White House backs off mandatory cybersecurity standards for companies

The White House has backed away from its push for mandatory cybersecurity standards in favor of an approach that would combine voluntary measures with incentives for companies to comply with them. That approach reflects recognition of the political reality of a divided Congress, which makes mandated standards difficult to push through, and a belief that an executive order President Barack Obama signed in February could improve companies’ cybersecurity.

The White House’s focus now “is more about having discussions with Congress about the right incentives we could put in place to encourage the adoption of the framework,” a senior administration official said. A range of possibilities exist, including tax breaks and immunity from lawsuits for failing to protect systems. The administration still wants cyber legislation, the official said, but that means creating incentives to meet voluntary standards, revised procedures for government cybersecurity and the removal of barriers to the sharing of cyberthreat data between industry and government.