Whether or not Congress gives President Obama the money he wants for his ambitious new cybersecurity program, one element of that plan will outlast him and help map the way for the next decade of cyber policymaking.
The White House on Tuesday released an executive order establishing a Commission on Enhancing National Cybersecurity, one of the higher-profile items in Obama’s wide-ranging National Cybersecurity Action Plan.
“In [an] area where technology is constantly evolving, we’ve got to make sure that we’re setting up a long-term plan anticipating where IT is going and anticipating where the cybersecurity threats are going to be,” Obama said during remarks Tuesday on his cyber plan.
The president will select most of the commission’s members—there can be up to 12—but each of the four congressional leaders can recommend one person for membership, according to the executive order. Members will be selected based on experience in cybersecurity, law enforcement, IT management, privacy, Internet governance, digital media, and risk management.
“It’s very hard for policymakers to have enough critical mass on any one issue to move that issue forward.”
Like past presidential commissions, this one will have no authority to actually make policy changes. Instead, it will simply recommend how the government should address cybersecurity challenges and opportunities over the course of the next decade. But Ari Schwartz, Obama’s senior director for cybersecurity from 2013 to 2014, said that the commission was well-positioned to make certain issues a priority and speed action on them.
“There are so many things that people say are the most important area to focus on,” Schwartz, who is now the managing director of cybersecurity services at Venable LLP, said in an interview. “It’s very hard for policymakers to have enough critical mass on any one issue to move that issue forward.”
Cybersecurity information-sharing legislation became an area of consensus over the last three years, Schwartz said, and that was why it topped Congress’s cyber to-do list in 2015, culminating in the passage of the Cybersecurity Act.
The commission, Schwartz said, could play a similar role by highlighting issues that are known but not yet prioritized, thus building consensus around the need to act quickly on them.
Obama directed the commission to address five core topics, from integrating cybersecurity into the emerging Internet of Things to bolstering the security of government data and improving authentication technology.
Another priority is “increasing the quality, quantity, and level of expertise of the cybersecurity workforce,” a persistent challenge that formed a significant part of the broader plan announced on Tuesday. That plan included a call for Congress to allocate $62 million for college cybersecurity training and incentives programs.
Obama’s order mandates that the commission also recommend better ways for the government to partner with the private sector on protecting critical infrastructure like banks and power plants, a task widely considered an urgent priority in a country with sophisticated computer networks designed for speed and interoperability rather than security.
The White House will publish the commission’s report and any comments from Obama within 45 days of the report’s submission, the deadline for which is Dec. 1, 2016.
Joseph Hall, chief technologist at the Center for Democracy and Technology, said the commission “in general looks very good.”
“The timeline is quite constrained, with a report due in December,” Hall said in an email, “but we’re hopeful that will help instill some urgency into their work from the beginning.”
Both Schwartz and Hall highlighted the need for civil liberties voices on the commission, since its report could profoundly affect how the government collects and stores Americans’ personal information.
“Cybersecurity naturally involves deeply important issues involving privacy and the limits of surveillance and responses used in the pursuit of better cybersecurity,” Hall said. “A privacy and civil liberties expert would serve as a key check against overly intrusive proposals and practices that could have a chilling effect on free speech and access to information.”
Whether or not the next president takes this report’s advice is an open question. Schwartz said that, to maximize the commission’s credibility, Obama should appoint a bipartisan team for the chair and vice chair positions who should be on “as close to as equal footing as possible.”
Citing the widely praised 9/11 Commission Report, which analyzed government failures in the lead-up to the Sept. 11, 2001, terrorist attacks, Schwartz said that the cybersecurity commission’s leaders needed to be “willing to look beyond the partisanship side of it.”
Photo via Karen Neoh/Flickr (CC BY 2.0)