Commerce Department Calls for Improved Cybersecurity Through Voluntary Self-Regulatory Standards

The report is entitled “Cybersecurity, Innovation and the Internet Economy.”  It discusses how to improve the Internet security practices of companies in the Internet and Information Innovation Sector other than those classified as part of  “critical infrastructure.”  These are the myriad companies that provide information services and content, facilitate transactional services over the Internet, store and host publicly accessible content, and support users’ access to content or transaction activities.  This does not include companies in sectors that implicate national security interests such as the defense, energy, financial, healthcare, and core telecommunications sectors, that are subject to other governmental cyber-security strategies.

To increase the online security of businesses, the green paper preliminarily recommends that the Department of Commerce do the following:

(1) Work with multi-stakeholder groups to develop, when necessary, nationally recognized and consensus-based cybersecurity standards and practices specific to the covered businesses.  This would include proactively promoting the adoption of particular keystone standards and practices, accelerating the promotion of automation in security, and improving and modernizing security assurance of third-party products.  One example provided by the report is the Domain Name System Security (DNSSEC) protocol extensions, which provide a way to ensure that users are validly delivered to the web addresses they request.

(2) Work with industry to create, through public policy and public/private partnerships and other means, new incentives for firms to follow nationally recognized standards and practices as consensus around them emerges.  This would include continuing to advocate for the adoption of a national breach notification law, facilitating the sharing of information about security breaches as they occur, and evaluating other public policy tools that can be used to promote cybersecurity best practices (such as liability protection and reducing “cyberinsurance” premiums for companies that adopt best practices and openly share details about cyberattacks).

(3) Work with the covered businesses and other federal agencies to deepen private sector and public understanding of cybersecurity vulnerabilities, threats, and responses in order to improve incentives, research and development, and education.  This would include developing a better understanding (at both the firm and the macro-economic level) of the costs of cyber-incidents and the benefits of greater security, the tailoring of future awareness-raising efforts (including through the National Initiative for Cybersecurity Education), and facilitating research and development for deployable technologies.

(4) Continue to enhance the Department’s international collaboration and cooperation activities regarding cybersecurity.  The green paper posits that continuing to work with international governments and businesses would promote shared research and development goals, enable the sharing of best practices and threat information, and promote cybersecurity standards and policies that are in line with and/or influence global practices.

The Department has asked interested parties to comment on the recommendations in the green paper, as well as to provide responses to specific questions it posed to help develop the recommendations.  Some of these questions include:

• What kinds of entities should be included or excluded from the covered businesses?  How can the the covered businesses’ functions and services be clearly distinguished from critical infrastructure?

• Should covered businesses that also offer functions and services to covered critical infrastructure be treated differently than other covered businesses?

• Are there existing codes of conduct that covered businesses can utilize that adequately address these issues?

• What process should the Department of Commerce use to work with industry and other stakeholders to identify best practices, guidelines, and standards in the future?

• What are the right incentives to (a) gain adoption of best practices; (b) ensure that the voluntary codes of conduct that develop from best practices are sufficiently robust; and (c) ensure that codes of conduct, once introduced, are updated promptly to address evolving threats and other changes in the security environment?

• How can the Department of Commerce work with other federal agencies to better cooperate, coordinate, and promote adoption and development of cybersecurity standards and policy internationally?

The green paper comes on the heels of the Administration’s May report detailing its stance on cybersecurity policy, and its announcement that it will collaborate with experts in the private sector develop a new cybersecurity strategy.  The Department of Commerce’s position on cybersecurity should inform the Administration’s cybersecurity strategy as it progresses.

Authored by Bret Cohen