016 - Appendix 5 Cybersecurity Policy Overview
Report on Securing and Growing the Digital Economy · 2026-03-05 · 20 min
Substance score
11 / 100
Five dimensions, 20 points each
What our scoring noted
Our reviewer’s read on each dimension, with quotes from the episode.
Insight Density
This is a verbatim recitation of a government policy appendix, enumerating executive orders and directives with one-sentence descriptions. There are no novel claims, no analysis, and no actionable takeaways for a B2B operator—the only marginally interesting observation is the absence of regulation as a policy theme, but even that is stated flatly without exploration.
This appendix provides an overview of selected cybersecurity policies established by recent administrations to address our nation's cybersecurity challenges.
Common themes among these cybersecurity policies include the following Improving the security of our nation's critical infrastructure
Originality
There is zero original thinking in this episode; it is a straight audio reading of a government appendix, itself composed of summaries of other government documents. Every sentence is either a policy description or a quotation from a pre-existing report.
This is a LibriVox recording. All LibriVox recordings are in the public domain.
no integrated, overarching strategy has been developed that synthesizes these documents to provide a comprehensive description of the current strategy
Guest Caliber
There is no guest and no host in any meaningful sense—only a single narrator (Colleen McMahon) reading a document aloud for LibriVox. No practitioner, operator, or expert contributes any spoken expertise.
Recording by Colleen McMahon. Report on Securing and Growing the Digital Economy by the Commission on Enhancing National Cybersecurity.
This is a LibriVox recording. All LibriVox recordings are in the public domain. For more information or to volunteer, please visit LibriVox dot org.
Specificity & Evidence
The document is specific in naming executive order numbers, directive titles, and dates, which gives it surface-level concreteness; however, it contains no real-world metrics, dollar figures, breach data, or operational case studies that would provide evidence useful to a practitioner.
NSPD fifty four HSPD twenty three started the Comprehensive National Cybersecurity Initiative CNCI.
The plan defined three cybersecurity R and D goals. One Within the next one to three years
Conversational Craft
There is no conversation whatsoever—no host, no guest, no questions, no follow-ups, and no pushback. The entire episode is a single narrator reading government text without interruption or commentary.
Recording by Colleen McMahon. Report on Securing and Growing the Digital Economy by the Commission on Enhancing National Cybersecurity. Appendix five Cybersecurity Policy Overview.
Episode notes
On April 13, 2016, President Obama established the President's Commission on Enhancing National Cybersecurity to devise a comprehensive strategy for safeguarding our cyberspace and the economic foundations built upon it. The commission's final report, published in December 2016, provides a thorough examination of the current state of cybersecurity, anticipates future challenges, and presents actionable recommendations for the incoming Trump administration and future leaders. It emphasizes the critical roles that the military, government, and private sector must play in strengthening our defenses against cyber threats. Join us as we explore the insights and strategies laid out in this pivotal report. - Summary by TriciaG
Full transcript
20 min · Transcribed and scored by The B2B Podcast Index.
