US agency calls for new cybersecurity standards
- 09 June, 2011 05:07
The U.S. Department of Commerce should work with Internet business groups to establish voluntary codes of conduct and standards to protect against cyberattacks, a new report from the agency recommended.
The agency should help organize business groups to establish standards-setting processes, and it should promote cybersecurity best practices, said the 75-page report, released Wednesday by the agency's Internet Policy Task Force. The report's recommendations are aimed at what the DOC calls the Internet and information innovation sector, businesses with a large Internet or technology focus.
"A key role for government is to assist industry in developing these voluntary codes of conduct," the report said. "These codes of conduct should aim to unify various technical standards that currently exist and identify a broad set of responsibilities that industry members can use as a baseline for their own cybersecurity efforts."
Many companies have called for the U.S. government to allow private companies to continue to develop security tools, but there is a role for the government in promoting best practices, the report said.
"It is clear that the government should not be in the business of picking technology winners and losers; however, where consensus emerges that a particular standard or practice will markedly improve the Nation's collective security, the government should consider more proactively promoting industry-led efforts and widely accepted standards and practices and calling on entities to implement them," the report said.
The agency will next put the report out for public comment, said Ari Schwartz, Internet policy adviser at the DOC's National Institute of Standards and Technology (NIST). The DOC asks for comment on a number of questions, including what standards the Internet sector should embrace, he said.
"To build those codes of conduct, we really need to start with specific, existing standards and existing best practices," he said. "There could be a standard we don't list here that's very close to critical mass."
For example, the report recommends that Web-based businesses deploy Domain Name System Security (DNSSEC) protocol extensions on the domains that host key websites. The report mentions several other security technologies and protocols.
The report is important because the U.S. government needs to take a "fresh look" at Internet policy and cybersecurity, Commerce Secretary Gary Locke wrote in the report's introduction.
"The Internet is again at a crossroads," Locke wrote. "Protecting security of consumers, businesses and the Internet infrastructure has never been more difficult. Cyber attacks on Internet commerce, vital business sectors and government agencies have grown exponentially."
The U.S. government should also support research to automate cybersecurity functions and should focus on creating incentives, including insurance and liability protection, for businesses that follow cybersecurity standards, the report recommended.
The report also called on the U.S. government to increase cybersecurity education and research programs.
The Center for Democracy and Technology (CDT), a digital liberties and privacy group where Schwartz recently worked, praised the report for focusing on voluntary standards for industries not identified by the U.S. government as core critical infrastructure. The DOC is taking the right approach in focusing on collaborative efforts to develop standards, CDT said.
"We're pleased that the [Obama] administration recognizes that many Internet-based functions and services that consumers use every day should not be defined as part of the 'critical infrastructure' that is subject to a more prescriptive regulatory regime," CDT President Leslie Harris said in a statement.
The Software and Information Industry Association (SIIA), a trade group, also praised the report for advocating voluntary security standards. The technology industry "already complies with a large number of industry-specific and international security standards," Mark MacCarthy, SIIA's vice president for public policy, said in a statement.
Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is email@example.com.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.
Larry Page wants to see your medical records
Dual-Persona Smartphones Not a BYOD Panacea
After two-year hiatus, EFF accepts bitcoin donations again
CIOs struggle to deliver timely mobile business apps: survey
Spiceworks' free management software gets integrated MDM
Spear-Phishing Email: Most Favored APT Attack Bait
This research paper presents findings on APT-related spear phishing from February to September 2012. We analysed APT-related spear-phishing emails collected throughout this period to understand and mitigate attacks. The information we gathered not only allowed us to obtain specific details on spear phishing but also on targeted attacks. We found, for instance, that 91% of targeted attacks involve spear-phishing emails, reinforcing the belief that spear phishing is a primary means by which APT attackers infiltrate target networks.
Agentless Security for Virtual Environments
Virtualised datacentres, desktops, and cloud computing should be secured by the same strong protection technologies as physical machines. However, traditional agent-based solutions that are not architected for virtualisation can result in a number of significant operational security issues. Find out more about the first agentless security platform solution.
Staying Ahead of the Data Explosion
The total volume of data being processed and stored by businesses is rising exponentially. IDC has estimated that the size of the "digital universe" will increase 29 fold between 2010 and 2020. Data storage technology has undergone a steady increase in capacity, along with a steady decline in the cost per unit to store information. Unfortunately, data storage capacity is not keeping pace with data growth and necessitating greater intelligence in the storage infrastructure. Read more.