Takeaways from The Presidential Commission on Enhancing National Cybersecurity Report: Part I

bruce_potterIn February, President Obama established a commission to examine mechanisms to enhance the state of cybersecurity in the nation. I was fortunate enough to serve as a technical advisor and spent the last 10 months helping the Commission on Enhancing National Cybersecurity and its staff prepare the December 1 report. The 12 commissioners drew on their collective experience and information from experts around the country to develop the 16 recommendations in the report. In this and my next blog post, I’ll discuss the report, its recommendations and how you can help.

Focus on Digital Economy

The first thing you’ll notice in the report is a focus on the digital economy:

We live in a digital economy that helps us work smarter, faster, and more safely. Change is not limited just to our workplaces, of course. Our lives are enriched by digital devices and networks and by the innovators who have found creative ways to harness technology. Still, our digital economy and society will achieve full potential only if Americans trust these systems to protect their safety, security, and privacy.

This is unique in the realm of broad cybersecurity reports coming out of Washington. Previous reports focused largely on public sector concerns and addressed federal government cybersecurity concerns. This report’s much broader approach addresses issues affecting our economy as more and more economic activity occurs online.

This is an important and timely area of focus. In the early days of the Obama administration, smartphones were just hitting the market, private companies had little knowledge of nation-state threats against their enterprises and the idea of a connected home was more sci-fi than Best Buy.

Today, we stream high-definition video to our phones over the cellular network and hear about numerous nation-state attacks against private industry. I’m sure many of us also picked up Internet of Things home-automation devices on Black Friday. Attacks against Internet-connected services have dramatic impact on us, our companies and the economy as a whole.  This report attempts to address cybersecurity in this context.

Innovation vs. Security

Security is often antithetical to innovation. Innovation thrives on speed and freedom to try new things. Frankly, innovation drives our economy, and that’s even more true as we transition to a digital economy. Security is achieved by procedures and controls that can weigh down the development process and slow the pace of innovation. The Commission’s report overtly addresses this concern with recommendations to balance the impact of security on the speed of innovation.

Further, there’s a realization that the state of cybersecurity tools is not sufficient to address the risks we face today. There’s a need to accelerate the speed of innovation in cybersecurity to catch up to adversaries and get enterprises on a defensible footing.

The second imperative in the report, “Innovate and Accelerate Investment for the Security and Growth of Digital Networks and the Digital Economy,” is full of recommendations that address this problem. A challenge for implementers, however, is the diversity of stakeholders called out in the second imperative. Managing activities in the National Institute of Standards and Technology; U.S. departments of Homeland Security, Justice and Commerce; the Federal Trade Commission and Consumer Product Safety Commission—while facilitating innovation—will require careful orchestration to not actually slow down the industry.

Building a Secure Foundation

One of the report’s foundational principles is the concept of building a secure, defensible foundation. Principle 4 states:

Private sector and government collaboration before, during, and after an event is essential in creating and maintaining a defensible and resilient cyber environment.

While security experts will immediately see the wisdom in this statement, I should point out it’s an important change from past reports. Previous government reports have spent much real estate around sharing information about threats and attacks. Although this type of information sharing is important, it is, by nature, reactionary. Successful attacks are the result of successful exploits of vulnerable systems. By building more secure systems, we can avoid the attacks altogether.

The ideas in this report focus as much around the proactive need to build defensible systems as the need to coordinate responses. Coordinating risk management practices, sharing best practices for system development and building more resilient systems as a matter of course would have a material impact on the security of our digital economy. While we’re still a long way from realizing these goals, the Commission put an important stake in the ground with respect to building security in.

Looking Ahead

Next time, I’ll share takeaways on the types of public/private partnerships the report calls out. I’ll also share suggestions on what you can do to help implement the Commission’s recommendations.

Feel free to share your initial thoughts on the report with us.

Bruce

By Bruce Potter / December 14, 2016