CDT Comments Before the Department of Commerce in the Matter of Cybersecurity, Innovation, and the Internet Economy
The green paper deals broadly with establishing a framework for the cybersecurity challenges faced by companies outside the critical infrastructure and key resources designation. In particular, the green paper identifies an "Internet and Information Innovation Sector" ("I3S") and lays out several policy recommendations intended to help this sector develop security best practices and voluntary codes of conduct as well as incentivize private sector cybersecurity efforts. We applaud the Department for taking up this issue. We believe the Department's overall approach to non-critical network security is essentially the right one, with a focus on incentives, transparency and best practices promoted through voluntary, collaborative endeavors with private industry.
However, while it is useful to distinguish between critical and non-critical systems, and while it is appropriate to develop government policy for improving the security of non-critical information and communications systems, we want to warn at the outset of our comments that the distinction can also be misleading. The green paper recommends an approach to cybersecurity policy for non-critical infrastructures that is based on voluntary standards, public-private cooperation, transparency, respect for privacy, and the protection of innovation. Yet those very same principles should also govern the framing of policy for critical infrastructures, and it would be a mistake to take the distinction between critical and non-critical infrastructures as suggesting otherwise.