Internet businesses should follow a code of conduct to reduce cyber-attacks and online fraud, the United States Department of Commerce recommended in a new report. The code of conduct should be developed jointly by the federal agency and the private sector.
The Department of Commerce should help organize business groups to establish voluntary standards and processes while promoting cyber-security best practices, according to the 75-page "Cybersecurity, Innovation and the Internet Economy" report released June 8 by the federal agency's Internet Policy Task Force.
The key role for the government is to assist the industry in developing voluntary codes of conduct that would unify various technical standards that currently exist, the report said. The codes of conduct will reflect a "broad set of responsibilities" that industry members can use as a baseline when trying to define their own cyber-security requirements.
"The government should not be in the business of picking technology winners and losers," the report warned. However, the government should "proactively" promote industry-led efforts and call on organizations to implement "widely accepted standards and practices" that would "markedly improve" the country's security stance, the report said.
One of the report's recommendations was that Web-based businesses should deploy Domain Name System Security Extensions (DNSSEC) on domains hosting key Websites to prevent Web hijacking. The report also recommended improved methods for user authentication.
The Commerce Department will put the report out for public comment to solicit information on a number of questions, such as what standards the sector should embrace.
"By increasing the adoption of standards and best practices, we are working with the private sector to promote innovation and business growth, while at the same time better protecting companies and consumers from hackers and cyber-theft," said Commerce Secretary Gary Locke.
The federal government should support research to automate cyber-security, create incentives for businesses that follow cyber-security standards and increase cyber-security education programs, the report recommended. The incentives will encourage businesses to make the necessary expenditures to improve security. An example of an incentive may be imposing less legal liability on companies that use best practices but still get hacked, the report suggested.
Security accounted for about 14 percent of the information technology budgets for North American and European companies in 2010, according to a recent analysis by Forrester.
Online transactions total about $10 trillion globally each year, and there are an estimated 55,000 new viruses, worms, spyware and other active threats daily, according to the Commerce Department report.
"Our economy depends on the ability of companies to provide trusted, secure services online. As new cyber-security threats evolve, it's critical that we develop policies that better protect businesses and their customers to ensure the Internet remains an engine for economic growth," Locke said.
The Commerce report covers businesses that do not qualify as "critical infrastructure," such as online retailers and social networking sites. The department classifies this sector as "Internet and information innovation," or businesses with a large Internet or technology focus. The White House has previously issued its guidelines on how cyber-security for critical infrastructure should be regulated by the Department of Homeland Security.
"We're pleased that the [Obama] administration recognizes that many Internet-based functions and services that consumers use every day should not be defined as part of the 'critical infrastructure' that is subject to a more prescriptive regulatory regime," said Leslie Harris, president of the Center for Democracy and Technology, a digital liberties and privacy group.
"Today's recommendations will help foster innovation and dynamism in the face of evolving cyber-security threats," said Robert Holleyman, president and CEO of the Business Software Alliance, representing the entire software industry.