House Oversight and Accountability Hearing on Cybersecurity and Regulations
Summary
TLDR: The hearing focused on the urgent need to harmonize cybersecurity regulations across U.S. industries to mitigate the growing threats to critical infrastructure. Witnesses from IT, natural gas, banking, and MITRE Corporation emphasized the inefficiencies and high costs of current overlapping and inconsistent regulatory requirements. They advocated for centralized leadership, a common taxonomy, standardized processes, and reciprocity in regulations to improve security outcomes and reduce the burden on businesses, especially smaller entities, while ensuring national and economic security.
Takeaways
- 🔒 Cyber attacks on critical infrastructure are increasing, posing significant threats to national and homeland security.
- 🏢 Much of the critical infrastructure is owned and operated by the private sector, highlighting the need for strong public-private partnerships in cybersecurity.
- 📋 Federal regulations aimed at mitigating cybersecurity risks often result in overlapping and inconsistent requirements, creating inefficiencies and high compliance costs.
- 💼 Companies are forced to divert resources from cybersecurity enhancements to meet various compliance requirements, which can reduce their competitiveness.
- 🔄 The complexity of regulations can be overwhelming for businesses, especially when multiple agencies issue rules on the same topic, leading to confusion and inefficiency.
- 📚 The Office of the National Cyber Director (ONCD) has recognized the need for regulatory harmonization and has sought input from critical sector operators to identify conflicting regulations.
- 🌐 State-level and international cybersecurity regulations further contribute to the regulatory burden, complicating the compliance landscape for companies.
- 🤝 Harmonization and reciprocity in cybersecurity regulations are essential to reduce the burden on industry and improve overall cybersecurity outcomes.
- 🏦 The financial sector, like other critical industries, spends a significant amount of time and resources on regulatory compliance, detracting from efforts to enhance cybersecurity postures.
- 📉 The excessive focus on compliance can lead to reduced morale and staff burnout, as cybersecurity personnel struggle to balance day-to-day security responsibilities with regulatory demands.
Q & A
What is the primary concern addressed in the hearing regarding cyber attacks?
-The primary concern is the increasing frequency and scale of malicious cyber attacks on the nation's critical infrastructure, which can create damaging disruptions and compromise highly sensitive data, threatening homeland and national security.
Why is there a need for a strong partnership between the government and private operators of critical infrastructure?
-A strong partnership is needed to effectively mitigate cyber security risks and enhance the protection of critical infrastructure, which is often owned and operated by the private sector.
What issues do Federal Regulations intended to mitigate cyber security risk create for key industry participants?
-These regulations often subject key industry participants to overlapping and inconsistent requirements, creating an inefficient regulatory regime with high compliance costs, forcing companies to divert resources away from cyber security enhancements.
What is the impact of multiple agencies issuing rules on the same topic?
-When multiple agencies issue rules on the same topic, it can lead to an uncontrolled proliferation of regulations, causing confusion and increased administrative burdens for companies that have to comply with these overlapping and inconsistent cyber security rules.
What is the goal of harmonization in cyber security regulations?
-Harmonization means that multiple federal agencies agree on a common requirement; the chair's example is agencies agreeing on the allowable forms of multifactor authentication for access to IT systems. Reciprocity follows from it: if one regulator finds that a company's multifactor authentication is being used appropriately, other regulators can accept that finding instead of performing their own independent assessment.
What is the role of the Executive Office of the President in harmonizing cyber security regulations?
-Strong centralized leadership from the Executive Office of the President is required to harmonize cyber security regulations and to check regulators within the bureaucracy who may not be considering the broader impact of the rules they issue.
What was the response to the Request for Information (RFI) regarding conflicting cyber security regulations?
-The RFI received more than 100 responses describing a highly inefficient regulatory regime that detracts from cyber security outcomes by unnecessarily consuming scarce resources.
How do state level and international cyber security regulations contribute to the regulatory challenges?
-State level and international cyber security regulations add further layers to the regulatory morass, complicating the compliance process for companies that must navigate a complex web of different requirements.
What is the average annual cost of cyber crime worldwide expected to reach by 2027?
-The average annual cost of cyber crime worldwide is expected to reach $23 trillion by 2027.
What is the role of the Cyber Incident Reporting Council (CIRC)?
-The CIRC was established by the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) to study and make recommendations to address conflicting and duplicative federal incident reporting requirements; its report from last September tallied more than 50 such requirements in effect or pending.
What are the three main considerations for harmonizing cyber security regulations according to the oil and natural gas industry?
-The three main considerations are robust consultation with the regulated community and other agencies, retroactive harmonization of requirements when possible, and the potential role of a single entity like CISA to facilitate harmonization.
What is the Banking Policy Institute's view on the impact of regulatory compliance on cyber security personnel?
-The Banking Policy Institute believes that the focus on regulatory compliance activities leaves less time for risk mitigation and strategic security initiatives, which could be better spent on fortifying firm defenses.
What is the significance of harmonization and reciprocity in the context of cyber security regulations?
-Harmonization refers to the alignment of agencies and related regulations on a common set of requirements for a desired security outcome, while reciprocity means that the findings of one regulator satisfy the requirements of another, reducing redundant compliance costs on industry.
What is the role of the National Cyber Director (NCD) in addressing the issue of cyber security regulatory harmonization?
-Mr. Miller's first recommendation is that the ONCD follow through on its work implementing the National Cyber Strategy with an actionable plan to harmonize existing cyber regulations and hold federal agencies accountable for following through; his fourth is that the ONCD develop and implement a structured reciprocity process anchored in baseline controls and standards across federal government regulations.
What is the recommendation for a single clearing house for cyber incident reporting?
-The recommendation is to implement a single clearing house for reporting cyber incidents, which could be operated within a federal agency like CISA or by an independent third party, to streamline reporting and coordination across agencies.
What is the current state of harmonization in the IT sector according to Mr. Miller's testimony?
-According to Mr. Miller, despite long-standing consensus on the need for harmonization, there has not been a single conflicting, inconsistent, or duplicative cyber regulation eliminated or streamlined, indicating a need for action.
What is the impact of regulatory compliance on smaller companies in the tech sector?
-Smaller companies in the tech sector are disproportionately affected by conflicting regulatory requirements, as it is more of a zero-sum game for them, with higher costs and potential inability to figure out what regulations they need to comply with.
What are the challenges faced by the banking sector in terms of cyber incident reporting?
-The banking sector faces challenges with cyber incident reporting due to different definitions, time frames, and information requirements across various regulators, which results in a significant strain on personnel and resources.
What is the role of the Cybersecurity and Infrastructure Security Agency (CISA) in harmonizing cyber security regulations?
-CISA is implementing the cyber incident reporting requirements of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) and is expected to leverage existing requirements and streamline the reporting process rather than add another duplicative layer.
