The Commerce Department has released a “green paper” from its Internet Policy Task Force concerning “Cybersecurity, Innovation and the Internet Economy” (Commerce pdf; archive pdf). (Disclosure: I was one of the many people who met with the Commerce Department to discuss online privacy issues. This doesn’t mean that I endorse this report — I haven’t read it in depth yet and don’t know what it contains.)
NOTE: Commerce will publish a Federal Register notice seeking public comment on this report. I’ll post that when it’s available. Here’s more about the report from a news release by the Commerce Department:
The U.S. Department of Commerce today released a report that proposes voluntary codes of conduct to strengthen the cybersecurity of companies that increasingly rely on the Internet to do business, but are not part of the critical infrastructure sector. The report, Cybersecurity, Innovation and the Internet Economy, focuses on the “Internet and Information Innovation Sector” (I3S) – these are businesses that range from small and medium enterprises and bricks-and-mortar firms with online services, to social networking sites and Internet-only business, to cloud computing firms that are increasingly subject to cyber attacks. […]
The report, developed by the Department’s Internet Policy Task Force, makes a number of specific recommendations for reducing I3S vulnerabilities:
- Establish nationally recognized but voluntary codes of conduct to minimize cybersecurity vulnerabilities. For example, the report recommends that businesses employ present-day best practices, such as automated security, to combat cybersecurity threats and that they implement the Domain Name System Security (DNSSEC) protocol extensions on the domains that host key Web sites. DNSSEC provides a way to ensure that users are validly delivered to the web addresses they request and are not hijacked.
- Developing incentives to combat cybersecurity threats. The report also recommends exploring and identifying incentives that could include reducing “cyberinsurance” premiums for companies that adopt best practices and openly share details about cyberattacks for the benefit of other businesses.
- Improve public understanding of cybersecurity vulnerabilities through education and research. Programs like the National Initiative for Cybersecurity Education should target awareness and training to the I3S and develop methods for cost/benefit analyses for cybersecurity expenditures.
- Enhance international collaboration on cybersecurity best practices to support expanded global markets for U.S. products. This should include enhanced sharing of research and development goals, standards, and policies that support innovation and economic growth.
This report follows a series of recent Internet security policy recommendations made by the Obama administration. In April, the Administration released the National Strategy for Trusted Identities in Cyberspace, which seeks to better protect consumers from fraud and identity theft. Last month, the Administration proposed legislation to require companies providing critical infrastructure services, such as the financial and energy sectors, to implement stronger cybersecurity practices (fact sheet). In addition, the Administration recently released a strategy for managing international issues in cyberspace.