ISA Information Technology Sector Specific Recommendations and the Presidential Commission on Enhancing National Cybersecurity

June 7, 2017

ISA Information Technology Sector Recommendations

Source: Chapter 7 of The Cybersecurity Social Contract: Implementing a Market-Based Model for Cybersecurity

Presidential Commission on Enhancing National Cybersecurity

Create a Cabinet-like Position to Upgrade Civilian IT and Security Infrastructure

“Attempts to build [a bureaucratic power base] through the position of cybersecurity coordinator were well intentioned, but a White House policy czar lacks the authority needed to effect real change… One federal agency, the Department of Homeland Security, should be tasked with the operational duty of extending help and assistance to all civilian agencies. The authority for cyber should flow to DHS so the department can become a managed security service provider, the federal equivalent of commercial consultants who set up security infrastructures, provide and train personnel, and assist with incident response.”

Commission Action Item 5.4.1: The President should appoint and empower an Assistant to the President for Cybersecurity, reporting through the National Security Advisor, to lead national cybersecurity policy and coordinate implementation of cyber protection programs. (SHORT TERM)

Commission Action Item 5.5.2: Congress should consolidate cybersecurity and infrastructure protection functions under the oversight of a single federal agency, and ensure this agency has the appropriate capabilities and responsibilities to execute its mission. (SHORT TERM)


Workforce Development

“Government should work with colleges and universities across the country to obtain a steady flow of recruits for cybersecurity positions… Congress should pass legislation to fund programs for education and research to lubricate the education system to create the best source of cybersecurity talent in the world.”

Commission Recommendation 4.1: The nation should proactively address workforce gaps through capacity building, while simultaneously investing in innovations—such as automation, machine learning, and artificial intelligence—that will redistribute the future required workforce.

Commission Action Item 4.1.3: To better prepare students as individuals and future employees, federal programs supporting education at all levels should incorporate cybersecurity awareness for students as they are introduced to and provided with Internet-based devices.


Increase and Improve International Law Enforcement and Cooperation to Prevent Cyber War and Terrorism

“The new president should prioritize and initiate a concerted process to modernize international law and procedures with respect to clarifying criminal laws internationally… This would include a clarification of the roles and responsibilities nation-states have in protecting private organizations from international cyberattack, including those launched or supported by nation-states.”

Commission Action Item 6.1.4: Congress should provide sufficient resources to the Department of Justice (DOJ) to fully staff and modernize the Mutual Legal Assistance Treaty (MLAT) process, including hiring engineers and investing in technology that enables efficiency. It should also amend U.S. law to facilitate transborder access to electronic evidence for limited legitimate investigative purposes, and should provide resources for the development of a broader framework and standards to enable this transborder access.

Commission Text: The federal government has the ultimate responsibility for the nation’s defense and security and has significant operational responsibilities in protecting the nation’s rapidly changing critical infrastructure. The government also has cyber mission roles that need to be clarified, including better defining government (including individual agency) roles and responsibilities, and addressing missing or weak capabilities, as well as identifying and creating the capacity that is needed to perform these activities.


Increase Government Research and Development Funding for Risky Technology Research

“The federal government has a significant role to play in incentivizing the development of new and innovating technologies… Rather than routinely cut research and development funding, the United States should emulate what our competitors are doing in other countries by providing increased government support for basic IT research and general purpose digital programs.”

Commission Recommendation 2.2: The federal government should make the development of usable, affordable, inherently secure, defensible, and resilient/recoverable systems its top priority for cybersecurity research and development (R&D) as a part of the overall R&D agenda.

Public-Private Partnership

“There ought to be a collaborative effort between the public and private sectors using the existing partnership model as laid out in the National Infrastructure Protection Plan to test the effectiveness of the NIST Cybersecurity Framework… At a minimum, we need to define what using the framework entails in a practical sense, which, in turn, would be suitable for eligibility of access to a menu of federal incentives.”

Commission Action Item 1.4.1: NIST, in coordination with the NCP3, should establish a Cybersecurity Framework Metrics Working Group (CFMWG) to develop industry-led, consensus-based metrics that may be used by industry to voluntarily assess relative corporate risk.

Commission Action Item 1.4.4: The private sector should develop conformity assessment programs that are effective and efficient, and that support the international trade and business activities of U.S. companies. (SHORT TERM)

Commission Text: “The right mix of incentives must be provided, with a heavy reliance on market forces and supportive government actions, to enhance cybersecurity. Incentives should always be preferred over regulation.”


Commission Action Item 1.4.5: The government should extend additional incentives to companies that have implemented cyber risk management principles and demonstrate collaborative engagement.