ISA Financial Sector Specific Recommendations and the Presidential Commission on Enhancing National Cybersecurity

June 7, 2017

ISA Financial Sector Recommendations

Source: Chapter 5 of The Cybersecurity Social Contract: Implementing a Market-Based Model for Cybersecurity

Presidential Commission on Enhancing National Cybersecurity

Harmonize, Streamline, and Improve Regulations

“Regulations should encourage banks to take a risk-based approach, which is customized to the threats they face and takes into account the bank’s business model and resources available. Utilizing a standard mechanism such as the NIST Cybersecurity Framework to align the proliferation of different legal and regulatory cybersecurity requirements enables harmonization and adopts unified fundamental guidance for developing cybersecurity policies and practices within the industry.”                 Commission Action Item 1.4.3: Regulatory agencies should harmonize existing and future regulations with the Cybersecurity Framework to focus on risk management—reducing industry’s cost of complying with prescriptive or conflicting regulations that may no aid cybersecurity and may unintentionally discourage rather than incentivize innovation. (SHORT TERM)

Commission text: The private sector has voiced strong concerns about the ways in which regulatory agencies are beginning to use the Cybersecurity Framework—or in which they refer inconsistently to the Framework, as each agency makes different decisions about its application. Such disparate regulations risk redundancy and confusion among regulated parts of our economy. Federal regulators should harmonize their efforts relating to the Framework, an action called for in Executive Order 13636 but never executed.


Toss the Password Into The Dustbin of History

“The realities of today’s cyber-threat environment have resulted in the widespread leakage of Americans’ sensitive information, thanks to a data-breach epidemic. For consumers, the fallout has been an upswelling of identity theft and account takeovers. And as a result, the security model of identity authentication by user ID and password, including the use of “security questions,” is no longer acceptable. Increasingly, financial institutions and other online entities require more effective methods of achieving online authentication without an undue level of inconvenience.” Commission Recommendation 1.3: The next Administration should launch a national public–private initiative to achieve major security and privacy improvements by increasing the use of strong authentication to improve identity management.

Commission Text: Strong identity management is key to much of what we do in the digital economy. In 2004, an industry leader predicted the demise of the traditional password because it cannot “meet the challenge” of keeping critical information secure.11 His analysis was right; yet we still rely on username and password as the most common form of identification and authentication. In doing so, we are making it far too easy for malicious actors to steal identities or impersonate someone online.


Multifactor authentication

“The rollout of multifactor authentication for government websites, such as tax-related sites operated by the Internal Revenue Service, is far overdue.                 Commission Action Item 1.3.1: The next Administration should require that all Internet-based federal government services provided directly to citizens require the use of appropriately strong authentication.

Commission text: Coordinated efforts should immediately be initiated for a variety of external facing government services, including for tax services at the Internal Revenue Service; for immigration, secure flight, and entry/exit at the Department of Homeland Security; for social security accounts at the Social Security Administration; for passport services at the Department of State; and for health care programs at the Centers for Medicare and Medicaid Services. The Commission believes strongly that if government requires strong authentication, the private sector will be more likely to do the same


“We urge NIST to continue its engagement with the Fast Identity Online Alliance.” Commission Text: Other important work that must be undertaken to overcome identity authentication challenges includes the development of open-source standards and specifications like those developed by the Fast Identity Online (FIDO) Alliance.

Incentivize ISPs to Become More Active in Cybersecurity

“Internet service providers are a critical player for improving cybersecurity across the Internet. However, the majority of ISPs do not have incentive to implement well-established security protocols that would make launching cyberattacks harder for hackers. The system used to lookup web addresses, the domain name system, can be tricked into diverting users to legitimate sites. The domain name system security extensions protocol would mitigate that problem. Similarly, the protocol used to route Internet traffic between large network chunks, the border gateway protocol, is highly vulnerable to false routing. BGPSec is the protocol for preventing that hijacking of traffic through dodgy routers, but it, too, is underutilized. We believe the government should help coordinate the wider adoption of ISP cybersecurity standards for the benefit of all.” Commission Action Item 1.1.1: The President should direct senior federal executives to launch a private–public initiative, including provisions to undertake, monitor, track, and report on measurable progress in enabling agile, coordinated responses and mitigation of attacks on the users and the nation’s network infrastructure. (SHORT TERM)

Commission text: The Department of Commerce, in consultation with all other appropriate departments and agencies, should undertake a multi-stakeholder process that focuses on mitigating the impact of botnets, including denial-of-service attacks, and then expand to address other malicious attacks on users and the network infrastructure, such as the Domain Name System.



Encourage Development of More Cybersecurity Experts

“The need for talent specialized in cybersecurity is growing exponentially, while the supply of qualified experts is limited. The need is pervasive across the public and private sectors. There is a small number of specialized technology examiners employed by the federal banking regulators. Government, industry, and ultimately the nation will reap rewards from prioritizing the development of individuals trained in cyber defense. The new administration should consider leveraging the federal science, technology, engineering, and mathematics program to promote wider interest among students in technology jobs.”                 Commission Imperative 4: Build cybersecurity workforce capabilities.

                Recommendation 4.1: The nation should proactively address workforce gaps through capacity building, while simultaneously investing in innovations—such as automation, machine learning, and artificial intelligence—that will redistribute the future required workforce.

Action Item 4.1.1: The next President should initiate a national cybersecurity workforce program to train 100,000 new cybersecurity practitioners by 2020. (SHORT TERM)

Commission text: A national cybersecurity workforce program would help our nation develop cybersecurity talent pipelines. Such a program—with a specific focus on local and regional partnerships of employers, educational institutions, and community organizations—will help develop the skilled workforce necessary to meet the cybersecurity needs of local and regional industry.