The Commission on Enhancing National Cybersecurity [“Commission”] was created by an executive order issued by President Obama in 2013. The Commission will work to enhance the security and safety of sensitive information and intellectual property within the private and public sectors by improving our nation’s strategies in combating cyber threats.

Many industries have a vested interest in the future of the Commission and the impact it may have on the future of technology. The Financial Services Sector Coordinating Council [“FSSCC”] submitted a letter of recommendation to the Commission during its Request for Information period. Financial institutions have been hit hard by threatened and actualized cyber-attacks, and have become increasingly wary of the evolving cyber challenges their industry faces and the industry’s preparedness for a breach of their customers’ most sensitive information. The FSSCC urged the Commission to focus on the current and future risks posed by widely used and consistently evolving consumer technologies, including mobile devices, cloud services and wearable technology, to ensure cybersecurity stays relevant in light of technological advances.

A major goal of the Commission, and one the FSSCC supports, is centralizing the currently decentralized national cybersecurity framework. The FSSCC reported concerns of “disparate approaches” by financial service agencies that have created inefficiencies in the private sector, as firms struggle to keep up with the frequently overlapping regulations imposed by various agencies. The result is a wasteful allocation of funds: firms now must direct funds towards synthesizing and analyzing the various regulations instead of focusing efforts on actually implementing security measures to protect the firm from cyber-attacks. The White House has charged the Commission with making recommendations to strengthen cybersecurity in the public and private sectors. The Commission will be faced with the difficult, and potentially impossible, challenge of protecting privacy and enhancing the security of sensitive and valuable information.

Implementing a plan to centralize cybersecurity is particularly timely in an election year, especially in the current election, where the polarity in partisan views has deepened. While the Commission is an independent agency, and thus intentionally separate from the control of the executive branch, a new president may still have the opportunity to fill any vacant spots in the Commission during their presidency and affect whether the Commission leans right or left. Both candidates have been involved in the conversation surrounding the threats posed to national cybersecurity, especially foreign threats. In particular, Republican candidate Donald Trump made controversial comments regarding his hope for Russia to “find” and disseminate emails sent during Democratic candidate Hillary Clinton’s term as Secretary of State. On the flip side, Clinton was involved in a federal investigation regarding her use of a private email server for work-related emails during her tenure as Secretary of State. The candidates’ run-ins with cybersecurity may give insight into how a Trump Administration or a Clinton Administration would handle national cybersecurity issues, which could implicate the security and safety of some of our country’s most valuable assets.

— Katie O’Brien


2 Responses to Centralizing Cybersecurity in the Digital Age

  1. jtparisi says:

    I think this is a step in the right direction, but it’s interesting to note that centralizing cybersecurity comes with its own risks as well. For example, what if the Commission itself is subject to a security breach and that breach causes a domino effect leading to plenty more breaches outside of the Commission?

    It’s definitely interesting to consider the flaws that the Commission could have, and consider that creating the Commission surely isn’t the only step needed to achieve cybersecurity goals.

  2. econklin says:

    The development of the NIST framework is a good start, and at least with respect to public companies, the benefit of improved cybersecurity practices would extend beyond reduced risk of operational disruption and customer privacy breaches. Public companies currently have uncertain reporting obligations with respect to their cybersecurity policies, procedures, and notification of breaches. The SEC issued guidance on cybersecurity-related disclosures in 2011. Yet the non-mandatory nature of guidance, coupled with companies’ uncertainty as to when cybersecurity risks and breaches are “material” enough to warrant disclosure, has by and large not warranted useful information about companies’ true cybersecurity exposure. The massive 2014 Yahoo! breach that was only recently made public may provide an opportunity for the SEC (or the plaintiffs’ bar) to test the waters on the cybersecurity disclosures public companies ought to be making.