1 00:00:00,200 --> 00:00:04,799 Speaker 1: Section fifteen of Report on Securing and Growing the Digital Economy. 2 00:00:05,400 --> 00:00:08,919 This is a LibriVox recording. All LibriVox recordings are in 3 00:00:08,960 --> 00:00:12,960 the public domain. For more information or to volunteer, please 4 00:00:13,039 --> 00:00:18,760 visit LibriVox dot org. Recording by Colleen McMahon. Report on 5 00:00:18,839 --> 00:00:22,239 Securing and Growing the Digital Economy by the Commission on 6 00:00:22,399 --> 00:00:30,519 Enhancing National Cybersecurity. Appendix five Cybersecurity Policy Overview. This appendix 7 00:00:30,559 --> 00:00:35,520 provides an overview of selected cybersecurity policies established by recent 8 00:00:35,560 --> 00:00:43,000 administrations to address our nation's cybersecurity challenges. Clinton Administration Policies one. 9 00:00:43,679 --> 00:00:49,240 Executive Order EO one three zero one zero Critical Infrastructure 10 00:00:49,280 --> 00:00:54,520 Protection July fifteenth, nineteen ninety six. EO thirteen oh one 11 00:00:54,560 --> 00:00:59,399 oh established the President's Commission on Critical Infrastructure Protection, also 12 00:00:59,479 --> 00:01:02,439 known as the Marsh Commission. The purpose of this commission 13 00:01:02,560 --> 00:01:06,599 was to assess the vulnerabilities of critical infrastructures and develop 14 00:01:06,680 --> 00:01:10,719 recommendations for better protecting them. S two The Report of 15 00:01:10,760 --> 00:01:16,319 the President's Commission on Critical Infrastructure Protection Critical Foundations Protecting 16 00:01:16,359 --> 00:01:21,159 America's Infrastructures, October nineteen ninety seven. This report from the 17 00:01:21,200 --> 00:01:25,439 Marsh Commission concluded that our nation's critical infrastructure was facing 18 00:01:25,519 --> 00:01:29,519 increasing risks and that current defenses were minimal.
The Commission 19 00:01:29,599 --> 00:01:33,120 recommended a joint effort between the public and private sectors 20 00:01:33,200 --> 00:01:38,159 to improve security. Section three Presidential Decision Directive sixty three 21 00:01:38,519 --> 00:01:44,000 PDD sixty three Critical Infrastructure Protection Sector Coordinators, 22 00:01:44,319 --> 00:01:47,959 August fourth, nineteen ninety eight, produced in response to the 23 00:01:48,000 --> 00:01:51,920 recommendations of the Marsh Commission. PDD sixty three was 24 00:01:51,959 --> 00:01:55,640 the first U S policy statement on critical infrastructure, and 25 00:01:55,719 --> 00:01:59,480 it highlighted the need to better protect critical infrastructure from 26 00:01:59,480 --> 00:02:03,840 physical and cyber threats. PDD sixty three was revoked and 27 00:02:03,879 --> 00:02:08,520 replaced by Homeland Security Presidential Directive seven in two thousand three. 28 00:02:08,960 --> 00:02:14,919 Section four Defending America's Cyberspace National Plan for Information Systems Protection, 29 00:02:15,280 --> 00:02:19,039 Version one point zero, two thousand. This plan, which was 30 00:02:19,080 --> 00:02:23,599 created in support of PDD sixty three, proposed ten programs 31 00:02:23,639 --> 00:02:27,080 to aid the federal government in protecting critical US systems 32 00:02:27,080 --> 00:02:33,039 and networks. These programs include identifying critical infrastructure assets and vulnerabilities, 33 00:02:33,360 --> 00:02:39,919 detecting attacks, sharing attack information, training security specialists, strengthening research 34 00:02:39,960 --> 00:02:45,759 and development efforts, and increasing public outreach. Bush Administration policies. 35 00:02:46,360 --> 00:02:51,280 Section five, The National Strategy to Secure Cyberspace February two 36 00:02:51,319 --> 00:02:55,639 thousand three.
