Commerce calls for voluntary cybersecurity codes

A Commerce Department report on cybersecurity contained few specifics on protecting information networks, but that didn't seem to bother industry coalitions and privacy groups that oppose strict government involvement in cybersecurity.

Business groups welcomed the Commerce Department's call for voluntary codes of conduct to keep information safe on the Internet.

The 75-page document released Wednesday is slim on hard details. Instead, the report urges businesses that aren't "critical infrastructure" to study the possibilities and agree on some common approaches. That played well with businesses, which oppose heavy regulation, and with privacy advocates, who fear government overreach.

"We're pleased that the administration recognizes that many Internet-based functions and services that consumers use every day should not be defined as part of the critical infrastructure that is subject to a more prescriptive regulatory regime," said Leslie Harris, president of the Center for Democracy and Technology.

And the Business Software Alliance applauded the department for embracing a "flexible, non-regulatory" approach to cybersecurity.

"Today's report establishes a solid framework for industry and government to collaborate in designing effective cybersecurity standards and practices," said BSA president Robert Holleyman. "Collaboration is vitally important because it recognizes the fact that everyone has roles and responsibilities in strengthening cybersecurity. It is too big a job for either the public or private sector to handle alone."

One specific recommendation in the Commerce report: adoption of the Domain Name System Security protocol extensions, which use a digital signature that a server can check and verify to identify the sender of an e-mail or data.

"By increasing the adoption of standards and best practices, we are working with the private sector to promote innovation and business growth, while at the same time better protecting companies and consumers from hackers and cyber theft," Commerce Secretary Gary Locke said in a statement.

The report, developed by the Department's Internet Policy Task Force, notes the staggering numbers associated with Internet use in 2011.

"Global online transactions are currently estimated by industry analysts at $10 trillion annually," the report reads.

"The number of Internet malware threats was estimated to have doubled between January 2009 and December 2010. In 2010, an estimated 55,000 new viruses, worms, spyware, and other threats were bombarding the Internet daily."

The report also recommends seeking out incentives to get companies to collaborate in protecting themselves, including reduced "cyberinsurance" premiums for companies that adopt best practices and the open sharing of details about cyberattacks.

Public education is also important, the report said, identifying programs such as the National Initiative for Cybersecurity Education.

Last month, the White House released its own cybersecurity review. On Tuesday, Sen. Robert Menendez, D-N.J., said he plans to introduce cybersecurity legislation that mirrors a bill in the House, calling for more research and development for federal networks as well as more collaboration between the government and the private sector.

On Monday, the Securities and Exchange Commission told Congressional lawmakers that companies that experience cyberattacks must tell their investors.

"Whether a company is required to provide risk factor disclosure regarding potential cyber attacks, including the potential financial or reputational impacts of the attacks, will depend on the facts and circumstances of the company, and the determination of various factors, including the probability of the risk occurring and the magnitude of the risks," SEC Chairwoman Mary Schapiro wrote in a letter to Senate Commerce Chairman Jay Rockefeller, D-W.Va.