The final cybersecurity report for the Obama administration identified six key issues for improving cybersecurity and recommended actions to make positive changes, but experts disagreed on the key points and whether the recommendations will be heeded by the incoming administration.
The Commission on Enhancing National Cybersecurity is the nonpartisan group tasked by President Barack Obama "with developing actionable recommendations for securing and growing the digital economy by strengthening cybersecurity in the public and private sectors."
"Successful implementation of our recommendations will require significant commitment from both the public and private sectors and extensive cooperation and collaboration between the two. Indeed, enhancing the state of national cybersecurity will require the coordinated effort of a wide range of organizations and individuals," the report read. "It is critical that the next administration make cybersecurity a top priority, beginning during the transition period, so that progress can continue, accelerate and expand. The urgency of the situation demands that the next administration move forward promptly on our recommendations, working closely with Congress and the private sector."
Cooperation was a major theme of the report. The first recommendations of the cybersecurity report called for collaboration between the private and public sector to take on issues, such as securing against cyberattacks, hardening infrastructure, increasing the use of strong authentication and identity management, and improving security for small and medium-sized businesses.
"We need to recognize that neither the government nor the private sector can capably protect systems and networks without extensive and close cooperation," the report read. "Critical infrastructure owners and operators deserve clearer guidance and a set of common understandings on how government responsibilities, capabilities and authorities can lead to better collaboration and joint efforts in protecting cyberspace."
Morgan Reed, executive director of ACT | The App Association in Washington, D.C., agreed with the need for more collaboration. "Public-private collaboration will be critical to solving the big cybersecurity challenges that require more than mere technology or technique and will need data-sharing, training opportunities and legal interventions," Reed told SearchSecurity.
Ray Rothrock, chairman and CEO of cybersecurity analytics company RedSeal Inc., based in Sunnyvale, Calif., said information sharing is key to making such cooperation work.
"Collaboration is about trust, and sharing information with government can be a tough sell to a skeptical business audience. But we must try to get it right. Sharing intelligence is a key to success. The military knows that," Rothrock told SearchSecurity. "It can be a key to success in cyber, too. As we work to close the trust gap, let's also move ahead to set standards and let businesses and other organizations pick best-of-breed solutions for their networks. One size does not fit all."
The cybersecurity report also recommended that the public and private sectors come together to secure the internet of things (IoT), which has come under fire recently because malware like Mirai has abused insecure devices connected through IoT to create massive distributed denial-of-service (DDoS) attacks.
Jeremy Grant, managing director at The Chertoff Group in Washington, D.C., and adviser to the FIDO Alliance, said while the cybersecurity report's "heavy focus on identity and authentication is spot on," he was happy to see IoT security addressed directly.
"I was pleased to see IoT get so much attention, given that the attacks of tomorrow are going to increasingly focus on exploiting weaknesses in IoT. We got a preview of this with the Mirai DDoS attacks earlier this fall," Grant told SearchSecurity via email. "It's an area that needs immediate focus -- particularly in improving the way systems authenticate to each other in the IoT world -- and government has an important role to play alongside industry in helping to drive progress."
The report also included recommendations calling for the White House to "coordinate with the international community in creating and harmonizing cybersecurity policies and practices and common international agreements on cybersecurity law and global norms of behavior."
"Today, the international digital economy lacks the coherent systems necessary to effectively address cross-border malicious cyberactivity. The varied individual country technology requirements, assessment regimes and cybersecurity policies fragment markets and force companies to devote resources to multiple compliance regimes, rather than to innovation," the report read. "The lack of global norms and standards forces industry to select markets where they can meet national requirements, avoiding or abandoning others. The lack of structure adds to disparities that can degrade national cybersecurity capabilities. The void in technical, policy and legal conventions hampers information sharing and interoperability. Moreover, it creates an opening for criminals to launch attacks and conduct other malicious cyberactivity."
