Administration proposes voluntary cybersecurity standards for Web firms

The Commerce Department would set up cybersecurity standards for businesses under a report released Wednesday by the agency.

The green paper is targeted at companies that rely on the Internet to do business but fall outside of critical infrastructure, a group that includes social-networking sites, online-only businesses and cloud computing firms. It recommends that Commerce work with industry to set up voluntary standards and best practices for firms that rely on the Web.

“Our economy depends on the ability of companies to provide trusted, secure services online. As new cybersecurity threats evolve, it’s critical that we develop policies that better protect businesses and their customers to ensure the Internet remains an engine for economic growth,” said Commerce Secretary Gary Locke in a statement.


“By increasing the adoption of standards and best practices, we are working with the private sector to promote innovation and business growth, while at the same time better protecting companies and consumers from hackers and cyber theft.”

Locke said ensuring consumers feel secure dealing with those firms online is vital to protecting the estimated $10 trillion in online transactions that take place annually around the world. Several industry groups praised the report's voluntary approach to improving cybersecurity.

The report suggests incentives such as public disclosure, cyber-insurance and liability protections to compel firms to adopt the new standards. The proposal comes as cybersecurity has become the technology topic du jour on the Hill, thanks to a series of high-profile data breaches in recent months, including an attack on Gmail accounts that Google blamed on China.

The headlines have helped build momentum for comprehensive cybersecurity legislation, which was previously mired in partisan gridlock and Senate turf battles. Both parties have indicated a willingness to reach a compromise on a bill, though they differ on how to handle private-sector networks.

Wednesday's report helped bring some clarity as to how cybersecurity responsibilities and oversight would be divided between the Departments of Homeland Security, Commerce and Defense under the Obama administration's plan.

The Pentagon, which recently described cyber-attacks as an act of war, is set to release its own strategy this month, which will reportedly clarify that a cyber-attack on government networks could result in a kinetic response from the U.S. military. The military is also in charge of protecting its own networks and those crucial to national security.

The White House released a legislative proposal last month that would put DHS in charge of regulating cybersecurity at firms deemed critical infrastructure, which includes utilities, financial institutions and core telecommunications.

Commerce would then be left to work with firms not under the oversight of DHS to create sector-specific standards that would be voluntarily adopted. There would likely be a strong incentive for firms to comply in order to maintain consumer trust and remain competitive with firms that do take part.

Commerce had scheduled a conference call with reporters on Wednesday to discuss the report, but postponed it until a later date.