Stakeholder Engagement on Cybersecurity in the Digital Ecosystem, 14360-14363 [2015-06344]

Download as PDF 14360 Federal Register / Vol. 80, No. 53 / Thursday, March 19, 2015 / Notices The meeting will be held on Monday, April 13, 2015, from 1:30 p.m. until 4 p.m. DATES: The meeting will be held via Internet Webinar. Detailed connection details are available at http://www.mafmc.org. To join the Webinar, follow this link and enter the online meeting room: http:// mafmc.adobeconnect.com/ april2015scoq/. Council address: Mid-Atlantic Fishery Management Council, 800 North State Street, Suite 201, Dover, DE 19901; telephone: (302) 674–2331. ADDRESSES: National Telecommunications and Information Administration [Docket No. 150312253–5253–01] RIN 0660–XC018 Stakeholder Engagement on Cybersecurity in the Digital Ecosystem National Telecommunications and Information Administration, U.S. Department of Commerce. ACTION: Request for Public Comment. AGENCY: [FR Doc. 2015–06317 Filed 3–18–15; 8:45 am] The Department of Commerce Internet Policy Task Force (IPTF) is requesting comment to identify substantive cybersecurity issues that affect the digital ecosystem and digital economic growth where broad consensus, coordinated action, and the development of best practices could substantially improve security for organizations and consumers. The IPTF invites public comment on these issues from all stakeholders with an interest in cybersecurity, including the commercial, academic and civil society sectors, and from relevant federal, state, local, and tribal entities. DATES: Comments are due on or before 5 p.m. Eastern Time on May 18, 2015. ADDRESSES: Written comments may be submitted by email to securityRFC2015@ntia.doc.gov. Comments submitted by email should be machine-searchable and should not be copy-protected. Written comments also may be submitted by mail to the National Telecommunications and Information Administration, U.S. Department of Commerce, 1401 Constitution Avenue NW., Room 4725, Attn: Cybersecurity RFC 2015, Washington, DC 20230. Responders should include the name of the person or organization filing the comment, as well as a page number, on each page of their submissions. All comments received are a part of the public record and will generally be posted to http:// www.ntia.doc.gov/category/internetpolicy-task-force without change. All personal identifying information (e.g., name, address) voluntarily submitted by the commenter may be publicly accessible. Do not submit Confidential Business Information or otherwise sensitive or protected information. NTIA will accept anonymous comments. BILLING CODE 3510–22–P FOR FURTHER INFORMATION CONTACT: FOR FURTHER INFORMATION CONTACT: Christopher M. Moore Ph.D., Executive Director, Mid-Atlantic Fishery Management Council, 800 N. State Street, Suite 201, Dover, DE 19901; telephone: (302) 526–5255. The purpose of the meeting is to develop a fishery performance report by the Council’s Surfclam and Ocean Quahog Advisory Panel. The intent of this report is to facilitate structured input from the Surfclam and Ocean Quahog Advisory Panel members to the Council and its Scientific and Statistical Committee (SSC). Although non-emergency issues not contained in this agenda may come before these groups for discussion, those issues may not be the subject of formal action during this meeting. Action will be restricted to those issues specifically listed in this notice and any issues arising after publication of this notice that require emergency action under section 305(c) of the Magnuson-Stevens Act, provided the public has been notified of the Council’s intent to take final action to address the emergency. SUPPLEMENTARY INFORMATION: Special Accommodations The meeting is physically accessible to people with disabilities. Requests for sign language interpretation or other auxiliary aids should be directed to M. Jan Saunders at the Mid-Atlantic Council Office, (302) 526–5251, at least 5 days prior to the meeting date. Rmajette on DSK2VPTVN1PROD with NOTICES DEPARTMENT OF COMMERCE Dated: March 16, 2015. Tracey L. Thompson, Acting Deputy Director, Office of Sustainable Fisheries, National Marine Fisheries Service. SUMMARY: Allan Friedman, National Telecommunications and Information Administration, U.S. Department of Commerce, 1401 Constitution Avenue VerDate Sep<11>2014 15:18 Mar 18, 2015 Jkt 235001 PO 00000 Frm 00004 Fmt 4703 Sfmt 4703 NW., Room 4725, Washington, DC 20230; Telephone: (202) 482–4281; Email: afriedman@ntia.doc.gov. Please direct media inquiries to NTIA’s Office of Public Affairs: (202) 482–7002. SUPPLEMENTARY INFORMATION: Background: The Department of Commerce IPTF published a Notice of Inquiry (NOI) in 2010, focusing on the relationship between cybersecurity and the pace of innovation in the information economy.1 Based on the comments received, the Department of Commerce published a Green Paper, Cybersecurity, Innovation, and the Internet Economy, in 2011.2 The Green Paper focused on the sector of the economy that creates or uses the Internet or networking services and falls outside the classification of critical infrastructure, as defined by existing law and Administration policy. In that document, the IPTF focused on two themes. First, there are real, evolving threats in cyberspace that not only put businesses and their online operations at risk, but threaten to undermine the trust on which much of the digital economy depends. Second, the pace of innovation in the highly dynamic digital ecosystem makes traditional regulation and compliance difficult and inefficient. Stakeholder response to the Green Paper provided a roadmap for the IPTF to continue its cybersecurity policy work. In September 2011, the IPTF, in coordination with the Department of Homeland Security, issued a NOI on possible approaches to creating a voluntary industry code of conduct to address the detection, notification, and mitigation of botnets, which led to an industry-led working group.3 In February 2013, the White House released Executive Order 13636 which called upon the Department of Commerce to work with industry to develop a framework for use by U.S. critical infrastructure to improve 1 U.S. Department of Commerce, Internet Policy Task Force, Notice of Inquiry, Cybersecurity, Innovation, and the Internet Economy, Dkt. No. 100721305–0305–01, 75 FR 44216 (July 28, 2010), available at: http://www.ntia.doc.gov/federalregister-notices/2010/cybersecurity-innovation-andinternet-economy. Responses to the Notice of Inquiry are available at: http://www.nist.gov/itl/ cybercomments.cfm. 2 U.S. Department of Commerce, Internet Policy Task Force, Cybersecurity, Innovation, and the Internet Economy (June 2011) (‘‘Green Paper’’), available at: http://www.nist.gov/itl/upload/ Cybersecurity_Green-Paper_FinalVersion.pdf. 3 U.S. Department of Commerce and U.S. Department of Homeland Security, Notice of Inquiry, Models To Advance Voluntary Corporate Notification to Consumers Regarding the Illicit Use of Computer Equipment by Botnets and Related Malware, Dkt. No. 110829543–1541–01, 76 FR 58466 (September 21, 2011), available at: http:// www.ntia.doc.gov/files/ntia/publications/botnet_ rfi.pdf. E:\FR\FM\19MRN1.SGM 19MRN1 Federal Register / Vol. 80, No. 53 / Thursday, March 19, 2015 / Notices Rmajette on DSK2VPTVN1PROD with NOTICES cybersecurity practices, and to undertake