Secure computers, commission urges
Transition memo meant for Trump offers options for U.S. cybersecurity
WASHINGTON — A national commission on Friday delivered 16 urgent recommendations to improve the nation’s cybersecurity, after the worst hacking of U.S. government systems in history and accusations that Russia meddled in the U.S. presidential election by hacking Democrats.
The Presidential Commission on Enhancing National Cybersecurity, which was expected to spell out actions the U.S. can take over the next 10 years, instead urged more immediate actions within two to five years. In its 100-page report, the commission suggested the administration of President-elect Donald Trump consider some items “deserving action” within the first 100 days.
It recommended that Trump create an assistant to the president for cybersecurity, who would report through the national security adviser, and establish an ambassador for cybersecurity, who would lead efforts to create international rules. It urged steps, such as getting rid of traditional passwords, to end the threat of identity theft by 2021 and said Trump’s administration should train 100,000 new cybersecurity workers by 2020.
Other ideas included helping consumers to judge products using an independent “nutritional label” for technology products and services.
The White House requested the report in February and intended it to serve as a transition memo for the next president. The commission included 12 of what the White House described as the brightest minds in business, academia, technology and security. It was led by Tom Donilon, President Barack Obama’s former national security adviser.
The panel studied issues that included sharing information with private companies about cyber threats, the lack of talented American security engineers and distrust of the U.S. government by private businesses, especially in Silicon Valley. Classified documents stolen under Obama by Edward Snowden, a contractor for the National Security Agency, revealed government efforts to hack into the data pipelines used by U.S. companies to serve customers overseas.
One commissioner, Herbert Lin of Stanford University, said some senior information technology managers distrust the federal government as much as they distrust China, widely regarded as actively hacking in the U.S.
Obama said in a written statement after meeting with Donilon that his administration will take additional action “wherever possible” to build on its efforts make progress before he leaves office next month. He urged Trump and the next Congress to treat the recommendations as a guide.
“Now it is time for the next administration to take up this charge and ensure that cyberspace can continue to be the driver for prosperity, innovation, and change both in the United States and around the world,” Obama said.
Trump has already promised his own study by a “Cyber Review Team” of people he said he will select from military, law enforcement and private sectors. He said his team
Trump has already promised his own study by a “Cyber Review Team” of people he said he will select from military, law enforcement and private sectors.
will develop mandatory cyber-awareness training for all U.S. government employees, and he has proposed a buildup of U.S. military offensive and defensive cybercapabilities that he said will deter foreign hackers.
The new report suggested that the government should remain the only organization responsible for responding to large-scale attacks by foreign countries.
It was not immediately clear whether Trump would accept the group’s recommendations.
Obama has a mixed legacy on cybersecurity.
Under Obama, hackers stole personal data from the U.S. Office of Personnel Management on more than 21 million current, former and prospective government employees, including details of security-clearance background investigations for federal agents, intelligence employees and others. The White House also failed in its efforts to convince Congress to pass a national law — similar to laws passed in some states — to require hacked companies to notify affected customers.
But the Obama administration also became more aggressive about publicly identifying foreign governments it accused of hacking U.S. victims, arrested some high-profile hackers overseas, successfully shut down some networks of hacked computers used to attack online targets, enacted but never actually used economic sanctions against countries that hacked U.S. targets, and used a sophisticated new cyberweapon called Stuxnet against Iran’s main nuclear enrichment facilities.
Congress passed a law in late 2015 to encourage companies and the government to share information about online threats.