The US Department of Commerce should work with Internet business groups to establish voluntary codes of conduct and standards to protect against cyberattacks, a new report from the agency recommended.
The agency should help organise business groups to establish standards-setting processes, and it should promote cybersecurity best practices, said the 75-page report, released by the agency's Internet Policy Task Force.
The report's recommendations are aimed at what the DOC calls the Internet and information innovation sector, businesses with a large Internet or technology focus.
"A key role for government is to assist industry in developing these voluntary codes of conduct," the report said. "These codes of conduct should aim to unify various technical standards that currently exist and identify a broad set of responsibilities that industry members can use as a baseline for their own cybersecurity efforts."
Many companies have called for the US government to allow private companies to continue to develop security tools, but there is a role for the government in promoting best practices, the report said.
"It is clear that the government should not be in the business of picking technology winners and losers; however, where consensus emerges that a particular standard or practice will markedly improve the nation's collective security, the government should consider more proactively promoting industry-led efforts and widely accepted standards and practices and calling on entities to implement them," the report said.
The agency will next put the report out for public comment, said Ari Schwartz, Internet policy adviser at the DOC's National Institute of Standards and Technology (NIST). The DOC asks for comment on a number of questions, including what standards the Internet sector should embrace, he said.
"To build those codes of conduct, we really need to start with specific, existing standards and existing best practices," he said. "There could be a standard we don't list here that's very close to critical mass."
For example, the report recommends that web-based businesses deploy Domain Name System Security (DNSSEC) protocol extensions on the domains that host key websites. The report mentions several other security technologies and protocols.
The report is important because the US government needs to take a "fresh look" at Internet policy and cybersecurity, Commerce Secretary Gary Locke wrote in the report's introduction.
"The Internet is again at a crossroads," Locke wrote. "Protecting security of consumers, businesses and the Internet infrastructure has never been more difficult. Cyber attacks on Internet commerce, vital business sectors and government agencies have grown exponentially."
The US government should also support research to automate cybersecurity functions and should focus on creating incentives, including insurance and liability protection, for businesses that follow cybersecurity standards, the report recommended.
The report also called on the US government to increase cybersecurity education and research programs.
The Center for Democracy and Technology (CDT), a digital liberties and privacy group where Schwartz recently worked, praised the report for focusing on voluntary standards for industries not identified by the US government as core critical infrastructure. The DOC is taking the right approach in focusing on collaborative efforts to develop standards, CDT said.
"We're pleased that the [Obama] administration recognises that many Internet-based functions and services that consumers use every day should not be defined as part of the 'critical infrastructure' that is subject to a more prescriptive regulatory regime," CDT President Leslie Harris said in a statement.
The Software and Information Industry Association (SIIA), a trade group, also praised the report for advocating voluntary security standards. The technology industry "already complies with a large number of industry-specific and international security standards," Mark MacCarthy, SIIA's vice president for public policy, said in a statement.