a study on incentives to encourage private sector adoption of cybersecurity protections.4 The Cybersecurity Framework was developed by the National Institute of Standards and Technology (NIST), an agency of the Department of Commerce, with the aid of broad stakeholder participation.5 The Cybersecurity Framework offers organizations a guide for understanding and implementing appropriate cybersecurity protections, and has been applied by a range of organizations, including a number that fall ‘‘outside the orbit of critical infrastructure or key resources,’’ the focus of the Green Paper effort.6 Following launch of the Cybersecurity Framework, NIST published a Request for Information (RFI) in August 2014 asking for stakeholder feedback on Cybersecurity Framework awareness, use, and next steps.7 In response to questions regarding next steps that could complement the Cybersecurity Framework process, stakeholders again identified the IPTF as a vehicle to facilitate further collaborative cybersecurity work, building on the models of multistakeholder participation initially discussed in the Green Paper.8 Accordingly, the IPTF proposes to facilitate one or more multistakeholder processes around key cybersecurity issues facing the digital ecosystem and economy. Multistakeholder processes, built on the principles of openness, transparency, and consensus, can generate collective guidance and foundations for coordinated voluntary action. Potential outcomes would vary by the issue discussed, but could include voluntary policy guidelines, procedures, or best practices. In the 4 Exec. Order No. 14636, Improving Critical Infrastructure Cybersecurity, 78 FR 11739 (February 12, 2013), available at https:// www.federalregister.gov/articles/2013/02/19/201303915/improving-critical-infrastructurecybersecurity. 5 National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity Version 1.0, (February 12, 2014), available at: http://www.nist.gov/cyberframework/ upload/cybersecurity-framework-021214.pdf. 6 Green Paper at ii. 7 U.S. Department of Commerce, National Institute of Standards and Technology, Notice of Inquiry, Experience With the Framework for Improving Critical Infrastructure Cybersecurity, Dkt. No. 140721609–4609–01, 79 FR 50891 (August 26, 2014), available at: https://www.federalregister.gov/ articles/2014/08/26/2014-20315/experience-withthe-framework-for-improving-critical-infrastructurecybersecurity. 8 See, e.g., comments from the Information Technology Industry Council (ITI), US Telecom Association, and Microsoft on the Cybersecurity Framework RFI (August 2014), available at: http:// csrc.nist.gov/cyberframework/rfi_comments_10_ 2014.html. VerDate Sep<11>2014 15:18 Mar 18, 2015 Jkt 235001 digital ecosystem, the rapid pace of innovation often outstrips the ability of regulators to effectively administer key policy questions. Open, voluntary, and consensus-driven processes can work to safeguard the interests of all stakeholders while still allowing the digital economy to thrive. The focus of these processes is to address discrete security challenges in the digital ecosystem where collaborative voluntary action between diverse actors can substantially improve security for everyone. Each process will engage a wide range of participants to ensure that the outcomes reflect the consensus of the relevant community, and are fair, voluntary, and stakeholderdriven. These processes will be designed to complement, rather than duplicate existing initiatives, both inside and outside the government. They will be coordinated by the IPTF, under the leadership of the National Telecommunications and Information Administration (NTIA). Under its statutory authority, NTIA undertakes Internet policy initiatives that serve to protect, promote and reinforce an open, innovative Internet ecosystem and digital economy, and is the executive branch lead for promoting the multistakeholder approach to Internet policymaking.9 In partnership with its IPTF partners, NTIA has addressed other key challenges in Internet policy through multistakeholder processes, including an ongoing set of initiatives around privacy and digital copyright.10 These proposed cybersecurity processes will be coordinated with standards and technology work underway within the Department of Commerce focused on cybersecurity, including the Cybersecurity Framework, the National Cybersecurity Center of Excellence, and the National Strategy for Trusted Identities in Cyberspace.11 Through the comprehensive scope of all these efforts, 9 See 47 U.S.C. 901(c) (describing NTIA’s policy roles, including ‘‘[p]romoting the benefits of technological development in the United States for all users of telecommunications and information facilities;’’ ‘‘[f]ostering national safety and security, economic prosperity, and the delivery of critical social services through telecommunications;’’ and ‘‘[f]acilitating and contributing to the full development of competition, efficiency, and the free flow of commerce in domestic and international telecommunications.’’) 10 More information about the IPTF’s work on privacy and copyright initiatives, including multiple Requests for Comment, are available at: http://www.ntia.doc.gov/category/internet-policytask-force. 11 More information about the Cybersecurity Framework is available at: http://www.nist.gov/ cyberframework; the National Cybersecurity Center of Excellence at: http://nccoe.nist.gov; and the National Strategy for Trusted Identities in Cyberspace at: http://www.nist.gov/nstic. PO 00000 Frm 00005 Fmt 4703 Sfmt 4703 14361 the Department of Commerce seeks to foster innovation and to better secure the ecosystem to ensure that businesses, organizations and individuals can expand their trust, investment and engagement in the digital economy, while also reinforcing the voluntary, multistakeholder approach to Internet policymaking. Request for Comment: IPTF plans to facilitate a series of discussions around key cybersecurity challenges that may be addressed through a better shared understanding of the nature of the problem, and where multistakeholder discussion can be a catalyst for selfcoordination of cybersecurity activities. Outcomes would depend on the issues discussed, but may involve combinations of principles, practices, and the voluntary application of policies and existing standards. Initially, IPTF seeks to conduct a cybersecurity multistakeholder process focused on a definable area where consumers and organizations will achieve the greatest benefit and consensus in a reasonable timeframe. While IPTF will avoid duplicating existing work, areas where stakeholders have identified the problem or begun to seek consensus around specific practices could provide a useful starting point. To identify potential cybersecurity topics that would benefit from a multistakeholder process, IPTF seeks comment from stakeholders on the following questions: 1. What security challenges could be best addressed by bringing together the relevant participants in an open, neutral forum to explore coordinated, voluntary action through principles, practices, and guidelines? For each issue, also provide comment on: i. Why this topic is a good fit for a multistakeholder process, and whether stakeholders might reasonably be expected to come to some consensus; ii. Why such a process would benefit the digital ecosystem as a whole; iii. How long a facilitated, participantled process on this topic should take to come to consensus; iv. What form an actionable outcome might take; and v. What pre-existing organizations and work already exist on the topic. 