Trade Law Daily is a Warren News publication.
Move Beyond NIST Framework

IPTF Request for Cybersecurity Input Seen Continuing Earlier Work

The Department of Commerce Internet Policy Task Force’s March 13 request for comment on possible cybersecurity issues the IPTF should address through multistakeholder work is a continuation of its earlier work on cybersecurity issues, industry stakeholders told us. The IPTF’s reopening of its cybersecurity work shows that Commerce is seeking ways to explore cyber items not directly addressed by the National Institute of Standards and Technology’s Cybersecurity Framework, stakeholders said. NIST is one of the federal agencies that the IPTF comprises. The IPTF said in its request for comment (see 1503160059), published in the March 19 Federal Register, that it seeks input from industry stakeholders on cyber-related topics that veer away from securing critical infrastructure sectors while also complementing federal initiatives like the NIST framework that focus on those sectors. Comments are due May 18 (see 1503190059).

Commerce views the IPTF’s new exploration of cybersecurity issues as an evolution of the IPTF’s earlier work, which began with a 2010 request for comment on cybersecurity issues in the commercial sector and the Internet economy, an NTIA spokeswoman said. NTIA is leading the new cybersecurity work in consultation with NIST and Commerce’s Office of the Secretary. An IPTF 2011 green paper recommended that noncritical infrastructure companies that use online services should have a cybersecurity framework (see report in the June 9, 2011, issue). The paper “found that there are real and evolving threats in cyberspace that put businesses and their online operations at risk and could undermine trust in the digital economy,” the NTIA spokeswoman said. “The paper also found that it would be difficult to address these issues through traditional regulation given the fast-paced and interconnected nature of the digital ecosystem.”

The IPTF’s earlier work preceded President Obama's 2013 cybersecurity executive order and the NIST framework process. The IPTF's new work on cybersecurity "seems to be largely a continuation of what they've done before," said Software & Information Industry Association (SIIA) Senior Director-Public Policy David LeDuc. The IPTF's renewed interest also partly reflects Commerce’s “desire to continue expanding its private sector outreach” on cybersecurity issues beyond the NIST framework, said Norma Krayem, a policy adviser at Squire Patton.

The Information Technology Industry Council and others who participated in NIST’s development of the Cybersecurity Framework urged Commerce in post-development feedback last year to reconstitute the IPTF’s noncritical infrastructure cyber work, said ITI Global Cybersecurity Policy Director Danielle Kriz. The NIST framework “is one discrete work product, a very important one, but it’s just meant to address cybersecurity risk management,” she said. “There’s still a lot of other things that Commerce can be doing to help improve cybersecurity. Helping entities manage their risk is important, but there are other facets to cybersecurity.”

The IPTF proposed multiple topics for further exploration -- including botnet and malware mitigation, open source assurance, domain name systems and the cyber vulnerability disclosure process -- while also “throwing the door wide open” to stakeholder input on other possible topics, Kriz said. ITI, SIIA and several others told us they plan to actively respond to the IPTF’s request but are still assessing what they want to say. SIIA is still assessing which topics its members would be most interested in having the IPTF explore, though the IPTF has “already laid out some really good possibilities,” LeDuc said. For instance, additional attention could be helpful on botnet mitigation, along with domain name systems and open source assurance, he said.

The list of issues IPTF gave as possible focus topics is already extensive, so “it will be interesting to see how they boil down” those topics and stakeholder input to determine the most important issues, Kriz said. The IPTF “has done a good job of highlighting a number of areas,” and “would be best served to take the guidance and focus on just a few areas,” LeDuc said. “It would be a lot to bite off for them to look at all of these topics.” The topics the IPTF chooses may require differing multistakeholder processes and amounts of time to produce effective results, Kriz said. NIST’s framework development process could serve as a “good guide” for the IPTF’s multistakeholder work, LeDuc said. “The IPTF is also quite experienced with these processes. I think it’s encouraging that they can draw on that experience and use it as a core model.”