Workforce tops cyber commission to-do list

The Commission on Enhancing National Cybersecurity has concluded its public hearings and is now digging into the work of determining priorities and recommendations for the next administration.

A week after receiving more than 170 responses to a request for information, and after a full day of panel discussions and public comments in Washington on Sept. 19, the commission's executive director, Kiersten Todt, told FCW that, "the sleeves are definitely rolled up right now."

The commission's mandate is to produce "detailed short-term and long-term recommendations to strengthen cybersecurity in both the public and private sectors," and deliver those recommendations in a report due Dec. 1.

Todt told FCW that over the course of five public hearings, the commissioners heard a wide range of comments, but one of the most commonly raised subjects was the challenge of meeting cyber workforce needs in government.

"One of the key elements that we're hearing there is it's not so much about bringing in new people, but it's how do you transfer skill sets within a current workforce?" said Todt.

Though, panelists who addressed the commission in Washington argued that the federal government is lacking both the right quality and quantity of cybersecurity professionals. Speakers stressed the need to train, recruit and retain top cybersecurity talent using every possible tool from tuition repayment to bonus pay to immigration reform.  

Todt said that another topic that has come up repeatedly is the relationship between incentives and human behavior. "It's this sense that this is not a technology problem -- we have to get at where the human behavior plays into it, and so with that comes public awareness and education," she said.

"How do you make this something where people choose cybersecurity as a differentiator in their products -- that when they're looking to choose between a few, the security of that product becomes important," said Todt.

She said that one of the challenges is figuring out how to increase transparency in cyber products, and create the equivalent of food nutrition labels that help consumers choose software and applications that meet high security standards.

"What we're looking at is the responsibility a consumer needs to bear," she added. "It's not that they need to bear all of it, but what's the balance between the software provider, the developer and the consumer?"

Todt said that consumer behavior and accountability is something new the commission is exploring that hasn't been in previous reports on cybersecurity. Another new element in    this report she said is the Internet of Things. In particular, how the IOT can create more opportunities for data manipulation and what should be done to mitigate that risk.

"Data manipulation can kill you a lot faster than data theft can, and so it's not about securing your fitbit," but about securing things like pacemakers and other medical devices said Todt.

Representatives of government and industry who addressed the commissioners stressed the need to shift from a compliance mentality to a risk analysis and mitigation framework going forward. They also pushed for clearer cybersecurity standards and strategies – though there was little agreement on what agencies or entities should take the lead on laying out those standards and strategies.

"There's some pretty strong feelings on that right now, because there's some very developed ideas on the commission," said Todt. "I will just say looking at who owns the strategy is one of the key questions that this commission is going to answer."

She said the 12 commissioners bring a wide range of public and private sector experience to the table and that among them they have "a lot of ideas… and it's not only reaching consensus, but it's reaching agreement on the prioritization."

Todt said that the commission is looking to focus on the most important recommendations and avoid putting out a long laundry list or worse, "a pretty book that sits on a binder that says 'great job for the last eight years.'"

The report will be delivered to President Obama less than two months before his term ends. But, Todt argued that the timing of the report provides a "unique opportunity and time to make an impact."

She said that the report comes at a time when industry no longer needs to be convinced that cybersecurity is important – that it sees all the breaches and violations and wants leadership and action.

Plus, she said that, "there is no better time to emphasize a priority change and to set out an agenda priority than a new administration."

But, Todt emphasized that beyond the report, it will be critical for the next president "to come and state at the very beginning that cybersecurity is a priority for his or her administration."