On December 1, 2016, the Commission on Enhancing National Cybersecurity (Commission)—established ten months earlier by President Obama—released its Report on Securing and Growing the Digital Economy (Report). The 50-page Report includes six major imperatives with 16 recommendations and 53 associated action items to improve national cybersecurity. The Commission is a non-partisan panel comprised of 12 members from various industries, including Uber, Microsoft and U.S. Cyber Command.
The Commission’s Recommendations
The six major imperatives, as they appear in the Report, are to:
-
Protect, defend, and secure today’s information infrastructure and digital networks;
-
Innovate and accelerate investment for the security and growth of digital networks and the digital economy;
-
Prepare consumers to thrive in a digital age;
-
Build cybersecurity workforce capabilities;
-
Better equip government to function effectively and securely in the digital age; and
-
Ensure an open, fair, competitive, and secure global digital economy.
These recommendations are directed to the next administration. The Report states, “[t]he Commission considers this report a direct memo to the next President” and suggests that most of the recommendations should begin within the Trump’s first 100 days in office.
The Report calls for increased industry and government information sharing, more guidance on cybersecurity best practices and increased consumer education on the issues. To implement those principles, the Report details what agencies should be involved and provides a timeline for the President-elect. For example, the Report states that:
“[t]he Department of Justice should lead an interagency study with the Departments of Commerce and Homeland Security and work with the Federal Trade Commission, the Consumer Product Safety Commission, and interested private sector parties to assess the current state of the law with regard to liability for harm caused by faulty IoT (Internet of Things) devices and provide recommendations within 180 days.”
Other recommendations include:
-
Initiating a national cybersecurity workforce program to train 100,000 new cybersecurity practitioners by 2020;
-
Developing a standard template for documents to inform consumers of their cybersecurity roles plus creating a “Consumer’s Bill of Rights and Responsibilities for the Digital Age”;
-
Appointing an Ambassador for Cybersecurity within the first 180 days; and
-
Increasing funding for cybersecurity across the federal government.
Incorporating the Report into Trump’s Cybersecurity Plan
While the Report is directed to the Trump administration, it is unclear if the President-elect will incorporate the Commission’s recommendations. During the campaign Trump outlined a cybersecurity plan that focused on defensive and offensive strategies. Trump’s campaign outline, however, did not include the level of detail that the Report provides. Some of the Report’s recommendations are similar to items in Trump’s plan. For example, the Report suggests appointing an Assistant to the President for Cybersecurity, while Trump’s campaign plan included a proposal to create a Cyber Review Team to evaluate vulnerabilities in critical infrastructure.
One major vulnerability in cybersecurity infrastructure is the capability to shut down internet service companies. In response to the October attack on Dyn, several legislators have called for safeguards to protect internet security. Senator Mark Warner, for example, released a letter from FCC Chairman Tom Wheeler in which Wheeler proposed an FCC-mandated cybersecurity certification process for “Internet of Things” devices. Wheeler, who will step down as chairman once President-elect Trump is inaugurated, said the FCC’s Advisory Committees should develop a “device cybersecurity certification process.” This certification process would attempt to prevent attacks like the one Dyn experienced.
But the President-elect, who said that for every new regulation, two old regulations must be eliminated, may not be quick to follow any recommendation leftover from the Obama administration, especially if it requires new regulatory action. If Trump chooses not to follow the Report’s recommendations, he will undoubtedly be expected to release an exhaustive national cybersecurity plan shortly after taking office.
