The White House has backed away from its push for mandatory cybersecurity standards in favor of an approach that would combine voluntary measures with incentives for companies to comply with them.
That approach reflects recognition of the political reality of a divided Congress, which makes mandated standards difficult to push through, and a belief that an executive order President Obama signed in February could improve companies’ cybersecurity.
“This is a huge focus for my office right now — driving forward and staying on track with the executive order,” White House cybersecurity coordinator Michael Daniel said in an interview this week.
Obama issued the order after a failed effort to pass legislation to ensure that critical private-sector computer systems met security standards. The bill died last year in the face of stiff opposition from industry, in particular the Chamber of Commerce.
The order directed the Commerce Department’s National Institute of Standards and Technology (NIST) to lead a process in which critical industry sectors and the government jointly develop a set of standards to enhance companies’ cybersecurity.
“The most important thing right now is making that framework truly industry-led, truly a collaborative product and truly something that is useful to companies,” Daniel said.
A preliminary framework is due in October, and a final version next February.
The White House’s focus now “is more about having discussions with Congress about the right incentives we could put in place to encourage the adoption of the framework,” a senior administration official said. A range of possibilities exist, including tax breaks and immunity from lawsuits for failing to protect systems.
The administration still wants cyber legislation, the official said, but that means creating incentives to meet voluntary standards, revised procedures for government cybersecurity and the removal of barriers to the sharing of cyberthreat data between industry and government.
The sharing of cyberthreat data is controversial because of concerns that doing so with noncivilian government agencies would risk a violation of privacy rights. The White House has threatened to veto a House data-sharing bill if its privacy protections are not strengthened. But the official said that threat does not mean the administration is averse to information sharing or working with the GOP-led House. “That’s a misinterpretation of the veto threat,” he said.
The official said he believes Congress can pass a bill that Obama will sign. “I do actually see an opportunity here to get acceptable legislation,” he said.
Backing off the mandate, said Eric Chapman, associate director of the University of Maryland’s Cybersecurity Center, is a recognition of the “political realities that mandatory standards face on Capitol Hill: unlikely and unrealistic. Voluntary is politically more feasible, period.”
Jacob Olcott, a cyber-policy expert at Good Harbor Consulting, said he believes there will be advocates for mandating standards by particular sectors such as energy and telecommunications. But he concedes that the White House-backed legislative proposal that envisioned the Department of Homeland Security “as uber-regulator” is dead.