What is the potential solution proposed by Dr. Clancy for improving the harmonization of cyber security regulations?
-Dr. Clancy proposes moving from study to action, building on existing initiatives like CIRCIA, and establishing a clearing house for cyber incident reporting that coordinates across the interagency.
What is the impact of regulatory compliance on the morale and staff burnout in the banking sector?
-Regulatory compliance has led to staff working exceedingly long hours to balance their obligations, resulting in decreased morale and staff burnout, which can affect the overall effectiveness of cyber security efforts.
How do industry standards and government regulations differ in their impact on a company's approach to cyber security?
-Industry standards and government regulations both play a role in a company's cyber security approach, but when regulations are aligned with industry standards and developed through consultative processes with the industry, they can be more effective and less burdensome.
Outlines
🔒 Addressing Cybersecurity Regulatory Challenges
The opening statement of the hearing emphasizes the urgent need for stronger cybersecurity measures to protect the nation's critical infrastructure from escalating cyber threats. It highlights the inefficiencies and high costs of the current regulatory regime, which often leads to resource diversion from actual security enhancements. The statement calls for a harmonized approach to cybersecurity regulations, with the government and private sector working together to ensure national security is not compromised by overlapping and inconsistent federal requirements.
📈 The Scale of Cyber Crime and the Compliance Burden
The ranking member's opening statement quantifies the threat: FBI and IMF data put the average annual cost of cyber crime worldwide at $23 trillion by 2027, ransomware attacks rose by more than 50% in 2023, and federal agencies reported more than 32,000 cybersecurity incidents in fiscal year 2023, up nearly 10% from the prior year. It notes that FISMA and Executive Order 14028 already mandate practices such as agency-wide security programs, risk assessments, incident response protocols, multifactor authentication and improved event logging, and that mandatory requirements for critical infrastructure are needed, but that the current patchwork of conflicting requirements leaves operators spending more on compliance checking than on improving security outcomes. It points to the administration's efforts to deconflict regulations: the March 2023 National Cybersecurity Strategy, the August 2023 ONCD request for information, and the first report on the cybersecurity posture of the United States released in May.
🤝 Harmonizing Cybersecurity Regulations for Critical Infrastructure
The third paragraph focuses on the necessity of harmonizing cybersecurity regulations to reduce the burden on industry and improve security outcomes. Witnesses from various sectors, including IT, natural gas, and banking, share their perspectives on the need for a unified approach to regulation. The paragraph underscores the importance of risk-based, outcome-focused regulations and the potential benefits of reciprocity in regulatory compliance.
📋 The Burden of Cybersecurity Compliance on Industries
This section discusses the heavy burden of cybersecurity compliance on various industries, particularly smaller entities that may not have the same resources as larger companies. It highlights the disproportionate impact of conflicting regulatory requirements and the need for a more streamlined and efficient approach to cybersecurity regulation that does not stifle innovation or impose unnecessary costs.
🛡️ The Role of Government in Cybersecurity Regulation
The fifth paragraph examines the role of government in creating and enforcing cybersecurity regulations. It addresses the balance between the need for robust security measures and the potential for overregulation that can hinder the ability of companies to effectively protect their systems. The discussion includes the importance of industry standards, the value of regulatory alignment with these standards, and the potential benefits of a risk-based approach to regulation.
🏛️ Legislative Efforts to Streamline Cybersecurity Regulations
This section reviews legislative efforts aimed at streamlining and harmonizing cybersecurity regulations. It mentions specific laws and directives, such as the Federal Information Security Management Act (FISMA), Executive Order 14028, and the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which established the Cyber Incident Reporting Council (CIRC) whose recommendations DHS is responsible for implementing, and discusses the challenges of implementing these regulations in a consistent and effective manner across different sectors.
📊 The Cost of Compliance and the Need for Regulatory Reform
The seventh paragraph focuses on the financial and operational costs associated with complying with cybersecurity regulations. It discusses the impact of these costs on company morale and the potential for staff burnout due to excessive focus on regulatory compliance at the expense of day-to-day security responsibilities. The discussion suggests that regulatory reform is necessary to ensure that compliance efforts are productive and do not detract from the overall security posture of organizations.
🗳️ The Search for Equilibrium in Cybersecurity Regulation
The final paragraph wraps up the hearing by acknowledging the complexity of finding the right balance in cybersecurity regulation. It touches on the need for regulations that are effective without being overly burdensome and the importance of aligning regulatory efforts with industry practices and standards. The closing remarks thank the panelists for their insights and contributions to the discussion on cybersecurity regulation.
Keywords
💡Cyber attacks
💡Critical infrastructure
💡Regulatory regime
💡Compliance
💡Harmonization
💡Reciprocity
💡Cybersecurity posture
💡National Cyber Strategy
💡Cyber incident reporting
💡Risk-based approach
💡Zero trust
Highlights
The hearing addresses the increasing frequency and scale of malicious cyber attacks on the nation's critical infrastructure, emphasizing the need for a strong partnership between government and private sector operators.
Federal Regulations intended to mitigate cyber security risks are criticized for creating an inefficient regulatory regime with overlapping and inconsistent requirements.
The cost and burden of compliance are highlighted as high, forcing companies to divert resources away from cyber security enhancements.
The issue of multiple agencies issuing rules on the same topic is discussed, leading to a single company potentially needing to comply with inconsistent cyber security rules from several different agencies.
The National Cyber Security Strategy's goal of harmonizing regulations to reduce compliance burdens is mentioned, with the acknowledgment that achieving harmonization and reciprocity is challenging.
The financial services sector is noted to have many Chief Information Security Officers spending significant time on regulatory compliance instead of enhancing cyber security posture.
The need for strong centralized leadership from the Executive Office of the President to harmonize cyber security regulations is emphasized.
The average annual cost of cyber crime worldwide is projected to reach $23 trillion by 2027, with ransomware attacks increasing by more than 50% in 2023 alone.
Federal agencies reported over 32,000 cyber security incidents in fiscal year 2023, an increase of nearly 10% compared to the previous year.
The importance of securing systems that are the backbone of the US economy is stressed as essential for both public and private sectors.
The federal government's responsibility to improve cyber security outcomes and combat cyber threats through comprehensive processes is outlined.
The National Cyber Director's role in addressing the overlapping nature of cyber security regulations and reducing the burden of compliance is discussed.
The report on the cyber security posture of the United States is highlighted, assessing the effectiveness of national cyber policy and strategy.
The need for mandatory cyber security requirements for critical infrastructure is acknowledged, with the understanding that Congress and the administration must balance this with improving cyber security outcomes.
The hearing calls for input from industry, civil society, and state and local partners to address the wide variation in existing regulations across sectors.
The importance of aligning existing and future cyber security regulations around a common taxonomy, including definitions and risk management controls, is stressed.
