Privacy and security has become a major focus of the Department of Commerce.  The Department's Internet Policy Task Force has issued its second green paper, this one proposing the creation of nationally recognized voluntary codes of conduct to help strengthen cybersecurity.  Comments will be accepted on "Cybersecurity, Innovation and the Internet Economy" through August 1, 2011.

For several months now, hacks of major commercial computer systems, including that of Citigroup and the International Monetary Fund, have been front page news.   The latest green paper from Commerce discusses how to improve the Internet security practices of companies in the Internet and Information Innovation Sector (called "I3S") other than those classified as part of  “critical infrastructure.”   The I3S encompasses business that utilize the Internet or networking services and have a large potential economic impact, including e-commerce, social media, cloud computing, and other online providers.

As with the Department's first green paper released last December, the Department has asked interested parties to comment on the recommendations, as well as to provide responses to specific questions it posed to help develop the recommendations.  Some of these questions include:

  • What kinds of entities should be included or excluded from the covered businesses?  How can the the covered businesses' functions and services be clearly distinguished from critical infrastructure?
  • Should covered businesses that also offer functions and services to covered critical infrastructure be treated differently than other covered businesses?
  • Are there existing codes of conduct that covered businesses can utilize that adequately address these issues?
  • What process should the Department of Commerce use to work with industry and other stakeholders to identify best practices, guidelines, and standards in the future?
  • What are the right incentives to (a) gain adoption of best practices; (b) ensure that the voluntary codes of conduct that develop from best practices are sufficiently robust; and (c) ensure that codes of conduct, once introduced, are updated promptly to address evolving threats and other changes in the security environment?
  • How can the Department of Commerce work with other federal agencies to better cooperate, coordinate, and promote adoption and development of cybersecurity standards and policy internationally?

Stakeholders should consider providing comment to the Department to help inform the process.  Green papes on copyright and the global free flow of information are expected soon.