2. Please comment on which of the following topics could result in actionable, collective progress by stakeholders in a multistakeholder setting. For each issue, also provide comment on: i. Why or why not this topic is a good fit for a multistakeholder process, and whether stakeholders might reasonably be expected to come to some consensus; E:\FR\FM\19MRN1.SGM 19MRN1 14362 Federal Register / Vol. 80, No. 53 / Thursday, March 19, 2015 / Notices Rmajette on DSK2VPTVN1PROD with NOTICES ii. Why such a process would benefit the digital ecosystem as a whole; iii. How long a facilitated, participantled process on this topic should take to come to consensus; iv. What form an actionable outcome might take; and v. What pre-existing organizations and work already exist on the topic. Network and Infrastructure Security (a) Botnet Mitigation. Disrupting botnets requires coordinated action and transparency between ISPs, vendors, consumers, and the public sector, such as previous efforts of the voluntary public-private partnership between the U.S. Office of the Cybersecurity Coordinator and the U.S. Departments of Commerce and Homeland Security related to ISP codes of conduct.12 What additional collective steps can be taken to support efforts to create awareness and manage the effects of botnets? (b) Trust and Security in Core Internet Infrastructure: Naming, Routing, and Public Key Infrastructure. Key aspects of the Internet’s core infrastructure were designed and deployed without explicit security mechanisms (e.g., the Domain Name System (DNS) and Border Gateway Protocol (BGP)) and new threats have been discovered in the Internet’s Public-Key Infrastructure (i.e., PKIX). Technical solutions have been developed for many of these issues (e.g., DNSSEC, BGPSec and RPKI, DANE and certificate transparency) but uptake has been slow. What collective action can be taken to promote the voluntary adoption and diffusion of existing technical solutions to make the infrastructure more trustworthy? (c) Domain Name System (DNS), Border Gateway Protocol (BGP), and Transport Layer Security (TLS) Certificates. Key aspects of the Internet infrastructure have long been known to be vulnerable. While technical solutions exist for security vulnerabilities in routing, the domain name system and TLS certificates, uptake has been slow or is just beginning. What collective action can be taken to promote the voluntary adoption and diffusion of technical solutions, such as DNS Security (DNSSEC), to make the infrastructure more trustworthy? (d) Open Source Assurance. Many organizations depend on open source projects for a wide range of purposes across the digital economy. How can stakeholders better support improving 12 U.S. Department of Commerce, Press Release, White House Announces Public-Private Partnership Initiatives to Combat Botnets (May 30, 2012), available at: http://www.commerce.gov/news/pressreleases/2012/05/30/white-house-announcespublic-private-partnership-initiatives-combat-b. VerDate Sep<11>2014 15:18 Mar 18, 2015 Jkt 235001 the security of open source projects, and the distribution of patches? (e) Malware Mitigation. Disrupting and mitigating malware and malware networks can sometimes adversely impact consumers and stakeholders who may be inadvertently caught-up in the incident. How can existing models of mitigation and disruption better incorporate the needs and concerns of all relevant stakeholders? Web Security and Consumer Trust (f) Web Security. Many consumers assume that their connections with Web sites are secure, and that the Web sites themselves are secure, when there is little guarantee that safeguards are in place. What actions can improve web security and trust for consumers, including transport layer (Transport Layer Security, or TLS, often referred to as Secure Sockets Layer, or SSL) and web application security, potentially building on the success of existing stakeholder initiatives? 13 (g) Malvertising. Several popular Web sites have inadvertently spread malware through ‘‘malvertising,’’ when malicious code is served from legitimate advertising networks. How can diverse stakeholders work together to limit this risk? (h) Trusted Downloads. Internet users often download content and applications online without clear assurance of the security of the site. Are there best practices and existing standards that providers of online applications and downloadable tools can adopt to ensure consumer protection without impacting innovation or business models? (i) Cybersecurity and the Internet of Things. As the Internet of Things matures and more systems integrate information technologies (IT) and operational technologies (OT), cybersecurity is enmeshed in a broader risk context that includes safety, reliability, and resilience.14 How can we foster the emergence of voluntary policy frameworks, informed by market dynamics, that enable Internet of Things innovation while addressing the full 13 See, e.g., Open Web Application Security Project (OWASP), Top 10 List (‘‘represent[ing] a broad consensus about the most critical web application security flaws’’), available at: https:// www.owasp.org/index.php/Category:OWASP_Top_ Ten_Project. 14 See, e.g., NIST Cyber-Physical Systems Homepage, available at: http://www.nist.gov/cps; see also, FTC Staff, Internet of Things: Privacy & Security in a Connected World (January 2015), available at: http://www.ftc.gov/system/files/ documents/reports/federal-trade-commission-staffreport-november-2013-workshop-entitled-internetthings-privacy/150127iotrpt.pdf. PO 00000 Frm 00006 Fmt 4703 Sfmt 4703 spectrum of risks associated with cyberphysical systems? (j) Privacy. As noted in the Cybersecurity Framework, privacy and civil liberties implications may arise when personal information is used, collected, processed, maintained, or disclosed in connection with an organization’s cybersecurity activities. How can risks to privacy or civil liberties arising from the application of cybersecurity measures or best practices be addressed in this process(es)? Business Processes and Enabling Markets (k) Managed Security Services: Requirements and Adoption. Managed security services (MSS) allow many firms, particularly small- and mediumsized businesses, to secure themselves without acquiring expensive in-house expertise, yet there are obstacles preventing seamless market cooperation and accountability between clients and vendors. How can a common understanding of security needs by stakeholders enable faster and more efficient adoption to improve security without sacrificing accountability? (l) Vulnerability Disclosure. The security of the digital economy depends on a productive relationship between security vendors and researchers of all types who discover vulnerabilities in existing technology and systems, and the providers, owners, and operators of those systems. How can stakeholders build on existing work in this space to responsibly manage the vulnerability disclosure process without putting consumers at risk in the short run? 15 (m) Security Investment and Metrics. Market solutions for security require good information. What types of robust, practical, and actionable metrics can be used within organizations to understand security investment, and by consumers and clients to understand security practices and promote market demand for security? This list is not exhaustive. The IPTF welcomes comments on any of these topics, as well as descriptions of other topics that the IPTF and stakeholders should consider for the cybersecurity multistakeholder process. Note that comments are directly sought on which topics to address through the process, rather than the best solution to any given question. 