The concept of regulatory reciprocity is introduced, where one regulator's findings satisfy the requirements of another, to reduce redundant compliance costs on industry.
The hearing concludes with a call to move from study to action, emphasizing the need for new thinking and solutions in the face of evolving cyber threats.
Transcripts
technology and government Innovation
will now come to order and welcome
everyone without objection the chair May
declare recess at any time and I
recognize myself for the purpose of
making an opening statement good morning
and welcome to this hearing malicious
cyber attacks on our nation's critical
infrastructure are increasing in
frequency and scale these attacks can
create damaging disruptions and
compromise highly sensitive data much of
our critical infrastructure is owned and
operated by private sector companies
that includes Transportation networks
energy production and distribution
facilities and the defense industrial
base cyber attacks targeting such
operations threaten our homeland
security and our national security
that's why we need a strong partnership
between the government and private
operators of critical infrastructure
unfortunately Federal Regulations
intended to mitigate cyber security risk
often subject key industry participants
to overlapping and inconsistent
requirements this creates an inefficient
regulatory regime the cost and burden of
compliance is high companies are forced
to divert resources away from cyber
security enhancements to check various
unnecessary compliance boxes the
unnecessary drain on resources also
reduces the competitiveness of these
businesses regulations can proliferate
out of control when multiple agencies
are issuing rules on the same topic a
single company operating across critical
sectors might need to comply with
overlapping inconsistent cyber security
rules issued by half dozen different
agencies good luck with that so it's not
surprising that companies are feeling
besieged by the growing barrage of cyber
security requirements in March of last
year the then acting White House cyber
director appeared before this
subcommittee to discuss the
administration's National cyber security
strategy she testified that day that
under the strategy her office and the
Office of Management and budget were
jointly responsible for addressing this
issue of cyber security regulatory
harmonization a few months later her
office issued a request for information
asking critical sector operators to
identify conflicting and mutually
exclusive or inconsistent regulations
and describe the burden that they impose
the RFI describes the goal of
harmonization reciprocity in the
regulation an illustration of
harmonization would be multiple federal
agencies agreeing on allowable forms of
multifactor authentication to access IT
systems reciprocity would mean that if
one regulator found a company's
multifactor authentication was being
appropriately used on an IT
system another regulator could accept
that finding instead of doing its own
independent assessment unfortunately
judging from the response to the RFI we
have a long way to go to achieve
harmonization and
reciprocity the more than 100
respondents a few of whom we will hear
from today describe a highly inefficient
regulatory regime that detracts from
cyber security outcomes by unnecessarily
consuming scarce resources some of the
respondents noted that state level and
international cyber security regulations
contribute further to the regulatory
morass they must investigate the upshot
according to the financial services
sector coordinating council is that
many company Chief Information Security
Officers
spend as much as half their time on
Regulatory Compliance instead of
upgrading their cyber security posture in
all the administration received more
than 2,000 pages of comments to its RFI
I appreciate the administration took the
trouble to seek out the views of the
affected parties but the responses
thousands of them show how challenging
it will be to address the problem one
thing seems clear strong centralized
leadership from the Executive Office of
the President will be required to
harmonize cyber security regulations
that's the only way to put a check on
Regulators within the bureaucracy who
may be blind to the broader impact of
rules they issue I look forward to
hearing from our Witnesses today who
will provide valuable Insight on this
problem from the perspective of
different critical sectors but before I
introduce them I'm going to yield to the
ranking member Connelly for 5 minutes
thank you and Madam chairwoman I'd
ask unanimous consent to enter into the
record at the appropriate time a
thoughtful statement
from Professor Jason Healey of
Columbia School of International and
Public Affairs without objection I thank
the chair cyber attacks on government
agencies businesses critical
infrastructure of private citizens have
become alarmingly frequent and
sophisticated the cost of these attacks
financially and in terms of National
Security is
staggering according to data from the
Federal Bureau of Investigation and the
international monetary fund the average
annual cost of cyber crime worldwide is
expected to reach $23
trillion by 2027 that's with a
T ransomware attacks against these
sectors for example increased by more
than 50% in 2023 alone federal agencies
reported more than 32,000
cyber security incidents in fiscal
year 2023 that's an increase of nearly
10% compared to the previous year in
addition the FBI's internet crime
complaint center received more than
880,000
phishing personal data breach and other
complaints in
2023 as I've stated in previous hearings
held by this subcommittee data breaches
and cyber attacks are no longer novel
that is why securing the systems that
are the backbone of the US economy is
essential and fundamental both to the
public and private sectors to this end
the federal government has a
responsibility to improve its cyber
security outcomes to combat cyber
threats federal agencies conduct
comprehensive and multi-layered
processes to set and enforce cyber
security requirements across components
of our critical infrastructure such as
banks water treatment plants and
telecommunication infrastructure for
example the federal information security
management act and executive orders like
executive order 14028 on Improving the
Nation's Cybersecurity enacted after the
Russian foreign intelligence service
perpetrated the SolarWinds cyber
security attack they mandate specific
cyber security practices among those are
agency-wide cyber security programs and
risk assessments incident response
protocols multifactor
authentication and improved event
logging as National cyber director Harry
Coker testified in January there is a
clear need for mandatory cyber security
requirements for critical infrastructure
no fool on however Congress and the
administration must not lose sight of
our responsibility to improve cyber
security outcomes and input from GAO
industry civil society and State and
local Partners indicate that existing
regulations vary widely across many
sectors and at times conflicting
parameters this Patchwork approach often
leaves private state and local entities
charged with securing critical
infrastructure investing Less in our
Collective goal of improving cyber
security outcomes and More in compliance
checking activities putting National
Security and economic stability at some
risk the Biden-Harris Administration
recognized the need to address the
overlapping nature of much needed cyber
security regulations by launching
efforts to deconflict and clarify cyber
security requirements in March of 2023
the national cyber director released the
national cyber security strategy which
listed harmonizing regulations to reduce
the burden of compliance as one of the
stated policy goals in August of 2023
the oncd issued a request for
information from industry and other
partners on the challenges with
regulatory overlap and to explore
framework for Baseline cyber security
requirements all our Witnesses here
today provided comments and feedback to
the oncd underscoring the Biden Harris
administration's collaborative efforts
with industry experts to get this right
in May of this year the office of
national cyber director also released
the first of its kind report on cyber
security posture of the United States
the report assesses the cyber security
posture the effectiveness of national
cyber policy and strategy and the
status of the implementation of national
cyber policy and strategy by federal
departments and agencies among the
highlights of that report are actions
taken by the federal government during
the previous year establishing and using
cyber requirements to protect critical
infrastructure including through the
development and harmonization of
regulatory requirements is the first
