44th Presidency Commission Issues UpdateCybersecurity Takes Second Place to More Immediate Concerns
The 2008 report concluded that cybersecurity was among the major national security problems and that only a comprehensive national strategy consistent with American values would improve. The commission - a panel of lawmakers, former government and military IT and IT security officials and IT security thought-leaders - issued a series of recommendations, many incorporated into President Obama's Cyberspace Policy Review issued in May 2009 and cybersecurity legislation introduced in the last Congress, though no major IT security reform law was enacted.
"Our review of the last two years found that there has been progress in almost all of the areas we identify as critical, but in no area has this progress been sufficient," the new report says.
It's not that the White House ignored the recommendations, it just got bogged down on other matters. "Many in the current administration share these conclusions, but progress has been slow," the report says. "Cybersecurity unavoidably takes second place to more immediate concerns, such as the wars or the economy. This is understandable, but the result has been that despite good intentions, many important actions have been deferred."
The new report offers recommendations in 10 areas, many restating advice offered in the 2008 study:
- Coherent organization and leadership for federal efforts for cybersecurity and recognition of cybersecurity as a national priority.
- Clear authority to mandate better cybersecurity in critical infrastructure and develop new ways to work with the private sector.
- A foreign policy that uses all tools of U.S. power to create norms, new approaches to governance and consequences for malicious actions in cyberspace. The new policy should lay out a vision for the future of the global Internet.
- An expanded ability to use intelligence and military capabilities for defense against advanced foreign threats.
- Strengthened oversight for privacy and civil liberties, with clear rules and processes adapted to digital technologies.
- Improve authentication of identity for critical infrastructure.
- Build an expanded workforce with adequate cybersecurity skills.
- Change federal acquisition policy to drive the market toward more secure products and services.
- A revised policy and legal framework to guide government cybersecurity actions.
- Research and development focused on the hard problems of cybersecurity and a process to identify these problems and allocate funding in a coordinated manner.
"The cybersecurity debate is stuck," the report concludes. "Many of the solutions still advocated for cybersecurity are well past their sell-by date. Public-private partnerships, information sharing and self-regulation are remedies we have tried for more than a decade without success. We need new concepts and new strategies if we are to reduce the risks in cyberspace to the United States."