On Dec. 2, President Obama’s Commission on Enhancing National Cybersecurity released its final report. The nonpartisan committee was chaired by former National Security Adviser Tom Donilon, and focused on critical infrastructure, the internet of things, public awareness and education, workforce challenges, and governance and accountability across stakeholders.
One notable aspect of the report’s recommendations was its emphasis on public-private partnerships. That was what was most exciting to Gus Hunt,Accenture Federal’s managing director and former CIA chief technology officer.
“Cybersecurity is something that affects everybody,” he told WashingtonExec. “All businesses, all governments, all individuals. It’s not something that any one segment can take by themselves; it’s going to take us acting together.”
Those actions range from building a roadmap to improve security of digital networks to creating exchange programs to developing an educated and experienced cyber workforce. One action item, for example, is for the next president to create an initiative to grow the workforce by 100,000 people by 2020.
These are some big numbers, said Barry Barlow, CTO at Vencore, but they’re not unprecedented. For example, the space workforce came together in seven years.
“I think [the cyber workforce]is an area where we do have to focus, perhaps more so than STEM,” he said. “The flip side of that is that it’s going to create a challenge because we’ve been focusing now for years on building out STEM efforts, and now we’re going to have to focus in on one part of that.”
That’s not the only case where the report’s recommendations will require a change in direction for initiatives already in place. Some of the public-private partnerships the report recommends already exist. Vencore, for example, is already part of the Defense Industrial Base Cybersecurity Sharing program, known as DIB or DIB CS. That program is run through the Defense Department. Additionally, the Computer Emergency Readiness Team is run out of Carnegie Mellon, and Commerce Department has numerous of different multistakeholder efforts to improve cybersecurity.
“It’s going to be challenging where you have to expand those partnerships ” Barlow said, “and I think they’re going to have to be addressed on an individual action-by-action basis.”
Samuel Visner, senior vice president of cybersecurity and resilience at ICF, and a professor of cybersecurity policy, operations and technology at Georgetown University, went a bit further.
“The report might have served us a little better if it had discussed … the need to build a more unified effort for homeland security and national defense,” he said. This “National Cyber Protection Agency,” as Visner called it, “would perhaps give us an organizational champion that could operate as a strong partner to U.S. CYBERCOM” and would coordinate those many partnerships.
Similarly, the creation of a broader, better defined cybersecurity research and development community would help leverage the work many companies and organizations like ICF are already doing.
“There are models we could borrow from, like after World War II and the Cold War,” Visner said, which would enable us to better integrate new innovations.
But it will be key, Hunt said, to make sure those innovations approach security holistically.
“One of my concerns is that cyber is treated as a separate thing which is problematic,” he said. “We need to think about it at a systems level, and not just at a ‘things’ level: Think about the half-life of a cybersecurity solution. Tools are important, but it’s really going to be about who can think about the space [as a whole]and how to secure the environment as it changes.”
Some of Accenture’s recent research, for example, has focused on some of the more human elements of cybersecurity, such as trust.
There are six imperatives in the report, each with its own list of recommendations and action items. When asked about how realistic these recommendations were, each industry expert was optimistic.
“There’s nothing in the report that I think cannot be achieved in terms of our national resources,” Visner said. “What we need to do is decide how these efforts are going to be led and what is the organizational structure around which they are going to be led.”