Trump’s first 100 days should include cybersecurity action, commission says

The incoming Trump administration should in its first 100 days launch programs to train 150,000 cyber-professionals during the next four years, start developing a voluntary system of cybersecurity-standards labeling for consumer technology and insist on strong authentication when citizens log on to government websites, according to the Commission on Enhancing National Cybersecurity.

The three proposals are among more than 50 in the commission’s report, which acknowledges that “Many [of them] require a commitment of financial resources far above the level we see today.” The report was published Friday afternoon shortly after being formally presented to President Obama, who established the commission in February.

“The Commission’s recommendations affirm the course that this administration has laid out, but make clear that there is much more to do and the next administration, Congress, the private sector, and the general public need to build on this progress,” said Obama in a statement. Calling the recommendations “thoughtful and pragmatic,” he said he had urged the commissioners to brief the Trump transition team “at their earliest opportunity.”

“I believe that the next administration and the next Congress can benefit from the commission’s insights and should use the commission’s recommendations as a guide,” he concluded. The commission itself said that, given the urgency of the cybersecurity problem, “many” of its recommendations should and could be initiated in the new administration’s first 100 days.

The report is the culmination of a process started with an executive order by Obama in February, as part of the Cybersecurity National Action Plan he launched that month.

It is organized around six “imperatives:”

• Protect, defend, and secure today’s information infrastructure and digital networks.
• Innovate and accelerate investment for the security and growth of digital networks and the digital economy.
• Prepare consumers to thrive in a digital age.
• Build cybersecurity workforce capabilities.
• Better equip government to function effectively and securely in the digital age.
• Ensure an open, fair, competitive, and secure global digital economy.
• Each imperative contains one or more recommendations, 16 in all, which in turn are broken down into discrete proposals or “action items” — 53 of them.

Most dramatically, the commissioners urge the Trump administration (recommendation 4.1) to commit itself to a national cybersecurity workforce training program and a national cybersecurity apprenticeship program that would, between them, produce 150,000 new cyber-professionals during the new president’s first four year term. Another action item under the workforce recommendation proposes incentives for cybersecurity education in the form of loan forgiveness or subsidies for students.

The commission also exhorts the incoming administration (recommendation 3.1) to help empower consumers to take more account of cybersecurity in their technology purchase decisions. As part of this work, “an independent organization should develop the equivalent of a cybersecurity ‘nutritional label’ for technology products and services — ideally linked to a rating system of understandable, impartial, third-party assessment that consumers will intuitively trust and understand.”

The Federal Trade Commission should also develop a “Consumers Bill of Rights and Responsibilities for the Digital Age,” along with standardized disclosure form templates — analogous to those used for interest rate disclosures on credit cards — to “inform consumers of their cybersecurity roles and responsibilities as citizens in the digital economy.”

Finally, the new administration should convene a “summit of business, education, consumer, and government leaders at all levels to plan for the launch of a new national cybersecurity awareness and engagement campaign” for Americans.

In almost all of its recommendations, the commission urges public-private partnerships, including (recommendation 1.3) to boost the use of “strong authentication to improve identity management.” As part of this partnership, “The next Administration should require that all internet-based federal government services provided directly to citizens require the use of appropriately strong authentication.”

Some recommendations are considered too urgent to wait even 100 days. These include moves to secure the Internet of Things (recommendation 2.1) in the face of mounting evidence that the explosive growth of web-connected consumer devices is effectively a suicide belt for the internet — providing hackers with millions of vulnerable devices, which, when herded into botnets, can blow even a huge e-commerce site like PayPal offline.

Within 60 days of assuming office , the new president “should issue an executive order directing [the National Institute of Standards and Technology] to work with industry and voluntary standards organizations to identify existing standards, best practices, and gaps for [IoT] deployments … and to jointly and rapidly agree on a comprehensive set of risk-based security standards.”

Commissioners state that the cybersecurity “nutritional label” they propose “should be based, at least in part, on whether and to what degree a given device conforms to the standards and best practices that NIST identifies.”

In public discussions, at least some commissioners have expressed the view that these best practices ought sooner rather than later to be considered a “standard of care” for the IoT. That’s a legal term of art and companies that don’t meet such a standard may be more likely to get sued.

Meanwhile, the Department of Justice should lead “an interagency study with the Departments of Commerce and Homeland Security and work with the Federal Trade Commission, the Consumer Product Safety Commission, and interested private sector parties to assess the current state of the law with regard to liability for harm caused by faulty IoT devices and provide recommendations within 180 days.”

If there are gaps in the laws that protect consumers and incentivize adequate security standards, the president should “present Congress with a legislative proposal to address identified gaps, as well as explore actions that could be accomplished through executive order.”