3. Please comment on what factors should be considered in selecting the issues for multistakeholder processes. 15 See, e.g., Vulnerability Disclosure Overview, ISO Standard 29147 (2014), available at: http:// www.iso.org/iso/catalogue_ detail.htm?csnumber=45170. E:\FR\FM\19MRN1.SGM 19MRN1 Rmajette on DSK2VPTVN1PROD with NOTICES Federal Register / Vol. 80, No. 53 / Thursday, March 19, 2015 / Notices IPTF also plans to draw on the Green Paper and earlier responses to past Requests for Public Comment; past respondents are invited to provide additional and updated viewpoints on IPTF efforts since those comments were provided. Implementing the Multistakeholder Process: Commenters also may wish to provide their views on how stakeholder discussions of the proposed issue(s) should be structured to ensure openness, transparency, and consensusbuilding. Analogies to other Internetrelated multistakeholder processes, whether they are concerned with policy or technical issues, could be especially valuable. 4. Please comment on the best structure and mechanics for the process(es). If different security issues will require different process structures, please offer guidance on how to best design an appropriate process for the issue selected. 5. How can the IPTF promote participation from a broad range of stakeholders, i.e., from industry, civil society, academia, and international partners? In particular, how can we promote engagement from small and medium-sized enterprises (SME) that play key roles in the digital ecosystem? How critical is location for meetings, and what factors should be considered in determining where to host meetings? 6. What procedures and technologies can promote transparency of process, including promoting discussion between stakeholders and ensuring those outside the process can understand the decisions made? 7. What types of consensus outcomes can promote real security benefits without further adding to a complianceoriented model of security? 8. Would certain cybersecurity issues be better served by a single workshop or other event to raise awareness and promote independent action, rather than a longer multistakeholder, consensusbuilding process? 9. How should evaluation of the processes be conducted to assess results and to ensure that recommendations and outcomes of the process remain actionable and current? Response to this Request for Public Comment is voluntary. Commenters are free to address any or all of the issues identified above, as well as provide information on other topics that they think are relevant to promoting voluntary coordinated action to address cybersecurity risks through an open, transparent, voluntary, consensus-based process. Please note that the Government will not pay for response VerDate Sep<11>2014 15:18 Mar 18, 2015 Jkt 235001 preparation or for the use of any information contained in the response. Authority: 47 U.S.C. 901(c). Dated: March 16, 2015. Angela Simpson, Deputy Assistant Secretary for Communications and Information. [FR Doc. 2015–06344 Filed 3–18–15; 8:45 am] BILLING CODE 3510–60–P DEPARTMENT OF COMMERCE National Oceanic and Atmospheric Administration RIN 0748–XD841 New England Fishery Management Council; Public Meeting National Marine Fisheries Service (NMFS), National Oceanic and Atmospheric Administration (NOAA), Commerce. ACTION: Notice; public meeting. AGENCY: The New England Fishery Management Council (Council) is scheduling a joint public meeting of its Monkfish Committee to consider actions affecting New England fisheries in the exclusive economic zone (EEZ). Recommendations from this group will be brought to the full Council for formal consideration and action, if appropriate. DATES: This meeting will be held on Tuesday, April 7, 2015 at 9:30 a.m. ADDRESSES: Meeting address: The meeting will be held at the Radisson Airport Hotel, 2081 Post Road, Warwick, RI 02886; telephone: (401) 739–3000; fax: (401) 732–9309. Council address: New England Fishery Management Council, 50 Water Street, Mill 2, Newburyport, MA 01950. FOR FURTHER INFORMATION CONTACT: Thomas A. Nies, Executive Director, New England Fishery Management Council; telephone: (978) 465–0492. SUPPLEMENTARY INFORMATION: The Monkfish Committee will meet to discuss draft alternatives for Framework Adjustment 9 that could modify the current days-at-Sea/trip limit system and possession limits. The Committee will review Plan Development Team analyses requested at the August 25, 2014 meeting. The Committee will also discuss Monkfish Research Set-Aside (RSA) priorities for 2016. The Committee may also discuss other business as necessary, e.g. the RSA program. Although non-emergency issues not contained in this agenda may come before this group for discussion, those SUMMARY: PO 00000 Frm 00007 Fmt 4703 Sfmt 4703 14363 issues may not be the subject of formal action during this meeting. Action will be restricted to those issues specifically listed in this notice and any issues arising after publication of this notice that require emergency action under section 305(c) of the Magnuson-Stevens Act, provided the public has been notified of the Council’s intent to take final action to address the emergency. Special Accommodations This meeting is physically accessible to people with disabilities. Requests for sign language interpretation or other auxiliary aids should be directed to Thomas A. Nies, Executive Director, at (978) 465–0492, at least 5 days prior to the meeting date. Authority: 16 U.S.C. 1801 et seq. Dated: March 16, 2015. Tracey L. Thompson, Acting Deputy Director, Office of Sustainable Fisheries, National Marine Fisheries Service. [FR Doc. 2015–06307 Filed 3–18–15; 8:45 am] BILLING CODE 3510–22–P DEPARTMENT OF COMMERCE National Oceanic and Atmospheric Administration RIN 0648–XD840 New England Fishery Management Council; Public Meeting National Marine Fisheries Service (NMFS), National Oceanic and Atmospheric Administration (NOAA), Commerce. ACTION: Notice; public meeting. AGENCY: The New England Fishery Management Council’s (Council) Scientific and Statistical Committee (SSC) will meet to consider actions affecting New England fisheries in the exclusive economic zone (EEZ). DATES: The meeting will be held on Tuesday, April 7, 2015 at 9 a.m. ADDRESSES: The meeting will be held at the Courtyard by Marriott/Boston Logan Airport, 225 McClellan Highway, Boston, MA 02128; telephone: (617) 569–5250. Council address: New England Fishery Management Council, 50 Water Street, Mill 2, Newburyport, MA 01950. FOR FURTHER INFORMATION CONTACT: Thomas A. Nies, Executive Director, New England Fishery Management Council; telephone: (978) 465–0492. SUPPLEMENTARY INFORMATION: Agenda items: The Committee will receive a report from Northeast Fisheries Science Center Regime Shifts Working Group and SUMMARY: E:\FR\FM\19MRN1.SGM 19MRN1

