Editorial: Stop, Drop and Roll

The Obama Administration last week released its preliminary framework on cybersecurity best practices. It is still a work in progress—the final document won’t be released until next February—but it looks like it is on the right track. The National Institute of Science and Technology’s version of stop, drop and roll, in this case, is “Identify, Protect, Detect, Respond, Recover,” with the industry’s existing practices helping lead the way in all those areas.

The NIST is in charge of the framework under Obama’s marching orders, and officials there went out of their way to emphasize it was the result of major input from stakeholders—including telecom companies that are among the critical infrastructure providers—and can’t succeed without their buy-in.

The voluntary framework is a collection of best practices for identifying and responding to cyber threats across a range of industries, and a way to apply those uniformly while providing flexibility and not superseding processes that already work.

It’s a tall order, but a vital one as cyberthreats grow and the world increasingly depends on broadband connectivity for just about everything.

The key is that the framework remains voluntary and flexible, and relies on what companies are already doing to protect themselves rather than reinventing the wheel, something NIST has said it does not want to do. The institute was quick to point out that the framework is not a magic bullet. It will not remove cyberthreats; it will only help manage them.

We can disagree on how best to combat those threats, but letting any political difficulties delay a response should not be an option.