White House Releases Framework Meant to Reduce Cyberattacks

Wired Campus 2014-02-13

The White House released on Wednesday a framework of best practices in cybersecurity designed to help businesses and organizations protect critical infrastructure and intellectual property.

While the education-technology consortium Educause maintains a cybersecurity guide that dates back a decade, the new framework could still prove useful in higher education, where chief information and chief security officers cite cybersecurity attacks as a growing problem. During the last year, many colleges, including Stanford University, have acknowledged network breaches.

“It is going to be very useful to colleges and universities of all sizes and types, both to reassess what they have done in the past and where they are going in the future,” said Rodney J. Petersen, senior policy adviser for SecuriCORE at Indiana University. “Or certainly if they are starting from scratch, this is a good framework to consider.”

The new framework includes a tiered approach by which organizations can assess the rigor of their risk-management practices and how they align with organizational priorities, Mr. Petersen said, similar to what’s known as an information-security maturity model.

President Obama called for the development of the framework in a 2013 executive order that was issued in response to the growing number of cybersecurity attacks on government, corporations, and institutions such as research universities. The National Institute of Standards and Technology, a division of the Commerce Department, spent a year developing the guidelines, which are voluntary.

In a telephone conference with reporters, senior administration officials described the guidelines as an early step in building a robust public-private response to cybersecurity threats.

“Because the majority of our national critical infrastructure is owned and operated by private companies, both the government and the private sector have a shared responsibility to reduce the risks to that critical infrastructure,” Suzanne Spaulding, acting under secretary for the national protection and programs directorate in the Homeland Security Department, said during the call.

Still, the new guidelines might give some college officials and corporate executives pause, Mr. Petersen said. Even though the framework isn’t legally binding, many organizations have voiced concern that it could over time create a legal standard that courts could hold organizations to, he said.

“There is a concern that, as institutions try to adopt this, they could be exposing themselves to additional liability,” Mr. Petersen said. “Some campus legal counsel might be reluctant to say they embraced the standard if in fact it is going to add to their liability.”