Cybersecurity still in slow lane

[Photo caption: Minimal progress has been made on preventing cyberattacks. | AP Photos]

Nearly a year after President Barack Obama issued an executive order to improve the cybersecurity of the nation’s vital assets, the administration doesn’t have much to show: The government is about to produce only some basic standards, with little incentive for the private sector to participate.

The program’s early weaknesses are a sign that — even as high-profile breaches at Target and other retailers compromise the data of millions of consumers — the White House and Congress have made minimal progress on the potentially more serious issue of protecting power plants, oil pipelines and major banks from a crippling cyberattack.


The administration’s blueprint for such “critical infrastructure,” due this month, is shaping up to be a simple checklist, mirroring well-established industry norms. The standards are entirely voluntary and, so far at least, the White House and Congress haven’t come up with much-needed perks — like tax breaks or federal contracting advantages — that could spur companies to take part.


Top White House officials are already hitting the road to pitch the plan to the country’s business leaders — but in Washington, there’s broad agreement that much more work needs to be done.

“Either Congress will have to really put some muscle behind it, or the regulators … will have to pick up the baton,” said Michael Chertoff, former Homeland Security secretary under President George W. Bush and now a cybersecurity consultant with The Chertoff Group. “I wouldn’t say we’re at the end of the journey.”

Obama issued his executive order last year after two failed efforts by Congress to boost cybersecurity of key assets like electrical grids and chemical factories. Officials fear such systems — the majority of which are owned or operated by the private sector — are increasingly vulnerable to hackers who could cause large-scale disruptions or economic losses.

Without legislation, though, the president could only create a program for voluntary industry standards, and Obama directed his administration to develop them and find ways to encourage their adoption.


The National Institute of Standards and Technology — part of the Commerce Department — has been working on the “framework,” and it’s due to release a final version in the coming weeks. Early drafts, however, consist mainly of widely accepted practices, such as patching computers against viruses and creating secure logins for employees. Practically all of the principles ring familiar to the country’s biggest businesses.

Still, as the first-year anniversary of Obama’s executive order approaches, administration officials are turning up at conferences, holding workshops and meeting with corporate leaders, hoping to sell companies large and small on the need to invest in their cyber defenses.

“The administration gets cybersecurity,” said Phyllis Schneck, a top official at the Department of Homeland Security, during a speech at a recent government-backed conference in Baltimore. “All we want is to roll out a plan that helps our country … get more secure.”

For now, a senior administration official told POLITICO it’s too early to judge its cybersecurity standards, saying it’s only just getting to “Version 1.0.”


“We’re trying to do something that’s not a normal government program,” the official said, adding that the goal is for the program to develop naturally “in whatever direction government and industry need it to grow.”

And there’s certainly plenty of room for growth.

For one thing, the administration hasn’t provided much detail on a key component of the program — incentives for companies to adopt new cybersecurity standards. Officials for months have been exploring different kinds of carrots, from tax breaks to priority technical assistance, but the White House has yet to announce any.

Some of the perks that are most desirable to industry, like giving participating companies protection from lawsuits after a cyberattack, are benefits that only Congress can confer. But lawmakers have struggled to pass such legislation — and they’re showing no signs of taking action now. Members are divided over how much legal immunity to give companies, and the fallout from Edward Snowden’s surveillance leaks has chilled practically any conversation involving national security on Capitol Hill.

“If there are going to be incentives, they’re going to have to come from the Hill,” said Sam Visner, who leads global cyber strategy work for CSC, a major IT company based in Virginia. But, he added, he’s skeptical there “would be some kind of breakthrough this year” on cybersecurity legislation that tackles many of the unresolved issues.

The administration does have other means of pushing its cybersecurity standards. Under Obama’s executive order, individual federal agencies are tasked with evaluating, over the next year, existing cyber rules for their industries — and turning some of the new voluntary standards into regulation, if needed. Lawsuits could also drive adoption, if companies fear their lack of adherence to government-approved standards could be used against them in court in the event of a cyberattack. Others aren’t sure a basic set of best practices requires any incentives at all.

“In my opinion, the way you get people to invest more [in cybersecurity] is to have them, unfortunately, experience a severe crisis,” said Richard Bejtlich, chief security strategist with FireEye. That’s usually when companies “find some money,” he said.

In the meantime, it’s unclear how the administration plans to measure its progress.

At a two-day cybersecurity workshop in January, DHS indicated it plans to launch a website that allows companies to compare their current cyber practices with the government’s framework, according to two sources present at the meeting.

But the agency left the impression it’s not planning to monitor who adopts the standards or give participants any kind of “seal of approval,” the sources said. While Obama didn’t require that in his executive order, and DHS may not have authority to do it under current law, the lack of follow-up could make it hard to determine which companies are buying into the program — or whether the standards are having any effect.

The program’s limitations go back to the congressional debate of 2012, when Republicans and business groups fiercely opposed increasing the powers of DHS in cybersecurity. Today, there likely isn’t “a lot of appetite” for adding to the agency’s authority, Visner said.

That’s why, for now, it’s all about the sale.

The “real key” to cybersecurity is “going to be collaboration and cooperation” between government and industry, Chuck Romine, director of NIST’s Information Technology Laboratory, told the crowd in Baltimore.

Other top White House and agency officials plan to take a similar message around the country — including to the RSA cybersecurity conference in San Francisco later this month. And Schneck pledged to work sector by sector, helping companies figure out how to tailor the standards to their own industry’s needs.

That outreach is important, said Mike Brown, vice president and general manager of RSA. He added: “The proof of the pudding will be in the coming years, whether or not adoption occurs, and how that impacts not just security” but “awareness” of the cyberthreat.