Agencies

[Federal Register Volume 80, Number 53 (Thursday, March 19, 2015)]
[Notices]
[Pages 14360-14363]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2015-06344]


-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

National Telecommunications and Information Administration

[Docket No. 150312253-5253-01]
RIN 0660-XC018


Stakeholder Engagement on Cybersecurity in the Digital Ecosystem

AGENCY: National Telecommunications and Information Administration, 
U.S. Department of Commerce.

ACTION: Request for Public Comment.

-----------------------------------------------------------------------

SUMMARY: The Department of Commerce Internet Policy Task Force (IPTF) 
is requesting comment to identify substantive cybersecurity issues that 
affect the digital ecosystem and digital economic growth where broad 
consensus, coordinated action, and the development of best practices 
could substantially improve security for organizations and consumers. 
The IPTF invites public comment on these issues from all stakeholders 
with an interest in cybersecurity, including the commercial, academic 
and civil society sectors, and from relevant federal, state, local, and 
tribal entities.

DATES: Comments are due on or before 5 p.m. Eastern Time on May 18, 
2015.

ADDRESSES: Written comments may be submitted by email to 
securityRFC2015@ntia.doc.gov. Comments submitted by email should be 
machine-searchable and should not be copy-protected. Written comments 
also may be submitted by mail to the National Telecommunications and 
Information Administration, U.S. Department of Commerce, 1401 
Constitution Avenue NW., Room 4725, Attn: Cybersecurity RFC 2015, 
Washington, DC 20230. Responders should include the name of the person 
or organization filing the comment, as well as a page number, on each 
page of their submissions. All comments received are a part of the 
public record and will generally be posted to http://www.ntia.doc.gov/category/internet-policy-task-force without change. All personal 
identifying information (e.g., name, address) voluntarily submitted by 
the commenter may be publicly accessible. Do not submit Confidential 
Business Information or otherwise sensitive or protected information. 
NTIA will accept anonymous comments.

FOR FURTHER INFORMATION CONTACT: Allan Friedman, National 
Telecommunications and Information Administration, U.S. Department of 
Commerce, 1401 Constitution Avenue NW., Room 4725, Washington, DC 
20230; Telephone: (202) 482-4281; Email: afriedman@ntia.doc.gov. Please 
direct media inquiries to NTIA's Office of Public Affairs: (202) 482-
7002.

SUPPLEMENTARY INFORMATION: Background: The Department of Commerce IPTF 
published a Notice of Inquiry (NOI) in 2010, focusing on the 
relationship between cybersecurity and the pace of innovation in the 
information economy.\1\ Based on the comments received, the Department 
of Commerce published a Green Paper, Cybersecurity, Innovation, and the 
Internet Economy, in 2011.\2\ The Green Paper focused on the sector of 
the economy that creates or uses the Internet or networking services 
and falls outside the classification of critical infrastructure, as 
defined by existing law and Administration policy. In that document, 
the IPTF focused on two themes. First, there are real, evolving threats 
in cyberspace that not only put businesses and their online operations 
at risk, but threaten to undermine the trust on which much of the 
digital economy depends. Second, the pace of innovation in the highly 
dynamic digital ecosystem makes traditional regulation and compliance 
difficult and inefficient.
---------------------------------------------------------------------------

