Administration releases preliminary cybersecurity standards

The Obama administration released a highly-anticipated set of cybersecurity standards for private industry on Tuesday.

The preliminary rules are intended to help critical infrastructure operators, such as power plants and telecommunications companies, better protect their systems from hackers. The president directed the National Institute of Standards and Technology, a Commerce Department agency, to come up with the standards as part of his executive order from February. 

NIST will now accept public comments for 45 days and plans to finalize the framework in February.


Patrick Gallagher, the director of NIST, emphasized that the rules are voluntary and were based on input from industry groups.

"This had to be a product of industry," Gallagher said on a conference call with reporters. 

The framework divides its recommendations into five categories: helping companies to identify, protect, detect, respond and recover from cyber attacks.

The document urges companies to provide proper training to their employees, protect against data leaks, control access to systems and manage backed-up information, among other steps. 

The framework includes a lengthy appendix devoted to protecting privacy and civil liberties—an emphasis of the executive order. Companies are urged to minimize the use and disclosure of personal information of their employees and customers. 

President Obama issued the executive order after Congress failed to pass his preferred cybersecurity bill last year. 

Republicans argued that his approach would have imposed burdensome regulations on critical infrastructure companies, but Democrats worry that without mandatory regulations—or at least strong incentives—vital computer systems will be vulnerable to attack.

They worry that hackers could disrupt a bank, shutdown a power grid or cause trains to collide. 

Gallagher acknowledged Tuesday that NIST has no power to force companies to comply with the cybersecurity standards. But he argued that in many cases, it will be in a company's interest to follow the guidelines. 

"We believe cybersecurity is good business, and we hope that this new framework will be a flexible tool that companies will voluntarily use because it both improves their cybersecurity and improves their bottom line," Gallagher said. 

He said Congress has a "role to play," but that the framework can still be useful even without congressional action.