten Foundational Principles:
- The growing convergence, interconnectedness, interdependence, and global nature of cyber and physical systems means that cybersecurity must be better managed in all contexts – international, national, organizational, and individual.
- As the global leader for innovation, the United States must be a standard-bearer for cybersecurity. This leadership requires investment in research and collaboration with other nations, including on international cybersecurity standards.
- The federal government has the ultimate responsibility for the nation's defense and security and has significant operational responsibilities in protecting the nation's rapidly changing critical infrastructure. The government also has cyber mission roles that need to be clarified, including better defining government (including individual agency) roles and responsibilities, and addressing missing or weak capabilities, as well as identifying and creating the capacity that is needed to perform these activities.
- Private sector and government collaboration before, during, and after an event is essential in creating and maintaining a defensible and resilient cyber environment.
- Responsibility, authority, capability, and accountability for cybersecurity and cyber risk management should be explicit and aligned with every enterprise's risk management and governance strategies.
- Effective cybersecurity depends on consumer and workforce awareness, education, and engagement in protecting their digital experience. This effort must be a continuous process and advance individuals' understanding and capabilities as vital participants in shaping their own—and the nation's—cybersecurity. Nevertheless, to the maximum extent possible, the burden for cybersecurity must ultimately be moved away from the end user—consumers, businesses, critical infrastructure, and others—to high-level solutions that include greater threat deterrence, more secure products and protocols, and a safer Internet ecosystem.
- Because human behavior and technology are intertwined and vital to cybersecurity, technologies and products should make the secure action easy and the less secure action more difficult.
- Security, privacy, and trust must be primary considerations at the outset, when new cyber-related technologies and policies are conceived, rather than auxiliary issues to be taken into account after they are developed. Improved privacy and trust, boosted by transparency and accountability, will contribute to the preservation of civil liberties.
- Despite their often-constrained resources, small and medium-sized business are essential stakeholders in any effort to enhance cybersecurity—particularly in light of their role in the supply chain—and their needs must be better addressed.
- The right mix of incentives must be provided, with a heavy reliance on market forces and supportive government actions, to enhance cybersecurity. Incentives should always be preferred over regulation, which should be considered only when the risks to public safety and security are material and the market cannot adequately mitigate these risks.
Through several public meetings, the Commission heard from a wide range of government and private sector experts and leaders, and, combined with their own expertise and that of their staff, identified several key findings:
- Technology companies are under significant market pressure to innovate and move to market quickly, often at the expense of cybersecurity.
- Organizations and their employees require flexible and mobile working environments.
- Many organizations and individuals still fail to do the basics.
- Offense and defense adopt the same innovations.
- The attacker has the advantage.
- Technological complexity creates vulnerabilities.
- Interdependencies and supply chain risks abound.
- Governments are as operationally dependent on cyberspace as the private sector is.
- Trust in fundamentals.
Based on the range of topics and findings and in order to create meaningful approaches grounded in the Foundational Principles, the Commission developed six "Imperatives" around which to structure their recommendations and the associated action items. Those Imperatives are:
- Protect, Defend, and Secure Today's Information Infrastructure and Digital Networks
- Innovate and Accelerate Investment for the Security and Growth of Digital Networks and the Digital Economy
- Prepare Consumers to Thrive in a Digital Age
- Build Cybersecurity Workforce Capabilities
- Better Equip Government to Function Effectively and Securely in the Digital Age
- Ensure an Open, Fair, Competitive, and Secure Global Digital Economy
The Commission's report brings forth a handful of key themes that the incoming administration is likely to acknowledge:
- Cybersecurity is a global, ubiquitous challenge for both government and the private sector, and, as such, requires an inclusive, transparent, and standards-based solutions approach;
- Cybersecurity is foundational to the global economy, and therefore the marketplace has the primary role in shaping and developing secure and innovative technology;
- Government's role should be limited, but clearly defined and consistent with its existing and historical mission to protect the nation and foster a secure digital economy.
It remains to be seen how closely the incoming administration will implement these recommendations, but the bipartisan nature of the Commissions, combined with the significant input from private sector leaders, is worth noting and may positively influence its acceptability.