Continued from page 1

The presidential directive and executive order give government scientists and officials a year to devise a “baseline framework” — a term critics deride as vague — for cybersecurity incorporating “consensus standards and industry best practice” on how to secure computer networks.

The standards will be voluntary, except where government agencies can use regulatory authority to enforce them.

A senior administration official who briefed reporters Tuesday said that many industrial sectors, such as energy, already are “moving aggressively” to adopt best practices in cybersecurity.

The regulatory review the president has ordered “is really a backstop to what we think will already be happening in the marketplace,” the official said.

“They are trying to be flexible in their approach, recognizing that each sector is very different,” said Jessica Herrera-Flanigan, a government-affairs consultant in cybersecurity.

For example, telecommunications systems generally are owned by large high-tech companies whose staff include the best cybersecurity expertise available. By contrast, many water systems in rural or small communities are “mom and pop” operations without even an in-house tech staff.

Making rules that make sense for operations as diverse as global phone companies and rural water utilities is one of the challenges of securing vital computer systems, analysts say.

The presidential orders “are specifically designed not to be a one-size-fits-all approach,” said a senior administration official, noting that each sector is overseen by an agency.