Hackers could derail trains, shutdown power grids, cause planes to collide, or ruin the water supply, officials warned in congressional testimony, public speeches, and op-eds.
In 2012, the White House lobbied Congress to pass legislation requiring critical infrastructure operators, such as telecom companies, banks, and electric utilities, to meet government cybersecurity standards. But Republicans argued that mandatory regulations would burden companies and do little to combat the constantly evolving threat of cyberattacks.
Democrats scaled back their legislation so that businesses would be pressured — but not forced — to follow the cybersecurity standards. But Republicans still objected and successfully filibustered the Cybersecurity Act, which was authored by independent Sen. Joe Lieberman and Republican Sen. Susan Collins and backed by most Democrats.
Following the defeat of the bill, Obama signed an executive order instructing the National Institute of Standards and Technology, a Commerce Department agency, to work with the private sector to develop voluntary cybersecurity guidelines for critical infrastructure.
The framework is a set of broad strategies to help companies defend their systems and contains few specific recommendations. The document is divided into five cybersecurity actions: identify, protect, detect, respond, and recover.
Businesses are urged to take steps such as training their employees, cataloging the software they use, managing remote access to their systems, and backing up their data. In the event of an attack, they should identify the malicious computer code, share information with other groups, assess the damage, and restore their systems.
The standards are largely based on existing industry best-practices, and officials said they plan to keep them up-to-date as threats and security measures evolve.
The standards can apply to retailers like Target, which suffered a massive data breach that compromised millions of credit card numbers late last year.
Although the guidelines are voluntary, the White House is urging regulatory agencies to update their existing regulations to match the framework. So the Federal Communications Commission, which already has broad power over telecom companies, may revise certain regulations to more closely align with the guidelines.
The Homeland Security Department will also develop a program to try to incentivize companies to follow the rules. Phyllis Schneck, DHS deputy undersecretary for cybersecurity, said Monday morning during an event at the Center for National Policy that cybersecurity insurance may be available to companies that follow the guidelines but are breached anyway.
Adam Segal, a cybersecurity fellow at the Council on Foreign Relations, said the framework isn't a replacement for legislation.