Obama’s big plan to protect businesses from cyberattack


It's been a long time coming, and some experts say it isn't enough. But the White House has now put the finishing touches on a set of security guidelines meant to help businesses defend themselves from hackers and cyberattacks.

Senior administration officials call the framework for cybersecurity "a major milestone achievement," one year after President Obama issued an executive order on defending the nation's railroads, energy grid and other critical infrastructure from an online assault. To that end, the new guidelines offer suggestions for how businesses can protect their systems.

The suggestions are also aimed at companies that handle sensitive consumer data, such as retailers. High-profile data breaches at Target and Neiman Marcus in recent months have refocused attention on corporate IT security practices.

Adoption of the standards will be voluntary, and officials stressed their intent was not to impose new regulations on businesses. Instead, the cybersecurity framework suggests ways companies can identify threats, protect themselves against them, detect intrusions when they occur, respond to those breaches and recover in the aftermath.

"From today on, we'll have a new shared vocabulary about cybersecurity ... to set baselines and make improvements," a senior administration official said Wednesday.

The suggestions focus on existing industry best practices written by the National Institute of Standards and Technology (NIST), the agency responsible for drafting the framework in consultation with industry groups and privacy advocates.

Industry watchers have praised the administration's inclusive approach. But questions remain about how strong the framework's protections are, whether they'll be adopted widely and how much they can accomplish when some of the private sector's key unfulfilled demands still depend on an act of Congress.

Last week, House lawmakers on the Homeland Security Committee approved a bill to address some of those issues, including beefing up liability protections for companies that comply with security standards.

In a statement, President Obama said the framework was an example of the way government and the private sector could collaborate on cybersecurity. But, he added, "our critical infrastructure continues to be at risk from threats in cyberspace, and our economy is harmed by the theft of our intellectual property." Obama urged Congress to move more swiftly on cybersecurity legislation.

Privacy groups took aim at the document, which in previous drafts had included a separate appendix laying out how businesses could share information about threats without endangering civil liberties. Wednesday's final draft, however, eliminated the privacy appendix in favor of folding its ideas into parts of the broader document. Senior officials said the privacy language did not receive sufficient support among the participating groups to survive as a standalone section.

"We would have preferred a framework that requires more measurable privacy protections as opposed to the privacy processes that were recommended," said Greg Nojeim of the Washington-based nonprofit Center for Democracy and Technology.

Beyond the privacy controls, it remains unclear how — or if — the framework will be received by corporations. Some analysts believe that the framework establishes the bare minimum, such that many businesses can already say they satisfy the document's recommendations.

"It's about as regulatory as a phone book," said James Lewis, a cybersecurity scholar at the Center for Strategic and International Studies.

The government also has no way of determining the number of businesses that adopt the framework, though a separate program by the Department of Homeland Security will establish a public-private partnership that companies can voluntarily join. That program, known as the Critical Infrastructure Cyber Community, will facilitate collaboration on cybersecurity, officials said.

Brian Fung covers technology for The Washington Post, focusing on telecommunications and the Internet. Before joining the Post, he was the technology correspondent for National Journal and an associate editor at the Atlantic.