action listed in the report which just
goes to show how important the priority
has been for this Administration I look
forward to hearing today from especially
from Dr Charles Clancy a senior vice
president and CTO at MITRE Corporation
about how Congress can support the
efforts underway to achieve regulatory
harmonization the goal is to maintain
clear and consistent guidance when it
comes to cyber security requirements
that will improve outcomes by bolstering
incident response enhancing resilience
reducing cost and ultimately benefiting
the American people thank you and I yield
back thank you Mr Connelly I'm pleased
to introduce our Witnesses for today's
hearing our first witness is Mr John
Miller vice president of policy trust
data and technology and general counsel
at the information technology Industry
Council our second witness is Miss
Maggie O'Connell director of security
reliability and resilience the
interstate Natural Gas Association of
America our third witness is Mr Patrick
Warren vice president regulatory
technology with the banking policy
Institute and our fourth and Final
witness today is Dr Charles Clancy Chief
technology officer at MITRE welcome
everyone we're pleased to have you this
morning pursuant to committee
rule 9(g) the witnesses will please stand
and raise your right
hand do you solemnly swear or affirm
that the testimony that you are about to
give is the truth the whole truth and
nothing but the truth so help you God
let the record show that the witnesses
all answered in the affirmative we
appreciate you being here today and look
forward to your testimony let me remind
the witnesses we have read your written
statements and they will appear in full
in the hearing record please limit your
oral statements to five minutes this
morning as a reminder please press the
button on the microphone in front of you
so that it is on and that the members up
here can hear you when you begin to
speak the light in front of you will
turn green after 4 minutes it will turn
yellow when the light comes on and it
turns red your five minutes have expired
I use the gavel I bang it hard let's not
do that today um we'd ask you to please
wrap up all right so now I would like to
recognize each of you individually for
your opening statements I will first
recognize Mr Miller if you will please
begin Chairwoman Mace ranking member
Connelly and distinguished members of
the subcommittee on behalf of the
information technology Industry Council
or ITI thank you for the opportunity to
testify today on the need to harmonize
cyber security regulations ITI is a
global policy and advocacy organization
representing 80 of the world's leading
tech companies and I lead ITI's trust data
and Technology policy team including our
work on cyber security in the US and
globally I've worked on Cyber policy
issues for over 15 years and have
extensive experience partnering with
CISA and other federal government
stakeholders on efforts to improve cyber
supply chain and critical infrastructure
security including currently serving in
leadership positions on the ICT supply
chain risk management task force and the
IT sector coordinating Council for as
long as I can remember there has been
strong long-standing widely agreed upon
bipartisan consensus on the need to
harmonize inconsistent duplicative or
conflicting cyber regulations the past
three administrations have prioritized
the issue multiple congresses have
agreed it's a priority and yet I
do not recall a single conflicting
inconsistent or duplicative cyber
regulation ever being eliminated or
streamlined after all these years so I
welcome this subcommittee's interest in
again Shining a light on this important
topic and sincerely hope this hearing
can help catalyze long overdue
harmonization of cyber regulations the
reasons why inconsistent duplicative or
conflicting cyber regulations are costly
to Industry and government are obvious
the office of the national cyber
director has acknowledged that cyber
overregulation leads to companies
focusing more on compliance than
security resulting in higher costs to
customers and working families and
negatively impacts National Security
this makes sense the more resources
organizations spend on compliance
auditing and tracking across multiple
regulatory regimes the less resources
are available to devote to obtaining
better cyber outcomes at lower costs
there are real costs on government too
surely it is inefficient to use scarce
government resources and Regulatory
capacity to create and enforce
duplicative inconsistent or conflicting
cyber regulatory requirements
particularly in light of the persistent
Federal cyber Workforce
shortage Congress to its credit remains
focused on the issue your colleagues at
Senate HSGAC recently introduced the
cyber regulatory streamlining bill and
Congress previously flagged this problem
as part of the Cyber incident reporting
for critical infrastructure act which
established the Cyber incident reporting
Council or Circ to study and make
recommendations to address conflicting
and duplicative federal incident
reporting requirements last September
CIRC report tallied over 50 such
requirements that were in effect or
pending representing just one small
slice of the overall cyber regulatory
landscape when we consider that most
companies are also encountering
duplicative inconsistent or conflicting
cyber regulation
at the US state level and
internationally it reveals the status
quo as simply untenable the deluge of
cyber incident reporting regulations
perfectly illustrates the scope of the
overregulation problem and also serves
as a reminder that to date while we have
studied the issue and offered
recommendations there has been no
discernable harmonization instead the
problem is getting worse it is time that
we stop admiring this problem and commit
to addressing it I encourage the
subcommittee to consider all of the
recommendations to drive better cyber
harmonization in my written testimony
but I highlight five here first oncd
must follow through on its ongoing work
implementing the national cyber strategy
to implement an actionable plan to
harmonize existing cyber regulations and
hold federal agencies accountable for
following through including DHS for
implementing the Circ recommendations
and all agencies for actualizing
harmonization efforts second we should
align existing and future cyber
regulations around a common taxonomy
including definitions and risk
management controls grounded in
international standards the N cyber
security framework provides a common
language for doing so and can serve as
an orientation point for federal
harmonization efforts third we should
Define a standardized clearing process
for new Cyber regulatory activity to
prevent future fragmentation for
instance by expanding oira's role to
review sector specific regulations for
inconsistencies or by requiring federal
agencies to demonstrate that any new
regulations must fill identified
regulatory gaps fourth oncd should
develop and Implement a structured
reciprocity process Anchored In Baseline
controls and standards across federal
government regulations to reduce
barriers and clarify obligations
reciprocity among Federal agency
requirements is critical to reduce
redundant compliance costs on industry
and is particularly important in areas
such as Cloud security finally Congress
should seize the opportunity to drive
actionable Cyber harmonization Solutions
and use its oversight authorities to
make sure that the current and future
administrations follow through given the
Supreme Court's recent decision in ler
bright to overturn Chevron difference
going forward it is more important than
ever that Congress provide precise cyber
authorities and clear direction to the
federal agencies who will Implement and
enforce future rules thank you again for
the opportunity to testify today I look
forward to your
questions thank you I'd like to rise
Miss recognize Mr oconnell for five
minutes Miss oconnell for five minutes
Good morning, Chairwoman Mace, Ranking Member Connolly, members of the subcommittee. I'm Maggie O'Connell, director of security, reliability, and resilience with the Interstate Natural Gas Association of America. I currently lead INGAA's cybersecurity, physical security, and emergency response policy. Thank you for inviting me to share our perspectives on cybersecurity regulatory harmonization. INGAA is the national trade association that advocates to federal policymakers the priorities of the interstate natural gas pipeline industry. Our members represent the majority of interstate natural gas transmission pipeline companies in the US and are leaders in the reliable transportation of gas throughout the country. Many of our members also operate other forms of critical energy infrastructure, making our members some of the most regulated entities in the nation.

