On 1 December The Commission on Enhancing National Cybersecurity issued their key deliverable, the report on Securing and Growing The Digital Economy. That is a good report. For policy-makers new to cybersecurity the introduction recaps issues the nation has been dealing with for quite some time now. And the many recommendations are things we should all support.
But in my opinion it is not a report that should be sent to the President or President Elect. It is far too long and detailed (over 100 pages long). Experienced security professionals can grasp it, but for those new to the topic it requires a deep understanding of reference material including two pages of obtuse acronyms and the many reference documents and definitions in an extended glossary. This is not anything we should expect any executive to spend much time on.
In its current form the President Elect and other executives have little choice but to speed-read the report and hope to glean a general gist. Or maybe take a briefing from the drafters and wish them well in executing it.
Which means the actions the report will drive are hard to predict. In fact, it is going to be easy for the President to ignore and may contribute to the observable tendency of new policy makers to forget the lessons learned of previous administrations in cyber security (administrations have been ignoring previous cybersecurity studies since at least the Carter Administration, see our reference list of cybersecurity wake up calls).
One of the nation’s great technologists, Junaid Islam, has advocated for a National Cybersecurity Strategy that Everyone can Implement. The business world, especially the small to mid-sized business world, needs simplified and executable approaches like the one Junaid articulated. We believe a similar approach is required for recommendations given to the President.
With that as an introduction, here are recommendation for what to give every new policy-maker in government, including the President Elect, on the topic of Cybersecurity:
The Nation’s 2017 Cybersecurity Action Plan
The nation needs a simple and understandable strategy for enhancing cybersecurity. Without it the cost of cyber crime and threats to our government will only increase. The good news is this problem has been studied for decades and professionals know what to do. What has been missing to this point is the right amount of leadership. Leaders at all levels should understand that cybersecurity is not just something for the IT department. Responsibility for reducing cyber risks cannot be delegated. No matter what the organization, if you lead it, you are responsible for efficiently mitigating cyber risks.
The following is our nation’s 2016 Cybersecurity Action Plan:
- The Department of Justice, working with the DHS, will support every federal, state and local law enforcement organization in the U.S. in enhancing anti-cyber crime activities. This includes providing local law enforcement organizations with information they need for informing all citizens and businesses in their jurisdictions on the nature of the cyber threat and prudent mitigation strategies. This approach is the only scalable way to give our citizens and businesses the protective information they need.
- The Federal Government will become the exemplar of optimal cyber defense, proving even large organizations can mitigate threats and enhance technology support to mission outcomes while reducing IT spend. We will do this through leadership, with every leader in the executive branch, including the chief executive, taking responsibility for outcomes. In doing this we will leverage the lessons learned from decades of cybersecurity reviews. We know what must be done and will do it.
- The executive branch will accelerate the exchange of best practices and lessons learned and will take continuous action to assist industry, academia, non-profits and all free nations in their responsibilities to defend themselves in cost-effective ways. The U.S. government will encourage all to understand best practices and avoid negligent behaviors in cyber security, and will work with the legislative branch to improve the legal regime governing responsible behavior and norms as required.
I should add one more observation. No matter what the federal government does, no business anywhere should expect that the government will protect them from cyber attack. This is your responsibility. The good news is there is a vast body of knowledge that professionals can use to help you meet your responsibilities to protect yourself. See, for example, Protecting Your Business From Cyber Threats.