The Department of Commerce's Internet Policy Task Force is requesting comments on a report that proposes voluntary codes of conduct to strengthen the cybersecurity of companies that increasingly rely on the Internet to do business, but are not part of the critical infrastructure sector.
The report, Cybersecurity, Innovation and the Internet Economy, focuses on the "Internet and Information Innovation Sector" (I3S)—businesses that range from small and medium enterprises and bricks-and-mortar firms with online services, to social networking sites and Internet-only businesses, to cloud computing firms that are increasingly subject to cyber attacks.
"Our economy depends on the ability of companies to provide trusted, secure services online," writes Commerce Secretary Gary Locke in the publication. "As new cybersecurity threats evolve, it's critical that we develop policies that better protect businesses and their customers to ensure the Internet remains an engine for economic growth."
Global online transactions are currently estimated by industry analysts at $10 trillion annually. As Internet business has grown, so has the threat of cybersecurity attacks. The number of Internet malware threats was estimated to have doubled between January 2009 and December 2010. In 2010, an estimated 55,000 new viruses, worms, spyware and other threats were bombarding the Internet daily.
Cybersecurity, Innovation and the Internet Economy makes a number of specific recommendations for reducing I3S vulnerabilities:
- Establish nationally recognized but voluntary codes of conduct to minimize cybersecurity vulnerabilities. For example, the report recommends that businesses employ present-day best practices, such as automated security, to combat cybersecurity threats and that they implement the Domain Name System Security (DNSSEC) protocol extensions on the domains that host key web sites.
- Develop incentives to combat cybersecurity threats, for example, reducing "cyberinsurance" premiums for companies that adopt best practices and openly share details about cyber attacks for the benefit of other businesses.
- Improve public understanding of cybersecurity vulnerabilities through education and research. Programs like the National Initiative for Cybersecurity Education, which the National Institute of Standards and Technology (NIST) coordinates, should target awareness and training to the I3S and develop methods for cost/benefit analyses for cybersecurity expenditures.
- Enhance international collaboration on cybersecurity best practices to support expanded global markets for U.S. products. This includes enhanced sharing of research and development goals, standards and policies that support innovation and economic growth.
The Internet Policy Task Force was created in April 2010 to identify and address the Internet's most pressing policy issues and to recommend new policies. It includes the Office of the Secretary, NIST, the International Trade Administration and the National Telecommunications and Information Administration. The Task Force was directed to look at establishing practices, norms and ground rules that promote innovative uses of information in four key areas where the Internet must address significant challenges: enhancing Internet privacy, improving cybersecurity, protecting intellectual property and encouraging the global free flow of information.
A June 15, 2011, Federal Register notice requests comments on the task force report by August 1, 2011. Comments should be emailed to SecurityGreenPaper@nist.gov with the subject line "Comments on Cybersecurity Green Paper." The task force will continue to work with others in government to engage the domestic and global privacy community, and will consider publishing a refined set of policy recommendations in the future.