You can now read 10 articles a month for free. Read as much as you want anywhere and anytime for just 99¢.

White House eases stance on corporate cybersecurity

WASHINGTON — The White House has backed away from its push for mandatory cyber­security standards in favor of an approach that would combine voluntary measures with incentives for companies to comply with them.

That approach reflects recognition of the political reality of a divided Congress that makes mandated standards difficult to push through, and a belief that an executive order President Obama signed in February could improve companies’ cybersecurity.

Continue reading below

‘‘This is a huge focus for my office right now — driving forward and staying on track with the executive order,’’ White House cybersecurity coordinator Michael Daniel said in an interview this week.

Obama issued the order after a failed effort to pass legislation to ensure that computer systems in critical private-sector operations met security standards. The bill died last year in the face of stiff opposition from industry, in particular the Chamber of Commerce.

The order directed the Commerce Department’s National Institute of Standards and Technology to lead a process in which critical industry sectors and the government jointly develop a set of standards to enhance the companies’ cyber­security.

‘‘The most important thing right now is making that framework truly industry-led, truly a collaborative product, and truly something that is useful to companies,’’ Daniel said.

A preliminary framework is due in October, and a final version next February.

The White House’s focus now ‘‘is more about having discussions with Congress about the right incentives we could put in place to encourage the adoption of the framework,’’ a senior administration official said.

A range of possibilities exist, including tax breaks and immunity from lawsuits for failing to protect systems.

The administration still wants cyber legislation, the official said, but that means creating incentives to meet voluntary standards, revised procedures for government cybersecurity, and the removal of barriers to the sharing of information about threats by industry and government.

The sharing of cyber-threat data is controversial because of concerns that doing so with noncivilian government agencies would risk a violation of privacy rights. The White House has threatened to veto a House data-sharing bill if its privacy protections are not strengthened. But the official said that threat does not mean the administration is averse to information sharing or working with the GOP-led House. ‘‘That’s a misinterpretation of the veto threat,’’ he said.

The official said he believes the Congress can pass a bill that Obama will sign. ‘‘I do actually see an opportunity here to get acceptable legislation,’’ he said.

Backing off the mandate, said Eric Chapman, associate director of the University of Maryland’s Cybersecurity Center, is a recognition of the ‘‘political realities that mandatory standards face on Capitol Hill: unlikely and unrealistic. Voluntary is politically more feasible, period.’’

Jacob Olcott, a cyber policy specialist at Good Harbor Consulting, said he still believes there will be advocates for mandating standards in particular sectors, such as energy or telecommunications. But he concedes that the White House-backed legislative proposal that envisioned the Department of Homeland Security ‘‘as uber-regulator’’ is dead.

Loading comments...

You have reached the limit of 10 free articles in a month

Stay informed with unlimited access to Boston’s trusted news source.

  • High-quality journalism from the region’s largest newsroom
  • Convenient access across all of your devices
  • Today’s Headlines daily newsletter
  • Subscriber-only access to exclusive offers, events, contests, eBooks, and more
  • Less than 25¢ a week