This document provided a framework for ensuring that 37 00:02:55,680 --> 00:02:59,800 our nation's efforts to improve cybersecurity are effectively organized and 38 00:02:59,879 --> 00:03:03,599 prioritized. The strategy emphasized the need for a wide 39 00:03:03,680 --> 00:03:08,960 range of Americans to have roles in cybersecurity. Six Homeland 40 00:03:09,000 --> 00:03:16,680 Security Presidential Directive seven HSPD seven Critical Infrastructure Identification, Prioritization 41 00:03:16,800 --> 00:03:22,960 and Protection December seventeenth, two thousand three. HSPD seven changed 42 00:03:23,039 --> 00:03:28,560 federal agency responsibilities related to critical infrastructure protection. Its policy 43 00:03:28,599 --> 00:03:32,879 statements included designating an agency to lead protection activities for 44 00:03:33,000 --> 00:03:38,280 each critical infrastructure sector. HSPD seven was revoked and replaced 45 00:03:38,319 --> 00:03:43,479 by Presidential Policy Directive twenty one in twenty thirteen. Seven 46 00:03:44,039 --> 00:03:49,360 National Infrastructure Protection Plan NIPP two thousand and six. The 47 00:03:49,520 --> 00:03:54,639 NIPP was created to address requirements from HSPD seven. The 48 00:03:54,800 --> 00:04:00,919 NIPP defined the federal government's approach to identify quote national priorities, 49 00:04:01,000 --> 00:04:05,479 goals and requirements for CI protection end of quote. Other 50 00:04:05,599 --> 00:04:10,400 information provided by the NIPP included the identification of federal 51 00:04:10,439 --> 00:04:15,840 agency responsibilities for critical infrastructure protection and the definition of 52 00:04:16,000 --> 00:04:20,160 the risk management framework to be used for assessing, prioritizing, 53 00:04:20,519 --> 00:04:26,560 and addressing risks to critical infrastructure.
Eight National Security Presidential 54 00:04:26,600 --> 00:04:32,759 Directive fifty four NSPD fifty four slash Homeland Security Presidential 55 00:04:32,800 --> 00:04:39,279 Directive twenty three HSPD twenty three Cybersecurity Policy January two 56 00:04:39,319 --> 00:04:45,480 thousand and eight. NSPD fifty four HSPD twenty three started 57 00:04:45,600 --> 00:04:51,360 the Comprehensive National Cybersecurity Initiative CNCI. The primary goals of 58 00:04:51,399 --> 00:04:55,040 the CNCI were quote to establish a front line of 59 00:04:55,040 --> 00:04:59,360 defense against today's immediate threats, to defend against the full 60 00:04:59,399 --> 00:05:03,040 spectrum of FA threats, and to strengthen the future cybersecurity 61 00:05:03,160 --> 00:05:10,160 environment end of quote. Obama Administration Policies nine NIPP two 62 00:05:10,199 --> 00:05:14,000 thousand and nine February two thousand and nine. This document 63 00:05:14,079 --> 00:05:17,879 refined the original NIPP from two thousand and six. Its 64 00:05:17,959 --> 00:05:22,560 changes included adding critical manufacturing as a critical infrastructure sector 65 00:05:23,040 --> 00:05:28,680 and merging education into the government facilities sector. Ten Cyberspace 66 00:05:28,839 --> 00:05:34,439 Policy Review Assuring a Trusted and Resilient Information and Communications Infrastructure, 67 00:05:34,800 --> 00:05:38,439 May two thousand and nine. This report documented the results 68 00:05:38,480 --> 00:05:41,439 of a sixty day review of the federal government's efforts 69 00:05:41,480 --> 00:05:46,480 regarding cybersecurity. It also made several recommendations, including the following 70 00:05:47,079 --> 00:05:51,519 quote The nation needs to develop the policies, processes, people, 71 00:05:51,639 --> 00:05:57,519 and technology required to mitigate cybersecurity related risks. End of quote. 
