Commerce recommends a new internet security plan

WFED's Jason Miller with Ari Schwartz, Internet Policy Advisor for the National Institute of Standards and Technology

wfedstaff | June 4, 2015 7:02 am

By Jason Miller
Executive Editor
Federal News Radio

The Obama administration now is turning its cybersecurity focus on a new part of the private sector. And it’s putting the charge in the Commerce Department’s lap to initiate discussions and convene decision-makers.

Commerce Wednesday issued the Cybersecurity, Innovation and the Internet Economy report, which focuses on helping non-covered critical infrastructure companies secure their computers and technology infrastructure, meaning those companies that don’t provide power, water, telecommunications, financial services and other critical services.

“This space is everything from small shops that are startups and have an online presence to large companies having social networking sites, but are not considered infrastructure but still are vital to the economy,” said Ari Schwartz, the Internet Policy Advisor for the National Institute of Standards and Technology, in an interview with Federal News Radio. “What we are trying to do is eventually build some kind of codes of conduct. In order to get there, we need to start to impress and build a better array of standards and best practices in this space and really try to get the companies in this space to implement what are known security standards.”


The report lists several security standards, such as Domain Name System Security Extensions (DNSSEC) or IP security (IPsec), which Schwartz said are on the “edge of critical mass” across the private sector. Commerce’s goal is to help reach that critical mass so more and more companies are taking steps to secure their computers and systems.

Commerce recommended improved methods for authenticating identity instead of passwords, which are easily stolen or hacked. It also emphasized using technology to make sure when users type in a Web address they actually go to that site rather than being hijacked.

Commerce also wants to develop incentives to encourage companies to buy security software and services. One idea is to give the companies that invest in better cybersecurity less legal liability if they are a victim of hacking.

The strategy is the third cybersecurity document the Obama administration released over the last month. In May, the White House released its proposed bill to Congress as well as an international cybersecurity strategy.

The administration also in April issued its National Strategy for Trusted Identities in Cyberspace to help the private sector move away from usernames and passwords toward more secure public key infrastructure tokens.

The latest report builds on NSTIC and adds to the effort to create what many administration officials have called a cyber ecosystem.

“In this space, we have much more of a question of how we will work with non-covered critical infrastructure,” Schwartz said. “DHS plays some role, but there is a role for NIST and Commerce to work more closely with these companies too.”

NIST will play a convening role, similar to what it is doing under NSTIC.

Schwartz said NIST is encouraging companies, experts and the general public to comment on the strategy, answer the assorted questions and comment on the security standards the report highlights.

He said NIST will issue a Federal Register notice by Monday giving the public 45 days to comment. Then by the fall, NIST will determine which standards it will convene working groups around, for both short-term and long-term decisions, and create a white paper.

The strategy also addresses education to target awareness and training, and research and development goals, standards and policies that support innovation and economic growth.

NIST’s role would include bridging gaps in security protection by developing guidelines and promoting the development of security assurance standards such as Common Criteria, which is used to assess the security of products.

Commerce received positive feedback from industry groups and from the privacy and security community.

The Center for Democracy and Technology applauded the strategy for defining everyday consumer services and not lumping them in with critical infrastructure.

“There is still a great deal of work to be done, including developing the contours of the government’s limited role in securing the Internet, Innovation and Information sector,” said Gregory Nojeim, director of CDT’s Project on Security, Freedom and Technology. “Moreover, there remains the huge, unanswered question of what should be the government’s role in securing the Internet itself, whether it is deemed critical or non-critical.”

The Software and Information Industry Association (SIIA) said the strategy also was a positive step toward a balanced international cybersecurity policy.

“This is a productive first attempt to define the sector,” said Mark MacCarthy, SIIA vice president for public policy, in a statement. “We appreciate the focus on services and functionalities as an attempt to more clearly define the line between covered critical infrastructure and the other parts of the Internet economy. SIIA also welcomes the call for the development and utilization of voluntary reasonable security practices by this sector. In fact, the industry already complies with a large number of industry-specific and international security standards.”
