On August 10, the National Institute of Standards and Technology, on behalf of the brand new White House Commission on Enhancing National Cybersecurity, placed a request for information (RFI) in the Federal Register.
The list of topics was extensive, effectively asking for feedback on any issue related to cybersecurity that might come up over the next decade.
Security pros, trade associations and businesses can’t wait to reply.
“We’re excited that it’s a little more open than RFIs normally are. We can respond in a little more open manner about issues we don’t normally get to touch on, ” said Brendan Peter, vice president of global government relations at CA Technologies.
Organizations are putting their focus on different things in their responses.
Companies that sell security products, for example, are focusing on greater adherence to best practices for cybersecurity. Those practices, experts say, could prevent many of the disastrous hacks that now befall businesses and individuals.
Peter said much of CA’s focus would on the importance of identity management, including tried and true solutions like making keeping credentials in check, learning to avoid phishing attacks and appropriately making sure users cannot access more than is necessary.
Intel Security’s priorities are similarly rooted in network administrators following good practices, including increasing adoption of the National Institute of Standards and Technology’s Cybersecurity Framework — a series of guidelines that emphasize good planning over flashy technology.
Both CA and Intel plan to look at “internet of things” issues, where everyday items are connected to networks. Intel’s top advice will be integrating security into the design process, while CA will look to improve industry norms.
Government’s role, said Kent Landfield, Intel Security’s director of standards and technology policy, does not have to be much more than encouraging industries to develop best practices.
“A lot of the problem is getting everyone in the same place,” he said.
The U.S. Chamber of Commerce, too, will look to promote the NIST framework.
“We firmly believe in the framework and want to sustain all the momentum behind it, said Matt Eggers, executive director for cybersecurity policy.
But the business group also will push for the government to improve domestic cybersecurity by developing a more deliberate system of responding to international attacks.
“We need to ensure higher costs for illicit actors,” he said
Eggers pointed to international norms proposed by Secretary of State John KerryJohn KerryUS sending delegation to Turkey to weigh extradition of cleric: report John Kerry to fly to Africa for terror talks White House sets out suggestion box for cybersecurity MORE during a 2015 visit to South Korea. Most relevantly, they included a ban on state hacking to steal intellectual property and state secrets and international cooperation on cybersecurity investigations.
Eggers also planned to push for recent information sharing legislation “to stay on track.”
Information sharing, however, is still a controversial issue. Though few argue that governments and businesses should not share threat intelligence, civil libertarians still worry about privacy.
“It would be dangerous to except that the [Cybersecurity Information Sharing Act] solved real problems with privacy or civil liberties infirmities,” said Gabe Rottman, deputy director of the Freedom, Security and Technology Project at the Center for Democracy and Technology.
Rottman said the CDT would use its submission to the RFI to highlight what it sees as privacy shortcomings in cybersecurity legislation. For example, the CDT believes the information rules put in place under the Cybersecurity Information Sharing Act lack adequate protections for individual’s private information.
He also pointed to various proposed methods of fighting botnets, which are networks of hijacked computers used by criminals. Many of the proposed methods, including controversial changes to the rules of evidence gathering that are supported by the Department of Justice, permit law enforcement to hack a computer attached to a botnet without contacting an owner first.
Comments on the RFI will be accepted until September 9.