WASHINGTON—To protect and continue to expand the digital economy, the next U.S. president must strengthen collaboration between the public and private sectors before, during and after cybersecurity events, according to a new report released today by a blue-ribbon Presidential Commission.
“When it comes to cybersecurity, organizations cannot operate in isolation. It is impossible to stop all attacks. Resilience must be a core component of any cybersecurity strategy,” the commissioners said in their report.
The Commission on Enhancing National Cybersecurity was established by President Obama (Executive Order 13718) with the explicit purpose of making recommendations to strengthen cybersecurity in both the public and private sectors.
The 90-page report emphasizes the need for partnerships between the public and private sectors, as well as international engagement. It also discusses the role consumers must play in enhancing our digital security. The report categorizes its recommendations within six overarching imperatives focused on infrastructure, investment, consumer education, workforce capabilities, government operations, and requirements for a fair and open global digital economy.
Noting that “the attacker has the advantage,” the commission laid out actions that government, industry and consumers can take to more effectively address a range of cybersecurity threats, from nation-state breaches of government infrastructure to denial-of-service attacks that exploit the “Internet of Things” (IoT).
Given “the urgency of the challenges facing our nation,” the commission said many of its recommendations should and could be initiated in the new administration’s first 100 days.
Examples of specific recommendations include:
- creating a new civilian component agency, or repurposing an existing one, to serve as a fully operational cybersecurity and critical infrastructure protection agency that would, among other things, administer a consolidated federal network;
- forming a national public-private initiative to improve digital identity management;
- launching a new cybersecurity awareness and engagement campaign to help consumers better protect themselves, including the “equivalent of a cybersecurity ‘nutritional label’ for information technology products and services” to drive product innovation and improve purchasing decisions; and
- starting a new workforce program to train 100,000 new cybersecurity practitioners.
Other recommendations focus on areas such as critical infrastructure, IoT, cybersecurity innovations, public awareness and education, state and local issues, insurance, international norms, and the role and vulnerabilities of small and medium-sized businesses.
The commission identified and considered broader trends affecting each of these topics, including the convergence of information technologies and physical systems, risk management, privacy and trust, legal and liability considerations, the importance and difficulty of developing meaningful metrics for cybersecurity, and consumer responsibilities.
President Obama established the commission in February 2016, with a 10-month deadline to make detailed recommendations that strengthen cybersecurity while also protecting privacy, fostering innovation and ensuring economic and national security. The commission’s 12 members included four recommended by leaders of both parties in the U.S. Senate and House of Representatives and the rest selected by the president.
To develop their recommendations, the commissioners consulted technical and policy experts, solicited input from the public through open hearings and a request for information, and reviewed existing literature. The report also highlights the work of several government agencies, including the U.S. Commerce Department’s National Institute of Standards and Technology, and the departments of Homeland Security and Defense, as well as private sector organizations.
The full Report on Securing and Growing the Digital Economy is available online. More information about the commission’s activities can be found on its website.