White House grapples with harmonizing thicket of cybersecurity rules
Pour one out for the cyber bureaucrats in the Biden administration.
In recent weeks, the White House has embarked on a dizzying task: trying to harmonize the exceedingly broad number of cybersecurity-related regulations and technical standards set by industry that corporations and critical infrastructure operators must abide by.
That monumental task is likely to span years — perhaps even administrations. Its outcome has the potential to radically reshape cyber policy and regulations for 16 critical infrastructure sectors. Assuming it gets done.
The initial goal is to create a framework for a single mandate so critical infrastructure owners and operators have “reciprocity” across standards. That would mean that complying with a set of standards in one domain would, in theory, result in compliance in another and reduce compliance costs. Large corporations spread across multiple sectors would spend more on cyber defense , and smaller corporations that currently can’t keep up with security spending might allocate a bit more of their budget toward defense.
“Our thesis here is: You can get better cybersecurity outcomes, you can do a better job of raising the bar for critical infrastructure cybersecurity or lower the cost if you remove some of the red tape associated with compliance,” said Nick Leiserson, the assistant national cyber director for cyber policy and programs at the Office of the National Cyber Director.
Amid the task of harmonizing regulations, cyberattacks against critical infrastructure organizations are only increasing. Harmonizing regulations could be a way to deliver significant security dividends at a time when ransomware gangs are attacking everything from casino operators to hospitals and Russian and Chinese hackers are increasingly probing U.S. critical infrastructure entities. Harmonizing regulations is task 1.1.1 in the National Cybersecurity Strategy Implementation Plan, which calls on the Office of the National Cyber Director and the Office of Management and Budget to lead the effort.
A recent request for information from the ONCD provides a sense of the office’s approach and the scope of the task. The request not only asks which federal regulations are duplicative, but also seeks information about state regulations, international regulations and industry-led standards that many industries — regulated or not — adhere to.
“What we’re trying to figure out right now is A: ‘Is this as big of a problem as we think it is?’ and B: ‘What are different models that might work?'” Leiserson said.
Munish Walther-Puri, vice president of cyber risk at Exiger and former director of cyber risk for New York City’s Cyber Command, described the current maze of rules, regulations and standards as a “regulatory cacophony.”
“For companies specifically that own or operate critical infrastructure, deal with private health information and/or have a footprint that spans jurisdictions, compliance feels out of reach. They’re in dire need of a conductor,” Walther-Puri said.
That mess is evident in breach notification laws. The Securities Exchange Commission recently rolled out rules requiring companies to report to shareholders any cybersecurity incidents that are “material” to the firm. At the same time, some — but not all — publicly traded companies also have to comply with CISA’s incident reporting rules codified in the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which was passed into law to get a sense of the landscape of cyberattacks and to harmonize regulations for covered organizations.
Growing breach notification rules are resulting in “federal agencies with different responsibilities” having to “spread their net,” and that’s resulting in nets “getting tangled with each other,” said Arjun Ramadevanahalli, a cybersecurity-focused lawyer at the law firm Morgan Lewis.
Other aspects of harmonization efforts are quite prosaic: One major aspect of regulatory harmonization comes down to determining what type of information goes in what form and where. “Are you generally asking for the same things to be done? And if you’re asking for the same things to be done, can the evidence be harmonized?” said Bob Kolasky, a senior vice president for critical infrastructure at Exiger who previously led CISA’s National Risk Management Center.
A separate hurdle is ensuring that the auditors who determine if a regulation is being followed see harmonized rules in the same way. If not, one auditor may interpret a rule differently than another, defeating a major purpose of harmonization efforts.
While the harmonization efforts span all 16 critical infrastructure sectors, the White House is not currently planning on including operational technology — which is hardware and software that can monitor or control physical environments — in the mix, Leiserson said. Operational technology is considered too “bespoke” and dependent on the goal or service of each facility or utility.
Instead, the White House will focus on common IT stacks that are replicable across multiple sectors. The current working assumption within the White House, Leiserson said, is that different industrial environments, whether a power plant or a water utility, may be using similar equipment, like programmable logic controllers, for entirely different services. However, most organizations will have IT stacks, such as Microsoft’s Azure Active Directory, in common on the business side.
