Skip Navigation

Close and don't show again.

Your browser is out of date.

You may not get the full experience here on National Journal.

Please upgrade your browser to any of the following supported browsers:

This Is How Obama Wants Companies to Protect Themselves From Cyberattacks This Is How Obama Wants Companies to Protect Themselves From Cyberatta...

This ad will end in seconds
Close X

Want access to this content? Learn More »

Forget Your Password?

Don't have an account? Register »

Reveal Navigation


This Is How Obama Wants Companies to Protect Themselves From Cyberattacks

A first glimpse of the voluntary standards that will take effect in October.



Even as the saga of Edward Snowden continues, the threat to U.S. systems posed by foreign hackers hasn't abated. Private- and public-sector officials have been working quietly behind the scenes to craft a set of guidelines to address the danger, but so far there's been no product to speak of.

Until now. The National Institute of Standards and Technology on Wednesday released a draft of its new cybersecurity playbook that teaches businesses how to defend themselves from hackers. This is the first time we've had a chance to assess President Obama's efforts at crafting a national cybersecurity policy since he signed an executive order on the issue in February. 


The draft guide presents companies with a rubric of sorts to score themselves. Companies will be asked to evaluate their security along five "functions": know, prevent,  detect, respond, and recover. Think of each function as a layer of defense—you can't prevent attacks, for instance, until you know what assets you've got and what your vulnerabilities are. And you can't effectively respond to a cyberattack unless you have the capability to detect one.

Within each function is a set of concrete, actionable goals. "Prevent" recommends that businesses use training programs—without mandating what kind—designed to acclimate employees to threats such as phishing e-mails. Some companies do this sort of thing already; for more help, the goals themselves are broken down into pieces that existing NIST standards already address. That way, no new rules have to be written—the cybersecurity regime will wind up being mostly a fresh blend of old ideas that are already on the books.

The other key part of the system appears to be an executive-level rubric that singles out important people within a company responsible for its cybersecurity. It then gives a "good, better, best" table that looks like this:




It's important to remember that this is only a draft—huge swaths of the document remain blank. 

"We're using this as an opportunity to say to the private sector, 'Is this what you had in mind? Are we on track?' " said NIST spokesperson Jennifer Huergo. "We're really focused on putting the meat into this."

A complete draft—which the public will also have a chance to comment on before it's finalized—is expected to be unveiled this October. 

comments powered by Disqus