AGENCY:

Office of the Secretary, National Institute of Standards and Technology, International Trade Administration, and National Telecommunications and Information Administration, U.S. Department of Commerce.

ACTION:

Notice and Request for Public Comments.

SUMMARY:

The Department of Commerce's (Department) Internet Policy Task Force is conducting a comprehensive review of the nexus between cybersecurity and innovation in the Internet economy. On July 28, 2010, the Department published a Notice of Inquiry seeking comment from all Internet stakeholders on the impact of cybersecurity policy issues in the United States and around the world on the pace of innovation in the information economy. The Department now seeks further comment on its report entitled, “Cybersecurity, Innovation and the Internet Economy,” available at http://www.nist.gov/​itl. Through this Notice requesting comments on the report, the Department hopes to spur further discussion with Internet stakeholders that will lead to the development of a series of Administration positions that will help develop an action plan in this important area.

DATES:

Comments are due on or before 11:59 p.m. on August 1, 2011.

ADDRESSES:

Comments will be accepted by e-mail only. Comments should be sent to SecurityGreenPaper@nist.gov with the subject line “Comments on Cybersecurity Green Paper.” Comments will be posted at http://www.ntia.doc.gov/​internetpolicytaskforce/​.

FOR FURTHER INFORMATION CONTACT:

Jon Boyens, National Institute of Standards and Technology, 100 Bureau Drive, Mail Stop 893, Gaithersburg, MD 20819, jon.boyens@nist.gov. Please direct media inquires to NIST's Office of Public Affairs at (301) 975-NIST.

SUPPLEMENTARY INFORMATION:

Over the past two decades, the Internet has become increasingly important to fueling the Nation's economic competitiveness, to promoting innovation, and to enhancing our collective well-being. As the Internet continues to grow in all aspects of our lives, the parallel issue of cybersecurity risks continues to increase and evolve.

Today's cybersecurity threats include indiscriminate and broad-based attacks designed to exploit the interconnectedness of the Internet. Increasingly, the threats also involve targeted attacks, the purpose of which is to steal, manipulate, destroy or deny access to sensitive data, or to disrupt computing systems. These threats are exacerbated by the interconnected and interdependent architecture of today's computing environment. Theoretically, security deficiencies in one area may provide opportunities for exploitation elsewhere.

Despite increasing awareness of the associated risks, broad swaths of the economy and individual actors, ranging from consumers to large businesses, do not take advantage of available technology and processes to secure their systems, and protective measures are not evolving as quickly as the threats. This general lack of investment puts firms and consumers at greater risk, leading to economic loss at the individual and aggregate levels and poses a threat to national security.

President Obama's Cyberspace Policy Review in May 2009 articulated the many reasons government must work closely with the private sector and other partners to address these risks. As stated in the Review, “information and communications networks are largely owned and operated by the private sector, both nationally and internationally. Thus, addressing network security issues requires a public-private partnership as well as international cooperation and norms.”

In addition, the Administration has promoted cybersecurity legislation that would catalyze the development of norms for practices of entities that maintain our critical infrastructure. These entities include sectors such as energy, critical manufacturing, and emergency services whose disruption would have a debilitating impact on individual security, national economic security, national public health and safety. The proposed legislation requires these entities to develop a baseline framework of protection based on risk—a function of threat, vulnerability, and consequences. The Department of Homeland Security (DHS), in coordination with sector-specific agencies and other relevant departments, would promulgate the list of covered entities using the established criteria and input from the Federal Government, state and local governments, and the private sector.

The U.S. Department of Commerce (Department) has focused its efforts on developing public policies and private sector norms whose voluntary adoption could improve the overall cybersecurity posture of private sector infrastructure operators, software and service providers, and users outside the critical infrastructure. Entities in these areas have not been the main focus of cybersecurity activities to date, yet they can be at great risk—and can put others at great risk—if they do not adequately secure their networks and services. Yet, attempting to develop policies to protect each industry with equal weight, regardless of criticality, will lead to placing too much emphasis on lesser concerns. We must instead find the right protections for each sector and sub-sector and promote the right policies to get them implemented.

