US agency calls for new cybersecurity standards

The Department of Commerce should help private groups establish voluntary codes of conduct, a report says

The U.S. Department of Commerce should work with Internet business groups to establish voluntary codes of conduct and standards to protect against cyberattacks, a new report from the agency recommended.

The agency should help organize business groups to establish standards-setting processes, and it should promote cybersecurity best practices, said the 75-page report, released Wednesday by the agency's Internet Policy Task Force. The report's recommendations are aimed at what the DOC calls the Internet and information innovation sector, businesses with a large Internet or technology focus.

"A key role for government is to assist industry in developing these voluntary codes of conduct," the report said. "These codes of conduct should aim to unify various technical standards that currently exist and identify a broad set of responsibilities that industry members can use as a baseline for their own cybersecurity efforts."

Many companies have called for the U.S. government to allow private companies to continue to develop security tools, but there is a role for the government in promoting best practices, the report said.

"It is clear that the government should not be in the business of picking technology winners and losers; however, where consensus emerges that a particular standard or practice will markedly improve the Nation's collective security, the government should consider more proactively promoting industry-led efforts and widely accepted standards and practices and calling on entities to implement them," the report said.

The agency will next put the report out for public comment, said Ari Schwartz, Internet policy adviser at the DOC's National Institute of Standards and Technology (NIST). The DOC asks for comment on a number of questions, including what standards the Internet sector should embrace, he said.

"To build those codes of conduct, we really need to start with specific, existing standards and existing best practices," he said. "There could be a standard we don't list here that's very close to critical mass."

For example, the report recommends that Web-based businesses deploy Domain Name System Security (DNSSEC) protocol extensions on the domains that host key websites. The report mentions several other security technologies and protocols.

The report is important because the U.S. government needs to take a "fresh look" at Internet policy and cybersecurity, Commerce Secretary Gary Locke wrote in the report's introduction.

"The Internet is again at a crossroads," Locke wrote. "Protecting security of consumers, businesses and the Internet infrastructure has never been more difficult. Cyber attacks on Internet commerce, vital business sectors and government agencies have grown exponentially."

The U.S. government should also support research to automate cybersecurity functions and should focus on creating incentives, including insurance and liability protection, for businesses that follow cybersecurity standards, the report recommended.

The report also called on the U.S. government to increase cybersecurity education and research programs.

The Center for Democracy and Technology (CDT), a digital liberties and privacy group where Schwartz recently worked, praised the report for focusing on voluntary standards for industries not identified by the U.S. government as core critical infrastructure. The DOC is taking the right approach in focusing on collaborative efforts to develop standards, CDT said.

"We're pleased that the [Obama] administration recognizes that many Internet-based functions and services that consumers use every day should not be defined as part of the 'critical infrastructure' that is subject to a more prescriptive regulatory regime," CDT President Leslie Harris said in a statement.

The Software and Information Industry Association (SIIA), a trade group, also praised the report for advocating voluntary security standards. The technology industry "already complies with a large number of industry-specific and international security standards," Mark MacCarthy, SIIA's vice president for public policy, said in a statement.

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is grant_gross@idg.com.

Tags U.S. Department of CommercesecurityregulationGary LockeCenter for Democracy and TechnologyMark MacCarthyLeslie HarrisAri SchwartzgovernmentSoftware and Information Industry Association

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Grant Gross

IDG News Service

Comments

Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?