On March 16, the U.S. Commerce Department’s Internet Policy Task Force (IPTF) published a Request for Public Comment for input on the key cybersecurity issues affecting the digital ecosystem and digital economic growth. The IPTF aims to coordinate and facilitate consensus-based multistakeholder processes to generate collective guidance and identify best practices. Through this effort, the IPTF seeks to broaden the focus of federal cybersecurity efforts beyond securing critical infrastructure. A number of key cybersecurity challenges have been identified in the Request for Public Comment, and the IPTF is inviting commenters to highlight other topic areas that the IPTF should consider including as part of this process.
The IPTF announcement is the latest in a series of activities following White House Executive Order 13636, which called upon the Commerce Department to work with industry to develop a framework to improve cybersecurity practices, and to undertake a study on incentives to encourage private sector adoption of cybersecurity protections. In February 2014, the National Institute of Standards and Technology (NIST), also part of the Commerce Department, released the Framework for Improving Critical Infrastructure Cybersecurity Version 1.0 (Cybersecurity Framework). The Cybersecurity Framework offers organizations a guide for understanding and implementing appropriate cybersecurity protections, and NIST continues to monitor use of the Framework and consider additional guidance or updates.
With the release of this Request for Public Comment, the IPTF proposes to facilitate one or more multistakeholder processes around key cybersecurity issues. Potential outcomes would vary by the issue discussed, but could include voluntary policy guidelines, procedures, or best practices. Organizations will be free to choose whether to participate in any resulting code of conduct or standards.
The IPTF has identified a number of key cybersecurity topics for potential inclusion in these multistakeholder processes:
Network and Infrastructure Security
- Botnet Mitigation
- Core Internet Infrastructure: Naming, Routing, and Public Key Infrastructure
- Domain Name System (DNS), Border Gateway Protocol (BGP), and Transport Layer Security (TLS) Certificates
- Open Source Assurance
- Malware Mitigation
Web Security and Consumer Trust
- Web Security
- Trusted Downloads
- Cybersecurity and the Internet of Things
Business Process and Enabling Markets
- Managed Security Services
- Vulnerability Disclosure
- Security Investment and Metrics
The IPTF notes that the list of topics is not exhaustive and asks for comment generally on other cybersecurity challenges that could be best addressed in a multistakeholder process. The IPTF also seeks comment on what factors should be considered in selecting cybersecurity issues for consideration, as well as input on how best to implement the multistakeholder process.
Comments will be due 60 days from publication of the notice in the Federal Register. The IPTF seeks input and participation from a wide range of stakeholders, including Internet service providers, software developers, security vendors, equipment manufacturers, mobile application developers, cloud and content providers, vulnerability researchers, civil liberties advocates, digital infrastructure owners, digital economy experts, and others.