In February of this year, I directed the creation of a nonpartisan Commission on Enhancing National Cybersecurity, charging it with assessing the current state of cybersecurity in our country and recommending bold, actionable steps that the government, private sector, and the nation as a whole can take to bolster cybersecurity in today’s digital world. Yesterday, the members of the Commission – leaders from industry and academia, many with experience in government – provided their findings and recommendations to me. And earlier today I met with the Commission’s Chair, Tom Donilon, to discuss how we as a country can build on the Commission’s work and enhance our cybersecurity over the coming years. I want to thank the Commission members for their hard work and for their thoughtful and detailed recommendations. I am confident that if we implement the Commission’s recommendations, our economy, critical infrastructure, and national security will be better equipped to thrive in the coming years.
The Commission’s report makes clear that cybersecurity is one of the greatest challenges we face as a nation. That is why I have consistently made cybersecurity a top national security and economic security priority, reflected most recently by the Cybersecurity National Action Plan I announced in February and my 2017 Budget, which called for a more than 35 percent increase in Federal cybersecurity resources.
During my Administration, we have executed a consistent strategy focused on three priorities:
- Raising the level of cybersecurity defenses in the public and private sectors;
- Deterring and disrupting malicious cyber activity aimed at the United States or its allies; and
- Effectively responding to and recovering from cybersecurity incidents when they occur.
To strengthen our cybersecurity defenses across the country, in 2013 we convened experts from industry, academia and civil society to create the National Institute of Standards and Technology (NIST) Cybersecurity Framework. As the Commission notes, the Framework has become the gold standard for cybersecurity risk management, and I wholeheartedly support the Commission’s recommendations to expand its usage in the Federal government, the private sector, and abroad. We encouraged the formation of information sharing and analysis organizations, worked with Congress to enact tailored liability protections for private sector entities that share threat information with the government, and took steps to automate information sharing. As the Commission calls for, we launched public campaigns to promote cybersecurity awareness among consumers, including the “Lock Down Your Login” campaign encouraging consumers to better secure their identities online. We have given consumers more tools to secure their financial future by assisting victims of identity theft, improved the government’s payment security, and accelerated the transition to next-generation payment security. We have invested in cybersecurity research and development to lay the groundwork for stronger cyber defenses in the future. And I have clarified the roles and responsibilities of Federal agencies in responding to significant cyber incidents by issuing a new directive codifying eight years of lessons learned from incident response.
To strengthen government cybersecurity, we created the first-ever federal Chief Information Security Officer and drove dramatic improvements in Federal agencies’ use of strong authentication and in critical vulnerability patching. We have pushed to reduce the Federal government’s reliance on legacy technologies, proposing an innovative $3.1 billion fund to modernize costly and vulnerable information technology (IT) systems – a fund that the Commission proposes to expand. We updated the guidance for Federal agency IT management, cybersecurity, and privacy, introducing the kind of coordination that the Commission calls for. Agencies are increasingly centralizing their cybersecurity efforts and relying on the Department of Homeland Security (DHS) for shared services like vulnerability detection, network discovery and monitoring, intrusion detection and prevention, and cybersecurity assessments of high priority IT systems. Consolidating DHS’ cybersecurity and infrastructure protection missions within a single DHS line agency – as my Administration has proposed, and as the Commission recommends – would further strengthen DHS’ ability to support Federal and critical infrastructure cybersecurity. Finally, consistent with the Commission’s emphasis on improving the Nation’s cybersecurity workforce, my Administration has issued a comprehensive workforce strategy and has hired more than 6,000 new cybersecurity professionals in the Federal government in 2016 alone.
As the Commission recognizes, we have championed the application of international law to cyberspace; promoted voluntary international norms of state behavior during peacetime, securing over 30 countries’ commitment to these norms in the G20 and other international fora; and committed to confidence building measures to reduce escalation risk. We have secured commitments from China and other nations to oppose cyber-enabled theft of intellectual property and business secrets for commercial gain, sought to modernize the Mutual Legal Assistance process, and submitted legislation to enable greater cross-border data sharing between law enforcement agencies – another effort the Commission strongly supports. We have developed additional tools and cyber capabilities to deter and disrupt malicious cyber activity aimed at the United States. Finally, we created the Cyber Threat Intelligence Integration Center to ensure that there is a single government-wide source for integrated intelligence assessments on cyber threats
In total, the Commission’s recommendations affirm the course that this Administration has laid out, but make clear that there is much more to do and the next Administration, Congress, the private sector, and the general public need to build on this progress. Deepening public-private cooperation will help us better protect critical infrastructure and respond to cyber incidents when they occur. Expanding the use of strong authentication to improve identity management will make all of us more secure online. Increasing investments in research and development will improve the security of products and technologies. Investing in human capital, education, and the productivity of the cybersecurity workforce will ensure that this country’s best and brightest are helping us stay ahead of the cybersecurity curve. Continuing to prioritize and coordinate cybersecurity efforts across the Federal government will ensure that this critical challenge remains a top national security priority. And furthering the promotion of international norms of responsible state behavior will ensure that the global community is able to confront the ever-evolving threats we face.
The Commission’s recommendations are thoughtful and pragmatic. Accordingly, my Administration strongly supports the Commission’s work, and we will take additional action wherever possible to build on the work my Administration has already undertaken and to make progress on its new recommendations before the end of my term. Importantly though, I believe that the next Administration and the next Congress can benefit from the Commission’s insights and should use the Commission’s recommendations as a guide. I have asked the Commission to brief the President-Elect’s Transition Team at their earliest opportunity. Further, we must provide sufficient resources to meet the critical cybersecurity challenges called out in the Commission’s report. Before Congress adjourns for the year, it must act to fully fund the urgent cybersecurity needs that my Administration has identified in my 2017 Budget and elsewhere, investing in areas such as securing Federal information technology systems, protecting critical infrastructure, and investing in our cybersecurity workforce.
As the Commission’s report counsels, we have the opportunity to change the balance further in our favor in cyberspace – but only if we take additional bold action to do so. My Administration has made considerable progress in this regard over the last eight years. Now it is time for the next Administration to take up this charge and ensure that cyberspace can continue to be the driver for prosperity, innovation, and change – both in the United States and around the world.