Threat Intelligence
12/6/2016
01:00 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

US Presidential Commission Outlines Key Cybersecurity Actions For Future Administrations

Report outlines ways to lock down critical infrastructure as well as IoT - and the urgent need to expand the security workforce by 2020 with 100,000 new jobs.

As part of a broader effort to strengthen national security and inform future administrations, the US Commission on Enhancing National Cybersecurity last week issued recommendations that encompass critical infrastructure and convergence driven by the Internet of Things, workforce development, public-private partnership, and information sharing.

President Obama established the Commission in February of this year to improve cybersecurity across the country. Twelve commissioners representing industry, academia, and former government officials were appointed to develop recommendations. 

The 100-page "Securing and Growing the Digital Economy" report by the commission, which contains short- and long-term guidance for improving cybersecurity across the public and private sectors, comes at a time when cyber threats are constant and becoming more dangerous. 

"It's bad and getting worse," says Gus Hunt, former CTO of the CIA and current cybersecurity lead at Accenture Federal Services, of the current state of cybersecurity. "If you think about the threat level that has begun to emerge, things are not looking up."

The Commission's recommendations are outlined in six key areas:

  • Security of the information infrastructure and digital networks
  • Acceleration and investment in security and growth of digital networks and digital economy
  • Preparing consumers for the digital age
  • Building cybersecurity workforce capabilities
  • Equipping government to effectively and securely function in the digital age
  • An open, fair, competitive, and secure global digital economy

Peter Lee, a member of the Commission and CVP at Microsoft Research, explained how the Commission came up with its recommendations. "Soon after we got started in March, we held a series of public meetings where we took in quite a lot of input from stakeholders in different parts of the cybersecurity landscape," he says.

"I came with a perspective on the tech industry, where technology might be going, and what the interests would be between Silicon Valley and the US government, as well as how that partnership might be harnessed to make improvements," Lee says. "I also have the responsibility of managing a large part of Microsoft Research, and tend to have a more technical and future-oriented view," which helped inform his insight.

The Internet of Things was a key concern, especially with respect to critical infrastructure (CI). Commissioners urged government to address the convergence of IoT and CI by establishing programs for government agencies and private organizations to evaluate potential cyberattacks and determine next steps.

"These programs would move beyond tabletop exercises and seek to establish public-private joint collaboration by examining specific cyber protection and detection approaches and contingencies, testing them in a simulation environment, and developing joint plans for how the government and private sector would execute coordinated protection and detection activities, responding together, in alignment with the National Cyber Incident Response Plan," the report states.

Over the next decade, the distinction between critical infrastructure and other products (cars, consumer goods) will continue to fade as devices become more connected, says Lee.  

"As time goes on, the computing technology in your child's teddy bear is going to be every bit as meaningful to the nation's cybersecurity as the computer control for our national electric grid," he notes. Connected devices will evolve to the point where even simple consumer products could become a meaningful element of a botnet.

The Commission recommended that the government set baseline standards for connected products and label them accordingly so consumers have a better idea of their security. This would help improve consumer education and awareness of cybersecurity, says Hunt.

"Security has to be built in, easily engaged with, and when possible, completely transparent for the user because users don't understand [security]," he explains. "They make mistakes, and they make all of us vulnerable."

Workforce development is another key issue, says Lee, and both government and industry experts interviewed by the Commission cited a lack of supply of cybersecurity practitioners. The report states the next president should initiate a program to train 100,000 new cybersecurity practitioners by 2020.

This program would develop security talent through local and regional partnerships among employers, educational institutions, and community organizations, according to the report. The government and private sector should also collaborate to sponsor a network of security bootcamps, with the idea of building critical skills in a shorter timeframe.

National cybersecurity should be viewed as a shared responsibility, both experts agree. Education should start as early as K-12 levels so children learn basic security practices at a young age.

Identity management is important to address because a tremendous amount of security breaches begin with the theft of a user ID or password, Lee says.The Commission urged government to make authentication stronger and easier to use, something he says Microsoft has done to prevent intrusions caused by password theft.

However, neither the government nor private sector can make the necessary improvements alone. For this reason, the Commission called for a more active collaboration and partnership between the public and private sectors.

This relationship extends to information sharing, which can be powerful for mitigating risk, Lee notes. Bad actors have an advantage because they embrace the latest technologies and receive direct rewards for new tools and exploits. Those trying to mitigate threats can do so by sharing information as threats emerge.

"If we can create a situation where network operators are able to share data more safely and quickly, the damage caused by botnets can be dramatically reduced," for example, says Lee.

A challenge for companies in sharing information is navigating legal liability risks, he notes. The report recommends government work with the private sector to identify changes in regulations or policies that would encourage companies to more freely share risk management practices.

"Cyber, most interestingly, is the world's first frictionless weapon system," says Accenture's Hunt. "We're at a juncture where we have to go at this in a new way, with focus and vigor and hopefully, bring together the government, state, and private sector," Hunt says.

Related Content:

Kelly is an associate editor for InformationWeek. She most recently reported on financial tech for Insurance & Technology, before which she was a staff writer for InformationWeek and InformationWeek Education. When she's not catching up on the latest in tech, Kelly enjoys ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
5 Security Technologies to Watch in 2017
Emerging tools and services promise to make a difference this year. Are they on your company's list?
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.