The oil and natural gas subsector understands the importance of regulations to ensure the safe, secure, and reliable delivery of goods and services. Our primary purpose is to keep energy moving, which is precisely why our operators apply a risk-based, defense-in-depth approach to cybersecurity. Defense in depth is a strategy that protects the entire enterprise, rather than each individual business unit, from various threats. It entails robust governance, systematic risk-based management, and multi-dimensional programs based on industry-recognized standards and frameworks. To that end, security regulations should not be promulgated simply for the sake of doing so. They must be risk-based, outcome-focused, and threat-informed, with the goal of safeguarding those elements that enable the provision of energy services, protection of personal data, and the essential functions that support the country's economy and national security.

The oil and natural gas industry believes there are three main considerations for determining how to harmonize cybersecurity regulations. First, regulators should engage in robust consultation processes with the regulated community, other agencies with authorities in that sector, and regulators of sectors with direct dependencies to the sector for which the cybersecurity requirements are under development. Second, if efforts cannot be made to harmonize proposed cybersecurity regulatory requirements, agencies should take action to retroactively ensure that requirements are harmonized in a reciprocating manner. Third, Congress and the White House should consider whether a single entity, such as CISA, could facilitate the harmonizing role. A single entity to provide management and oversight of the multitude of cybersecurity regulations would enhance overall cybersecurity and ease compliance efforts.

