Cyber Commission Hopes to Brief Trump Before Christmas

A commission that recommended sweeping updates to the nation’s cybersecurity protections hopes to brief President-elect Donald Trump’s transition team on its findings before Christmas, the group’s executive director said Monday.

That will increase the likelihood the incoming administration can take action on many recommendations from the Obama-appointed Commission on Enhancing National Cybersecurity during its first 100 days, Executive Director Kiersten Todt said.

The commission briefed President Obama on Dec. 2 about its recommendations, which include a slate of 60-, 100- and 180-day goals for the incoming Trump team related to securing the internet of things, improving public-private cooperation on cybersecurity and beefing up the cyber workforce.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

Commissioners are now awaiting an official invitation to brief the incoming Trump team, Todt said. The Trump administration has not reached out yet and she does not know if the briefing would be to transition team director, Vice President-elect Mike Pence, another insider or to someone designated to manage cyber issues for the team, Todt told Nextgov.

Obama urged the commission to brief the Trump team in a Friday statement after reviewing the report. He also urged Congress to fully fund a 35 percent increase in cyber spending included in his 2017 fiscal year budget to start the next administration off on the right foot.

“President Obama has done the next administration a great favor by bringing together some of the best and brightest minds for eight months to look at cybersecurity and to put together a road map,” Todt said during an event sponsored by the New America think tank.

“So the hope is, that this can be a starting place so the lag time is minimized as much as possible and so the new administration can take this and hit the ground running,” she added.

Todt downplayed concerns the Trump team will see the commission as an Obama administration holdover and ignore the report's recommendations.

“I would push back on that pretty hard,” she said. “This [report] is on the issues. When we look at a new administration, they’re looking to understand the issues and so the hope is that this is a pretty strong road map for doing so.”

Commissioners plan to continue advocating for the report’s recommendations after the transition is complete, Todt said. It’s unlikely that advocacy will reach the level of the 9/11 Commission, which continues to promote its policy recommendations more than a decade later, Todt said, but that could be a model.

Todt also praised as “a thoughtful approach” Trump’s plan to launch a Pentagon-led review of cyber vulnerabilities in U.S. “vital infrastructure,” announced in a video message shortly before Thanksgiving.

Some critics have worried the plan, which Trump sketched in very broad details, could signal a shift away from the Homeland Security Department’s traditional role as the lead agency for supporting the cybersecurity of private-sector networks.

It could, however, be a sign the incoming administration is “thinking creatively” about cyber issues and incorporating nontraditional approaches, Todt said. She stressed she had not spoken with the Trump team about the plan.

“I don’t think in any way that it means DHS or civilian agencies are taking a back seat at this point,” she said.

The commission recommended that the Trump administration:

• Appoint an ambassador for cybersecurity to lead engagement with the international community on cybersecurity priorities, standards and practices (within 180 days).
• Convene public- and private-sector leaders to organize a cybersecurity awareness and engagement campaign (within 100 days).
• Order the National Institute of Standards and Technology and the White House Office of Management and Budget to clarify federal agency responsibilities under the Federal Information Security Management Act. NIST and OMB should also align FISMA responsibilities with the NIST Cybersecurity Framework (within 100 days).
• Issue a national cybersecurity strategy (within 180 days).
• Establish an an interagency group led by the Justice Department to analyze current laws on government liability for cyber vulnerabilities in the internet of things (within 180 days).

The report also recommended that Obama direct NIST to work with industry to develop voluntary security standards for the internet of things within 60 days.