While the IC’s research organization looks into adding security to cloud environments, in the here and now, intelligence agencies are sharing more data.
A presidential commission has recommended that the incoming Trump administration launch a program to train 100,000 cybersecurity practitioners and initiate a national cybersecurity apprenticeship program to train 50,000 more by 2020.
Those were two of the dozens of recommendations offered by President Obama’s Commission on Enhancing National Cybersecurity, which issued its final report on Friday. The commission, which Obama set up in February as part of his Cybersecurity National Action Plan, was charged with recommending actions that can be taken by the federal government and private sector over the next decade to enhance cybersecurity while protecting privacy, fostering development of new technologies and promoting cooperation between government and industry.
As the Obama administration winds down, it is aiming to underline the importance of cybersecurity, an issue which will likely continue to grow in importance during the next administration as technology evolves, other nations improve their cyber capabilities and threats change to counterdefenses.
The commission included business leaders, former government officials and cybersecurity experts, and the report includes 53 specific “action items” for the incoming administration to follow up on. Thomas Donilon, a former national security advisor to President Obama, chaired the commission, while Samuel Palmisano, the retired chairman and CEO of IBM, was the commission’s vice chairman.
The report is organized around six major imperatives, which together contain a total of 16 recommendations and 53 associated action items. In many cases, the report recommends that the government work with the private sector to strengthen cybersecurity.
Some are directed at government, some at the private sector, and many at both. Some call for entirely new initiatives, while others call for building on promising efforts currently under way. The commission determined that most recommendations can and should begin in the near term, with many meriting action within the first 100 days of the new administration.
The six major imperatives are:
The report notes that the Framework for Improving Critical Infrastructure Cybersecurity (better known as the Cybersecurity Framework) serves as a successful example of an innovative public–private solution; government convened industry to create the Framework. Called for by a presidential executive order in 2013 and produced a year later in a collaborative private–public effort, the voluntary framework is now being used by a wide range organizations across the economy to assess and prioritize cybersecurity risks and the actions to reduce them. The report says that all federal agencies should be required to use the Cybersecurity Framework.
Among the specific recommendations in the report, the commission says that the Office of Management and Budget should require federal agencies to use the Cybersecurity Framework for any cybersecurity-related reporting, oversight, and policy review or creation. And the report says that in the first 100 days of the new administration, OMB should work with the National Institute of Standards and Technology and the Department of Homeland Security to clarify responsibilities under the Federal Information Security Modernization Act to align with the Cybersecurity Framework.
In terms of specific security recommendations, the report says that priorities include an immediate enhancing of the nation’s ability to detect and resolve purposeful wireless disruptions, as well as improving the resilience and reliability of wireless communications and positioning, navigation and timing data.
The report also says the Trump administration should launch a national public–private initiative to achieve major security and privacy improvements by increasing the use of strong authentication to improve identity management.
In terms of its more inventive recommendations, the report says that, “to improve consumers’ purchasing decisions, an independent organization should develop the equivalent of a cybersecurity ‘nutritional label’ for technology products and services —ideally linked to a rating system of understandable, impartial, third-party assessment that consumers will intuitively trust and understand.”
Cybersecurity has taken on much more prominence following the 2014 breaches at the Office of Personnel Management, which led to theft of personal information of 22.1 million current, former and potential federal employees. The Obama administration has engaged in offensive cybersecurity operations, like the Stuxnet virus, to sabotage Iran’s nuclear program, and has also been trying to fend off intrusions from states like China, Russia and Iran.
“The interconnectedness and openness made possible by the internet and broader digital ecosystem create unparalleled value for society. But these same qualities make securing today’s cyber landscape difficult,” the report notes. “As the world becomes more immersed in and dependent on the information revolution, the pace of intrusions, disruptions, manipulations, and thefts also quickens. Technological advancement is outpacing security and will continue to do so unless we change how we approach and implement cybersecurity strategies and practices.”
The report cited a recent cyberattack that took advantage of connected devices to disrupt access to popular internet applications and services as an example that shows “we now live in a much more interdependent world” and that “the once-bright line between what is critical infrastructure and everything else becomes more blurred by the day.”
“While the threats are real, we must keep a balanced perspective. We should be able to reconcile security with innovation and ease of use, “the report says. “The internet is one of the most powerful engines for social change and economic prosperity. We need to preserve those qualities while hardening it and making it more resilient against attack and misuse. Changes in policies, technologies, and practices must build on the work begun by the private sector and government, especially over the past several years, to address these issues.”