Where Innovation and Cybersecurity Meet

The Commerce Department's Internet Policy Task Force is seeking public comment on its comprehensive review of the nexus between cybersecurity and innovation in the Internet economy, according to a notice published Wednesday in The Federal Register.

Specifically, Commerce is requesting comment on a report it released last week called Cybersecurity, Innovation and the Internet Economy. In the notice, the agency said it "hopes to spur further discussion with Internet stakeholders that will lead to the development of a series of Administration positions that will help develop an action plan in this important area."

Commerce aims to better understand how to approach cybersecurity in the "Internet and Information Innovation Sector" (I3S), which does the following:

  • Provides information services and content;
  • Facilitates a wide variety of transactional services available through the Internet as an intermediary;
  • Stores and hosts publicly accessible content; and
  • Supports users' access to content or transaction activities, including, but not limited to, applications, browsers, social networks, and search providers.

These are companies that do not traditionally fall into the covered critical infrastructure sectors that are the focus of many cybersecurity efforts but do have significant security concerns.

The notice of inquiry (NOI) poses 47 questions. The list is thorough, touching on issues such as codes of conduct, best practices, liability, buying power, and incentives, among others, for improving the I3S cybersecurity posture.

Noticeably missing, however, is a question on or discussion of what I3S and other innovative entities should be doing to "bake" cybersecurity into the development and implementation process. The questions seem overly limited to the current approach of promoting innovation and fixing security later, which will always mean we are trying to catch up on cybersecurity.

There are some questions regarding research and development, but it is not clear whether those are designed to address cybersecurity R&D for existing systems or for building stronger systems and services to begin with. True innovation in the years to come will only succeed if cybersecurity is considered a part of the innovation and not an add-on to existing services and technologies.