Federal civilian spending on cyber security research and development (R&D) should increase by about $4 billion over the next 10 years, with a focus on creating systems that have security built in and are resilient and defensible, a presidential commission charged with cyber recommendations for the incoming administration says in its report.
A “high priority” should “be given to efforts that will result in the use, integration, and deployment of affordable, inherently secure, privacy-protecting, usable, functional, resilient, recoverable, and defensible systems,” says the Commission on Enhancing National Cybersecurity in one of its 16 recommendations.
Current federal cyber security R&D could be better coordinated and balanced, and too much work is being done to create “reactive capabilities that identify threats and vulnerabilities,” says the 100-page report, Report on Securing and Growing the Digital Economy. However, it says, if more resources are “devoted to creating inherently secure technology products, systems and environments,” systems will be very difficult to breach and will help shift the advantage away from attackers.
The non-partisan commission was created by President Barack Obama in February to help guide the next administration on meeting the nation’s cyber security challenges. The report was delivered to Obama on Dec. 1 and publicly released on Dec. 2.
“As the Commission’s report counsels, we have the opportunity to change the balance further in our favor in cyberspace, but only if we take additional bold action to do so,” Obama said in a statement. “My Administration has made considerable progress in this regard over the last eight years. Now it is time for the next Administration to take up this charge and ensure that cyberspace can continue to be the driver for prosperity, innovation, and change, both in the United States and around the world.”
The report calls for the White House Office of Science and Technology Policy to lead the development of a public-private sector roadmap to develop secure and defensible systems. Another action item says that federal R&D spending should also go into “traditionally underfunded areas, including human factors and usability, policy, law, metrics, and the social impacts of privacy and security technologies, as well as issues specific to small and medium-sized businesses where research can provide practical solutions.”
The report says that efforts around many of the action items within each recommendation should begin within the first 100 days of the next administration and that proposals around R&D are achievable within two years.
The commission recommends that the incoming administration of President-elect Donald Trump quickly prepare a plan for implementing its recommendations in consultation with the private sector. It also calls for the new administration to increase cyber security funding across the federal government.
The report outlines six imperatives that include the recommendations and action items. The major imperatives are: protect, defend, and secure today’s information infrastructure and digital networks; innovate and accelerate investment for the security and growth of digital networks and the digital economy; prepare consumers to thrive in a digital age; build cybersecurity workforce capabilities; better equip government to function effectively and securely in the digital age; ensure an open, fair, competitive, and secure global digital economy.
The commission also identified nine broad findings, including that technology companies are under pressure to innovate and get to market quickly, “often at the expense of cybersecurity.” Other findings include that organizations and individuals still don’t take basic cyber security measures to mitigate risks, that attackers still have the advantage, that there is an abundance of cyber security “interdependencies” between and among various communities, businesses and industries, including supply chain risks, and that governments face operational challenges such as legacy information technology systems and competition for cyber security talent.