U.S. consumers could one day see cybersecurity ratings on technology products, much like today's EnergyStar ratings, if the findings of a government-sponsored cybersecurity commission are heeded. However, like much in Washington right now, a lot depends on incoming U.S. President Donald Trump, and his views on cybersecurity are far from clear.
The report, published on Friday by the Commission on Enhancing National Cybersecurity, also suggests that usernames and passwords be replaced with something more secure, and calls for 150,000 cybersecurity experts to be trained over the next four years to help the U.S. defend against hacking threats.
The commission has the support of President Obama and began its work in February this year, with executives from Microsoft, IBM and Uber, and former U.S. government officials. However, in releasing its findings, Obama acknowledged it’ll be up to the next president and U.S. Congress to more fully implement what the commission has recommended.
“As the Commission’s report counsels, we have the opportunity to change the balance further in our favor in cyberspace – but only if we take additional bold action to do so,” Obama said in a statement.
The recommendations include better collaboration between the government and the private sector on protecting the country’s network infrastructure, and designing better authentication systems for users.
“An ambitious but important goal for the next Administration should be to see no major breaches by 2021 in which identity -- especially the use of passwords -- is the primary vector of attack,” the commission said in its 100-page report.
The Internet of Things is also badly in need of better security standards, according to the commission. In October, easily hacked internet-connected cameras and DVRs were used to launch a massive distributed denial-of-service attack that disrupted internet access across the U.S. The commission is advising that U.S. government agencies explore whether manufacturers should be legally liable for any harm caused by poorly secured IoT devices.
“It’s an outstanding report,” said Keith Lowry, a former chief of staff with the U.S. Department of Defense. He generally agreed with the recommendations and called them a good starting point for the U.S. to tackle its cybersecurity issues.
The problem is that the U.S. government, especially Congress, isn’t known for taking swift action, he said. Many of the recommendations in the report are also meant to be achieved in two to five years, at a time when the tech industry is rapidly changing.
“In the digital world, two years is just too long,” said Lowry, who is a senior vice president at security provider Nuix. New hacking methods are constantly being invented, and as a result, the U.S. government is continually playing catch-up to stop them, he said.
It’s also unclear how Trump will approach cybersecurity issues. During this year’s presidential campaign, he didn't speak on the matter extensively, but he did call for the formation of a “cyber review team” to evaluate U.S. cyber defenses and provide recommendations.
On Monday, Trump’s transition team didn’t immediately respond to a request for comment on the commission’s report. However, the new U.S. President will probably try to set himself apart from the Obama administration, said Jim Reavis, CEO of the Cloud Security Alliance, a non-profit devoted to promoting the best security practices.
“There is just too much political capital to be lost by praising this report too much or following it too closely,” Reavis said.
Nevertheless, the commission’s report includes worthwhile recommendations, such as the need to train new cybersecurity experts, Reavis said. But he expects private industry, not the federal government, to take the lead on improving the U.S.’s cybersecurity.
“A lot of the commission’s report are just starting points,” he said. “But it’s going to be that follow-through by the private sector that can make this successful.”