Should the government certify private sector website security?

July 29, 2010 — 8:07am ET | By David Perera

Tools

Tags
DHS
Commerce Department
cyber insurance
Common Criteria
Philip Reitinger
cybersecurity

The Commerce Department is soliciting public comment on the role of government in private sector cybersecurity.

In a notice of inquiry (.pdf) released July 28 by the department's Internet Policy Task Force, Commerce notes that online commerce in 2007 amounted to more than $3 trillion in revenue for U.S. companies. Even as overall retail sales fell in 2009, online retail sales grew by 2 percent.

"Let's not pretend we live in an unregulated system now," said Philip Reitinger, deputy undersecretary of national protection and programs directorate at the Homeland Security Department, during a July 27 panel that discussed the notice. Market forces, he said will not necessarily correct today's cybersecurity problems.

Among the topics that the notice puts forward for comment is whether the government should set up a third party verification system of website security.

The notice also asks whether product assurance requirements such as U.S. Common Criteria actually inhibit effective cybersecurity or innovation in general.

Other areas of inquiry include whether incentives would cause businesses to report more information about security breaches, data losses and even how much they invest in cybersecurity. Commerce also asks if public policy could create a cyber-risk measurement framework for developing cyber insurance, and to what extent a predicable limitation to financial risk through cyber insurance would affect investment in cybersecurity efforts.

Responses, which will be incorporated into a Commerce report, are due by Sept. 13.

For more:
- download the notice of intent as printed in the Federal Register (.pdf)

SHARE WITH: