It's been a long time coming, and some experts say it isn't enough. But the White House has now put the finishing touches on a set of security guidelines meant to help businesses defend themselves from hackers and cyberattacks.
Senior administration officials call the framework for cybersecurity "a major milestone achievement," one year after President Obama issued an executive order on defending the nation's railroads, energy grid and other critical infrastructure from an online assault. To that end, the new guidelines offer suggestions for how businesses can protect their systems.
The suggestions are also aimed at companies that handle sensitive consumer data, such as retailers. High-profile data breaches at Target and Neiman Marcus in recent months have refocused attention on corporate IT security practices.
Adoption of the standards will be voluntary, and officials stressed their intent was not to impose new regulations on businesses. Instead, the cybersecurity framework suggests ways companies can identify threats, protect themselves against them, detect intrusions when they occur, respond to those breaches and recover in the aftermath.
"From today on, we'll have a new shared vocabulary about cybersecurity ... to set baselines and make improvements," a senior administration official said Wednesday.
The suggestions focus on existing industry best practices written by the National Institute of Standards and Technology (NIST), the agency responsible for drafting the framework in consultation with industry groups and privacy advocates.
Industry watchers have praised the administration's inclusive approach. But questions remain about how strong the framework's protections are, whether they'll be adopted widely and how much they can accomplish when some of the private sector's key unfulfilled demands still depend on an act of Congress.
Last week, House lawmakers on the Homeland Security Committee approved a bill to address some of those issues, including beefing up liability protections for companies that comply with security standards.
In a statement, President Obama said the framework was an example of the way government and the private sector could collaborate on cybersecurity. But, he added, "our critical infrastructure continues to be at risk from threats in cyberspace, and our economy is harmed by the theft of our intellectual property." Obama urged Congress to move more swiftly on cybersecurity legislation.
Privacy groups took aim at the document, which in previous drafts had included a separate appendix laying out how businesses could share information about threats without endangering civil liberties. Wednesday's final draft, however, eliminated the privacy appendix in favor of folding its ideas into parts of the broader document. Senior officials said the privacy language did not receive sufficient support among the participating groups to survive as a standalone section.
"We would have preferred a framework that requires more measurable privacy protections as opposed to the privacy processes that were recommended," said Greg Nojeim of the Washington-based nonprofit Center for Democracy and Technology.
Beyond the privacy controls, it remains unclear how — or if — the framework will be received by corporations. Some analysts believe that the framework establishes the bare minimum, such that many businesses can already say they satisfy the document's recommendations.
"It's about as regulatory as a phone book," said James Lewis, a cybersecurity scholar at the Center for Strategic and International Studies.
The government also has no way of determining the number of businesses that adopt the framework, though a separate program by the Department of Homeland Security will establish a public-private partnership that companies can voluntarily join. That program, known as the Critical Infrastructure Cyber Community, will facilitate collaboration on cybersecurity, officials said.