Congress needs to step in on cybersecurity harmonization, White House official says
Congressional action is needed to streamline the cybersecurity regulatory landscape, a White House official said Wednesday during a hearing that saw lawmakers and witnesses rail against what they say is an overly complicated patchwork of cyber rules that hinders the private sector’s ability to fight off threats.
Wednesday’s hearing before the Senate Homeland Security and Governmental Affairs Committee, held a day after the Office of the National Cyber Director issued a report in response to a request for information on cybersecurity regulatory harmonization, featured relatively broad agreement among committee members and federal officials on the need for a legislative solution.
Though a proposed solution of that kind hasn’t yet been introduced, a draft bill from committee Chair Sen. Gary Peters, D-Mich., was cited multiple times during the hearing as a way to remedy the streamlining problem. A draft copy of Peters’ Cybersecurity Regulation Harmonization Act, obtained by The Record, calls for the creation of an interagency committee to coordinate cyber regulations.
Regulatory harmonization “is a problem that has existed for decades and the trend line is generally heading toward more fragmentation, not more harmonization,” said Nicholas Leiserson, the assistant national cyber director for cyber policy and programs. “It is a problem that requires leadership from ONCD and Congress informed by the private sector.”
Leiserson said the Biden administration is supportive of Peters’ legislation, calling it “consistent with the views” ONCD has previously shared with the committee. The bill, he added, “would allow ONCD to better carry out our mission by bringing independent regulatory commissions to the table together with the interagency in a policymaking process.”
Rulemaking from independent agencies has drawn plenty of ire from the private sector, most notably in the case of the Securities and Exchange Commission’s cybersecurity incident disclosure rules.
Peters noted in his opening statement that federal regulators have passed 48 rules on cybersecurity standards over the past four years. Though he said that regulatory push “comes from a good place,” absent a higher level of coordination “there is no way to ensure that these guidelines don’t overlap, duplicate, or quite simply contradict each other,” leading to results that “are often confusing and inefficient.”
Sen. James Lankford, R-Okla., echoed Peters’ concerns, particularly with regard to independent agencies that “still need additional oversight.”
“There are independent agencies that feel like they’re independent from everybody. They’re not independent from everybody,” Lankford said. “There’s still some boundaries that need to be there when they’re creating new regs, that they’re not a completely independent fourth branch of government.”
ONCD is “limited” in its ability to corral independent regulatory commissions, Leiserson said, underscoring the need for congressional involvement. Getting all relevant parties to the table is paramount, he added, something that became especially clear as ONCD analyzed the more than 2,000 pages of comments in response to its request for information. In a report published Wednesday, the ONCD sought to summarize the 86 unique responses to that request.
The Business Roundtable, for example, said that burdensome and often conflicting regulations “require companies to devote more resources to fulfilling technical compliance requirements without improving cybersecurity outcomes.” The Bank Policy Institute noted that a survey of large financial institutions found that chief information security officers or comparable senior cyber leaders spend between 30% to 50% of their time on regulatory compliance matters. And the National Defense Industry Association said that regulatory “inconsistencies” erect “barriers to entry” for small and mid-sized businesses.
“When you have multiple reporting regimes with multiple requirements that are not alike, you spend a lot of time doing paperwork rather than focusing on your job, because you need to meet the requirements of both of these frameworks that you’re subject to,” said David Hinchman, director of information technology and cybersecurity at the Government Accountability Office, which released a corresponding report Wednesday on cyber harmonization.
A lack of federal cyber harmonization also negatively impacts the ability of U.S. companies to compete internationally, Leiserson said, noting that European firms only need to worry about operating under the E.U. framework. And at a time when Russia and China are growing increasingly bold in their attacks on U.S. critical infrastructure, the streamlining of standards becomes even more critical.
Creating a proper framework, Leiserson said, would essentially amount to showing sectors “how you should be approaching securing your enterprise IT systems, which are what the adversaries are targeting to get that initial access to set those beachheads.”
In an email to CyberScoop, Amy Chang, a senior fellow on cybersecurity and emerging threats at the right-leaning R Street Institute, said “more coherent messaging” on harmonization emerged at the hearing and in ONCD’s report than what has previously been communicated to the private sector.
Going forward, Chang said ONCD and, to some extent, Congress, “must generate additional buy-in from regulators to be in favor of harmonization, and generate alignment in priorities and expectations with stakeholders such as policymakers, regulatory bodies, industry professionals, and cybersecurity experts.”
