NTIA Seeks Comments on Cybersecurity Threats

We've previously reported on a drone-related multistakeholder process convened by the National Telecommunications and Information Administration (NTIA), which is part of the Department of Commerce and is responsible for telecommunications and technology policy. For several years, NTIA has considered important policy issues related to emerging technologies through these "multistakeholder processes," which bring together industry, public interest groups, and other interested parties to develop a consensus position or guidelines - generally non-binding and voluntary - for industry and others to follow. Recent multistakeholder discussions have included drones, the Internet of Things, and cybersecurity.

On the cybersecurity front, NTIA previously sought comment on the subject of "Stakeholder Engagement on Cybersecurity in the Digital Ecosystem," which in layperson's terms means "how we can protect data." That resulted in an initial set of findings, recommendations, and suggested resources put together by the participants.

The NTIA recently announced that it has extended a deadline to accept comments on the related subject of "Promoting Stakeholder Action Against Botnets and Other Automated Threats," which addresses specific kinds of threats to data that are automated and distributed. This is significant, as it signals that the Trump Administration is continuing work begun under the Obama Administration to understand and develop a coherent national policy on how to deal with cybersecurity threats, and that, for now at least, it is keeping some of that work under NTIA's purview.

In its notice, NTIA highlights its concern with the threat to Internet of Things (IoT) devices, and especially consumer-grade IoT devices. It outlines seven areas on which it seeks comment:

1. The approaches and mechanisms that are currently successful in combating cyber threats, whether laws, policies, best practices, standards, technologies, or other means;
2. Gaps in addressing automated and distributed threats, including what no longer works;
3. Specific and tangible steps that can be taken, whether by laws, policies, best practices, standards, technologies, or other means, to address botnets, as well
   as the public policy implications of the various approaches;
4. The appropriate roles of the various stakeholders - industry, academia, etc. - in collaborating on and addressing these threats;
5. The role of government in dealing with these issues, including whether incentives or specific policies can foster change;
6. Related international issues, given the "global nature of the Internet;" and
7. How to educate and help users, whether organizations or consumers.

Comments are due on July 13, 2017. For those of you looking for a more detailed discussion, the Department of Commerce's National Institute of Standards and Technology (NIST), one of the primary government offices looking at cybersecurity, will host a workshop on July 11-12, 2017; detailed information is available here.