    \1\ U.S. Department of Commerce, Internet Policy Task Force, 
Notice of Inquiry, Cybersecurity, Innovation, and the Internet 
Economy, Dkt. No. 100721305-0305-01, 75 FR 44216 (July 28, 2010), 
available at: http://www.ntia.doc.gov/federal-register-notices/2010/cybersecurity-innovation-and-internet-economy. Responses to the 
Notice of Inquiry are available at: http://www.nist.gov/itl/cybercomments.cfm.
    \2\ U.S. Department of Commerce, Internet Policy Task Force, 
Cybersecurity, Innovation, and the Internet Economy (June 2011) 
(``Green Paper''), available at: http://www.nist.gov/itl/upload/Cybersecurity_Green-Paper_FinalVersion.pdf.
---------------------------------------------------------------------------

    Stakeholder response to the Green Paper provided a roadmap for the 
IPTF to continue its cybersecurity policy work. In September 2011, the 
IPTF, in coordination with the Department of Homeland Security, issued 
a NOI on possible approaches to creating a voluntary industry code of 
conduct to address the detection, notification, and mitigation of 
botnets, which led to an industry-led working group.\3\ In February 
2013, the White House released Executive Order 13636 which called upon 
the Department of Commerce to work with industry to develop a framework 
for use by U.S. critical infrastructure to improve

[[Page 14361]]

cybersecurity practices, and to undertake a study on incentives to 
encourage private sector adoption of cybersecurity protections.\4\
---------------------------------------------------------------------------

    \3\ U.S. Department of Commerce and U.S. Department of Homeland 
Security, Notice of Inquiry, Models To Advance Voluntary Corporate 
Notification to Consumers Regarding the Illicit Use of Computer 
Equipment by Botnets and Related Malware, Dkt. No. 110829543-1541-
01, 76 FR 58466 (September 21, 2011), available at: http://www.ntia.doc.gov/files/ntia/publications/botnet_rfi.pdf.
    \4\ Exec. Order No. 14636, Improving Critical Infrastructure 
Cybersecurity, 78 FR 11739 (February 12, 2013), available at https://www.federalregister.gov/articles/2013/02/19/2013-03915/improving-critical-infrastructure-cybersecurity.
---------------------------------------------------------------------------

    The Cybersecurity Framework was developed by the National Institute 
of Standards and Technology (NIST), an agency of the Department of 
Commerce, with the aid of broad stakeholder participation.\5\ The 
Cybersecurity Framework offers organizations a guide for understanding 
and implementing appropriate cybersecurity protections, and has been 
applied by a range of organizations, including a number that fall 
``outside the orbit of critical infrastructure or key resources,'' the 
focus of the Green Paper effort.\6\ Following launch of the 
Cybersecurity Framework, NIST published a Request for Information (RFI) 
in August 2014 asking for stakeholder feedback on Cybersecurity 
Framework awareness, use, and next steps.\7\ In response to questions 
regarding next steps that could complement the Cybersecurity Framework 
process, stakeholders again identified the IPTF as a vehicle to 
facilitate further collaborative cybersecurity work, building on the 
models of multistakeholder participation initially discussed in the 
Green Paper.\8\
---------------------------------------------------------------------------

    \5\ National Institute of Standards and Technology, Framework 
for Improving Critical Infrastructure Cybersecurity Version 1.0, 
(February 12, 2014), available at: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf.
    \6\ Green Paper at ii.
    \7\ U.S. Department of Commerce, National Institute of Standards 
and Technology, Notice of Inquiry, Experience With the Framework for 
Improving Critical Infrastructure Cybersecurity, Dkt. No. 140721609-
4609-01, 79 FR 50891 (August 26, 2014), available at: https://www.federalregister.gov/articles/2014/08/26/2014-20315/experience-with-the-framework-for-improving-critical-infrastructure-cybersecurity.
    \8\ See, e.g., comments from the Information Technology Industry 
Council (ITI), US Telecom Association, and Microsoft on the 
Cybersecurity Framework RFI (August 2014), available at: http://csrc.nist.gov/cyberframework/rfi_comments_10_2014.html.
---------------------------------------------------------------------------

    Accordingly, the IPTF proposes to facilitate one or more 
multistakeholder processes around key cybersecurity issues facing the 
digital ecosystem and economy. Multistakeholder processes, built on the 
principles of openness, transparency, and consensus, can generate 
collective guidance and foundations for coordinated voluntary action. 
Potential outcomes would vary by the issue discussed, but could include 
voluntary policy guidelines, procedures, or best practices. In the 
digital ecosystem, the rapid pace of innovation often outstrips the 
ability of regulators to effectively administer key policy questions. 
Open, voluntary, and consensus-driven processes can work to safeguard 
the interests of all stakeholders while still allowing the digital 
economy to thrive.
    The focus of these processes is to address discrete security 
challenges in the digital ecosystem where collaborative voluntary 
action between diverse actors can substantially improve security for 
everyone. Each process will engage a wide range of participants to 
ensure that the outcomes reflect the consensus of the relevant 
community, and are fair, voluntary, and stakeholder-driven.
    These processes will be designed to complement, rather than 
duplicate existing initiatives, both inside and outside the government. 
They will be coordinated by the IPTF, under the leadership of the 
National Telecommunications and Information Administration (NTIA). 
Under its statutory authority, NTIA undertakes Internet policy 
initiatives that serve to protect, promote and reinforce an open, 
innovative Internet ecosystem and digital economy, and is the executive 
branch lead for promoting the multistakeholder approach to Internet 
policymaking.\9\ In partnership with its IPTF partners, NTIA has 
addressed other key challenges in Internet policy through 
multistakeholder processes, including an ongoing set of initiatives 
around privacy and digital copyright.\10\ These proposed cybersecurity 
processes will be coordinated with standards and technology work 
underway within the Department of Commerce focused on cybersecurity, 
including the Cybersecurity Framework, the National Cybersecurity 
Center of Excellence, and the National Strategy for Trusted Identities 
in Cyberspace.\11\ Through the comprehensive scope of all these 
efforts, the Department of Commerce seeks to foster innovation and to 
better secure the ecosystem to ensure that businesses, organizations 
and individuals can expand their trust, investment and engagement in 
the digital economy, while also reinforcing the voluntary, 
multistakeholder approach to Internet policymaking.
---------------------------------------------------------------------------

