By Alina Selyukh
WASHINGTON, Feb 12 (Reuters) - The U.S. government is expected on Wednesday to release the final version of voluntary standards meant to help U.S. companies in nationally critical industries better protect themselves against cyber attacks.
Criticized in earlier drafts for being too vague and toothless, the so-called cybersecurity framework attempts to turn a vast amount of industry input into guidelines designed for 16 different sectors whose disruption could be devastating to the country.
Exactly one year after President Barack Obama issued an executive order directing a Commerce Department agency to compile voluntary minimum standards, the National Institute of Standards and Technology, or NIST, is due to issue guidelines, which companies have no obligation to adopt.
Drafters of the framework had to allay concerns by many in the private sector that their voluntary standards could someday become regulations. The threat of restrictive rules has helped stall progress on passing a cybersecurity law in Congress.
The framework, drafted by the non-regulatory NIST in consultation with thousands of industry experts, offers broad benchmarks for companies to measure the effectiveness of their cyber defenses.
"The federal government has an overriding interest to protect critical infrastructure," said Norma Krayem, a former official at the Transportation, State and Commerce departments who now works with infrastructure companies as a senior policy adviser at law firm Patton Boggs.
"But they don't own or control it, and at the moment, the cyber framework is the means to work collaboratively with critical infrastructure to address (cybersecurity) concerns."
'GETS MURKY REALLY FAST'
Cybersecurity experts warn that relentless efforts to hack into U.S. banks and financial institutions, the power grid and other critical infrastructure, paired with instances of disruptive attacks abroad, pose a national security threat.
The issue recently became a household topic after hackers stole about 40 million credit and debit card records and 70 million other records with personal customer data from the third-largest U.S. retailer, Target Corp.
Many experts have expressed alarm about the lack of awareness or reluctance among some companies' leadership to spend more money on cyber defenses. The framework could force the issue into more executive suites, analysts say.
"At a minimum, it's going to force this conversation up the food chain, out of the CEO office into the boardroom," said Tom Kellermann, a former member of Obama's Commission on Cyber Security and software company executive now with professional services firm Alvarez & Marsal.