The decision to not include rules around operational technology in harmonization efforts is a decision some experts question. If the goal of harmonization is to put the same requirements on companies and technologies that support multiple regulated entities and establish a measure of commonality, then “OT certainly fits into the commonality question.”
“One reason we’re so concerned about OT cyber vulnerabilities is it starts to cross over to a safety issue,” Kolasky said. “We have a long history of trying to regulate for safety.”
Leiserson stresses that the administration’s approach to harmonization may still change in response to its request for information — comments to which are due on Oct. 31.
Among the unanswered questions at this stage is whether the administration will integrate cloud computing security into its regulatory overhaul.
The RFI asks for examples of regulatory obligations that are “passed along” through contracts to the cloud service providers. Such contracts are fairly common among regulated companies, to the point that outsourcing compliance is an economy in its own right.
Similar to how electricity — the production of which comes from a regulated critical infrastructure sector — powers a huge portion of the U.S. economy, cloud computing provides a resource without which a massive number of businesses could not operate. Nonetheless, cloud computing has not been designated as critical infrastructure, and how the industry fits into harmonization efforts remains to be seen.
“It’s a real benefit for a lot of smaller organizations, but it means we’re concentrating a lot of dependence and risk of really important systems onto a few large technology stacks,” Maia Hamin, the associate director at the Atlantic Council’s Cyber Statecraft Initiative, said of cloud computing’s role in the U.S. economy.
While the administration has tried to strengthen cybersecurity regulations using existing laws, that effort has run into roadblocks, and a full overhaul of cybersecurity rules may require an act of Congress.
When the Biden administration recently tried to strengthen cybersecurity rules for public water utilities via the Environmental Protection Agency, for instance, it relied on sanitary surveys to evaluate the cybersecurity posture of water utilities, only to face legal opposition from Republican states and industry trade groups arguing the agency overstepped its authority.
“I don’t think water is going to work through the sanitary checks, I think that’s just passing the problem to 54 states and territory organizations who are not ready to do it,” said Mark Montgomery, former executive director of the Cyberspace Solarium Commission who is now senior director at the Center on Cyber and Technology Innovation at Foundation for Defense of Democracies.
Water industry trade groups and some experts have argued that water utilities should be subject to a similar regulatory structure as the electric grid, where there is an independent regulator that works with industry to develop standards and another agency to enforce those standards. While there has been little indication that the administration is interested in such an overhaul, the White House needs industry buy-in to reach harmonization.
“I’m sympathetic that they’re trying to do as much as they can without requiring Congress to pass a bunch of new laws,” Kolasky said. “We’re going to run into the limits of what can be done without the laws and new authorities.”
Leiserson said the administration is not thinking about any major policy changes that might involve Congress, as it’s “putting the cart before the horse.”
“If we have a framework that makes sense, then we can say, ‘What do we need to get from here to there?'” Leiserson said. “Is this something that regulators can do using their existing authorities? Is this something that there is a gap in authorities that we would have to look for legislation for?”
While harmonization is about reducing compliance costs, it’s not clear that federal agencies are sufficiently resourced to oversee a more robust regulatory regime. Prior to the Colonial Pipeline ransomware attack that cut off the flow of vital energy supplies to the Eastern Seaboard, the Transportation Security Agency’s division responsible for overseeing the cybersecurity of the pipeline industry was operating with what was essentially a skeleton crew pre-Colonial Pipeline, according to a 2018 Government Accountability Office report.
The EPA faces similar workforce and resourcing difficulties, and experts caution that harmonization efforts will only be as good as the work of agencies that implement them.
“Theoretically, you come up with the best solution across industries and sectors, but then you have to take into consideration if it’s cost prohibitive,” said Amy Chang, resident senior fellow for cybersecurity and emerging threats at the think tank RStreet.
Chang said two critical questions face harmonization efforts. First, do agencies have the money? Second, do companies that do business with the federal government have money to put in place appropriate cybersecurity standards? In both cases, she said, “I’m sure the answer is no, and, in that case, what is the solution?”
