Obama’s cyber commission looks to next administration and beyond

President Barack Obama's new cybersecurity commission has grand ambitions that include shaping how American society approaches Internet security under the next administration and beyond.

"Consider your recommendations as a down payment for the next administration, for the next decade," Lisa Monaco, the White House's top counterterrorism adviser, told the inaugural meeting of the Commission on Enhancing National Cybersecurity. "Think of your audience as society as a whole, not only the federal government."

The commission, which Obama established by executive order in February, has until Dec. 1 to deliver recommendations in a range of areas, including identity management, the cybersecurity of the Internet of Things, training the federal workforce and educating the public.

The commission's executive director is Kiersten Todt, a newly hired Commerce Department official and former risk management consultant. Tom Donilon, Obama's former national security adviser, and Sam Palmisano, former CEO of IBM, are also helping oversee the group. The 10 other members of the commission include retired Gen. Keith Alexander, former director of the National Security Agency; Patrick Gallagher, former head of Commerce's National Institute of Standards and Technology; and executives from Microsoft and Uber.

The commission's immediate task is to refine the scope of its work, Todt told FCW after the three-hour public meeting. How the group defines the issues will in part determine how successful the initiative is, she added.

The commission has lined up five public workshops, starting with one next month in New York City, to field ideas for addressing vexing national challenges. The July meeting, set for Houston, will focus on securing critical infrastructure using the oil and gas industry as an example, Todt said.

She added that the commission hopes to draw on ideas from startups at the public workshops.

Alexander, who is now CEO of IronNet Cybersecurity, told FCW that the commission is facing a difficult task. There is "a lot to get done in a short time," he said. When asked how, as the former director of a spy agency with offensive cyber capabilities, he would stay unbiased in his recommendations, Alexander said it would be biased to preclude anyone from the commission because of his or her work in government or the private sector.

In her remarks, Monaco touched on the burden of the federal government's legacy IT systems, which can be costly to maintain and vulnerable to hacking. She pointed to the massive data breach at the Office of Personnel Management last year as evidence.

"We have a culture of bureaucratic stasis, if you will, that does not incentivize cybersecurity," Monaco said, adding that agency leaders should think more like corporate CEOs in how they manage cyber risk.

After her remarks, the commissioners posed critical questions to Monaco. Annie Anton, a professor at the Georgia Institute of Technology, asked how the government was addressing what she said was a tension between a policy of not negotiating with terrorists but one of engaging with dispensers of ransomware, which encrypts a computer user's data until hackers are paid off.

Monaco said the administration was still gathering data on ransomware and mulling the policy implications.

There have been 321 reports of ransomware-related activity affecting 29 federal networks since June 2015, the Department of Homeland Security said in a recent letter to senators. DHS officials added that they were unaware of cases in which federal agencies had paid hackers to remove ransomware.