Obama Did Trump 'Great Favor' With Cybersecurity Report, Official Says
President-elect Donald Trump should welcome a cybersecurity report ordered by President Barack Obama, said one of the report’s authors Monday. The Commission on Enhancing National Cybersecurity released recommendations to the White House on actions the private and public sectors can take over the next decade to improve cyber defenses and raise awareness (see 1612020050). Trump hasn't been briefed on the report, but it was nonpartisan and written for any new president, the commission’s Executive Director Kiersten Todt said at a New America event. To achieve the report’s aims, Todt and state officials urged the new administration to embrace collaboration among federal, state and local governments.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
The commission briefed Obama last week and the next step is for the president to contact Trump, Todt said. The commission saw the report’s release as the “starting line,” not the finish, she said. “This was not a victory lap tour for the Obama administration. … It was very much about looking into the future.” The commission is considering how to act on the suggestions, she said.
One concern is Trump will reject the report just because Obama asked for it, but Todt said, “I would push back on that pretty hard.” The commission wrote the report for the new administration without assuming which party would control the White House, she said: “This commission was nonpartisan from the beginning,” with Democratic and Republican members. The group tried to give enough flexibility so its guidelines could be used no matter who became president or how the new administration chose to organize itself, she said. No cybersecurity background was available to Obama when he took office, so he's "done the next administration a great favor" in providing a road map, she said.
The report’s most important takeaway for Trump should be that cybersecurity is a priority, Todt said. “The president-elect needs to come in and say to his cabinet and to his senior officials [that] this is a key issue for which you are all responsible.” Unlike eight years ago, cybersecurity is no longer “siloed” in the IT department, she said. “Cybersecurity is not a tangential issue that you’re trying to reconcile other resources with. It’s critical to the core mission of every agency, regardless of what the agency does.”
States want to see Trump embrace a “whole-of-government” approach to cybersecurity, said National Governors Association Program Director-Homeland Security and Public Safety Timothy Blute. Cybersecurity must be managed “in every city, in every state capitol and in Washington, D.C.,” he said. Governors seek more intelligence from the federal government to inform state cybersecurity decisions and clarification on how federal agencies will work with states and the industry in preparing and responding to incidents, he said. Federal agencies should better draw their specific lanes in cybersecurity, Blute said.
The next administration “can’t afford not to leverage state governments for the purpose of threat intelligence and … public awareness campaigns,” said New Jersey Chief Technology Officer Dave Weinstein. National Association of State Chief Information Officers Government Affairs Director Yejin Cooke stressed the need to include states, saying Trump should “consider states as partners, not top-down [and] paternalistic regulation abiders.” Federal grants would help state CIOs, who tend to lack funding and skilled workers, she said. Cooke urged harmonization of the many “disparate” federal security regulations that can complicate state efforts.
A “plethora of disparate cybersecurity requirements” across states may hold back the cybersecurity effort, warned Heather Hogsett, vice president-technology and risk strategy for the BITS Financial Services Roundtable, a group of banking industry executives. If not harmonized with the National Institute of Standards and Technology cybersecurity framework, there will be many conflicting rules requiring companies to use too many resources on compliance and not enough on security, she said. Requiring industry to report to many different regulators across the country creates many “honey pots” of sensitive information for hackers to target, she said.
States may write their own data breach laws when they tire of waiting for the federal government, replied University of Maryland Center for Public Policy and Private Enterprise Director David Mussington. “Some states are actually innovating in this,” and the federal government should look for and learn from the best approaches, he said. Using voluntary measures rather than mandates to deal with a critical matter like cybersecurity is an approach that may no longer work, he said. “Jawboning people into better individual cybersecurity behaviors is always useful,” he said, but “we have been doing that for a long time … and we don’t have the use case for where that succeeded.”
State and local governments will play a leading role in cybersecurity training because they control K-12 education, said National Initiative for Cybersecurity Education Leader-Academic Engagement Davina Pruitt-Mentle. The U.S. education secretary isn’t permitted to direct curriculum for grade schools, said New America Education Policy Program Director Kevin Carey. At a minimum, the federal government will need to work with states, and probably localities, he said. It’s unlikely states would adopt something as specific as cybersecurity to a broad curriculum framework, he said: The “best bet” is to go local and start with large school districts.