72 00:05:57,759 --> 00:06:02,160 Addressing network security issues requires a public private partnership, 73 00:06:02,319 --> 00:06:06,399 as well as international cooperation and norms. The United States 74 00:06:06,519 --> 00:06:10,759 needs a comprehensive framework to ensure coordinated response and recovery 75 00:06:10,759 --> 00:06:13,920 by the government, the private sector, and our allies to 76 00:06:14,000 --> 00:06:18,000 a significant incident or threat. End of quote quote. The 77 00:06:18,120 --> 00:06:21,959 United States needs to conduct a national dialogue on cybersecurity 78 00:06:22,360 --> 00:06:25,639 to develop more public awareness of the threat and risks, 79 00:06:26,040 --> 00:06:29,240 and to ensure an integrated approach toward the nation's need 80 00:06:29,319 --> 00:06:32,720 for security and the national commitment to privacy rights and 81 00:06:32,759 --> 00:06:38,439 civil liberties guaranteed by the Constitution and law. End of quote. 82 00:06:38,480 --> 00:06:41,680 The government needs to increase investment in research that will 83 00:06:41,680 --> 00:06:46,680 help address cybersecurity vulnerabilities while also meeting our economic needs 84 00:06:46,720 --> 00:06:52,240 and national security requirements. End of quote. Eleven National Strategy 85 00:06:52,279 --> 00:06:57,959 for Trusted Identities in Cyberspace Enhancing online choice, efficiency, security, 86 00:06:58,000 --> 00:07:02,399 and privacy. April two thousand and eleven. The National Strategy 87 00:07:02,439 --> 00:07:07,800 for Trusted Identities in Cyberspace NSTIC was created to improve 88 00:07:07,879 --> 00:07:11,720 the security of online transactions by encouraging the private sector 89 00:07:11,839 --> 00:07:15,399 to develop tools for securing the identities of individuals and 90 00:07:15,480 --> 00:07:21,639 other entities involved in online transactions.
Twelve International Strategy for 91 00:07:21,720 --> 00:07:26,920 Cyberspace Prosperity, Security, and Openness in a Networked World, May 92 00:07:26,959 --> 00:07:33,199 twenty eleven. This strategy complemented other Obama administration cybersecurity policies 93 00:07:33,439 --> 00:07:37,839 by emphasizing the need for international cooperation to achieve technology 94 00:07:37,920 --> 00:07:43,319 reliability and security. Principles from the strategy include strengthening partnerships 95 00:07:43,360 --> 00:07:47,360 with a wide variety of stakeholders, implementing measures to dissuade 96 00:07:47,399 --> 00:07:53,279 and deter adversaries, and facilitating the development of global cybersecurity capabilities. 97 00:07:54,040 --> 00:07:59,079 Thirteen Executive Order one three five eight seven Structural Reforms 98 00:07:59,120 --> 00:08:02,120 to improve the security of classified networks and the 99 00:08:02,160 --> 00:08:07,959 responsible sharing and safeguarding of classified information. October seven, twenty eleven. 100 00:08:08,920 --> 00:08:12,959 EO one three five eight seven directed federal agencies to 101 00:08:13,000 --> 00:08:16,720 better protect the security of their classified information and for 102 00:08:16,759 --> 00:08:21,040 such information involving people, to also protect the individual's privacy 103 00:08:21,199 --> 00:08:26,079 and civil liberties. Fourteen Executive Order one three six three 104 00:08:26,160 --> 00:08:33,200 six Improving Critical Infrastructure Cybersecurity February twelve, twenty thirteen. EO 105 00:08:33,399 --> 00:08:36,559 one three six three six initiated the development of a 106 00:08:36,679 --> 00:08:41,799 voluntary cybersecurity framework for organizations to use in reducing cyber 107 00:08:41,919 --> 00:08:46,039 risk to critical infrastructure.
