Stakeholders praise task force’s efforts to develop stakeholder processes to confront cybersecurity issues where regulations might not be effective, but caution against mandatory requirements

The U.S. Department of Commerce’s Internet Policy Task Force (IPTF) is currently reviewing feedback collected in response to a Request for Public Comment on cyber threats facing the digital ecosystem and economy, with the goal of using that advice to help drive future cybersecurity stakeholder discussions and workshops. Recognizing that the rapid speed of technological and digital innovation “makes traditional regulation and compliance difficult and inefficient,” the IPTF hopes that open dialog and collaboration among public and private stakeholders will develop a consensus and the best practices needed to improve stakeholder cybersecurity where traditional regulation falls short. But while many of the RPC respondents praised the IPTF’s efforts, others cautioned that any discussions must focus on flexible and voluntary ways to improve cybersecurity.

Back in March the IPTF issued a request for public comment entitled “Stakeholder Engagement on Cybersecurity in the Digital Ecosystem” where it announced its plans to facilitate a number of multi-stakeholder processes on the topic and asked the public to provide comments that would shape the IPTF’s future efforts. Specifically, IPTF asked stakeholders to help identify and weigh in on a number of cybersecurity issues where coordinated action, consensus and best practices could improve security in lieu of regulations.

Many of the RPC respondents praised the IPTF’s efforts, but others cautioned that discussions must focus on flexible and voluntary ways to improve cybersecurity.

Among the questions posed, the IPTF asked interested parties to address whether a multi-stakeholder process could lead to actionable, collective progress on the following issues:

  • Botnet mitigation;
  • Voluntary adoption and diffusion of existing technical solutions to make the Internet’s core infrastructure more secure and trustworthy;
  • Improving the security of open source projects and distribution of patches;
  • Improving web security and consumer trust;
  • Mitigating malvertising threats;
  • Improving consumer security when downloading material via existing standards and best practices for online apps and downloadable tools;
  • Fostering voluntary frameworks that enable Internet of Things (IoT) innovation while addressing the risks associated with cyber-physical systems;
  • Responsibly managing vulnerability disclosures without putting consumers at risk; and
  • The availability of robust, practical and actionable metrics that organizations can use to understand security investment, educate consumers and clients on security practices, and promote the market demand for security.

The IPTF also asked for stakeholders to comment on the methods, structure and mechanics of any eventual multi-stakeholder meetings, and what types of consensus outcomes can promote actual security benefits.

Thirty-four individuals and organizations provided comments, with many respondents praising the IPTF’s efforts and providing direct feedback on the various issues that the IPTF identified in the request. Some such as the Telecommunication Industry Association (TIA) advised that the IPTF’s multi-stakeholder discussions should center on “flexible, scalable, and voluntary ways to improve cybersecurity in the digital ecosystem,” but cautioned against any processes that recommend or contemplate imposing mandates or requirements on stakeholders. Instead, the TIA advised that “the most effective solution to ensuring innovation in cybersecurity solutions is to rely on voluntary use of internationally-accepted standards and best practices.”

The TIA further advised that the IPTF’s multi-stakeholder discussions invite participation from both public and private organizations from abroad, and provide workshops around the country to help small businesses gain knowledge of cybersecurity issues. The TIA and others such as the Computer & Communications Industry Association (CCIA) stressed that the IPTF’s work should avoid redundancy by building on current cybersecurity policies and efforts of other organizations.

Companies that operate in the cyber environment should keep a watchful eye out for any eventual workshops or public discussions hosted by the IPTF on these topics. Given that the IPTF has placed a great emphasis on inclusion and collaboration with stakeholders in confronting the cyber threats faced by businesses and consumers, interested parties should expect an opportunity to give voice to these and other concerns in a forum hosted by the IPTF in the near future.

Moreover, it is currently unclear what solutions the IPTF might propose to the above-listed cyber issues, or to what degree it will incorporate the responses it received into future discussions. However, it is unlikely that the IPTF would advocate for more regulatory measures, given its previous acknowledgement that traditional regulatory methods are not able to keep pace with the growth of digital innovation, and the responses of organizations like the TIA and CCIA. All concerned parties should pay attention to the IPTF’s cybersecurity efforts and workshops to make sure that any proposed voluntary methods are comprehensive, likely to be effective, and flexible enough to change with an ever-evolving digital landscape.