The President’s Commission on Enhancing National Cybersecurity, submitted their long-awaited report in December. The report, 100 pages in length, identified 16 recommendations and 53 related actions which the Commission believes will enhance the cybersecurity of the United States. The executive branch has 45 days to review and provide a response by 15 January 2017. The commission had 12 commissioners representing a variety of professional points of view.
Background – the February 2016 Executive Order
The Commission was formed following a February 9, 2016 Executive Order forming the Commission. The Commission was specifically charged with the development of recommendations regarding:
- How to bolster the protection of systems and data, including how to advance identity management, authentication, and cybersecurity of online identities, in light of technological developments and other trends.
- Ensuring cybersecurity is a core element of the technologies associated with the Internet of Things and cloud computing, and that the policy and legal foundation for cybersecurity in the context of the Internet of Things is stable and adaptable.
- Further investments in research and development initiatives that can enhance cybersecurity.
- Increasing the quality, quantity, and level of expertise of the cybersecurity workforce in the Federal Government and private sector, including through education and training.
- Improving broad-based education of commonsense cybersecurity practices for the general public.
- Any other issues that the President, through the Secretary of Commerce (Secretary), requests the Commission to consider.
President Obama was delighted with the work of the Commision. In his statement, he commented, how the “Commission’s recommendations are thoughtful and pragmatic. Accordingly, my Administration strongly supports the Commission’s work, and we will take additional action wherever possible to build on the work my Administration has already undertaken and to make progress on its new recommendations before the end of my term. Importantly though, I believe that the next Administration and the next Congress can benefit from the Commission’s insights and should use the Commission’s recommendations as a guide.”
And while President Obama was pleased with the 100 page report, some found the Commission used a broad brush approach in the creation of their recommendations and accompanying action items and demonstrated a lack of cyber reality on the part of commissioners. CEO of Errata Security Robert Graham, appropriately called out a few of these in his clearly labeled posting “The ‘Commission on Cyber Security’ is absurd.” Graham’s blog calls out how the narrative surrounding the 16 recommendations aptly demonstrates the need for enhanced understanding of the topic of cybersecurity by the Commission. His critique makes a cogent argument as to how it would appear the members of the Commission did not scrub their recommendations and findings for concordance with technological realities of how technology actually works; a propensity for buzz-word-bingo with respect to public-private partnerships; and a lack of visibility into the fiscal realities faced by the small-medium businesses of the United States.
That said, one can not deny that the adoption of enhanced authentication methodologies would have a positive effect in securing applications and access to data, yet the cost of implementation while individually modest, is significant when the laws of large numbers are applied. Similarly, the adoption of the cybersecurity framework across government is the right direction, save for the fact the government as a whole is experiencing a shortage of personnel with the requisite cybersecurity skills. The solution, is an additional 100,000 cybersecurity professionals within the government space within three years, 2020.
Between now and January 15, 2017, we’ll see numerous points of view provided on the Commission’s recommendations, some will no doubt find fault, while others will sing its praises. Shortly after January 20, we should be able to determine if this effort will be adopted, adjusted or filed in the circular file by the incoming administration and congress.
A read of the report by every individual involved in IT security will not be time wasted. The Commission’s recommendations and calls to action are worthy of deeper discussion.
The Commission’s 16 Recommendations:
- Imperative 1: Protect, Defend, and Secure Today’s Information Infrastructure and Digital Networks
- Recommendation 1.1: The private sector and the Administration should collaborate on a roadmap for improving the security of digital networks, in particular by achieving robustness against denial-of-service, spoofing, and other attacks on users and the nation’s network infrastructure.
- Recommendation 1.2: As our cyber and physical worlds increasingly converge, the federal government should work closely with the private sector to define and implement a new model for how to defend and secure this infrastructure.
- Recommendation 1.3: The next Administration should launch a national public–private initiative to achieve major security and privacy improvements by increasing the use of strong authentication to improve identity management.
- Recommendation 1.4: The next Administration should build on the success of the Cybersecurity Framework to reduce risk, both within and outside of critical infrastructure, by actively working to sustain and increase use of the Framework.
- Recommendation 1.5: The next Administration should develop concrete efforts to support and strengthen the cybersecurity of small and medium-sized businesses (SMBs).
- Imperative 2: Innovate and Accelerate Investment for the Security and Growth of Digital Networks and the Digital Economy
- Recommendation 2.1: The federal government and private sector partners must join forces rapidly and purposefully to improve the security of the Internet of Things (IoT).
- Recommendation 2.2: The federal government should make the development of usable, affordable, inherently secure, defensible, and resilient/recoverable systems its top priority for cybersecurity research and development (R&D) as a part of the overall R&D agenda.
- Imperative 3: Prepare Consumers to Thrive in a Digital Age
- Recommendation 3.1: Business leaders in the information technology and communications sectors need to work with consumer organizations and the Federal Trade Commission (FTC) to provide consumers with better information so that they can make informed decisions when purchasing and using connected products and services
- Recommendation 3.2: The federal government should establish, strengthen, and broaden investments in research programs to improve the cybersecurity and usability of consumer products and digital technologies through greater understanding of human behaviors and their interactions with the Internet of Things (IoT) and other connected technologies.
- Imperative 4: Build Cybersecurity Workforce Capabilities
- Recommendation 4.1: The nation should proactively address workforce gaps through capacity building, while simultaneously investing in innovations—such as automation, machine learning, and artificial intelligence— that will redistribute the future required workforce.
- Imperative 5: Better Equip Government to Function Effectively and Securely in the Digital Age
- Recommendation 5.1: The federal government should take advantage of its ability to share components of the information technology (IT) infrastructure by consolidating basic network operations.
- Recommendation 5.2: The President and Congress should promote technology adoption and accelerate the pace at which technology is refreshed within the federal sector.
- Recommendation 5.3: Move federal agencies from a cybersecurity requirements management approach to one based on enterprise risk management (ERM).
- Recommendation 5.4: The federal government should better match cybersecurity responsibilities with the structure of and positions in the Executive Office of the President.
- Recommendation 5.5: Government at all levels must clarify its cybersecurity mission responsibilities across departments and agencies to protect and defend against, respond to and recover from cyber incidents.
- Imperative 6: Ensure an Open, Fair, Competitive, and Secure Global Digital Economy
- Recommendation 6.1: The Administration should encourage and actively coordinate with the international community in creating and harmonizing cybersecurity policies and practices and common international agreements on cybersecurity law and global norms of behavior.