EO one three six three six 108 00:08:46,159 --> 00:08:50,639 also directed the Department of Homeland Security DHS to produce 109 00:08:50,679 --> 00:08:54,080 a list of critical infrastructure systems and assets that could 110 00:08:54,120 --> 00:08:58,000 be disrupted by a cyber attack, and directed federal agencies 111 00:08:58,039 --> 00:09:01,279 to notify private organizations if they were the target or 112 00:09:01,360 --> 00:09:07,559 victim of malicious cyberactivity. Fifteen Presidential Policy Directive twenty one 113 00:09:07,840 --> 00:09:13,679 PPD twenty one Critical Infrastructure Security and Resilience, February twelfth, 114 00:09:13,679 --> 00:09:18,879 twenty thirteen. This directive recognized the importance of strengthening critical 115 00:09:18,879 --> 00:09:24,240 infrastructure security and resilience, and it recommended accomplishing such strengthening 116 00:09:24,360 --> 00:09:30,440 through collaboration among federal, state, local, tribal, and territorial government agencies, 117 00:09:30,720 --> 00:09:35,039 as well as public and private sector organizations. PPD twenty 118 00:09:35,039 --> 00:09:39,639 one detailed federal agency roles and responsibilities related to critical 119 00:09:39,639 --> 00:09:44,120 infrastructure security and resilience, and it triggered several actions by 120 00:09:44,159 --> 00:09:51,279 these agencies in consequence. Sixteen NIPP twenty thirteen, December twenty thirteen, 121 00:09:51,919 --> 00:09:55,440 as directed by PPD twenty one, The two thousand nine 122 00:09:55,519 --> 00:09:59,039 version of the NIPP was revised and re released. The 123 00:09:59,159 --> 00:10:01,720 changes were much more extensive than those made in 124 00:10:01,720 --> 00:10:04,320 two thousand and nine to the two thousand and six version.
125 00:10:04,720 --> 00:10:09,120 The twenty thirteen version of the NIPP quote reflects changes 126 00:10:09,159 --> 00:10:13,639 in the critical infrastructure risk policy and operating environments, and 127 00:10:13,759 --> 00:10:16,879 is informed by the need to integrate the cyber, physical, 128 00:10:16,960 --> 00:10:20,799 and human elements of critical infrastructure in managing risk. End 129 00:10:20,840 --> 00:10:27,200 of quote seventeen Framework for Improving Critical Infrastructure Cybersecurity, February 130 00:10:27,240 --> 00:10:32,360 twenty fourteen, commonly known as the Cybersecurity Framework. This document 131 00:10:32,559 --> 00:10:37,600 quote enables organizations, regardless of size, degree of cybersecurity risk, 132 00:10:37,960 --> 00:10:42,559 or cybersecurity sophistication, to apply the principles and best practices 133 00:10:42,600 --> 00:10:46,240 of risk management to improving the security and resilience of 134 00:10:46,320 --> 00:10:51,600 critical infrastructure. End of quote eighteen Office of Management and 135 00:10:51,639 --> 00:10:57,240 Budget OMB M fifteen oh one Fiscal Year twenty fourteen 136 00:10:57,360 --> 00:11:01,279 twenty fifteen Guidance on Improving Federal Information Security and 137 00:11:01,320 --> 00:11:07,320 Privacy Management Practices, October third, twenty fourteen. This memorandum made 138 00:11:07,360 --> 00:11:11,919 several changes to federal cybersecurity practices, including a shift from 139 00:11:12,000 --> 00:11:16,960 periodic to continuous risk assessment and cybersecurity monitoring. It also 140 00:11:17,039 --> 00:11:21,679 authorized DHS to scan federal agencies' publicly accessible networks for 141 00:11:21,759 --> 00:11:26,960 the presence of vulnerabilities. Nineteen Executive Order one three six 142 00:11:27,120 --> 00:11:33,000 nine one Promoting Private Sector Cybersecurity Information Sharing February thirteenth, 143 00:11:33,120 --> 00:11:37,799 twenty fifteen.
