As many Lawfare readers know, I was honored to be one of 12 members of President Obama’s Commission on Enhancing National Cybersecurity. We turned in our final report to the White House on Thursday, December 1, and it was released to the public the next day. The report is organized around six imperatives for action, and I thought it might be helpful to readers to provide a personal commentary on the report. I encourage readers to look at the Executive Summary of the report and Chapter 1, the latter of which frames the issues in appropriate relief—the report can be found here.
A Presidential Executive Order established the commission in February 2016, and it gave the Commission a very broad charge:
The Commission will make detailed recommendations to strengthen cybersecurity in both the public and private sectors while protecting privacy, ensuring public safety and economic and national security, fostering discovery and development of new technical solutions, and bolstering partnerships between Federal, State, and local government and the private sector in the development, promotion, and use of cybersecurity technologies, policies, and best practices. The Commission's recommendations should address actions that can be taken over the next decade to accomplish these goals.
The commission’s first meeting was in April 2016, and at first I despaired at the prospect of generating a competent report in 7 months. In the end, I was really pleased with what the Commission was able to produce—and that is true even though the nature of a consensus report is that it is somewhat different than the report that would be produced by any individual commissioner working on his or her own.
From my own perspective, it’s worth calling attention to a number of salient points that are implied but not explicitly stated in the report.
- The market has failed to provide the United States with the cybersecurity posture that it needs. Indeed, if this were not true, the commission would not have been necessary in the first place. In my view, market failure is reflected in two ways—one easier to fix, the other harder.
- The first aspect of market failure is that individual entities do not do all that they should be doing to provide for their own cybersecurity needs—they don’t realize the scope and nature of the threats they face, they don’t know how to respond to those threats, they have higher and more immediate priorities for action, and so on. The report thus emphasizes ways for citizens and private sector entities to increase awareness and to plan for their cybersecurity needs using the NIST cybersecurity framework.
- The second aspect of market failure is that if these individual entities did do all that they needed to do to provide for their own cybersecurity needs (or more precisely, all that they could reasonably be expected to do), the resulting cybersecurity posture of the nation would be better than it is today. However, that posture would still be inadequate from a national perspective because of the interdependencies between these entities—the very concept of critical infrastructure rests on this premise. The report thus points out that the U.S. government has ultimate responsibility for defending the nation’s critical infrastructure, acknowledging that there are some cyber threats to the nation that the private sector working alone cannot be expected to handle. This second aspect of market failure is much harder to address than the first, because it is not in any entity’s self-interest to do for the nation more than it needs to do for itself.
- Tort liability for security lapses and inadequacies in IT-based products is inevitable. For many years, some prominent cybersecurity analysts have argued that liability laws are needed to force providers of IT products to attend to security. Others have argued that liability is the wrong way to fix the problem. The commission believes that this debate will be settled in the future with the advent of Internet-of-Things (IOT) devices that integrate computational capability and connectivity with physical real-world actions such as sensing the environment and, more importantly, acting to change the physical environment. The reason is that there is already a robust liability regime for products that cause harm to their users, and the manufacturer of a toaster that burns down your house is liable for damages unless it can show that it behaved in a responsible way in building that toaster. Adding IOT connectivity to the toaster will not change this liability regime, and it is inconceivable that the manufacturer of an IOT-enabled toaster that burns down your house when a hacker penetrates it will be able to escape liability by bracketing off the computational parts of your toaster and saying “no no, that’s software – no liability for that component.” The report addresses this point by considering the value of liability relief under particular circumstances—which is an acknowledgement that liability is coming.
- Regulation to promote and enhance cybersecurity is not to be eschewed under all circumstances. While the report (properly) emphasized the role of incentives to align behavior with better cybersecurity outcomes, it also could have said that “regulation is not an appropriate way for the nation to obtain significantly better cybersecurity”—and it did not. Instead, the report pointed out that regulation should be considered only when the risks to public safety and security are material and the market cannot adequately mitigate these risks. Also, the report argued that broader use of the NIST Cybersecurity Framework would reduce the need for future regulation—a very clear statement that regulation might become necessary in the future if the goals sought by the NIST framework are not broadly achieved.
- Nontechnical aspects of cybersecurity are as important as cybersecurity technology, perhaps more so. Incentives for better cybersecurity are not a technical matter—they are matters of economics, psychology, organization, and policy, among other things. The most innovative and hackproof cybersecurity technology is useless if developers find it too difficult or expensive to use in their products or services and if users bypass or abandon its use because using it makes their experience too clumsy or inconvenient. For this reason, the report emphasizes the need for practically usable security.
- There is no silver bullet for improving the nation’s cybersecurity posture. The commission’s recommendations for action cover a broad waterfront, and I’ve fielded many phone calls from journalists who want me to say “what’s the most important thing in the report?” Apart from underscoring the importance of concerted national attention to cybersecurity, it’s really hard to point out one singularly important thing. It’s also been interesting to see press coverage of the report—the various stories are all over the map regarding what aspect of the report they focus on. What I learn from this is that improving the national cybersecurity posture is an effort that has to be fought on many fronts simultaneously. Indeed, that fact alone may account for much of the difficulty in generating strong public support for any particular measure to enhance cybersecurity—for any necessary measure, there is always a gaggle of other people advocating something else that is also necessary, and in the zero-sum game of attention politics, it’s hard to get focus behind anything specific.
I also want to note the nonpartisan nature of how the Commission produced the report. The chair of the commission is known to be a Democrat. The vice-chair is known to be a Republican. Other than that, you would be hard-pressed to identify the political affiliations of anyone else on the commission on the basis of what they said, and the report is entirely neutral on the victor of the November election. (In a couple places, the report refers to the President and “his” cabinet, but I suspect that such references would have happened even if Secretary Clinton had won the election.)