As part of a broader effort to strengthen national security and inform future administrations, the US Commission on Enhancing National Cybersecurity last week issued recommendations that encompass critical infrastructure and convergence driven by the Internet of Things, workforce development, public-private partnership, and information sharing.
President Obama established the Commission in February of this year to improve cybersecurity across the country. Twelve commissioners representing industry, academia, and former government officials were appointed to develop recommendations.
The 100-page "Securing and Growing the Digital Economy" report by the commission, which contains short- and long-term guidance for improving cybersecurity across the public and private sectors, comes at a time when cyber threats are constant and becoming more dangerous.
"It's bad and getting worse," says Gus Hunt, former CTO of the CIA and current cybersecurity lead at Accenture Federal Services, of the current state of cybersecurity. "If you think about the threat level that has begun to emerge, things are not looking up."
The Commission's recommendations are outlined in six key areas:
Peter Lee, a member of the Commission and CVP at Microsoft Research, explained how the Commission came up with its recommendations. "Soon after we got started in March, we held a series of public meetings where we took in quite a lot of input from stakeholders in different parts of the cybersecurity landscape," he says.
"I came with a perspective on the tech industry, where technology might be going, and what the interests would be between Silicon Valley and the US government, as well as how that partnership might be harnessed to make improvements," Lee says. "I also have the responsibility of managing a large part of Microsoft Research, and tend to have a more technical and future-oriented view," which helped inform his insight.
The Internet of Things was a key concern, especially with respect to critical infrastructure (CI). Commissioners urged government to address the convergence of IoT and CI by establishing programs for government agencies and private organizations to evaluate potential cyberattacks and determine next steps.
"These programs would move beyond tabletop exercises and seek to establish public-private joint collaboration by examining specific cyber protection and detection approaches and contingencies, testing them in a simulation environment, and developing joint plans for how the government and private sector would execute coordinated protection and detection activities, responding together, in alignment with the National Cyber Incident Response Plan," the report states.
Over the next decade, the distinction between critical infrastructure and other products (cars, consumer goods) will continue to fade as devices become more connected, says Lee.
"As time goes on, the computing technology in your child's teddy bear is going to be every bit as meaningful to the nation's cybersecurity as the computer control for our national electric grid," he notes. Connected devices will evolve to the point where even simple consumer products could become a meaningful element of a botnet.
The Commission recommended that the government set baseline standards for connected products and label them accordingly so consumers have a better idea of their security. This would help improve consumer education and awareness of cybersecurity, says Hunt.
"Security has to be built in, easily engaged with, and when possible, completely transparent for the user because users don't understand [security]," he explains. "They make mistakes, and they make all of us vulnerable."
Workforce development is another key issue, says Lee, and both government and industry experts interviewed by the Commission cited a lack of supply of cybersecurity practitioners. The report states the next president should initiate a program to train 100,000 new cybersecurity practitioners by 2020.
This program would develop security talent through local and regional partnerships among employers, educational institutions, and community organizations, according to the report. The government and private sector should also collaborate to sponsor a network of security bootcamps, with the idea of building critical skills in a shorter timeframe.
National cybersecurity should be viewed as a shared responsibility, both experts agree. Education should start as early as K-12 levels so children learn basic security practices at a young age.
Identity management is important to address because a tremendous number of security breaches begin with the theft of a user ID or password, Lee says. The Commission urged government to make authentication stronger and easier to use, something he says Microsoft has done to prevent intrusions caused by password theft.
However, neither the government nor private sector can make the necessary improvements alone. For this reason, the Commission called for a more active collaboration and partnership between the public and private sectors.
This relationship extends to information sharing, which can be powerful for mitigating risk, Lee notes. Bad actors have an advantage because they embrace the latest technologies and receive direct rewards for new tools and exploits. Those trying to mitigate threats can do so by sharing information as threats emerge.
"If we can create a situation where network operators are able to share data more safely and quickly, the damage caused by botnets can be dramatically reduced," for example, says Lee.
A challenge for companies in sharing information is navigating legal liability risks, he notes. The report recommends government work with the private sector to identify changes in regulations or policies that would encourage companies to more freely share risk management practices.
"Cyber, most interestingly, is the world's first frictionless weapon system," says Accenture's Hunt. "We're at a juncture where we have to go at this in a new way, with focus and vigor and hopefully, bring together the government, state, and private sector."