This EO promoted the creation of entities such 144 00:11:37,840 --> 00:11:44,240 as Information Sharing and Analysis Organizations ISAOs that enable businesses, 145 00:11:44,360 --> 00:11:49,360 government agencies, and other organizations to share cybersecurity information with 146 00:11:49,440 --> 00:11:54,200 each other. Twenty fact sheet Enhancing and Strengthening the Federal 147 00:11:54,240 --> 00:11:59,840 Government's Cybersecurity June twelfth, twenty fifteen. This effort, better known 148 00:11:59,879 --> 00:12:04,240 as the thirty Day Cybersecurity Sprint, directed federal agencies to 149 00:12:04,279 --> 00:12:08,919 make several immediate improvements to their cybersecurity policies and processes. 150 00:12:09,360 --> 00:12:12,879 It also formed a Cybersecurity Sprint team to review federal 151 00:12:12,919 --> 00:12:18,679 cybersecurity policies and processes, identify shortcomings and priorities, and recommend 152 00:12:18,720 --> 00:12:21,919 how to address them. In addition, the Sprint directed the 153 00:12:21,960 --> 00:12:25,720 development of a federal cybersecurity strategy based on the following 154 00:12:25,879 --> 00:12:33,120 key principles. Protecting data, improving situational awareness, increasing cybersecurity proficiency, 155 00:12:33,519 --> 00:12:40,320 increasing awareness, Standardizing and automating processes, controlling, containing, and recovering 156 00:12:40,360 --> 00:12:46,399 from incidents, Strengthening systems life cycle security, reducing attack surfaces 157 00:12:47,200 --> 00:12:51,639 twenty one. Office of Management and Budget M sixteen four. 158 00:12:52,039 --> 00:12:58,080 Cybersecurity Strategy and Implementation Plan CSIP for the Federal Civilian Government, 159 00:12:58,320 --> 00:13:03,279 October thirty, twenty fifteen. The CSIP resulted from the thirty 160 00:13:03,360 --> 00:13:08,679 Day Cybersecurity Sprint.
The CSIP established five objectives for Federal 161 00:13:08,720 --> 00:13:14,399 Civilian agencies a quote Prioritized identification and protection of high 162 00:13:14,480 --> 00:13:19,840 value information and assets. B Timely detection of and rapid 163 00:13:19,879 --> 00:13:24,799 response to cyber incidents. C Rapid recovery from incidents when 164 00:13:24,799 --> 00:13:28,159 they occur, and accelerated adoption of lessons learned from the 165 00:13:28,200 --> 00:13:32,799 Sprint assessment. D Recruitment and retention of the most highly 166 00:13:32,919 --> 00:13:37,279 qualified cybersecurity workforce talent the federal government can bring to bear, 167 00:13:37,960 --> 00:13:42,320 and E Efficient and effective acquisition and deployment of existing 168 00:13:42,360 --> 00:13:46,639 and emerging technology end of quote. Twenty two fact sheet 169 00:13:46,879 --> 00:13:51,960 Cybersecurity National Action Plan, February ninth, twenty sixteen. This plan 170 00:13:52,039 --> 00:13:56,200 initiated several actions to improve cybersecurity for the federal government, 171 00:13:56,320 --> 00:14:01,279 the private sector, and individuals, including the following A. Establish 172 00:14:01,360 --> 00:14:05,639 the Commission on Enhancing National Cybersecurity. B Propose an IT 173 00:14:06,039 --> 00:14:11,360 modernization fund for the replacement of legacy technologies. C. Encourage 174 00:14:11,440 --> 00:14:16,960 users to adopt multi factor authentication. D. Propose a significant 175 00:14:17,000 --> 00:14:23,080 budget increase for federal cybersecurity efforts. Twenty three Federal Cybersecurity 176 00:14:23,120 --> 00:14:28,320 Research and Development Strategic Plan, February ninth, twenty sixteen. The 177 00:14:28,399 --> 00:14:33,279 plan defined three cybersecurity R and D goals. 
