Collectively, we believe multi-stakeholder efforts must be open and transparent, and must develop consensus by providing an equitable and fair opportunity for interested parties to participate. Processes need to be established to help keep discussions, priorities and scope from being dominated by special interests and dominant market players. We believe a facilitator-led process will effectively drive the formation of best practices to allow us to improve the security, stability and resiliency of the Internet. It is important to note that, as the stakeholders are typically geographically diverse, meetings need to accommodate those in different time zones and promote remote participation. In addition, the cost, benefits and incentives for cyber security must also be addressed and considered when developing best practices and any self-regulatory models.
Where possible, NTIA should leverage related efforts, including those driven by the National Institute of Standards and Technology (NIST), the FCC CSRIC, the Federal Trade Commission and the Department of Homeland Security. It is important to recognize that some of the practices and controls outlined in these efforts, while applicable to critical infrastructure, may not be applicable or cost effective for the broader group of stakeholders. Conversely, some of the specific areas listed in the RFC, such as malvertising, may not have been a top priority for the NIST framework or for ISPs with the FCC’s CSRIC, yet may be better suited for a broader multi-stakeholder effort as proposed by NTIA.