The final cybersecurity report for the Obama administration identified six key issues for improving cybersecurity and recommended actions to make positive changes, but experts disagreed on the key points and whether the recommendations will be heeded by the incoming administration. The Commission on Enhancing National Cybersecurity is the nonpartisan group tasked by President Barack Obama "with developing actionable recommendations for securing and growing the digital economy by strengthening cybersecurity in the public and private sectors."
"Successful implementation of our recommendations will require significant commitment from both the public and private sectors and extensive cooperation and collaboration between the two. Indeed, enhancing the state of national cybersecurity will require the coordinated effort of a wide range of organizations and individuals," the report read. "It is critical that the next administration make cybersecurity a top priority, beginning during the transition period, so that progress can continue, accelerate and expand. The urgency of the situation demands that the next administration move forward promptly on our recommendations, working closely with Congress and the private sector."
Cooperation was a major theme of the report. The first recommendations of the cybersecurity report called for collaboration between the private and public sectors to take on issues such as securing against cyberattacks, hardening infrastructure, increasing the use of strong authentication and identity management, and improving security for small and medium-sized businesses.
"We need to recognize that neither the government nor the private sector can capably protect systems and networks without extensive and close cooperation," the report read. "Critical infrastructure owners and operators deserve clearer guidance and a set of common understandings on how government responsibilities, capabilities and authorities can lead to better collaboration and joint efforts in protecting cyberspace."
Morgan Reed, executive director of ACT | The App Association in Washington, D.C., agreed with the need for more collaboration. "Public-private collaboration will be critical to solving the big cybersecurity challenges that require more than mere technology or technique and will need data-sharing, training opportunities and legal interventions," Reed told SearchSecurity.
Ray Rothrock, chairman and CEO of cybersecurity analytics company RedSeal Inc., based in Sunnyvale, Calif., said information sharing is key to making such cooperation work.
"Collaboration is about trust, and sharing information with government can be a tough sell to a skeptical business audience. But we must try to get it right. Sharing intelligence is a key to success. The military knows that," Rothrock told SearchSecurity. "It can be a key to success in cyber, too. As we work to close the trust gap, let's also move ahead to set standards and let businesses and other organizations pick best-of-breed solutions for their networks. One size does not fit all."
The cybersecurity report also recommended that the public and private sectors come together to secure the internet of things (IoT), which has come under fire recently because malware like Mirai has abused insecure IoT-connected devices to create massive distributed denial-of-service (DDoS) attacks.
Jeremy Grant, managing director at The Chertoff Group in Washington, D.C., and adviser to the FIDO Alliance, said while the cybersecurity report's "heavy focus on identity and authentication is spot on," he was happy to see IoT security addressed directly.
"I was pleased to see IoT get so much attention, given that the attacks of tomorrow are going to increasingly focus on exploiting weaknesses in IoT. We got a preview of this with the Mirai DDoS attacks earlier this fall," Grant told SearchSecurity via email. "It's an area that needs immediate focus -- particularly in improving the way systems authenticate to each other in the IoT world -- and government has an important role to play alongside industry in helping to drive progress."
The report also included recommendations calling for the White House to "coordinate with the international community in creating and harmonizing cybersecurity policies and practices and common international agreements on cybersecurity law and global norms of behavior."
"Today, the international digital economy lacks the coherent systems necessary to effectively address cross-border malicious cyberactivity. The varied individual country technology requirements, assessment regimes and cybersecurity policies fragment markets and force companies to devote resources to multiple compliance regimes, rather than to innovation," the report read. "The lack of global norms and standards forces industry to select markets where they can meet national requirements, avoiding or abandoning others. The lack of structure adds to disparities that can degrade national cybersecurity capabilities. The void in technical, policy and legal conventions hampers information sharing and interoperability. Moreover, it creates an opening for criminals to launch attacks and conduct other malicious cyberactivity."
Rothrock said, "International cooperation, both legal and behavioral, is a complex challenge."
"Cyberthreats move across borders with little friction. And there are legal and cultural differences in how nations deal with cyberthreats. As difficult as this will be, we must start somewhere," Rothrock said. "The United Nations may be the best place to begin the global dialog. But we should remember that no nation has enough standing in cyber to force its will onto others."