Commerce: Private sector should adopt codes of conduct to strengthen cybersecurity

The Commerce Department's Internet Policy Task Force proposed a new policy framework for strengthening private-sector cybersecurity in a report (.pdf) issued June 8. According to the document, this proposal begins a "continuing conversation" and "multi-stakeholder process" that will develop security best practices that can become industry policy standards for companies operating in the "Internet and Information Innovation Sector."

Such standards, says the report, will form the basis for voluntary codes of conduct intended for companies that rely on the Internet to do business, but are not part of the critical infrastructure sector, as defined in the White House cybersecurity proposal sent to lawmakers May 12.

"While securing energy, financial, health and other resources remain vital, the future of the innovation and the economy will depend on the success of Internet companies and ensuring that these companies are trusted and secure is essential. This is the area of our focus," writes Commerce Secretary Gary Locke in the report's introduction. The report later notes that the Homeland Security Department focuses on critical infrastructure and related sectors, and that the Defense Department focuses on the security of military operations in cyberspace.

Cybersecurity best practices do exist, but they are not being employed by enough companies, explains Ari Schwartz, Internet policy advisor at the National Institute of Standards and Technology and member of the task force, in a post on The Commerce Blog.

"It is clear that the government should not be in the business of picking technology winners and losers; however, where consensus emerges that a particular standard or practice will markedly improve the Nation's collective security, the government should consider more proactively promoting industry-led efforts and widely accepted standards and practices and calling on entities to implement them," say report authors.

Once codes of conduct are established, compliance could be incentivized through stimulus grants, SBA loans and a refundable tax credit for cybersecurity investments, suggests the report. "Lower cyberinsurance premiums for companies that adopt best practices and better data on the costs and benefits of strong cybersecurity" would also be helpful, says Schwartz.

Over time, the standards appear likely to evolve into rules that are less voluntary. The report suggests codes of conduct could eventually be upheld by relevant law enforcement agencies, such as the Federal Trade Commission and state attorneys general, "eventually leading to norms of behavior."

In line with the White House cybersecurity proposal, the task force advises Congress to enact a commercial data security breach law for electronic records "that includes notification provisions, encourages companies to implement strict data security protocols and allows states to build upon the framework in defined ways."

Report authors also recommend DOC promote the creation and adoption of formal cybersecurity-oriented curricula in schools in order to strengthen the future cybersecurity workforce. The department should also promote research and development of cybersecurity technologies that are deployable in the private sector.

The report is the first phase of the department's Cybersecurity and Innovation Notice of Inquiry. Commerce seeks further comment on the topics outlined in its report and will use the responses to build the Obama administration's "domestic policy and international engagement in the area of cybersecurity," according to the document.

For more:
- see the report, "Cybersecurity, Innovation and the Internet Economy" (.pdf)
- see a blog post from Ari Schwartz
- see the Commerce press release

Related Articles:
Reitinger: Cybersecurity bill applies 'light touch' to private sector regulation
White House unveils proposed cybersecurity legislation
The White House's cybersecurity legislative proposal