In February of 2016, the President issued an Executive Order establishing the Commission on Enhancing National Cybersecurity within the Department of Commerce. The Commission was charged with “recommending bold, actionable steps that the government, private sector, and the nation as a whole can take to bolster cybersecurity in today’s digital world, and reporting back by the beginning of December.”
On December 1 the Commission issued its final Report on Securing and Growing the Digital Economy. The Commission urged the incoming administration to strengthen cybersecurity efforts within its first 100 days. The report includes 16 major recommendations and related actions that can hopefully serve as a useful framework for significantly enhancing the Nation’s cybersecurity.
The widespread success of the Internet in the 1990s has led to a historical transition from the industrial age of the past two centuries to an economy and society increasingly based on global, digital interactions. This transition has significantly accelerated over the past decade with the advent of billions of smartphones, tens of billions of IoT devices and huge amounts of data, all now connected via Internet-based broadband networks.
At the same time, Internet threats have been growing. Large-scale fraud, data breaches, and identity thefts are becoming more common. Companies are finding that cyber-attacks are costly to prevent and recover from. As we move from a world of physical interactions and paper documents to a world primarily governed by digital data and transactions, our existing methods for protecting identities and data are proving inadequate.
Why is the Internet so vulnerable to these threats? Why wasn’t stronger security designed into the original Internet infrastructure? MIT research scientist and Internet pioneer David Clark addressed this question in a recent article about the early design choices that have led to today’s Internet.
The Internet is basically a general purpose data network that supports a remarkable variety of applications. Being general purpose was a fundamental design choice. It has enabled the Internet to keep growing and adapting to widely different applications and become one of, if not the, most prolific innovation platforms the world has ever seen.
Just about everything else, including security, is the responsibility of the applications running on the Internet. Consequently, there’s no one overall owner responsible for security, making security significantly harder to achieve. As Clark points out, “the design decisions that shaped the Internet as we know it likely did not optimize secure and trustworthy operation.” That’s what we now have to fix.
The Commission reviewed past reports on cybersecurity, consulted with technical and policy experts and issued open solicitations for input. It held a number of public meetings around the country, each focused on a different sector of the economy. These included a meeting in New York City on the financial sector in which I was a panelist. Their work led to a broad set of findings, including:
- “Technology companies are under significant market pressure to innovate and move to market quickly, often at the expense of cybersecurity. In many industries, being first to market continues to take priority over being secure to market.”
- “The attacker has the advantage. Some threats against organizations today are from teams composed of highly skilled attackers that can spend months, if not years, planning and carrying out an intrusion.”
- “Technological complexity creates vulnerabilities. Complexity today is affected by the continuously changing and interdependent environment, the increased number of mobile clients, and the compressed time available from when a product is first conceptualized to when it goes to market.”
- “Governments are as operationally dependent on cyberspace as the private sector,” but they also face additional cybersecurity challenges beyond those of the private sector.
- “Trust is fundamental. The success of the digital economy ultimately relies on individuals and organizations trusting computing technology and trusting the organizations that provide products and services and that collect and retain data.”
The bulk of the 90-page report describes in detail the Commission’s 16 recommendations and 53 associated action items, which are organized into six major imperatives. These are:
Protect, defend, and secure today’s information infrastructure and digital networks. We can no longer just focus on identifying and protecting critical digital infrastructures, given their interconnections, interdependencies and risks to all aspects of the economy and society as well as to our personal lives.
The Commission’s overriding recommendation is that the private sector and government should collaborate on a roadmap for improving the security and robustness of digital networks. This includes collaboration in implementing a new model for defending and securing our converging cyber and physical worlds, and launching a public-private initiative for increasing the use of strong authentication to improve identity management.
Innovate and accelerate investment for the security and growth of digital networks and the digital economy. As our physical and digital infrastructures increasingly converge, they’re all similarly susceptible to cyber threats, as are the wide assortment of smart, connected products and services they support. A rapidly expanding Industrial IoT introduces a whole new set of cybersecurity challenges, not only because of the large numbers of projected IoT devices (10s of billions by 2025, growing to 100s of billions in the decades ahead), but also because of the expectation that they will generate significantly more data than the vast amounts already generated by existing applications and devices.
The Commission recommends that the federal government and the private sector join forces in improving the security of the Internet of Things, and that improving such IoT security should be a top priority in the government’s overall R&D agenda.
Prepare consumers to thrive in a digital age. The responsibility for security has mostly fallen on users of Internet applications and Internet-connected devices. Given the accelerated pace of digital innovations, and the difficulty of understanding the accompanying cybersecurity threats, this places an unreasonable burden on the shoulders of consumers.
“Engineers and designers should create products and systems with security built in and provide consumers with the ability to know how their user experience will be protected. The burden of primary responsibility for cybersecurity should be driven up the chain from the consumer to the manufacturer.”
The Commission recommends that companies should work closely with consumer organizations and with the Federal Trade Commission to help consumers make better informed decisions about security. In addition, the federal government should support research in improving the overall cybersecurity and usability of consumer products and services.
Build cybersecurity workforce capabilities. According to a recent security workforce study, 1.5 million more cybersecurity professionals will be needed around the world by 2020, with a significant portion in the US. “The cybersecurity workforce is expected to continue to grow over the next several years, but not at a rate commensurate with the growing threats. Consequently, we need to continue to expand existing initiatives and develop new ones that will grow our nation’s workforce.” The nation should proactively address these potential workforce gaps.
Better equip government to function effectively and securely in the digital age. Government faces a dual challenge. “The next President must ensure that the federal government is a leader in cybersecurity, both to secure its own operational systems and to carry out its mission to protect and defend our nation’s private networks when a major incident occurs.”
The Commission recommends that the federal government should consolidate its basic network operations to better share components and best practices, instead of having every civilian agency manage its own IT infrastructure as is mostly the case today. In addition, government agencies should be encouraged to accelerate the pace at which they refresh their technologies.
Ensure an open, fair, competitive, and secure global digital economy. “The United States operates in a global economy with partners, suppliers, customers, and competitors around the world. Business is now conducted at Internet speeds in digital markets and does not stop at boundaries or borders. The digital economy also depends on an open, interoperable, secure, and reliable Internet that links every corner of the globe.”
The Commission recommends coordinating with the international community to create and harmonize cybersecurity policies, legal agreements and global norms of behavior, including the appointment of an Ambassador for Cybersecurity to direct U.S. international efforts on cybersecurity strategies, standards, and practices.
Having led the development and deployment of the Internet, the US now has the opportunity to lead in securing the cyberspace foundations of our growing digital economy. “All of these recommendations and actions highlight the need for the private sector, government, and the American public to recognize cybersecurity as an integral part of our welfare with serious implications for our country’s national and economic security and our prospects to maintain a free and open society.”