WASHINGTON – The federal government is proposing industry guidelines to help ensure private companies and the government work together to protect U.S. cybersecurity, according to top homeland security and commerce officials.
“Cybersecurity is a shared responsibility,” Bruce W. McConnel, leader of the Department of Homeland Security’s Cyber + Strategy Team, said Tuesday at a Center for Strategic and International Studies panel on the role internet service providers have in fighting malware, like viruses and other harmful spam that can infect entire networks of computers. He said government efforts alone cannot protect the systems.
The Department of Commerce shares the work of cybersecurity with the Department of Homeland Security, and on Sept. 21 the agencies released a request for information to create a voluntary set of industry guidelines that would help detect and reduce the damage from botnets – networks of computers, or “bots”, that have been infected with malware. The request for information will remain open until Nov. 4.
Several officials said the guidelines are a first step, but the administration may propose legislation to set up mandatory regulations at some point.
But Department of Commerce General Counsel Cameron F. Kerry warned that “pure government planning in this space is a prescription for failure” and reiterated the need for joint efforts to build a code of conduct that focuses on security.
In June Secretary of Commerce Gary Locke recommended that the government and stakeholders convene to encourage industry security standards.
Such standards were recommended in a 2009 report issued by the Messaging Anti-Abuse Working Group, an industry association that Chairman Michael O’Reidran described as working globally to protect nearly 1 billion mailboxes against online exploitation. The association’s standards for mitigating botnet infections in residential computers emphasize the need for internet service providers to detect infections, actively inform customers and provide the tools necessary for fixing problems.
Despite the standards’ focus on ISPs, O’Reidran echoed the need for cybersecurity to be viewed as a “team sport.”
“Everybody has got to play their position,” he said.
“There are some great global models,” O’Reidran said, highlighting Australia and Germany. Australia encourages ISPs to inform consumers of infection, and Germany follows a protocol of notifying the consumer, cleaning the computer and protecting against future infection, O’Reidran said.