On Oct. 29, 1969, the first electronic message was sent on ARPANET, the precursor to today’s Internet. Despite crashing the system, that message is the reason today is designated International Internet Day. To mark the day, and the approaching end of Cybersecurity Awareness Month, Charles Romine, Director of the Information Technology Laboratory at the National Institute of Standards and Technology, has summarized NIST’s work on improving the security of the Internet and IT systems.

NIST has been conducting cybersecurity research for as long as there has been a cyberspace to secure.  NIST issues the Federal Information Processing Standards that help to protect the federal government’s information systems and help agencies comply with the Federal Information Security Management Act. These standards and guidelines are often used by the private sector and state and local governments, and therefore have a broad impact on IT systems across the country and around the world.

Through the National Cybersecurity Center of Excellence (NCCoE), which was established in collaboration with the State of Maryland and Montgomery County, Md., we have been working directly with the private sector since 2012. The center’s goal is to accelerate the adoption of secure technologies through public-private collaborations that identify and address today’s most pressing cybersecurity challenges. We recently awarded a contract to establish the first Federally Funded Research and Development Center devoted to cybersecurity to support the NCCoE, providing needed flexibility in staffing and bringing in partners from industry and academia.

Guest post by Michael Daniel, Special Assistant to the President and the Cybersecurity Coordinator. Cross-post from Whitehouse.gov

The systems that run our nation’s critical infrastructure such as the electric grid, our drinking water, our trains, and other transportation are increasingly networked. As with any networked system, these systems are potentially vulnerable to a wide range of threats, and protecting this critical infrastructure from cyber threats is among our highest security priorities. That is why, earlier this year, the President signed an Executive Order designed to increase the level of core capabilities for our critical infrastructure to manage cyber risk. The Order does this by focusing on three key areas: information sharing, privacy, and adoption of cybersecurity practices.

To promote cybersecurity practices and develop these core capabilities, we are working with critical infrastructure owners and operators to create a Cybersecurity Framework – a set of core practices to develop capabilities to manage cybersecurity risk. These are the known practices that many firms already do, in part or across the enterprise and across a wide range of sectors. The draft Framework will be complete in October. After a final Framework is released in February 2014, we will create a Voluntary Program to help encourage critical infrastructure companies to adopt the Framework. 

While this effort is underway, work on how to incentivize companies to join a Program is also under consideration. While the set of core practices have been known for years, barriers to adoption exist, such as the challenge of clearly identifying the benefits of making certain cybersecurity investments. As directed in the EO, the Departments of Homeland Security, Commerce, and Treasury have identified potential incentives and provided their recommendations to the President, through the Assistant to the President for Homeland Security and Counterterrorism and the Assistant to the President for Economic Affairs.

As part of the Executive Order  signed by President Obama last month directing agencies to use their existing authorities and work with the private sector to better protect our nation’s power, water, and other critical systems, the Commerce Department is preparing a report on ways to incentivize companies and organizations to improve their cybersecurity.  To better understand what stakeholders –  such as companies, trade associations, academics and others – believe would best serve as incentives, the Department has released a series of questions to gather  public comments in a Notice of Inquiry published today.

The national and economic security of the United States depends on the strength of our nation’s critical infrastructure. The cyber threat to critical infrastructure is growing, and represents one of the most serious national security challenges that the United States must confront. As the President stated in the Executive Order, “repeated cyber intrusions into America’s critical infrastructure demonstrate a need for improved cybersecurity.”

As a first step toward protecting critical infrastructure, the Executive Order tasks the Department of Homeland Security (DHS) to identify the systems that could be affected by a cybersecurity incident which could in catastrophic regional or national effects on public health or safety, economic security, or national security.  Second, the National Institute of Standards and Technology (NIST) will develop a framework consisting of a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. This Cybersecurity Framework will provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach to improving cybersecurity, which will help owners and operators of critical infrastructure identify, assess and mange cyber risk. Third, DHS will work with sector-specific agencies to develop the Critical Infrastructure Cybersecurity Program to promote voluntary adoption of the Framework.

Today, President Obama declared March 4-10, 2012 as National Consumer Protection Week, building on a coordinated effort that encourages consumers nationwide to take full advantage of their consumer rights and make better-informed decisions. The Commerce Department is using this occasion to showcase the efforts of our Internet Policy Task Force, which is leveraging the expertise of several Commerce bureaus that are aimed at ensuring continued innovation in the Internet economy and preserving consumer trust in Internet commerce and online interactions. In particular, the Task Force continues to move forward in our work to promote new efforts that will lead to improved Internet privacy protection and better security for consumers online.

