The next president should appoint an official whose job it is to cut excessive red tape related to cybersecurity, the nation’s leading business lobby group said in a open letter released Tuesday.
The U.S. Chamber of Commerce calls on the next president to “appoint an official to focus on reducing (or better yet, eliminating) duplicative cybersecurity requirements for regulated industries.” It’s part of a policy appeal to the 45th U.S. head of state to “build on the current momentum” behind the National Institute of Standards and Technology Cybersecurity Framework — a voluntary set of principles that businesses can use to to better understand the risks they face from online threats and how to reduce them.
The framework was developed with heavy industry input and is popular among business leaders because it’s not just voluntary but very high-level and flexible — attempting to provide advice that is germane to businesses across different industry sectors from water utilities to banks, law firms and telecom companies; and for enterprises of wildly varying sizes from small start-ups to massive multinational corporations.
But in addition to the framework, the past few years have seen some regulatory activity on the cybersecurity front — especially in sectors where regulators already had extensive authorities, like banking and financial services.
“We need you to encourage federal agencies to harmonize existing regulations with the [NIST] framework,” states the letter, complaining, “Too often, U.S. companies are beset by multiple cybersecurity regulations coming from many agencies. These onerous and conflicting regulations are likely to shift businesses’ limited cybersecurity resources toward costly compliance mandates.”
Both legislation and presidential policy “call on government leaders to identify and reduce the cyber regulatory burden on business,” the letter states, adding, “So far, these responsibilities have not been met by officials in Washington. This is an opportunity for you to come in and lead the charge.”
The letter also calls on the next president to help bring about a culture shift in business mentality which the chamber says is essential if the cyberthreat information-sharing legislation passed by the last Congress is to be truly effective.
Although the law provides indemnity and legal safe harbor to businesses that share threat information with the government and each other, the letter states that many businesses are “approaching this new world with caution” and waiting on the sidelines.
“Many industry leaders have preconceived visions of bureaucrats lying in wait with regulations and privacy groups readying lawsuits behind the scenes,” the letter states, urging the future president to approach industry as an “ally.”
Finally the letter states that the U.S. government should shift its approach from a regulatory one to one that pushes more “adherence to to international norms of acceptable behavior and deterrence in cyberspace” by foreign actors. “Over the past several years, policy and legislation have tended to focus almost exclusively on regulating industry.”
The chamber says that instead of “punishing victims,” the next administration should “work with business leaders to battle cyber criminals and other bad actors.”