I would like to briefly discuss two key principles that we believe are imperative to understanding harmonization and reciprocity. Harmonization is best understood as alignment across agencies and related regulations on a common set of requirements to achieve a desired security outcome. Harmonization achieves efficiency for compliance in the circumvention of duplicative or conflicting requirements. However, when undertaking this effort, the federal government should understand the risk within each critical infrastructure sector, the agencies with existing cybersecurity requirements, and the varying purposes of each of those regulations. The other piece to harmonization is reciprocity, wherein the findings of one regulator satisfy the requirements of another. Reciprocity is particularly pertinent given the number of federal regulations impacting the oil and natural gas sector emanating from a single federal department. For example, TSA and the US Coast Guard each have cybersecurity regulatory authority over segments of the oil and natural gas sector. While CISA does not currently have authority to enforce CFATS, most CFATS-regulated facilities implement the program's requirements on a voluntary basis. These three agencies alone, existing under DHS, have made little effort to harmonize these efforts, leading to increased administrative burdens for coordinating with and meeting the requirements of these respective agencies. Indeed, a significant challenge for regulatory reciprocity is the silos in which each of these agencies exist. Each agency sees its mission as unique and independent from others, despite the common goal of strong cybersecurity for critical infrastructure systems. To that end, a single agency such as CISA could serve as an arbiter and facilitator for cybersecurity regulatory harmonization.