In early 2010, the Department launched the Internet Policy Task Force (Task Force), charged with addressing the Internet's most pressing policy issues and with recommending new policies. After several months of consultations with stakeholders, the Task Force published a Notice of Inquiry (NOI) and convened a symposium on Cybersecurity, Innovation, and the Internet Economy leading to this preliminary set of recommendations in the Green Paper entitled “Cybersecurity, Innovation, and the Internet Economy” .^[1] In this paper, the Task Force asks many follow-up questions to gain additional feedback and to help the Department determine how to proceed. The goal of this undertaking is to ensure that the Task Force is on the right course with its recommendations and to identify technical and policy measures that might close the gap between today's status quo and reasonably achievable levels of cyber-protection outside of critical infrastructure sectors. The Green Paper will also serve as a vehicle to spur further discussion with Internet stakeholders on this important area of policy development.

In particular, many responses to the 2010 NOI highlighted a large group of functions and services that should be the subject of our efforts. The Task Force is calling this group the “Internet and Information Innovation Sector” (I3S). The I3S includes functions and Start Printed Page 34966services that create or utilize the Internet or networking services and have large potential for growth, entrepreneurship, and vitalization of the economy, but would fall outside the classification of covered critical infrastructure as defined by existing law and Administration policy. Business models may differ, but the following functions and services are included in the I3S:

• Provision of information services and content;
• Facilitation of the wide variety of transactional services available through the Internet as an intermediary;
• Storage and hosting of publicly accessible content; and
• Support of users' access to content or transaction activities, including, but not limited to application, browser, social network, and search providers.

The I3S is comprised of companies, from small businesses to “brick and mortar-based firms” with online services to large companies that only exist on the Internet. These companies are significantly impacted by cybersecurity concerns, yet do not have the same level of operational criticality that would cause them to be designated as covered critical infrastructure. The Task Force supports efforts to increase the security posture of I3S services and functions from cybersecurity risks without regulating these services as covered critical infrastructure. A primary goal of this Green Paper is to spark a discussion of the scope of this newly defined sector and the policies needed to protect it independently of, but in concert with, the discussion on protections within the critical infrastructure.

Request for Information

Request for Comment: This Notice seeks input on the report “Cybersecurity, Innovation, and the Internet Economy” (http://www.nist.gov/​itl). The questions below, which also appear in Appendix A of the report, are intended to assist in identifying issues. They should not be construed as a limitation on comments that parties may submit. Comments that contain references to studies, research and other empirical data that are not widely published should include copies of the referenced materials with the submitted comments.

1. How should the Internet and Information Innovation Sector (I3S) be defined? What kinds of entities should be included or excluded? How can its functions and services be clearly distinguished from critical infrastructure?

2. Is the Department of Commerce's focus on an I3S the right one to target the most serious cybersecurity threats to the Nation's economic and social well-being related to non-critical infrastructure?

3. What are the most serious cybersecurity threats facing the I3S as currently defined?

4. Are there other sectors not considered critical infrastructure where similar approaches might be appropriate?

5. Should I3S companies that also offer functions and services to covered critical infrastructure be treated differently than other members of the I3S?

6. Are there existing codes of conduct that the I3S can utilize that adequately address these issues?

7. Are there existing overarching security principles on which to base codes of conduct?

8. What is the best way to solicit and incorporate the views of small and medium businesses into the process to develop codes?

9. What is the best way to solicit and incorporate the views of consumers and civil society?

10. How should the U.S. Government work internationally to advance codes of conduct in ways that are consistent with and/or influence and improve global norms and practices?

11. Are the standards, practices, and guidelines indicated in section III, A, 2 and detailed in Appendix B of the Green Paper appropriate to consider as keystone efforts? Are there others not listed in the Green Paper that should be included?

