Communications Daily is a service of Warren Communications News.
New Sector Christened

Commerce Department Proposes Cybersecurity Framework for Online Businesses Outside Critical Infrastructure

A report by the Commerce Department proposes a new cybersecurity framework for companies that use online services but aren’t classified as covered critical infrastructure. Companies in this “Internet and Information Innovation sector” (I3S) are “outside the orbit of critical infrastructure or key resources,” Commerce Secretary Gary Locke said in the report. To reduce the number of vulnerabilities in the sector, the department makes recommendations that involve establishing voluntary codes of conduct, developing incentives to adopt cybersecurity practices and developing cybersecurity standards that extend into international markets. To craft the report, the department’s Internet Policy Task Force considered recommendations from a notice of inquiry last year that solicited comments on enhanced cybersecurity practices.

The proposal promotes I3S-specific voluntary codes of conduct. The attention to particular performance measures and widely accepted standards through codes of conduct “could help to encourage wider adoption of good practices and to avoid mandating security requirements on the I3S,” the report said. The department asks whether the government should facilitate the establishment of a “broadly stated, uniform set of cyber management principles for I3S entities to follow.” The key role for government is to help develop the codes, it said. The codes “should aim to unify various technical standards that currently exist and identify a broad set of responsibilities that industry members can use as a baseline for their own cybersecurity efforts.”

The report recommends developing incentives to promote the adoption of cybersecurity best practices. Many of the incentives were suggested by technology companies, the department said. Some companies and groups, like TechAmerica and Triad Biometrics, supported tax incentives, government procurement and streamlined regulatory requirements, it said. Some companies suggested that best practices could be coupled with “cyberinsurance,” with reduced premiums related to the amount already invested by the companies, the report said. Some companies also urged the federal government to “remain involved in other international forums concerned with cybersecurity,” the report said. Many entities suggested appointing a cybersecurity ambassador at the State Department “to coordinate international engagement and strategy.”

The step toward reducing cyber vulnerabilities was applauded by the Center for Democracy and Technology and the Software & Information Industry Association. SIIA agrees with the emphasis on “the need to avoid fragmented and unpredictable rules in the international sphere that frustrate innovation ... and the broad commercial success of the online environment,” said Mark MacCarthy, SIIA public policy vice president. CDT is pleased that the administration recognizes that many Internet-based functions “should not be defined as part of the ‘critical infrastructure’ that is subject to a more prescriptive regulatory regime,” President Leslie Harris said. A great deal of work needs to be done, said Gregory Nojeim, CDT director of the Project on Security, Freedom and Technology. There’s a huge unanswered question of “what should be the government’s role in securing the Internet itself, whether it is deemed critical or non-critical,” he said.

The Commerce Department “seeks comments on the I3S definition and the vision for the policies to protect the sector,” it said. Questions from the report and a request for comment will be published in the Federal Register later this week.