By SecureWorld News Team
Mon | Dec 5, 2016 | 2:46 PM PST

The Commission on Enhancing National Cybersecurity has released a 100-page document, nine months in the making, that it considers a "direct memo to the next president."

In the report, the Commission outlines 16 recommendations and 53 associated action items to improve the cybersecurity health of the United States. 

The paper asserts, "America prides itself on fostering the individual entrepreneur, the independent and creative spirit, and the competitor who stands above all others. When it comes to tackling the host of cybersecurity challenges, we need those qualities—but we need joint efforts, collaboration, and cooperation even more."

How does the Commission suggest the upcoming government handle the cybersecurity issues plaguing businesses, individuals, and infrastructure in the U.S.? Through these six overarching imperatives:

Imperative 1: Protect, Defend, and Secure Today’s Information Infrastructure and Digital Networks

Neither the government nor the commercial sector can stop cyber threats on its own. It's going to take increased collaboration between the private and public sectors to properly implement needed security controls.

Within this set of recommendations, the report calls for solutions to address the "full range of risks across the electromagnetic spectrum," as well as stronger authentication across all Internet-based federal services.

The Commission states, "Our reliance on passwords presents a tempting target for malicious actors. Despite the technical and demonstrated real-life success of a variety of novel approaches for improving identity management, individual users and the nation are still lagging significantly. Consequently, we are making it too easy for those who seek to do harm, whether they be nation-states, well-organized criminal groups, or online thieves."

The Commission is recommending increasing acceptance of the Cybersecurity Framework coupled with initiatives like the creation of a National Cybersecurity Private-Public Program (NCP-3).

Imperative 2: Innovate and Accelerate Investment for the Security and Growth of Digital Networks and the Digital Economy

IoT is a huge problem. And it's not going away. As we connect more and more things to the Internet, the attack surface increases exponentially. 

Within 60 days of the next President taking office, the report recommends issuing an executive order allowing NIST to audit and collaborate with standards organizations to develop a set list of cybersecurity standards and create new ones where necessary to better secure our devices. 

But it's not enough just to create standards, says the Commission. Regulatory practices must also be created, with balances and checks to determine where gaps lie. 

The government should also support cybersecurity research and data collection, especially in previously underfunded areas.

Imperative 3: Prepare Consumers to Thrive in a Digital Age

It can't be on consumers alone to protect themselves. People often don't feel the repercussions of their security hygiene; in the worst case, their bank card gets stolen and they immediately receive a new one.

The Commission calls for the creation of the equivalent of a security "nutrition label" in which products are rated based on their cybersecurity practices. However, it's important for the customer to "intuitively trust and understand" these guidelines.

The report says, "The complexity of cybersecurity and the resources needed to address it must be reduced. In the long run, manufacturers should automate, simplify, and improve the process by which consumers are advised about the cybersecurity implications of using their digital devices. They must come up with more intuitive ways that demand the minimum amount of extra thought and effort." 

Imperative 4: Build Cybersecurity Workforce Capabilities

The report points out that it's not enough to rely on our current system of cyber professionals and educators. Many of the greatest security breakthroughs to come will be dreamed of by individuals with fresh and creative ways of thinking. 

Still, much more training is needed in the industry currently; the Commission calls for the creation of numerous new programs, such as a national cybersecurity apprenticeship program, a mandatory training program for executives, and processes to increase student awareness and involvement.

The emphasis on student involvement in cybersecurity is especially prevalent in the report, even advocating that, "Cybersecurity awareness messages should be developed and focused on children as early as preschool and throughout elementary school." 

In order to completely change the culture of cybersecurity, everyone must have a stake in the process.

Imperative 5: Better Equip Government to Function Effectively and Securely in the Digital Age

The Commission explains, "In the face of rapidly changing information technology capability and a growing dependence on this technology, it is not enough for the next Administration to try to play catch-up with threats and vulnerabilities. The next President must ensure that the federal government is a leader in cybersecurity, both to secure its own operational systems and to carry out its mission to protect and defend our nation’s private networks when a major incident occurs." 

Increased collaboration is a theme throughout this document, especially in sharing information regarding current risks. The commission advocates for a single government network to link agencies and contractors across the entire country in order to monitor cybersecurity performances.

These guidelines also call for an extensive cybersecurity action plan within the first 180 days of the new presidency, better funding for newer technologies, and state-level legislation to train the National Guard to respond to cyber incidents.

Imperative 6: Ensure an Open, Fair, Competitive, and Secure Global Digital Economy

Business doesn't stop at borders. Neither does cybersecurity. If an incident occurs, the United States can more effectively mitigate a problem if outside parties are sufficiently equipped with their own cybersecurity standards.

The commission calls for the Department of State and the Department of Human Services to actively participate in helping other nations build their own policies and standards. Within the first 180 days, the new President should appoint an Ambassador for Cybersecurity to engage with foreign nations to create cybersecurity practices. 

What Now?

Some would argue that increasing government involvement in anything is bad news, especially when it's already so heavily involved in private business. While this 100-page report is intended to be used as an incredibly extensive guide for the next president, there's no guarantee that any of these policies will be implemented.

President Obama said in a press release that, "The Commission’s recommendations are thoughtful and pragmatic," and he has authorized a more than 35% increase in the cybersecurity budget for the 2017 year.

He added, "I am confident that if we implement the Commission’s recommendations, our economy, critical infrastructure, and national security will be better equipped to thrive in the coming years."

If businesses and consumers aren't doing enough to secure our banks, our devices, our communications, is this the natural next step? Or will increasing government regulation and involvement in our cybersecurity practices mean more surveillance and dependency?