One Within 178 00:14:33,320 --> 00:14:35,759 the next one to three years, achieve the science and 179 00:14:35,799 --> 00:14:41,600 technology advances needed to quote counter adversaries' asymmetrical advantages with 180 00:14:41,679 --> 00:14:45,480 effective and efficient risk management end of quote, meaning the 181 00:14:45,519 --> 00:14:51,159 ability to identify, assess, and respond to cybersecurity risks. Two 182 00:14:51,200 --> 00:14:54,320 Over the next three to seven years, achieve advances to 183 00:14:54,399 --> 00:15:00,600 quote reverse adversaries' asymmetrical advantages through sustainably secure systems development 184 00:15:00,600 --> 00:15:04,120 and operation end of quote. And three over the next 185 00:15:04,159 --> 00:15:08,080 seven to fifteen years, achieve advances quote for effective and 186 00:15:08,120 --> 00:15:12,679 efficient deterrence of malicious cyberactivities via denial of results 187 00:15:12,720 --> 00:15:17,320 and likely attribution end of quote. Twenty four Executive Order 188 00:15:17,360 --> 00:15:21,440 one three seven one eight Commission on Enhancing National Cybersecurity, 189 00:15:21,720 --> 00:15:26,039 February ninth, twenty sixteen. This EO established the commission that 190 00:15:26,080 --> 00:15:29,360 produced the present report. See Appendix four for a copy 191 00:15:29,399 --> 00:15:33,080 of EO one three seven one eight's text. Twenty five 192 00:15:33,519 --> 00:15:38,600 Presidential Policy Directive forty one United States Cyber Incident Coordination 193 00:15:39,080 --> 00:15:43,799 July twenty sixth, twenty sixteen. PPD forty one clarified roles 194 00:15:43,799 --> 00:15:49,200 and responsibilities related to cybersecurity incident handling. It also directed 195 00:15:49,240 --> 00:15:54,080 the formation of a Cyber Unified Coordination Group UCG to 196 00:15:54,200 --> 00:16:00,000 coordinate incident response efforts for the most serious incidents. Policy themes.
197 00:16:00,240 --> 00:16:04,759 Common themes among these cybersecurity policies include the following Improving 198 00:16:04,840 --> 00:16:09,879 the security of our nation's critical infrastructure, Encouraging joint efforts 199 00:16:10,080 --> 00:16:13,840 involving a wide variety of public and private sector organizations 200 00:16:14,080 --> 00:16:19,879 to improve global cybersecurity, Improving federal cybersecurity policies and practices, 201 00:16:20,200 --> 00:16:25,039 especially in terms of incident response capabilities, using risk management 202 00:16:25,120 --> 00:16:31,440 principles to assess vulnerabilities and select mitigations. Encouraging cybersecurity information 203 00:16:31,519 --> 00:16:36,759 sharing among public and private sector organizations, Increasing public awareness 204 00:16:36,759 --> 00:16:42,799 of cybersecurity, and increasing investments in cybersecurity research. Notably absent 205 00:16:42,840 --> 00:16:46,320 from these themes is regulation. Except for a brief period 206 00:16:46,360 --> 00:16:50,759 in the Obama administration, the past three administrations have consistently 207 00:16:50,960 --> 00:16:56,759 eschewed regulation as a policy solution for cybersecurity. Policy criticisms. 208 00:16:57,399 --> 00:17:00,879 Fault has been found with the cybersecurity policies proposed by 209 00:17:00,919 --> 00:17:04,279 recent administrations, as well as with how those policies have 210 00:17:04,319 --> 00:17:08,039 been implemented. Here are examples of well supported criticism from 211 00:17:08,079 --> 00:17:12,039 the past few years. In February twenty thirteen, the Government 212 00:17:12,039 --> 00:17:17,759 Accountability Office GAO released a report GAO dash one three dash 213 00:17:17,799 --> 00:17:23,319 one eight seven titled Cybersecurity National Strategy Roles and Responsibilities 214 00:17:23,440 --> 00:17:26,759 need to be Better defined and more effectively implemented.