    \9\ See 47 U.S.C. 901(c) (describing NTIA's policy roles, 
including ``[p]romoting the benefits of technological development in 
the United States for all users of telecommunications and 
information facilities;'' ``[f]ostering national safety and 
security, economic prosperity, and the delivery of critical social 
services through telecommunications;'' and ``[f]acilitating and 
contributing to the full development of competition, efficiency, and 
the free flow of commerce in domestic and international 
telecommunications.'')
    \10\ More information about the IPTF's work on privacy and 
copyright initiatives, including multiple Requests for Comment, are 
available at: http://www.ntia.doc.gov/category/internet-policy-task-force.
    \11\ More information about the Cybersecurity Framework is 
available at: http://www.nist.gov/cyberframework; the National 
Cybersecurity Center of Excellence at: http://nccoe.nist.gov; and 
the National Strategy for Trusted Identities in Cyberspace at: 
http://www.nist.gov/nstic.
---------------------------------------------------------------------------

    Request for Comment: IPTF plans to facilitate a series of 
discussions around key cybersecurity challenges that may be addressed 
through a better shared understanding of the nature of the problem, and 
where multistakeholder discussion can be a catalyst for self-
coordination of cybersecurity activities. Outcomes would depend on the 
issues discussed, but may involve combinations of principles, 
practices, and the voluntary application of policies and existing 
standards. Initially, IPTF seeks to conduct a cybersecurity 
multistakeholder process focused on a definable area where consumers 
and organizations will achieve the greatest benefit and consensus in a 
reasonable timeframe. While IPTF will avoid duplicating existing work, 
areas where stakeholders have identified the problem or begun to seek 
consensus around specific practices could provide a useful starting 
point.
    To identify potential cybersecurity topics that would benefit from 
a multistakeholder process, IPTF seeks comment from stakeholders on the 
following questions:
    1. What security challenges could be best addressed by bringing 
together the relevant participants in an open, neutral forum to explore 
coordinated, voluntary action through principles, practices, and 
guidelines? For each issue, also provide comment on:
    i. Why this topic is a good fit for a multistakeholder process, and 
whether stakeholders might reasonably be expected to come to some 
consensus;
    ii. Why such a process would benefit the digital ecosystem as a 
whole;
    iii. How long a facilitated, participant-led process on this topic 
should take to come to consensus;
    iv. What form an actionable outcome might take; and
    v. What pre-existing organizations and work already exist on the 
topic.
    2. Please comment on which of the following topics could result in 
actionable, collective progress by stakeholders in a multistakeholder 
setting. For each issue, also provide comment on:
    i. Why or why not this topic is a good fit for a multistakeholder 
process, and whether stakeholders might reasonably be expected to come 
to some consensus;

[[Page 14362]]

    ii. Why such a process would benefit the digital ecosystem as a 
whole;
    iii. How long a facilitated, participant-led process on this topic 
should take to come to consensus;
    iv. What form an actionable outcome might take; and
    v. What pre-existing organizations and work already exist on the 
topic.

Network and Infrastructure Security

    (a) Botnet Mitigation. Disrupting botnets requires coordinated 
action and transparency between ISPs, vendors, consumers, and the 
public sector, such as previous efforts of the voluntary public-private 
partnership between the U.S. Office of the Cybersecurity Coordinator 
and the U.S. Departments of Commerce and Homeland Security related to 
ISP codes of conduct.\12\ What additional collective steps can be taken 
to support efforts to create awareness and manage the effects of 
botnets?
---------------------------------------------------------------------------

    \12\ U.S. Department of Commerce, Press Release, White House 
Announces Public-Private Partnership Initiatives to Combat Botnets 
(May 30, 2012), available at: http://www.commerce.gov/news/press-releases/2012/05/30/white-house-announces-public-private-partnership-initiatives-combat-b.
---------------------------------------------------------------------------

    (b) Trust and Security in Core Internet Infrastructure: Naming, 
Routing, and Public Key Infrastructure. Key aspects of the Internet's 
core infrastructure were designed and deployed without explicit 
security mechanisms (e.g., the Domain Name System (DNS) and Border 
Gateway Protocol (BGP)) and new threats have been discovered in the 
Internet's Public-Key Infrastructure (i.e., PKIX). Technical solutions 
have been developed for many of these issues (e.g., DNSSEC, BGPSec and 
RPKI, DANE and certificate transparency) but uptake has been slow. What 
collective action can be taken to promote the voluntary adoption and 
diffusion of existing technical solutions to make the infrastructure 
more trustworthy?
    (c) Domain Name System (DNS), Border Gateway Protocol (BGP), and 
Transport Layer Security (TLS) Certificates. Key aspects of the 
Internet infrastructure have long been known to be vulnerable. While 
technical solutions exist for security vulnerabilities in routing, the 
domain name system and TLS certificates, uptake has been slow or is 
just beginning. What collective action can be taken to promote the 
voluntary adoption and diffusion of technical solutions, such as DNS 
Security (DNSSEC), to make the infrastructure more trustworthy?
    (d) Open Source Assurance. Many organizations depend on open source 
projects for a wide range of purposes across the digital economy. How 
can stakeholders better support improving the security of open source 
projects, and the distribution of patches?
    (e) Malware Mitigation. Disrupting and mitigating malware and 
malware networks can sometimes adversely impact consumers and 
stakeholders who may be inadvertently caught-up in the incident. How 
can existing models of mitigation and disruption better incorporate the 
needs and concerns of all relevant stakeholders?

