Back in February 2016, as part of his $19 billion cyber security action plan, President Obama established a nonpartisan commission (the Commission on Enhancing National Cyber Security) to formulate recommendations for how the government and private businesses can bolster cyber security over the next decade. On December 2, 2016, the Commission issued a 100-page report covering a wide range of recommendations and action items for enhancing cyber security for the government, private-sector businesses, and the public at large.
The report identifies six "imperatives" for enhancing cyber security, which, in turn, include sixteen recommendations and fifty-three suggested action items. As noted above, the report places a heavy emphasis on cooperation, noting: "Successful implementation of our recommendations will require significant commitment from both the public and private sectors and extensive cooperation and collaboration between the two. Indeed, enhancing the state of national cyber security will require the coordinated effort of a wide range of organizations and individuals." The report also stresses to the incoming administration the urgency of addressing cyber security issues, stating: "It is critical that the next President and his Administration and Congress begin immediately to tackle each one of the issues raised in this report. The Commission considers this report a direct memo to the next president."
The six overarching imperatives set forth in the Report are:
- Protect, defend, and secure today's information infrastructure and digital networks.
- Innovate and accelerate investment for the security and growth of digital networks and the digital economy.
- Prepare consumers to thrive in a digital age.
- Build cyber security workforce capabilities.
- Better equip government to function effectively and securely in the digital age.
- Ensure an open, fair, competitive, and secure global digital economy.
Among the recommendations and action items associated with the imperatives is a recommendation that the public and private sectors collaborate to create a "roadmap" for securing networks against cyber attacks and to improve the security of the Internet of Things (the term that refers to all of the various devices that are now connected to – and operated through – the internet, including everything from garage door openers to refrigerators).
The report also calls for the government to provide incentives to businesses that have implemented cyber risk management principles and that work collaboratively with the public sector on enhancing cyber security. This recommendation has already seen some implementation during the current administration, as existing legislation provides certain protections from liability for entities that share information on cyber attacks and cyber threats. The report suggests that the current scheme needs to be pushed even further, so that information sharing is more strongly encouraged and becomes the norm.
The report further recommends that an independent organization create a digital "nutrition label" for technology products and services, so that consumers are aware of the potential cyber security risks associated with different products and services. In this regard, the report places an emphasis on educating the public about cyber security and risks. It also calls for the new president to create a national cyber security workforce program to train 100,000 new cyber security practitioners by 2020.
Of significant importance to businesses, the report also recommends that the government "harmonize existing and future regulations" to "reduce cost of complying with prescriptive or conflicting regulations that may not aid cyber security and may unintentionally discourage rather than incentivize innovation." This would be a welcome initiative to businesses given the plethora of regulations that are popping up from various federal and state agencies.
The report does not have the force of law, and it is unclear how the incoming administration will tackle the difficult and still-evolving world of cyber security. Whether some or any of the recommendations and action items contained in the report will become initiatives of the new government in 2017 and beyond is uncertain. However, cyber security remains a substantial concern for both the government and private sector, and there does not appear to be any magical solution on the horizon that will curtail data breaches and network attacks. As such, the government, in one way or another, will continue to address cyber security, and the Commission's extensive report should certainly have at least some influence on the course taken in doing so.
In this regard, both businesses and government entities, if they have not done so already, should make addressing their own cyber security an action item going forward. Waiting until after a data breach has occurred to address your company's cyber security will only increase the already high costs and losses created by a breach event. Moreover, as cyber security and data breach issues have become more prominent and mainstream over the last several years, both federal and state agencies tasked with protecting the public and consumers who are affected by breaches have made it known that they expect businesses to be taking proactive steps to address and enhance their cyber security. Thus, a business that has been lax in addressing its own cyber security issues and then experiences a data breach will be confronted not only with angry customers, but also with angry government agencies that will be less forgiving in assessing fines and penalties.
If you have any questions about the content of this alert or the firm's Cyber Security services, please contact Nicholas J. DiCesare at 716-566-1524 or ndicesare@barclaydamon.com or any of the Barclay Damon attorneys with whom you normally work.