Cybersecurity guidelines for companies are unveiled by White House

President Obama says “much more work needs to be done to enhance our cybersecurity.”
(JIM WATSON, AFP/Getty Images)

WASHINGTON — The White House has released guidelines aimed at prodding companies that run some of the nation’s most essential services such as utilities, cellphone towers and banks to better protect themselves from cyberattacks.

Officials said the guidelines, developed under an executive order that President Obama signed a year ago, provide companies overseeing the nation’s crucial infrastructure with a blueprint for identifying potential threats, protecting themselves from cyberattacks and, if an attack occurs, recovering from it.

But the voluntary nature of the guidelines showed how sharply proponents of strong regulation have scaled back their ambitions — and even their language — in the face of industry opposition to government intervention.

The new initiative includes no system to formally track how companies are following the “framework for cybersecurity” or measure its effect. It relies largely on “enlightened self-interest” and market forces to convince companies to follow the government’s advice, not incentives or penalties.


In a statement, Obama warned that cyberthreats “pose one of the greatest national security dangers that the United States faces,” echoing the recent judgment of major U.S. intelligence agencies.

“While I believe today’s framework marks a turning point, it’s clear that much more work needs to be done to enhance our cybersecurity,” Obama said. “America’s economic prosperity, national security and our individual liberties depend on our commitment to securing cyberspace and maintaining an open, interoperable, secure and reliable Internet.”

In 2012, Obama supported a Senate bill that would have imposed stricter cybersecurity rules. The bill was defeated, as was a subsequent watered-down version to set up voluntary standards amid opposition from companies that feared back-door government regulation.

Companies have grown even more suspicious since last summer, when former National Security Agency contractor Edward Snowden began leaking details of secret NSA monitoring of the Internet.


The disclosures have increased skepticism of giving government agencies access to private data or networks even to stop cyberattacks.

Some security experts said companies might need additional incentives to adopt the guidelines. Most major incentives, such as tax breaks, would require action in Congress, and that’s unlikely.

“The framework doesn’t force companies that are naive about security, or just cheap about the necessary investments, to get smart and invest appropriately,” said Phil Lieberman, chief executive of Lieberman Software in Los Angeles and a cybersecurity industry veteran. “Generally fines and other penalties are about the only thing that gets companies to fix their security.”

The real effect may come in two years, when federal agencies must update their regulations to account for the guidelines, said James Lewis, a cybersecurity expert at the Center for Strategic and International Studies in Washington.

In that indirect way, the standards may be imposed on certain regulated industries, such as nuclear plants and electric utilities.

The cybersecurity framework was unveiled with a voluntary program that gives companies and local governments the opportunity to contact cybersecurity experts at the Department of Homeland Security for advice and help in responding to a cyberattack.

The guidelines were developed by the National Institute of Standards and Technology, part of the Commerce Department, along with input from industry.

The reaction was mixed Wednesday. Greg Nojeim, of the nonpartisan Center for Democracy and Technology, said the guidelines did too little to protect privacy and civil liberties.


“As the framework is implemented, we are hopeful that such privacy protections are further developed and become standardized,” Nojeim said in a statement.

Roger Thornton, chief technology officer of AlienVault Inc., a Silicon Valley cybersecurity company, said he was pleasantly surprised at both the scope and clarity of the recommendations.

“It’s a lot better than I would have expected,” Thornton said. “They talked about all the functionality a company should have. They’re not saying how they have to go about it. And that’s great.”

With the framework as a guide, Thornton said he’ll be able to educate businesses about what capabilities they need, and which of those his company can provide.

“If this gets mainstream, it will be really helpful for me to come back and say, ‘Here are all the things we can do for you,’” he said.

Venky Ganesan, a managing director at Menlo Ventures in Menlo Park, Calif., who focuses on cybersecurity investments, called the announcement a great start. But he said it’s too soon to know if it will work.

“The bad guys don’t stop because of a plan or a framework,” he said. “They stop when we have taken real actions.”


Hennessey reported from Washington and O’Brien reported from San Francisco. Times staff writer Ken Dilanian in Washington contributed to this report.