Commerce Department Proposes Voluntary Security Best Practices For Businesses

The Obama administration today published a green paper calling for voluntary codes of conduct aimed at beefing up security for online business, including adopting DNSSec and creating incentives such as cyber insurance premiums.

The U.S. Commerce Department report proposes several voluntary best practices for organizations outside of the critical infrastructure sector doing business online in its new "Cybersecurity, Innovation and the Internet Economy" report. Written by the Internet Policy Task Force at Commerce, the report recommends national, voluntary "codes of conduct" to reduce the security vulnerabilities such as DNSSec; incentives such as the reduction of cyber-insurance premiums for organizations that employ best practices and that share information about cyberattacks with others; public education on cybersecurity threats and weaknesses; and better global collaboration in cybersecurity.

But it was the report's shout-out to DNSSec that caught the attention of security experts. Renowned researcher and DNS expert Dan Kaminsky says this is yet another example of how DNSSec is catching on. "There are two things we are not used to in security: good news and engineering projects that take a few years," Kaminsky says. "DNSSec is special in that it really has been a complicated, extraordinarily long engineering effort and political effort … It's been a massive project, but it's working."

Kaminsky is the author of the open source Phreebird Suite 1.0, a real-time DNSSEC proxy that sits in front of a DNS server and digitally signs its responses.

DNSSEC has hit several milestones over the past year, with the root servers being signed and then, the .com domain following several other big domains like .gov and .edu.

"You're seeing the Department of Commerce really throwing its weight behind this," Kaminsky says. "If you're going to have a secure Internet, you're going to need to be able to authenticate servers and systems. We can't do that now with what we have, but we can do that with DNSSec."

The Commerce Department's Internet Policy Task Force plans to work with businesses to come up with security best practices that ultimately would be considered industry policy standards—the heart of the codes of conduct.

“Our economy depends on the ability of companies to provide trusted, secure services online. As new cybersecurity threats evolve, it’s critical that we develop policies that better protect businesses and their customers to ensure the Internet remains an engine for economic growth,” Secretary of Commerce Gary Locke said in a statement. “By increasing the adoption of standards and best practices, we are working with the private sector to promote innovation and business growth, while at the same time better protecting companies and consumers from hackers and cyber theft.”

Craig Spiezle, executive director of the Online Trust Alliance, whose organization provided input for the report, applauded the Commerce Department's proposal for businesses to adopt voluntary, accepted best security practices for online commerce. "As participants in the process, the Online Trust Alliance is pleased to see findings that reflect upon the work we've done in promoting private and public sector adoption of best security and privacy practices," Spiezle says.

The report calls for the consideration of providing incentives to businesses that adopt the best practices and codes of conduct for security or share details about attacks to help other businesses -- a reduced premium for cyber-insurance, for instance.

And aside from the National Initiative for Cybersecurity Education, the report calls for coming up with ways to provide cost-benefit analyses for security budgets and purchases and more global cooperation on cybersecurity best practices.

The full report can be downloaded the .comhere (PDF).

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.