In closing, I would like to reiterate that INGAA and our members appreciate the role that smartly constructed, risk- and outcome-based cybersecurity regulations play in securing our nation's critical infrastructure. As additional agencies seek to expand their oversight and authorities to include cybersecurity, harmonization and reciprocity will be essential to ensure operators can continue to mature their security programs without overly burdensome compliance obligations. Thank you for your time, and I look forward to your questions.

Thank you, Ms. O'Connell. Mr. Warren, you may begin your opening
statement.

Chairwoman Mace, Ranking Member Connolly, and honorable members of the subcommittee, thank you for inviting me to testify. I'm Pat Warren, vice president for regulatory technology for BITS, the technology division of the Bank Policy Institute. BPI is a nonpartisan policy research and advocacy organization representing the nation's leading banks. Through our technology division, we work with our members on cyber risk management, critical infrastructure protection, fraud reduction, regulation, and innovation. As illustrated by the CrowdStrike software update last week, the security and resilience of the networks, systems, and software that we rely on as a nation is vitally important. Cybersecurity regulations can play a role in fostering the necessary programs and policies that protect our critical infrastructure. At the same time, we must be mindful that if not properly harmonized and aligned, such requirements can place unnecessary strain on the critical cybersecurity resources we rely on to prepare for emerging threats and address incidents when they occur.

On behalf of BPI members, we greatly appreciate the committee's leadership and the opportunity to provide input on the need to harmonize cybersecurity regulations and streamline existing requirements. Financial institutions are subject to numerous regulations and rigorous supervision from the prudential banking regulators: the Office of the Comptroller of the Currency, the Federal Reserve Board, and the Federal Deposit Insurance Corporation. This includes on-site examiners who regularly evaluate whether a financial institution operates in a safe and sound manner. Firms also comply with cyber incident reporting and disclosure, consumer breach notification, data security, and data privacy requirements enforced by agencies like the CFPB, the SEC, and the CFTC, among others.

Based on our experience navigating a complex regulatory environment, we believe congressional action and a focus on three areas could have meaningful impact. We encourage Congress to: one, require coordination among regulators to avoid duplication, overlap, or conflict in requirements placed on industry; two, encourage regulatory reciprocity; and three, leverage common frameworks.

First, it's imperative that all regulators consider existing requirements and do not duplicate or create variations of what already exists. We've seen this coordination does not always occur, particularly with independent regulatory agencies like the SEC. Within the financial sector, there are several examples where prudential banking regulators issue joint rules and guidance, which helps provide clarity and consistency for firms and supports the efficient use of resources. However, the collective effect of supervision and oversight by multiple regulators can cause significant strain on personnel and the resources necessary to implement security solutions that keep pace with evolving threats. According to a recent survey of large financial institutions, several firms reported their cyber teams now spend more than 70% of their time on regulatory compliance activities. Those same firms reported their chief information security officers, or comparable senior cyber leaders, spend between 30 and 50% of their time on those same regulatory compliance matters. Diverting finite cyber resources in this way leaves less time for risk mitigation activities and strategic security initiatives to fortify firm defenses moving forward.

Second, implementing a regulatory reciprocity model, where one regulator accepts the work and results of another, would be particularly valuable for sectors with multiple regulators and would alleviate the need for entities to demonstrate compliance with the same or similar requirements multiple times. Based on our survey, financial institutions reported that only 30% of exam documentation can be reused, due to slight differences in exam scope and cadence between regulators. By better leveraging each other's documentation, testing, evaluations, and findings, regulators would receive the information they need to conduct rigorous oversight while preserving the ability of cybersecurity teams to adjust to rapid technological change.

Finally, existing standards and frameworks like the NIST Cybersecurity Framework can be helpful tools for aligning regulatory requirements. The Cyber Risk Institute developed a financial sector profile, which is based on the NIST Cybersecurity Framework and integrates regulatory requirements unique to the financial sector. This provides financial institutions with a single, scalable resource for managing cyber risk and compliance requirements. Regulators can also leverage common frameworks to tailor oversight priorities and more efficiently assess a company's baseline security posture. As regulatory requirements continue to proliferate, congressional action is needed to ensure new and existing requirements accomplish the goals of better security and resilience while balancing the collective impact of these requirements on regulated entities. We're committed to working with this committee as it explores potential legislative solutions for achieving broader harmonization. Thank you for the opportunity to testify today, and I'm happy to answer any questions.

