If the White House was expecting pre-planned results from the new presidential cybersecurity commission, the panel’s first meeting surely disabused anyone of that possibility.
The Commission on Enhancing National Cybersecurity held its inaugural session on April 14 in the ornate library reading room at the Department of Commerce. Its members quickly got into a wide-ranging dialogue that challenged preconceptions about cybersecurity and suggested how difficult it is to wrestle cyber into traditional policy baskets.
Created by an Obama executive order signed in February, the commission is chaired by former National Security Adviser Tom Donilon and vice-chaired by former IBM CEO Sam Palmisano.
The panel includes retired Army Gen. Keith Alexander, who led U.S. Cyber Command and the National Security Agency. Alexander was NSA director when fugitive contractor Edward Snowden began his infamous leaks about government surveillance.
Alexander’s key point during last week’s meeting seemed to be the urgent need to “fix the government-industry relationship” that has been so frayed by mistrust and suspicions between Washington and techies.
The commission membership was announced on the eve of the opening session and includes former government officials and representatives from Microsoft, Mastercard, CrowdStrike, Uber, other tech and communications groups and academia.
Patrick Gallagher, who led development of the government’s landmark framework of voluntary cybersecurity standards in 2013-2014 and now serves as chancellor of the University of Pittsburgh, is another member of note on a panel that brims with experience in cybersecurity policy and front-line cyberdefense.
Most safety standards are developed by industry and are voluntary, Gallagher noted, but the crucial ingredient, still undefined in the cyberspace, is accountability.
“A lot of smart people are working on this, and we still see the same mistakes over and over,” he said. The “notion” that human behavior can be re-engineered is “probably wrong.”
“It always starts out as a technology problem and ends as something else,” said commission member Herbert Lin of Stanford University. “Often the technology is the smallest part of the problem.”
As the three-hour opening session bounced from ransomware, tensions between Silicon Valley and the government, and how to measure success in cybersecurity, government officials observing from the sidelines expressed satisfaction that this group would distill these issues into practical recommendations for industry, consumers and the next president.
“Part of the reason why the president picked the people that he did — these people are good at narrowing it down,” White House cybersecurity coordinator Michael Daniel told InsideCybersecurity.com. “They’ll start with a broad discussion and narrow it down. What we want are very tight, clear, technology-rooted recommendations for the next administration.”
The plan for the next few months appears designed to quickly move the panel’s discussions from the philosophical to the practical.
The commission will hold five public workshops around the country starting with a May session in New York City on cyber “best practices” that will “use the financial sector as a tool” for spurring discussion, according to executive director Kiersten Todt.
The group will hold a June session on research and development, technology and innovation; a July session on critical infrastructure that will discuss lessons from the oil and gas industry; and an August workshop on the retail sector and consumer issues.
The wrapup will come in the fall in Washington, D.C., prior to a Dec. 1 deadline for the commission’s recommendations.
Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers, and author of “Hacked: The Inside Story of America’s Struggle to Secure Cyberspace,” coming in May from Rowman and Littlefield.