 In February, the Obama administration unveiled a “Consumer Privacy Bill of Rights” as part of a comprehensive blueprint to improve consumers’ privacy protections and ensure that the Internet remains an engine for innovation and economic growth. The president’s report called on the Commerce Department’s NTIA to begin convening companies, privacy advocates and other stakeholders to develop and implement enforceable privacy policies based on the Consumer Privacy Bill of Rights.

NTIA is now moving forward and seeking public input on what issues should be addressed through the privacy multistakeholder process and how to structure these discussions so they are open, transparent, and most productive. Today, NTIA issued a formal request for comment (PDF). The comment period will remain open until March 26, 2012.

As NTIA Administrator Lawrence Strickling illustrated last week, we hope to receive meaningful suggestions and input from a range privacy stakeholders.  Their continued involvement will be key for the future of consumer protection and we need your help to make it a success.

The report, “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy,” (PDF) resulted from a comprehensive review of Internet privacy policy and innovation in the Internet economy lead by the Commerce Department’s Internet Policy Task Force.

Guest blog post by Simon Szykman, Chief Information Officer, U.S. Department of Commerce

You missed it! The Department of Commerce's Office of the Chief Information Officer (OCIO) hosted its inaugural Innovating Security Conference to increase knowledge and awareness of various initiatives, exchange information and ideas, and engage in discussions on ways to further protect and strengthen the security posture of the department’s information systems. Facing security threats that are evolving and growing in sophistication, while at the same time anticipating a constrained outlook for the future due to budget pressures, it is imperative for organizations across the department to pursue improvements in both efficiency and effectiveness by examining operations, collaborating on common objectives, improving information sharing, and identifying opportunities to leverage one another’s independent activities.

The two-day conference is one means of moving toward a higher level of efficiency and effectiveness by emphasizing internal collaborations and open dialogue. The conference included participation and invited speakers from Commerce, as well as from other federal agencies and the private sector, in order to leverage their best practices, lessons learned and knowledge in areas related to information system security. In addition to keynote and panel sessions, service offerings of Commerce internal service providers as well as industry vendors were highlighted during the event.

Guest blog post by Leslie Harris, President and CEO of the Center for Democracy & Technology.

Today the Administration released an ambitious, long-term strategy document called the National Strategy for Trusted Identities in Cyberspace (NSTIC). The Strategy puts forth a vision where individuals can choose to use a smaller number of secure, privacy-preserving, and convenient online identities. This would be a shift away from today’s norm of numerous usernames, passwords, and online accounts scattered across the Web.

Importantly, the Administration has turned to the private sector to make this vision a reality. The Strategy is not a national ID program—in fact, it’s not an ID “program” at all. It is a call for leadership and innovation from private companies. The government’s role must now be to advocate for its citizens and to support the development of a fair and useful system.

Why should the American people care about a “strategy” for Internet identity?

First, a growing number of our Internet transactions require an identity. We’re continually prompted to create new accounts to participate in online social networking, shopping, banking, and forums. Most of us have no idea how our identifying information will be used or shared. It certainly doesn’t help that we have to offer a fresh set of information to every new service that comes along. Without a new approach, this trend will continue. We deserve better control over our identity and stronger assurances that it will not be misused. Innovation isn’t slowing down; we have to catch up.

U.S. Commerce Secretary Gary Locke and White House Cybersecurity Coordinator Howard A. Schmidt are in Stanford, Calif., today at the Stanford Institute for Economic Policy Research to discuss the Obama administration’s efforts to enhance online security and privacy and next steps in meeting the challenges of a growing cyber world, with local industry and academic leaders in Silicon Valley.

The public and private sectors have critical roles to play in creating a system that allows people to complete online transactions with greater confidence that their personal information is safe. Through its forthcoming National Strategy for Trusted Identities in Cyberspace (NSTIC), the administration aims to support private-sector cybersecurity innovations by focusing on establishing identity solutions and privacy-enhancing technologies that will make the online environment more secure and convenient for users and consumers. E-commerce worldwide is estimated at $10 trillion of business online annually.  Release | Remarks  |  Video  |  FAQ

U.S. Commerce Secretary Gary Locke announced today at the Business Software Alliance Cybersecurity Forum that the Commerce Department’s National Institute of Standards and Technology (NIST) will coordinate and facilitate the implementation of the Obama administration’s National Initiative for Cybersecurity Education (NICE). This initiative expands the government’s cyber security education efforts into a national focus that will establish an operational, sustainable and continually-improving cyber security education program for the public and private sectors focused on sound cyber practices. (More) (Remarks)