In April, President Obama officially formed the The Commission on Enhancing National Cybersecurity to examine the country’s electronic vulnerabilities in the wake of high-profile hacks like that of the Office of Personnel Management in 2015. Today that commission finally wrapped up its duties and delivered a comprehensive report to the President (and the public) identifying areas of weakness and offering concrete steps to improve.
Many of the recommendations are obvious, though getting them fully implemented will certainly be tricky. Setting stringent authentication requirements for all federal employees and contractors, is an admirable goal, but getting all the various agencies and departments inline will be easier said than done. The same holds true for getting all federal agencies to adopt the Cybersecurity Framework set forth by the Obama in 2014 — a fact that the commission readily acknowledges saying:
“…many agencies are not yet using the Cybersecurity Framework. They may be reluctant to do so because they are focused on the many requirements that they face, or because they do not understand how they can make productive use of the Framework within the larger context of managing their operations.”
The commission’s solution, to simply have the Office of Management and Budget (OMB) mandate it, might be effective, but it’s certainly not ideal.
Many of the other recommendations involve improved collaboration between various government agencies and the private sector. Including incentivising companies to implement cyber risk management principles and actively work with the government to “identify, protect from, detect, respond to, and recover from cyber incidents affecting critical infrastructure.”
This collaboration extends to increasing both public and private investment in research, development and establishing industry standards around security. This includes developing a “integrated government–private-sector cybersecurity roadmap for developing usable, affordable, inherently secure, resilient/recoverable, privacy-protecting, functional, and defensible systems. “
One area of the consumer market singled out in particular is the internet of things (IoT). The importance of which was made all the more clear by the recent attack against a popular DNS service that brought down major swaths of the internet, including Twitter, Spotify and New York Times.
Perhaps the most important and difficult recommendations focus on updating our laws and educating the public. Because, as the report goes out of its way to highlight, simply building security systems isn’t enough, every individual has a part to play in protecting the country against hackers, criminals and cyber spies.
President Obama released a statement embracing the commission’s recommendations, but with his time in office winding down, there’s only so much he’ll be able to implement. The president directed the commission to brief Donald Trump’s transition team “at their earliest opportunity.” You can read the entirety of the commissions report for yourself right here.