Presidents Commission Cybersecurity

The President's Commission on Enhancing National Cybersecurity Report on Securing and Growing the Digital Economy has been released and can be found here: presidents-cybersecurity_report

Executive Summary

Recognizing the extraordinary benefit interconnected technologies bring to our digital economy—and equally mindful of the accompanying challenges posed by threats to the security of the cyber landscape—President Obama established this Commission on Enhancing National Cybersecurity. He directed the Commission to assess the state of our nation’s cybersecurity, and he charged this group with developing actionable recommendations for securing the digital economy. The President asked that this enhanced cybersecurity be achieved while at the same time protecting privacy, ensuring public safety and economic and national security, and fostering the discovery and development of new technical solutions.

The interconnectedness and openness made possible by the Internet and broader digital ecosystem create unparalleled value for society. But these same qualities make securing today’s cyber landscape difficult. As the world becomes more immersed in and dependent on the information revolution, the pace of intrusions, disruptions, manipulations, and thefts also quickens. Technological advancement is outpacing security and will continue to do so unless we change how we approach and implement cybersecurity strategies and practices. Recent attacks in which everyday consumer devices were compromised for malicious use have made it abundantly clear that we now live in a much more interdependent world. The once-bright line between what is critical infrastructure and everything else becomes more blurred by the day.

While the threats are real, we must keep a balanced perspective. We should be able to reconcile security with innovation and ease of use. The Internet is one of the most powerful engines for social change and economic prosperity. We need to preserve those qualities while hardening it and making it more resilient against attack and misuse. Changes in policies, technologies, and practices must build on the work begun by the private sector and government, especially over the past several years, to address these issues.

Our commitment to cybersecurity must match our commitment to innovation. If our digital economy is to thrive, it must be secure. That means that every enterprise in our society—large and small companies, government at all levels, educational institutions, and individuals—must be more purposefully and effectively engaged in addressing cyber risks. They must also have greater accountability and responsibility for their own security, which, as we now know all too well, directly impacts the cybersecurity of our country.

From its inception, this nonpartisan Commission developed a report directed both to President Obama and to the President-elect. The Commissioners, who possess a range of expertise relating to cybersecurity, reviewed past reports and consulted with technical and policy experts. The Commission held public hearings, issued an open solicitation for input, and also invited the public at large to share facts and views. It devoted attention to areas including critical infrastructure, the Internet of Things (IoT), research and development (R&D), public awareness and education, governance, workforce, state and local issues, identity management and authentication, insurance, international issues and the role of small and medium-sized businesses.

The Commission identified and considered broader trends affecting each of these topics, notably the convergence of information technologies and physical systems, risk management, privacy and trust, global versus national realms of influence and controls, the effectiveness of free markets versus regulatory regimes and solutions, legal and liability considerations, the importance and difficulty of developing meaningful metrics for cybersecurity, automated technology–based cybersecurity approaches, and consumer responsibilities. In these areas and others, the Commissioners examined what is working well, where the challenges exist, and what needs to be done to incentivize and cultivate a culture of cybersecurity in the public and private sectors.

There was much to readily agree on, including the growing convergence and interdependencies of our increasingly connected world; the need for greater awareness, education, and active stakeholder engagement in all aspects of cybersecurity, from developers and service providers to policy makers and consumers; the ways in which small- and medium-sized companies face additional pressures and limitations in addressing cybersecurity and the importance of remedying that situation, especially in light of their role in the supply chain; and the need, from both operational and mission perspectives, to clarify the federal government’s roles and responsibilities.

It was also evident that most solutions require joint public–private action. Every enterprise in our society—large and small companies, government at all levels, educational institutions, and individuals—must be more purposefully and effectively engaged in addressing cyber risks. They must be equipped to understand the role they play in their own security and how their actions directly impact the cybersecurity of the nation more broadly.

Other areas required more consideration:

  • how best to incentivize appropriate cybersecurity behaviors and actions and how to determine if or when requirements are called for;
  • who should lead in developing some of the most urgently needed standards and how best to assess whether those standards are being met;
  • what is the feasibility of better informing consumers, for example, through labeling and rating systems;
  • which kinds of research and development efforts are most needed and at what cost;
  • how to project the right number of new cybersecurity professionals our economy needs and how to choose among different approaches for attracting and training the workforce at all levels; and,
  • what the roles and relationships of senior federal officials should be and how best to ensure that they not only have the right authorities but are empowered to take the appropriate actions.

From these discussions, some firm conclusions emerged. Partnerships—between countries, between the national government and the states, between governments at all levels and the private sector—are a powerful tool for encouraging the technology, policies, and practices we need to secure and grow the digital economy. The Commission asserts that the joint collaboration between the public and private sectors before, during, and after a cyber event must be strengthened. When it comes to cybersecurity, organizations cannot operate in isolation.

Resilience must be a core component of any cybersecurity strategy; today’s dynamic cyber threat environment demands a risk management approach for responding to and recovering from an attack.

After building on those points of agreement and identifying foundational principles, the Commissioners organized their findings into six major imperatives, which together contain a total of 16 recommendations and 53 associated action items.

The imperatives are:

  1. Protect, defend, and secure today’s information infrastructure and digital networks.
  2. Innovate and accelerate investment for the security and growth of digital networks and the digital economy.
  3. Prepare consumers to thrive in a digital age.
  4. Build cybersecurity workforce capabilities.
  5. Better equip government to function effectively and securely in the digital age.
  6. Ensure an open, fair, competitive, and secure global digital economy.

A table detailing these imperatives and their associated recommendations and action items is included in Appendix 1. The groupings should not be viewed as distinct and isolated categories; indeed, a number of recommendations apply to more than the imperative under which they first appear. The text notes when action items are particularly relevant to other imperatives. This structure reflects the interdependent nature of our digital economy, where steps taken to improve the cybersecurity of one enterprise can meaningfully improve the posture and preparedness of others.

Each recommendation is designed to have a major impact, and each action item is meant as a concrete step toward achieving that impact. Many require a commitment of financial resources far above the level we see today. Some are directed at government, some at the private sector, and many at both. Some call for entirely new initiatives, while others call for building on promising efforts currently under way.

Acknowledging the urgency of the challenges facing our nation, the Commission determined that most recommendations can and should begin in the near term, with many meriting action within the first 100 days of the new Administration. All of these recommendations and actions highlight the need for the private sector, government, and American public to recognize cybersecurity as an integral part of our welfare with serious implications for our country’s national and economic security and our prospects to maintain a free and open society.