Guest blog post by Ari Schwartz, Internet Policy Adviser at the National Institute of Standards and Technology, and member of the Internet Policy Task Force at the Department of Commerce.
As we all know, the Internet has led to incredible commercial growth and an unprecedented means for self-expression and innovation. Some industry analysts now estimate that the Internet carries some $10 trillion in online transactions annually.
However, each time a new technology dramatically expands the boundaries of commerce, there are dishonest, dangerous people who try to disrupt and exploit the new pathways for their own gain. Therefore, it should come as no surprise that as the Web, e-mail, and e-commerce have become the electronic version of Main Street, hackers, spammers, and cybercriminals have emerged as major threats to its welfare. An estimated 67,000 new malicious viruses, worms, spyware and other threats are released every day.
To paraphrase Willie Sutton: It’s where the money... and the information is.
A new Commerce Department report issued today calls for a public-private partnership and voluntary codes of conduct to help strengthen the cybersecurity of companies that increasingly rely on the Internet to do business, but are not part of the critical infrastructure sector as defined by the administration’s recent cybersecurity legislative proposal. Issued by the department’s Internet Policy Task Force, the report targets what it calls the Internet and Information Innovation Sector or the I3S. These are businesses that range from Mom and Pop manufacturers or startups that sell most of their products and services online to social networking sites like Facebook and Twitter to cloud computing firms that provide anytime, anywhere access to applications and personal or public data.
Even though many effective methods exist to combat cybersecurity threats, not enough companies have implemented these proven methods. The reasons are as varied as the threats—lack of staff members with cybersecurity expertise, lack of appreciation for the risk to business operations, or lack of access to training and other educational resources.
To reverse this trend and expand the number of businesses implementing effective cybersecurity strategies, we need the public and private sectors to join forces and establish voluntary rules of the road or “codes of conduct.” The place to start building these codes would be the promotion of existing standards and best practices, like IT protocols that prevent the hijacking of Web sites (such as DNSSEC) or automated programs that alert business owners to unauthorized activities on their Web servers.
To succeed in promoting these standards and best practices and to make the codes of conduct effective, we also need better incentives, like lower cyberinsurance premiums for companies that adopt best practices, and better data on the costs and benefits of strong cybersecurity.
The Task Force hopes their new “green paper” will begin a dialogue with I3S companies that helps them protect their bottom line and ensures that the Internet can continue to be a major source of innovation. At the same time, they will be helping make the Internet a little less Wild West and a little more like a Main Street we trust and enjoy.