A 'Light Touch' For Non-Critical Infrastructure Cybersecurity
This week, CDT filed comments responding to the recent green paper of the Department of Commerce Internet Policy Task Force, which outlined the Administration’s proposed approach to the cybersecurity challenges faced by companies outside the critical infrastructure and key resources designation. The green paper, issued in June, focused on a cluster of functions and services that it called the “Internet and Information Innovation Sector" or "I3S." The green paper laid out several policy recommendations intended to help this sector develop security best practices and voluntary codes of conduct as well as incentivize private sector cybersecurity efforts.
In our comments on the green paper, CDT applauded the Department’s proposed light regulatory touch for non-critical infrastructure, with its focus on voluntary standards, public-private cooperation, transparency, respect for privacy, and the protection of innovation. CDT also noted, however, that these same principles should also guide the development of cybersecurity regulations for critical infrastructure. We stressed that, for both critical and non-critical systems, the responsibility for monitoring privately-owned networks for intrusions should reside with the network owners, not the government.
CDT expressed support for the Department’s proposal that I3S members develop voluntary, enforceable codes of conduct that can afford companies an appropriate amount of freedom and flexibility in their approaches to cybersecurity.
CDT cautioned the Task Force to take an incremental approach in its efforts to improve cybersecurity information sharing, advocating that special attention be paid to the privacy issues. Specifically, CDT argued, the Department should explain how the information sharing regime it envisions for cybersecurity for the I3S sector would comply with Fair Information Practices principles and with the laws protecting the privacy of electronic communications.
CDT looks forward to working with the Task Force as it continues to develop a framework for enhancing cybersecurity of non-critical information networks and systems.