Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

12/6/2016
01:00 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

US Presidential Commission Outlines Key Cybersecurity Actions For Future Administrations

Report outlines ways to lock down critical infrastructure as well as IoT - and the urgent need to expand the security workforce by 2020 with 100,000 new jobs.

As part of a broader effort to strengthen national security and inform future administrations, the US Commission on Enhancing National Cybersecurity last week issued recommendations that encompass critical infrastructure and convergence driven by the Internet of Things, workforce development, public-private partnership, and information sharing.

President Obama established the Commission in February of this year to improve cybersecurity across the country. Twelve commissioners representing industry, academia, and former government officials were appointed to develop recommendations. 

The 100-page "Securing and Growing the Digital Economy" report by the commission, which contains short- and long-term guidance for improving cybersecurity across the public and private sectors, comes at a time when cyber threats are constant and becoming more dangerous. 

"It's bad and getting worse," says Gus Hunt, former CTO of the CIA and current cybersecurity lead at Accenture Federal Services, of the current state of cybersecurity. "If you think about the threat level that has begun to emerge, things are not looking up."

The Commission's recommendations are outlined in six key areas:

  • Security of the information infrastructure and digital networks
  • Acceleration and investment in security and growth of digital networks and digital economy
  • Preparing consumers for the digital age
  • Building cybersecurity workforce capabilities
  • Equipping government to effectively and securely function in the digital age
  • An open, fair, competitive, and secure global digital economy

Peter Lee, a member of the Commission and CVP at Microsoft Research, explained how the Commission came up with its recommendations. "Soon after we got started in March, we held a series of public meetings where we took in quite a lot of input from stakeholders in different parts of the cybersecurity landscape," he says.

"I came with a perspective on the tech industry, where technology might be going, and what the interests would be between Silicon Valley and the US government, as well as how that partnership might be harnessed to make improvements," Lee says. "I also have the responsibility of managing a large part of Microsoft Research, and tend to have a more technical and future-oriented view," which helped inform his insight.

The Internet of Things was a key concern, especially with respect to critical infrastructure (CI). Commissioners urged government to address the convergence of IoT and CI by establishing programs for government agencies and private organizations to evaluate potential cyberattacks and determine next steps.

"These programs would move beyond tabletop exercises and seek to establish public-private joint collaboration by examining specific cyber protection and detection approaches and contingencies, testing them in a simulation environment, and developing joint plans for how the government and private sector would execute coordinated protection and detection activities, responding together, in alignment with the National Cyber Incident Response Plan," the report states.

Over the next decade, the distinction between critical infrastructure and other products (cars, consumer goods) will continue to fade as devices become more connected, says Lee.  

"As time goes on, the computing technology in your child's teddy bear is going to be every bit as meaningful to the nation's cybersecurity as the computer control for our national electric grid," he notes. Connected devices will evolve to the point where even simple consumer products could become a meaningful element of a botnet.

The Commission recommended that the government set baseline standards for connected products and label them accordingly so consumers have a better idea of their security. This would help improve consumer education and awareness of cybersecurity, says Hunt.

"Security has to be built in, easily engaged with, and when possible, completely transparent for the user because users don't understand [security]," he explains. "They make mistakes, and they make all of us vulnerable."

Workforce development is another key issue, says Lee, and both government and industry experts interviewed by the Commission cited a lack of supply of cybersecurity practitioners. The report states the next president should initiate a program to train 100,000 new cybersecurity practitioners by 2020.

This program would develop security talent through local and regional partnerships among employers, educational institutions, and community organizations, according to the report. The government and private sector should also collaborate to sponsor a network of security bootcamps, with the idea of building critical skills in a shorter timeframe.

National cybersecurity should be viewed as a shared responsibility, both experts agree. Education should start as early as K-12 levels so children learn basic security practices at a young age.

Identity management is important to address because a tremendous amount of security breaches begin with the theft of a user ID or password, Lee says.The Commission urged government to make authentication stronger and easier to use, something he says Microsoft has done to prevent intrusions caused by password theft.

However, neither the government nor private sector can make the necessary improvements alone. For this reason, the Commission called for a more active collaboration and partnership between the public and private sectors.

This relationship extends to information sharing, which can be powerful for mitigating risk, Lee notes. Bad actors have an advantage because they embrace the latest technologies and receive direct rewards for new tools and exploits. Those trying to mitigate threats can do so by sharing information as threats emerge.

"If we can create a situation where network operators are able to share data more safely and quickly, the damage caused by botnets can be dramatically reduced," for example, says Lee.

A challenge for companies in sharing information is navigating legal liability risks, he notes. The report recommends government work with the private sector to identify changes in regulations or policies that would encourage companies to more freely share risk management practices.

"Cyber, most interestingly, is the world's first frictionless weapon system," says Accenture's Hunt. "We're at a juncture where we have to go at this in a new way, with focus and vigor and hopefully, bring together the government, state, and private sector," Hunt says.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
How a Manufacturing Firm Recovered from a Devastating Ransomware Attack
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-7201
PUBLISHED: 2019-05-22
CSV Injection was discovered in ProjectSend before r1053, affecting victims who import the data into Microsoft Excel.
CVE-2018-7803
PUBLISHED: 2019-05-22
A CWE-754 Improper Check for Unusual or Exceptional Conditions vulnerability exists in Triconex TriStation Emulator V1.2.0, which could cause the emulator to crash when sending a specially crafted packet. The emulator is used infrequently for application logic testing. It is susceptible to an attack...
CVE-2018-7844
PUBLISHED: 2019-05-22
A CWE-200: Information Exposure vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause the disclosure of SNMP information when reading memory blocks from the controller over Modbus.
CVE-2018-7853
PUBLISHED: 2019-05-22
A CWE-248: Uncaught Exception vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause denial of service when reading invalid physical memory blocks in the controller over Modbus
CVE-2018-7854
PUBLISHED: 2019-05-22
A CWE-248 Uncaught Exception vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause a denial of Service when sending invalid debug parameters to the controller over Modbus.