National Cybersecurity Commission Report to Focus on Near-Term Fixes


Commissioners are eager to get the report into the Trump transition team’s hands.

A commission tasked with advising the Obama administration on how to secure cyberspace for the next decade will focus more on immediate fixes than long-term initiatives, the group’s leader said Friday.

That list includes developing security standards for internet-connected elements in cars, cameras and other internet of things devices and improving consumer awareness of cybersecurity so it becomes a “differentiator” in purchasing decisions, Kiersten Todt, executive director of the Commission on Enhancing National Cybersecurity, said during a panel discussion hosted by the Chertoff Group.

The commission, which was formed in the wake of the Office of Personnel Management data breach, began its work looking for a combination of “actionable recommendations” and “longer term ambitious proposals,” Todt said.

“That’s still the case, but what we recognized in writing this is, really, none of these recommendations is long term,” she said. “The urgency of these issues is now. So what we hope is that many of these recommendations will be able to be executed.”

The commission, which includes former National Security Agency Director Keith Alexander and former National Security Adviser Tom Donilon among its members, is part of the president's Cybersecurity National Action Plan.

The group is scheduled to deliver its findings to the president Dec. 1. It’s not clear if the report will become public that same day, though there’s a good chance it will, because that would speed up the process of getting it into the hands of President-elect Donald Trump’s transition team, Todt told reporters.

While the report’s still coming together, Todt gave a few hints about its contents:

  • The commission isn’t planning any changes that gear the report to the incoming Trump administration. Commission authors have taken care, however, to be administration agnostic by not presuming cyber roles and responsibilities will be distributed precisely as they are now under the Obama administration.
  • The report will focus more on the private sector than internal government cybersecurity, but it will address some government issues. One thing the commission has been wrestling with is whether the ultimate responsibility for government cybersecurity should rest within agencies or be centralized, Todt said.
  • The report will not address the debate over cop-proof encryption systems, but will address issues of privacy more broadly.
  • Commission members are hearing that the current focus on government-facilitated cyber information sharing through Information Sharing and Analysis Centers and Information Sharing and Analysis Organizations (basically, sectoral and geographical groups) doesn’t sufficiently account for some threats that are more likely to target companies of a particular size than companies in a particular industry. “Small- and medium-sized businesses have almost as much in common with their brethren in other sectors as they do when you go up and down,” Todt said.
  • One focus will be on early childhood cyber education. The goal is both to start children practicing good cyber hygiene early and to help prepare a future cyber workforce. “When a child gets that first iPad in first grade, there should be that [cyber] education and awareness component,” Todt said.