On December 1, 2016, the Commission on Enhancing National Cybersecurity issued its final report with a series of recommendations for the incoming administration on strengthening the country’s cybersecurity.  As explained below, the Commission’s recommendations include a number of public-private collaborations.

President Obama created the 12-member nonpartisan Commission in February 2016 by Executive Order and tasked it with making “detailed recommendations to strengthen cybersecurity in both the public and private sectors while protecting privacy, ensuring public safety and economic and national security, fostering discovery and development of new technical solutions, and bolstering partnerships between Federal, State, and local government and the private sector.”  The Commission included various industry executives, including from IBM, MasterCard, Microsoft, and Uber, and also included former directors of the NSA and the National Institute of Standards and Technology (“NIST”).  Four members of the Commission were chosen by the leaders of both parties in the U.S. House and U.S. Senate.

The Commission held public hearings during which it heard from representatives in industry, government, and academia.  The Commission also reviewed past cybersecurity reports by other agencies and organizations, and took public comments. 

In drafting its final report, the Commission’s stated goal was to develop recommendations that would be realistic to implement, given both political realities and market forces.  The Commission made no long-term recommendations; all of the recommendations and action items in the report are aimed at the short- and medium-term.

The report identifies six main imperatives for enhancing cybersecurity: (1) securing infrastructure, (2) investing in security and growth of networks, (3) preparing consumers for the digital age, (4) building cybersecurity workforce capabilities, (5) improving government cybersecurity capabilities, and (6) ensuring a competitive and secure global digital economy.  Within these imperatives, the report makes 16 different recommendations with 53 action items.  Many of these recommendations, as outlined below, require private sector involvement or collaboration. 

The report recommends that the federal government collaborate with the private sector to define and implement a new model for securing and defending infrastructure, to increase the use of strong authentication, and to improve the security of the Internet of Things.  Within these recommendations, the report suggests a number of specific action items.  For example, the report suggests that the President should create, through Executive Order, a new group reporting directly to the President, called the National Cybersecurity Private-Public Program, as a forum for addressing cybersecurity issues. The report also calls on the Department of Justice to convene an interagency study, including private-sector participation, assessing the current state of the law on liability for any damage caused by faulty Internet of Things devices.

The report also recommends that the private sector work with consumer organizations and the Federal Trade Commission (“FTC”) to provide consumers with better information about the security of connected products and services.  Specifically, the report suggests, for example, that the FTC work with consumer organizations and industry members to develop a digital-age Consumer’s Bill of Rights and Responsibilities.  The report also proposes that, within the first 100 days of the next administration, the President should convene a summit of business, consumer, education, and government leaders to create a national cybersecurity awareness campaign.

The Commission’s report is available here.  A complete list of the recommendations and action items appears in Appendix 1 on page 53.