It 215 00:17:26,799 --> 00:17:33,440 criticized federal cybersecurity strategy documents as follows. Although the federal 216 00:17:33,440 --> 00:17:37,200 strategy to address cybersecurity issues has been described in a 217 00:17:37,279 --> 00:17:42,119 number of documents, no integrated, overarching strategy has been developed 218 00:17:42,240 --> 00:17:46,680 that synthesizes these documents to provide a comprehensive description of 219 00:17:46,720 --> 00:17:52,119 the current strategy, including priority actions, responsibilities for performing them, 220 00:17:52,480 --> 00:17:56,559 and timeframes for their completion. Existing strategy documents have not 221 00:17:56,599 --> 00:18:00,400 always addressed key elements of the desirable characteristics of a 222 00:18:00,400 --> 00:18:05,200 strategic approach. Among the items generally not included in cybersecurity 223 00:18:05,240 --> 00:18:10,200 strategy documents are mechanisms such as milestones and performance measures, 224 00:18:10,559 --> 00:18:15,559 costs and resource allocations. Clear delineations of roles and responsibilities, 225 00:18:16,039 --> 00:18:20,480 and explanations of how the documents integrate with other national strategies. 226 00:18:21,160 --> 00:18:23,680 The items that have generally been missing are key to 227 00:18:23,759 --> 00:18:26,920 helping ensure that the vision and priorities outlined in the 228 00:18:27,000 --> 00:18:32,200 documents are effectively implemented. Without an overarching strategy that includes 229 00:18:32,279 --> 00:18:35,839 such mechanisms, the government is less able to determine the 230 00:18:35,880 --> 00:18:38,920 progress it has made in reaching its objectives and to 231 00:18:38,960 --> 00:18:43,240 hold key organizations accountable for carrying out planned activities.
End 232 00:18:43,279 --> 00:18:47,640 of December twenty thirteen saw the release of Liberty and 233 00:18:47,680 --> 00:18:51,519 Security in a Changing World Report and Recommendations of the 234 00:18:51,559 --> 00:18:57,079 President's Review Group on Intelligence and Communications Technologies regarding EO 235 00:18:57,480 --> 00:19:00,640 one three five eight seven. This report issued the following 236 00:19:00,680 --> 00:19:05,759 findings and recommendations quote. In recognition of the need to 237 00:19:05,799 --> 00:19:10,519 improve security on government networks with classified data, President Obama 238 00:19:10,599 --> 00:19:14,000 issued Executive Order one three five eight seven to improve 239 00:19:14,039 --> 00:19:17,599 the security of classified networks against the insider threat. We 240 00:19:17,759 --> 00:19:20,839 have found that the implementation of that directive has been 241 00:19:20,920 --> 00:19:24,079 at best uneven and far too slow. Every day that 242 00:19:24,160 --> 00:19:28,559 it remained unimplemented, sensitive data and therefore potentially lives are 243 00:19:28,599 --> 00:19:33,119 at risk. Interagency implementation monitoring was not performed at a 244 00:19:33,119 --> 00:19:39,119 sufficiently high level in OMB or the NSS National Security Staff. 245 00:19:39,480 --> 00:19:43,160 The administration did not direct the reprogramming of adequate funds. 246 00:19:43,759 --> 00:19:46,880 Officials who were tardy in compliance were not held accountable. 247 00:19:47,240 --> 00:19:51,240 No central staff was created to enforce implementation or share 248 00:19:51,279 --> 00:19:55,279 best practices and lessons learned. End of quote. We believe 249 00:19:55,359 --> 00:19:58,480 that the implementation of Executive Order one three, five, seven 250 00:19:58,519 --> 00:20:02,119 eight should be greatly accelerated.
The deadlines should be moved 251 00:20:02,160 --> 00:20:04,960 up and enforced, and the adequate funding should be made 252 00:20:05,000 --> 00:20:09,079 available within agency budget ceilings. And a Deputy Assistant to 253 00:20:09,119 --> 00:20:13,599 the President might be directed to enforce implementation. The interagency 254 00:20:13,640 --> 00:20:16,880 process might be co led by the Deputy Director of OMB. 255 00:20:18,160 --> 00:20:21,640 End of section fifteen. Recording by Colleen McMahon