Commerce Department: Recent Wave Of Cyberattacks Sounds An Urgent Wake-up Call

This article is more than 10 years old.

The Commerce Department is understandably freaked out about cybersecurity. After name-checking recent breaches at Citibank, RSA/Lockheed Martin, and Sony ("One of the archetypal brands of the last 50 years was felled"), hacks of Nasdaq and the IMF, and the pitiful defacing of the PBS website, the Commerce Department's general counsel decried the state of security on the Internet during a keynote address at the Computers, Freedom and Privacy Conference in D.C. on Tuesday morning.

"You probably heard today that the Senate was attacked, as well," added Commerce counsel Cameron Kerry. "What I would say to you today is that we're closer to a darker scenario [for the future of e-commerce]."

"As we move to a cloud computing world, the principal barrier for the development of new services there is a lack of confidence in security," said Kerry, adding that the market for online transactions will never reach its predicted $24 trillion if gatekeepers for information can't figure out how to keep it secure. He compared commerce in the cloud to the initial growth of the use of credit cards, and the introduction of encryption to soothe people's security concerns.

He laid out two priorities for the Commerce Department: cybersecurity and privacy. "The response can't wait for legislation or regulation," said Kerry. "It must begin yesterday."

When it does come to legislation and regulation, though, Commerce is pushing for companies to get on board with "trusted identities in cyberspace" -- enhanced verification of people's identities beyond the standard name/password approach -- and a "privacy bill of rights" -- introduced in the Senate by Cameron Kerry's brother, John Kerry. The Kerry brothers are apparently tag-teaming on privacy protection policy-making.

So what does that mean for businesses? When it comes to privacy, Kerry says they're going to have to start "entering into conversations with their customers about how they use their information. It should be about active choices, not a one-time click."

The Commerce Department is acutely aware of the failure of law to keep up with the speed of the Internet, said Kerry, so they embrace principle-based rules and a multi-stakeholder approach. As for principles they're pushing for now with the cybersecurity legislation the Obama administration has endorsed, the Commerce Department:

  • Wants standardized breach notification requirements, so that the procedures breached companies follow to notify their customers are simplified, replacing the current patchwork of laws that vary from state to state.
  • Will encourage companies to have better data security, especially for power grids, water systems, and other core critical infrastructure.
  • Is pushing to increase criminal penalties for those hacking into these systems.
  • Encourages the sharing of information with law enforcement, to improve the nation's ability to detect and prevent cyberattacks.

"If we're going to lead in this area, we realize we have to get our own house in order," said Kerry, who admitted the department has had a series of "minor but recurring" data breaches. "So we created a privacy officer position." (Note to companies: if you don't have a chief privacy officer already, you may want to think about hiring one soon.)

Commerce increased its use of encryption of information and "privacy awareness," including an interactive, role-playing game for employees on how to handle personal information. (Given government employees' terrible record of losing laptops with loads of citizens' info, I hope a don't-leave-your-laptop-in-the-car challenge is something that results in loss of points in this game.)

"This recent wave of cybersecurity attacks and breaches sounds an urgent wake-up call," said Kerry. "We can build a cyberspace that deserves the trust of the global user community, supports commerce and prevents criminals from exploiting it."