Web Security and Consumer Trust

    (f) Web Security. Many consumers assume that their connections with 
Web sites are secure, and that the Web sites themselves are secure, 
when there is little guarantee that safeguards are in place. What 
actions can improve web security and trust for consumers, including 
transport layer (Transport Layer Security, or TLS, often referred to as 
Secure Sockets Layer, or SSL) and web application security, potentially 
building on the success of existing stakeholder initiatives? \13\
---------------------------------------------------------------------------

    \13\ See, e.g., Open Web Application Security Project (OWASP), 
Top 10 List (``represent[ing] a broad consensus about the most 
critical web application security flaws''), available at: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project.
---------------------------------------------------------------------------

    (g) Malvertising. Several popular Web sites have inadvertently 
spread malware through ``malvertising,'' when malicious code is served 
from legitimate advertising networks. How can diverse stakeholders work 
together to limit this risk?
    (h) Trusted Downloads. Internet users often download content and 
applications online without clear assurance of the security of the 
site. Are there best practices and existing standards that providers of 
online applications and downloadable tools can adopt to ensure consumer 
protection without impacting innovation or business models?
    (i) Cybersecurity and the Internet of Things. As the Internet of 
Things matures and more systems integrate information technologies (IT) 
and operational technologies (OT), cybersecurity is enmeshed in a 
broader risk context that includes safety, reliability, and 
resilience.\14\ How can we foster the emergence of voluntary policy 
frameworks, informed by market dynamics, that enable Internet of Things 
innovation while addressing the full spectrum of risks associated with 
cyber-physical systems?
---------------------------------------------------------------------------

    \14\ See, e.g., NIST Cyber-Physical Systems Homepage, available 
at: http://www.nist.gov/cps; see also, FTC Staff, Internet of 
Things: Privacy & Security in a Connected World (January 2015), 
available at: http://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf.
---------------------------------------------------------------------------

    (j) Privacy. As noted in the Cybersecurity Framework, privacy and 
civil liberties implications may arise when personal information is 
used, collected, processed, maintained, or disclosed in connection with 
an organization's cybersecurity activities. How can risks to privacy or 
civil liberties arising from the application of cybersecurity measures 
or best practices be addressed in this process(es)?

Business Processes and Enabling Markets

    (k) Managed Security Services: Requirements and Adoption. Managed 
security services (MSS) allow many firms, particularly small- and 
medium-sized businesses, to secure themselves without acquiring 
expensive in-house expertise, yet there are obstacles preventing 
seamless market cooperation and accountability between clients and 
vendors. How can a common understanding of security needs by 
stakeholders enable faster and more efficient adoption to improve 
security without sacrificing accountability?
    (l) Vulnerability Disclosure. The security of the digital economy 
depends on a productive relationship between security vendors and 
researchers of all types who discover vulnerabilities in existing 
technology and systems, and the providers, owners, and operators of 
those systems. How can stakeholders build on existing work in this 
space to responsibly manage the vulnerability disclosure process 
without putting consumers at risk in the short run? \15\
---------------------------------------------------------------------------

    \15\ See, e.g., Vulnerability Disclosure Overview, ISO Standard 
29147 (2014), available at: http://www.iso.org/iso/catalogue_detail.htm?csnumber=45170.
---------------------------------------------------------------------------

    (m) Security Investment and Metrics. Market solutions for security 
require good information. What types of robust, practical, and 
actionable metrics can be used within organizations to understand 
security investment, and by consumers and clients to understand 
security practices and promote market demand for security?
    This list is not exhaustive. The IPTF welcomes comments on any of 
these topics, as well as descriptions of other topics that the IPTF and 
stakeholders should consider for the cybersecurity multistakeholder 
process. Note that comments are directly sought on which topics to 
address through the process, rather than the best solution to any given 
question.
    3. Please comment on what factors should be considered in selecting 
the issues for multistakeholder processes.

[[Page 14363]]

    IPTF also plans to draw on the Green Paper and earlier responses to 
past Requests for Public Comment; past respondents are invited to 
provide additional and updated viewpoints on IPTF efforts since those 
comments were provided.
    Implementing the Multistakeholder Process: Commenters also may wish 
to provide their views on how stakeholder discussions of the proposed 
issue(s) should be structured to ensure openness, transparency, and 
consensus-building. Analogies to other Internet-related 
multistakeholder processes, whether they are concerned with policy or 
technical issues, could be especially valuable.
    4. Please comment on the best structure and mechanics for the 
process(es). If different security issues will require different 
process structures, please offer guidance on how to best design an 
appropriate process for the issue selected.
    5. How can the IPTF promote participation from a broad range of 
stakeholders, i.e., from industry, civil society, academia, and 
international partners? In particular, how can we promote engagement 
from small and medium-sized enterprises (SME) that play key roles in 
the digital ecosystem? How critical is location for meetings, and what 
factors should be considered in determining where to host meetings?
    6. What procedures and technologies can promote transparency of 
process, including promoting discussion between stakeholders and 
ensuring those outside the process can understand the decisions made?
    7. What types of consensus outcomes can promote real security 
benefits without further adding to a compliance-oriented model of 
security?
    8. Would certain cybersecurity issues be better served by a single 
workshop or other event to raise awareness and promote independent 
action, rather than a longer multistakeholder, consensus-building 
process?
    9. How should evaluation of the processes be conducted to assess 
results and to ensure that recommendations and outcomes of the process 
remain actionable and current?
    Response to this Request for Public Comment is voluntary. 
Commenters are free to address any or all of the issues identified 
above, as well as provide information on other topics that they think 
are relevant to promoting voluntary coordinated action to address 
cybersecurity risks through an open, transparent, voluntary, consensus-
based process. Please note that the Government will not pay for 
response preparation or for the use of any information contained in the 
response.

    Authority: 47 U.S.C. 901(c).

    Dated: March 16, 2015.
Angela Simpson,
Deputy Assistant Secretary for Communications and Information.
[FR Doc. 2015-06344 Filed 3-18-15; 8:45 am]
 BILLING CODE 3510-60-P