Rothrock said, "International cooperation, both legal and behavioral, is a complex challenge."
"Cyberthreats move across borders with little friction. And there are legal and cultural differences in how nations deal with cyberthreats. As difficult as this will be, we must start somewhere," Rothrock said. "The United Nations may be the best place to begin the global dialog. But we should remember that no nation has enough standing in cyber to force its will onto others."
Government security, infrastructure and the skills gap
The report gave five recommendations to help the government get its house in order. The cybersecurity report suggested the following:
- Consolidating IT infrastructure between federal agencies to improve internet connectivity in agencies and make it easier to procure standard devices and services;
- Promoting faster adoption of technology and phasing out older tech;
- Shifting from cybersecurity requirements in federal agencies to risk-based management;
- Reorganizing cybersecurity leadership and responsibility; and
- Clarifying cybersecurity mission responsibilities throughout government.
Grant said he was also glad to see the focus on improving the government's own cybersecurity "through a focus on building modern, secure, shared IT services."
"The government has thousands of archaic, stand-alone IT systems that are awful in two respects: They suck up billions of dollars in maintenance each year and they are nearly impossible to secure," Grant said. "Supporting these systems is not a core part of any agency's mission -- the report wisely suggests that agencies get out of that business and instead leverage new, common-use IT services for many applications that can be shared across agencies."
One section of the cybersecurity report included a number of recommendations aimed at filling the infosec skills gap, including building capacity in automation, machine learning and artificial intelligence, and creating programs to help train new cybersecurity practitioners.
Reed said this was "the most important investment the new administration can make."
"Solving the skills gap will take time, but investments in the workforce will help protect America's digital infrastructure, as well as our innovation leadership," Reed said. "We need to create great minds who can solve today's problems and prepare to take on the next generation of cyber challenges tomorrow."
Rothrock disagreed and said securing critical infrastructure "is the single most important thing for cyber warriors to address."
"If the infrastructure fails, everything fails. Imagine what would happen if financial transactions could not be processed, if public water systems stopped working, if the electric grid stopped buzzing. The consequences are almost unimaginable," Rothrock said. "Dealing with this threat to civil society should be a top priority for the new administration. President-elect [Donald] Trump should make our digital infrastructure as high of a priority as roads, bridges and airports."
The next administration
Coming at the end of the Obama presidency, the cybersecurity report is intended to offer recommendations for the incoming Trump administration.
"It is critical that the next president and his administration and Congress begin immediately to tackle each one of the issues raised in this report. The commission considers this report a direct memo to the next president," the report read. "The recommendations reflect what the commissioners believe are the highest-priority actions to take. Some recommendations call for actions within the first 100 days of the new administration."
Rothrock said, "The new administration should not ignore these recommendations, and I don't think it will. The commission was bipartisan and the problem is bipartisan. It affects the economy everywhere and creates a lack of trust in institutions. I remain optimistic. Cybersecurity is not a partisan issue; there are smart people on both sides of the aisle working on it."
Reed was not as optimistic.
"These types of commissions are hit or miss, even without major changes in the government's leadership along the way. They certainly will be reviewed by the new administration as they decide on their own cybersecurity strategy, and we will likely see some of these concepts implemented by President-elect Trump," Reed said. "Ultimately, though, the U.S. is at the center of an $8 trillion global digital economy; questions about cybersecurity aren't merely an interesting exercise, but are critical to our economic health."
Grant said although cybersecurity is a recent government concern, "the history here is quite positive when it comes to these kinds of reports."
"Eight years ago, the CSIS Commission on Cybersecurity for the 44th Presidency produced a report that was heavily influential in shaping the Obama administration's approach to protecting cyberspace," Grant said. "The recommendations in this new report are nonpartisan, well-crafted and signed off on by a 'who's who' of important leaders from industry and academia. If the Trump administration is serious about improving the country's cybersecurity, they'll give this new report serious consideration."