Commission on Enhancing National Cybersecurity Seeks Action in Trump's First 100 Days
The Commission on Enhancing National Cybersecurity publicly released a set of recommendations Friday to the White House on actions the private and public sectors can take over the next decade to improve cyber defenses and raise cyber awareness. As expected, the six main recommendation areas aim to provide a blueprint for the incoming administration of President-elect Donald Trump's cybersecurity objectives (see 1611220065). CENC officially delivered its recommendations to President Barack Obama Thursday as directed in the White House's February Cybersecurity National Action Plan (see 1602090068).
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
Implementation of most CENC recommendations “should begin in the near term, with many meriting action within the first 100 days of the Trump administration," the commission said. CENC made 16 policy recommendations across the report's six overarching “major imperatives,” including the need to protect and defend the U.S.'s existing IT infrastructure. The commission focused on the need to increase private sector investment in cybersecurity to promote growth in the digital economy, along with improving government's cybersecurity capabilities. CENC urged the White House to improve consumers' preparation “to thrive in the digital age” and improve the workforce's cybersecurity training. The commission also urged the White House to adopt policies to ensure an open, fair and secure digital economy.
CENC's recommendations included an expected call to promote the increased use of the National Institute of Standards and Technology's Cybersecurity Framework. The Trump administration “should build on the success of the Cybersecurity Framework to reduce risk, both within and outside of critical infrastructure, by actively working to sustain and increase use” of the framework, CENC said. The commission recommended the White House require all federal agencies to use the NIST framework. CENC also encouraged NIST to help establish a working group to develop “industry-led, consensus-based metrics” on framework use that can be used by the private sector and the departments of Homeland Security and Treasury.
The federal government should “better match” cybersecurity responsibilities with executive branch agencies, including by appointing an assistant to the president for cybersecurity under the National Security Adviser “to lead national cybersecurity policy and coordinate implementation of cyber protection programs,” CENC said. The commission urged the White House to clarify the Office of Management and Budget's role in U.S. cybersecurity, and particularly the roles of the federal information officer, federal information security officer and the senior OMB adviser for privacy “in managing cybersecurity-related operations in all agencies.”
CENC's recommendations for preparing consumers included an anticipated call for an independent organization to develop the equivalent of a cybersecurity “nutritional label” for tech devices and services that would be “ideally linked to a rating system of understandable, impartial, third-party assessment that consumers will intuitively trust and understand.” CENC also pressed the FTC to convene consumer groups and industry to develop a consumer's “bill of rights and responsibilities” for the digital age, plus documents to “inform consumers of their cybersecurity roles and responsibilities as citizens in the digital economy.”
CENC's recommendations for ensuring an open and secure global digital economy included the appointment of an ambassador for cybersecurity matters to “lead U.S. engagement with the international community on cybersecurity strategies, standards, and practices.” The U.S. should increase its engagement in international forums to “garner consensus from other nations and promote the use of sound, harmonized cybersecurity standards,” the commission said. CENC said the State Department should work with NIST to seek international partners to widen the reach of the NIST framework. State should also “continue its work with like-minded nations to promote peacetime cybersecurity norms of behavior,” the commission said.
CENC's recommendations “affirm the course that this Administration has laid out, but make clear that there is much more to do and the next Administration, Congress, the private sector, and the general public need to build on this progress,” Obama said in a statement. Trump's administration and the 115th Congress “can benefit from the Commission’s insights and should use the Commission’s recommendations as a guide,” Obama said. He directed CENC to brief Trump's transition team on the recommendations and said the federal government must “provide sufficient resources to meet the critical cybersecurity challenges called out in the Commission’s report.”
The recommendations “solidly recognize all of the problems and propose a process to address them,” said Venable cybersecurity and telecom lawyer Jamie Barnett in an email. “But one notable absence is a huge enable to any policy: resources. Only in a couple of places do the recommendations mention funding. The lack of security has huge costs, but getting the right security also costs. Until the federal government “commits strongly and deeply to tax and other incentives for small and medium businesses, these and other recommendations to improve cybersecurity will lag in implementation and effectiveness,” Barnett said. “What got America to the moon was both dedication and a commitment of significant resources.”