A U.S. bureau on Tuesday unveiled a draft of voluntary standards that companies can adopt to boost cybersecurity – part of an attempt to protect critical industries without setting restrictive and costly regulations.
The National Institute of Standards and Technology (NIST), a non-regulatory agency that is part of the Department of Commerce, issued the so-called framework following input from some 3,000 industry and academic experts.
Cybersecurity experts warn that relentless efforts to hack into U.S. banks and financial institutions, the power grid and other critical infrastructure, paired with instances of disruptive attacks abroad, pose a national security threat.
President Barack Obama directed NIST to compile voluntary minimum standards in a February executive order aimed at countering the lack of progress on cybersecurity legislation in Congress.
Action on bills this year is stalled after the disclosures of vast online U.S. government spying programs.
The draft offers guidance on how companies could identify and protect network assets and detect, respond to and recover from breaches.
Steps might include keeping inventories of software platforms and applications they use, ensuring that top executives know roles and responsibilities, and setting information security policies.
The document also expands on how the companies could do all that while protecting privacy and civil liberties.
“Ultimately what we want to do is we want to turn today’s best practices into common and expected practices,” NIST Director Patrick Gallagher told reporters, calling the framework “a living document” that is expected to be flexible.
Many in the private sector have expressed fears that the voluntary framework will inevitably turn into a set of requirements or create new liabilities.
Another concern is that companies have little incentive to adopt the framework – something being reviewed by the Departments of Homeland Security, Commerce and Treasury.
“This is really just a stepping stone … . The meat of all of this still remains in the incentives program,” said Melanie Teplinsky, who teaches law at American University and serves as an adviser to cybersecurity firm CrowdStrike. “Even if this is perfect, who’s going to adopt this and why?”
Some trade groups and industry analysts say the framework appears vague and complex, and experts warn that may become a hurdle to adoption.
“I understand their problem, they’re trying to write something that any industry can apply. As soon as you do that, you’re going to get to a very big level of abstraction,” said Stewart Baker, a former Department of Homeland Security assistant secretary and now lawyer at Steptoe & Johnson.
“Much of the document is very procedural,” he said. “I fear that it won’t measurably improve cybersecurity without making it more expensive for everybody.”
Gallagher said the “relative simplicity” of the document should not be construed as lack of specifics or impracticality.
“It’s still too soon to tell if the framework will achieve the challenging goal set by the executive order,” said Norma Krayem, a senior policy advisor at law firm Patton Boggs.
“At the same time, if there are sectors or companies that have not fully engaged in this process with the administration, they need to do so very quickly. The Congress and others are waiting to see how this process goes, but they may not wait forever.”
(Reporting by Alina Selyukh; Editing by Ros Krasny and Xavier Briand)