12. Is there a level of consensus today around all or any of these guidelines, practices, and standards as having the ability to improve security? If not, is it possible to achieve consensus? If so, how?

13. What process should the Department of Commerce use to work with industry and other stakeholders to identify best practices, guidelines, and standards in the future?

14. Should efforts be taken to better promote and/or support the adoption of these standards, practices, and guidelines?

15. In what way should these standards, practices, and guidelines be promoted and through what mechanisms?

16. What incentives are there to ensure that standards are robust? What incentives are there to ensure that best practices and standards, once adopted, are updated in light of changing threats and new business models?

17. Should the government play an active role in promoting these standards, practices, and guidelines? If so, in which areas should the government play more of a leading role? What should this role be?

18. How can automated security be improved?

19. What areas of research in automation should be prioritized and why?

20. How can the Department of Commerce, working with its partners, better promote automated sharing of threat and related signature information with the I3S?

21. Are there other examples of automated security that should be promoted?

22. What conformance-based assurance programs, in government or the private sector need to be harmonized?

23. In a fast changing and evolving security threat environment, how can security efforts be determined to be relevant and effective? What are the best means to review procedural improvements to security assurance and compliance for capability to pace with technological changes that impact the I3S and other sectors?

24. What are the right incentives to gain adoption of best practices? What are the right incentives to ensure that the voluntary codes of conduct that develop from best practices are sufficiently robust? What are the right incentives to ensure that codes of conduct, once introduced, are updated promptly to address evolving threats and other changes in the security environment?

25. How can the Department of Commerce or other government agencies encourage I3S subsectors to build appropriate best practices?

26. How can liability structures and insurance be used as incentives to protect the I3S?

27. What other market tools are available to encourage cybersecurity best practices?

28. Should Federal procurement play any role in creating incentives for the I3S? If so, how? If not, why not?

29. How important is the role of disclosure of security practices in protecting the I3S? Will it have a significant financial or operational impact?

30. Should an entity's customers, patients, clients, etc. receive information regarding the entity's compliance with certain standards and codes of conduct?

31. Would it be more appropriate for some types of companies within the I3S to be required to create security plans Start Printed Page 34967and disclose them to a government agency or to the public? If so, should such disclosure be limited to where I3S services or functions impact certain areas of the covered critical infrastructure?

32. What role can the Department of Commerce play in promoting public-private partnerships?

33. How can public-private partnerships be used to foster better incentives within the I3S?

34. How can existing public-private partnerships be improved?

35. What are the barriers to information sharing between the I3S and government agencies with cybersecurity authorities and among I3S entities? How can they be overcome?

36. Do current liability structures create a disincentive to participate in information sharing or other best practice efforts?

37. What is the best means to promote research on cost/benefit analyses for I3S security?

38. Are there any examples of new research on cost/benefit analyses of I3S security? In particular, has any of this research significantly changed the understanding of cybersecurity and cybersecurity related decision-making?

39. What information is needed to build better cost/benefit analyses?

40. What new or increased efforts should the Department of Commerce undertake to facilitate cybersecurity education?

41. What are the specific areas on which education and research should focus?

42. What is the best way to engage stakeholders in public/private partnerships that facilitate cybersecurity education and research?

43. What areas of research are most crucial for the I3S? In particular, what R&D efforts could be used to help the supply chain for I3S and for small and medium-sized businesses?

44. What role does the move to cloud-based services have on education and research efforts in the I3S?

45. What is needed to help inform I3S in the face of a particular cyber threat? Does the I3S need its own “fire department services” to help address particular problems, respond to threats, and promote prevention or do enough such bodies already exist?

46. What role should Department of Commerce play in promoting greater R&D that would go above and beyond current efforts aimed at research, development, and standards?

47. How can the Department of Commerce work with other Federal agencies to better cooperate, coordinate, and promote the adoption and development of cybersecurity standards and policy internationally?

Footnotes