In the debate over how to secure the Internet of Things and prevent the next generation of crippling cyberattacks, regulation opponents have a new ally.
The President’s Commission on Enhancing National Cybersecurity, when it reports next month, will recommend that the incoming administration rely on incentives and voluntary standards rather than contemplate more regulation.
“By and large, the commissioners felt that offering incentives versus regulation was the best way to approach these problems,” said retired Army Gen. Keith Alexander, a commission member and former director of NSA and Cyber Command chief.
He spoke at the commission’s final public meeting — held by telephone — as members briefed each other and the public on the results of their work over the past three months.
The commission is likely to recommend an approach to labeling IoT security based on the disclosures that the FDA requires on food packaging. One long-standing criticism of the market incentives approach to IoT security is that consumers — even if they decide to prioritize security in their purchasing decisions — have no way to trust a product’s advertised security level.
“We discussed a labeling system, similar to a nutrition label, indicating how a device complies with certain standards,” explained commission member Pat Gallagher.
The label would be a way of “providing that transparency, and we discussed how it could ultimately become a standard of care,” Gallagher said.
“Standard of care” is — among other things — a legal term, and companies that don’t meet a standard may be more likely to get sued.
Kiersten Todt, the commission’s executive director, told CyberScoop later that the report will be specific about where standards for the label should come from.
Other key news out of the meeting:
- The report will be delivered to the president on schedule Dec. 1, but there’s no word on when it might be made public.
- The commission discussed recommending a special assistant to the president — the rank of the national security adviser — “focused on cybersecurity.”
- The commission might recommend a public-private consortium be set up within the first 100 days of the new administration “to advise the president.”
- Federal IT governance issues — how far to centralize or decentralize authority over and responsibility for agency cybersecurity — are front and center. The commission plans to propose changes to the way government and private sector prepare and plan together for cyber incidents.
Throughout the report, Todt said the commission was striving to be “concrete and clear.” The challenge for commissioners drafting the recommendations, she said, was to be “specific enough to be actionable, but adaptable enough to be useful in whatever structure the new president choses.”
The commission will structure its recommendations around six “imperatives,” explained former FBI general counsel and Crowdstrike executive Steven Chabinsky. He said a great deal of thought and discussion had gone into them and their ordering:
- Better equipping the government to function effectively and securely in the digital age.
- Protecting and defending today’s internet by better managing cyber-risks in the public and private sectors.
- Shaping the internet of tomorrow by innovating for more robust networks in the future.
- Preparing consumers to drive in the digital age.
- Building cybersecurity workforce capabilities.
- Ensuring the U.S. can compete and function more effectively in a global economy.
Under the first imperative would be a series of recommendations relating to federal cybersecurity governance, explained commission member Maggie Wilderotter. This will include “specific actions that would clarify federal operational and mission roles, responsibilities and authorities; addressing capacity shortfalls; incentivizing agencies and the government workforce; and elevating the importance of enterprise risk management for government.”
Gallagher said that at the October working meeting, the commission — as CyberScoop has previously reported — debated whether changes might be needed to the definition of critical infrastructure.
“We discussed how the convergence of the IoT with the conventional internet is multiplying interdependencies and blurring the lines between traditional critical infrastructure and other aspects of the internet,” he said.