The Commission on Enhancing National Cybersecurity kicked off with a three-hour meeting in Washington, D.C., April 14, the first in a series of public and private conferences over the next eight months intended to set the government's cybersecurity agenda for the coming decade.
The working group was brought together by President Barack Obama to develop actionable recommendations for improving the nation's cybersecurity posture and inform the next administration of the challenges of our increasingly digital world.
The commissioners spent most of the meeting getting on the same page — identifying the problem at hand and defining the scope of their work. Per their charter, the group plans to look at issues like government operations and acquisition, public awareness and education, critical infrastructure, using cyber insurance as an incentive and securing the Internet of Things.
While they have the option to expand this purview, Commissioner Peter Lee, corporate vice president for Microsoft Research, noted the group has a broad agenda already and should define their workflow in a way that will be most valuable.
Lee suggested splitting their work into two categories: actionable recommendations for today and forward-looking pronouncements on the future.
Steven Chabinsky, general counsel and chief risk officer at CrowdStrike, also warned against the commission's work becoming redundant, noting that the last two administrations put out comprehensive national policies on cybersecurity that were also intended to be frameworks for the future.
"The challenge for this commission is not to have the fourth document that looks the same," he said.
Joe Sullivan, chief security officer at Uber, suggested the commission's work should spur an era of government investment in cybersecurity, just like the New Deal did for infrastructure.
In the wake of the Great Depression, "The government spent a ton of money on the infrastructure we still drive on today," Sullivan said. "When I think about cybersecurity and the role of government right now … we see the government show up after something bad has happened to help us find the bad guys or sanction people who haven't done enough."
Rather than be reactive, Sullivan said he wants to see the government make investments in cybersecurity across sectors.
"We never see the government laying the foundation for a safe road ahead," he said. "Because of how [the commission is] positioned today, we can focus on that side of things. Can we be the New Deal for the Internet?"
The commission also got some guidance from Lisa Monaco, deputy national security advisor and assistant to the president for homeland security and counterterrorism.
Monaco told the commissioners that their work, "first and foremost," should be to develop a national agenda for government to follow over the next 10 years.
Second, "Think of your audience as society as a whole, not only the federal government," she said. "And, finally, provide actionable, concrete recommendations that address the root causes of the challenges."
While it will be incumbent on the commissioners to come up with these recommendations, public input will be a significant part of their work. The group tentatively set five public hearings, scattered around the country, to elicit comments on specific topics.
- May — New York City: Best practices in individual sectors, with a focus on the financial sector.
- June — Silicon Valley: Research and development strategies.
- July — Houston: Critical infrastructure, with a focus on oil, gas and energy sectors.
- August — Midwest (Minneapolis or Chicago): Retail industry.
- September — Washington: Comments on final draft document.
Commissioners will also hold a number of private meetings to deliberate on what they've heard and pull together a draft document in time for a final public meeting in D.C. this fall.