On Friday, the President’s Commission on Enhancing National Cybersecurity published its final report, making 16 recommendations and identifying 53 action items to improve cybersecurity in the United States. Established by Executive Order 13,718 last February, the nonpartisan Commission included 12 experts, some recommended by Democratic and Republican leaders in Congress and others selected by the Obama Administration.
The Commission drew on the Executive Order to identify particular topics of study, including, for example, federal governance, cybersecurity research and development, and the cybersecurity workforce, but on its own initiative (and as permitted by the Executive Order), the Commission also studied international issues. Many of the Commission’s recommendations should be uncontroversial, and its recommendation to continue international coordination efforts on cybersecurity issues should be one of them.
In Recommendation 6.1, the Commission counsels, “The Administration should encourage and actively coordinate with the international community in creating and harmonizing cybersecurity policies and practices and common international agreements on cybersecurity law and global norms of behavior.” To operationalize this recommendation, the Commission identifies several action items, including appointing an “Ambassador for Cybersecurity” at the State Department, continued promotion of peacetime norms of behavior, and assistance to other states for cybersecurity capacity building. The Commission separately notes the need for “continued progress toward international consensus on applying international law to cyberspace” (p.47).
There are many possible arguments in favor of these recommendations, but it’s important to understand the Commission’s argument for them. The Commission styled its final product as a “Report on Securing and Growing the Digital Economy,” and its justification for international engagement is an economic one. The Commission highlights the inefficiencies caused by the current lack of harmonization of standards and regulatory requirements—disparities that “force companies to devote resources to multiple compliance regimes rather than to innovation” (p.47)—and also the lack of effective international mechanisms to halt malicious activity by state and non-state actors in cyberspace.
Even for those who may be skeptical of international engagement and international law or norms in general, the Commission’s perception that international coordination is crucial should be persuasive. Many of the commissioners currently work for companies that are suffering the effects of the lack of international harmonization and instability caused by frequent cybersecurity incidents. In other words, they know whereof they speak.
Read the full piece at Just Security.