Data Protection Report - Norton Rose Fulbright

The US Commission on Enhancing National Cybersecurity, a nonpartisan group established by President Obama in early 2016, released its final report on December 1, 2016. The report provides an in-depth view of cybersecurity challenges facing the digital economy, and provides a roadmap for addressing those challenges. For some issues, the Commission recommends that the next presidential administration take action within its first 100 days in office. Here are the six “imperatives” discussed in the Commission’s report.

  • Imperative 1: Protect, Defend, and Secure Information Infrastructure and Digital Networks.

The Commission recommends establishing public-private partnerships to address cybersecurity risks associated with interconnected systems, which can expose multiple business sectors via a single attack. The Commission cites as an example the recent DDoS attack on Dyn, which caused multiple websites and online services to become inaccessible. (See also our colleagues’ recent post on the legal implications of DDoS attacks.) The report states that tackling a task of this size will require government leadership and coordination, because the private sector is not equipped to mitigate and respond to large-scale cyberattacks. The Commission suggests that public-private partnerships will foster information sharing, coordinated incident response, and cooperation to facilitate end-to-end risk management. The Commission recommends that the government incentivize private organizations’ cooperation by shielding them from liability for voluntarily disclosures of information.

The Commission also advocates for broader use of the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which the FTC previously has lauded as establishing a set of best practices for private organizations and the government. The Commission recommends government-wide adoption of the Framework and supporting private organizations that transition to or implement the Framework by offering incentives and resources.

  • Imperative 2: Innovate and Accelerate Investment for the Security and Growth of Digital Networks and the Digital Economy.

The Commission recognizes the increasing use of Internet-connected devices (i.e., the Internet of Things or IoT) and the possibility that those devices may facilitate the compromise of critical infrastructure and systems. Many of these devices have security vulnerabilities that may compromise entire networks. More often than not, these connected devices are rushed to market before they are secured. To combat this tendency, the Commission recommends creating federal standards for the Internet of Things. The standards would set forth best practices for device makers, including a mandate to embed privacy and security features in the devices’ design (which the FTC has long advocated).

  • Imperative 3: Prepare Consumers to Thrive in a Digital Age.

The Commission advocates establishing cybersecurity outreach programs that will change consumer behavior by promoting awareness of cyber threats. Under this proposal, the government’s consumer protection agencies would lead the development and delivery of an education program that instructs consumers how to secure their devices and information. The Commission is also proposing “cybersecurity nutritional labels.” The labels would function like a rating system for connected devices, signaling to a consumer when a product or service is rated secure or as lacking cyber controls.

  • Imperative 4: Build Cybersecurity Workforce Capabilities.

The Commission recommends developing a US cybersecurity talent pool. Currently, the cybersecurity sector is understaffed despite high demand, and the Commission predicts that the economy will need 100,000 new cyber-sector employees by 2020. To meet that demand, the Commission advocates apprenticeship programs, rotational programs, early education, and additional support for college students entering the field.

  • Imperative 5: Better Equip Government to Function Effectively and Securely in the Digital Age.

Recent high profile hacking attacks have demonstrated that sophisticated cyberattacks are a national security concern. The Commission is urging the incoming administration to improve federal government networks, including by consolidating and updating legacy systems. Currently, federal agencies use a wide array of systems, many of which are outdated and difficult, if not impossible, to properly secure. This Commission’s plan would require a significant investment in the US cyber infrastructure to improve its resilience against cyberattacks.

  • Imperative 6: Ensure an Open, Fair, Competitive, and Secure Global Digital Economy.

Globalization and the interconnected nature of the Internet mean cooperation is essential for effective implementation of the Commission’s proposed plan. The final imperative focuses on increased international cooperation around cybersecurity threats. Many of the recommendations included in the report are reiterated and applied to the international community. For instance, the Commission recommends that that State Department assume responsibility for facilitating development of global cybersecurity norms.

Our Take

Taken as a whole, the report is a detailed, nonpartisan roadmap for the incoming administration. It identifies many of the key concerns facing the digital economy, and provides specific, actionable guidance  on achieving those milestones. The Commission concedes, however, that achieving those objectives will require a massive federal undertaking.

Cybersecurity was one of the key issues in the election. It is a pressing issue before Congress today – in connection with  the hacking the CIA concluded was perpetrated at the direction of the Russian government, for instance – and will remain an issue in the years to come, both in the civil sector and in the military sector (both offensive and defensive). Getting to a level of cybersecurity in the US (and internationally) that can effectively protect the US and other communities from cyberattacks will require massive private and public investment, and it will require innovation. Cybersecurity is a non-partisan issue that the incoming administration will have no choice but to address in a significant way. The Commission’s report is a good start – one of the early steps on which the incoming administration may build.

To that end, President Obama has endorsed the report’s findings and recommendations, and the director of the Commission anticipates that the group will meet with President-Elect in the coming weeks to discuss its findings.

To subscribe for updates from our Data Protection Report blog, visit the email sign-up page.