Preventing cybersecurity attacks is a shared responsibility. Cybersecurity should be a risk-based strategy that increases security and resiliency in cyberspace. We also need good cyber hygiene, good technology, and highly skilled cyber workers. Any effort to address cybersecurity should also recognize the significant concerns many U.S. companies and trading partners have with reports of U.S. government surveillance activity.
- Implementation of the Cybersecurity Act of 2015 should facilitate this risk-based strategy by promoting the sharing of actionable cyber threat information from government to industry, from industry to government, and among private companies. In developing the policies and procedures to implement the Act’s information sharing requirements, the Administration should prioritize the privacy of data.
- The U.S. government should share cyber threat information with the private sector in a timely and actionable manner. The current process does not provide companies with actionable, accurate, and timely information.
- A comprehensive risk-based cybersecurity strategy should increase the security and resiliency of all networks, and should prepare for and mitigate cyber attacks through the coordination of industry and government.
- Market-based incentives should be used to encourage companies to actively manage risks in accordance with industry standards and practices.
- Industry should be provided liability protection from frivolous lawsuits.