Thank you. I'd now like to recognize Dr. Clancy for your opening statement.
Chairwoman Mace, Ranking Member Connolly, members of the subcommittee, good morning, and thank you for inviting me to testify before you today. It's my pleasure to address the subcommittee on this topic of critical national importance.

The practice of cybersecurity has grown organically, driven by need. The first wave of standards, spurred by FISMA, was compliance-driven and focused on checklists of security controls. The second wave was threat-informed and motivated information sharing. The third wave was risk-based, prioritizing continuous assessment and adaptive security controls. The fourth wave that we're experiencing now is that of zero trust and the architecture-driven recognition that our greater reliance is on devices, networks, and cloud infrastructure that may be untrusted. Umbrella frameworks like the NIST Cybersecurity Framework and ISO 27001 take a holistic approach across business processes, technical controls, risk, and threat. These frameworks can be used as an organizing structure and common taxonomy to talk about regulations, but they do not really get down to the implementation level. This leaves a patchwork of requirements for regulated organizations that have mandatory implementation obligations. It leaves them dealing with a jumble of not necessarily contradictory, but often fragmented, overlapping, and inconsistent obligations.

First, starting with security controls: a positive step would be to commission NIST to document the differing security controls required across different security standards. Such an enumeration would help harmonization as various standards organizations update their requirements over time, and help regulators identify consensus controls that would minimize burden on their stakeholders. Again, this is not a call for new standards, but rather illuminating the complexity of today's environment so we can build roadmaps that over time would lead to harmonization and potentially even consolidation of technical control standards.

Next is auditing processes. If a standard is mandatory to implement, then someone actually needs to check that it's been implemented. There's a range of everything from self-attestation of compliance to rigorous annual inspections by third-party auditors. One concerning trend is efforts to make the NIST Cybersecurity Framework mandatory, and while this is an admirable goal, the framework was explicitly designed to be voluntary and lacks the necessary metrology to even define compliance, making such attestations meaningless. If you want to make something mandatory, then you need a standard that defines and provides the tools to measure compliance. Additionally, reciprocity must be harmonized. No security standard is strictly more rigorous than any other. They all have industry-specific or domain-specific attributes, but there's a common core set of requirements across most, and the job of an auditor or regulator can be greatly simplified if there's reciprocity across that common core.

Lastly is incident reporting, which is probably the biggest headache for regulated organizations. Implement a single clearinghouse for reporting a cyber incident, either operated within a federal agency such as CISA or by an independent third party on behalf of the federal government. Such a clearinghouse can identify a lead agency to engage with the affected party, coordinate with others across the interagency, and really serve as a touchpoint for major vendors that support that industry, like CrowdStrike or Microsoft, that have equities that cross many different sectors. A clearinghouse would serve a number of other important purposes as well, including energizing a federal cyber action team that could help impacted organizations with incident response if appropriate and necessary; serving as a focal point for major vendors and cloud providers who may be stakeholders, particularly in wide-scale cyber incidents; and being an important repository for cross-sector data on adversary cyber operations, so we can actually keep track of what our adversaries are doing in an integrated way across the entire ecosystem. Another important point is that reporting should be viewed as iterative. As reporting timelines get shorter and shorter, the amount of high-confidence reportable information collected by affected organizations gets smaller and smaller. We must balance reporting timelines with practical detail on incidents from the impacted organization and the actual utility of that data to a regulator. Reporting "we might have been hacked, but we're not sure, and we have no idea what might have been impacted" within 8 hours to a regulator doesn't provide anything actionable. If that regulator's typical response time for assigning a case agent and soliciting additional information is two weeks, what was the point of the 8-hour reporting timeline in the first place? A clearinghouse could also help with state, local, tribal, and territorial government reporting and coordination. These governments have a growing set of cyber reporting obligations, and a federal clearinghouse could ease the burden on impacted organizations.

In conclusion, I encourage the committee to move from study to action. The National Cybersecurity Strategy identified the need to establish an initiative on harmonization. The Peters-Lankford bill currently in the Senate involves years of pilots. NSM-22 calls on DHS to develop a plan for harmonization in critical infrastructure by April 2025. Last fall's ONCD request for information gathered broad industry input from a variety of stakeholders. I think we have a good handle on the issues, and we need to move out on solutions. Thank you, and I look forward to your
questions.

Thank you. I ask unanimous consent to submit the following statements for the record: a statement from the American Gas Association and a statement from Airlines for America. Without objection.

First of all, I want to thank you all for being here. We have a broad section of industry, from IT to natural gas, banking, and then of course MITRE. Listening to your testimony, it's very clear that the government is way too big, with way too much overregulation because of all the duplicative efforts. I would like to ask everyone a question this morning. For your member companies, or for MITRE specifically, would you be able and willing to invest more in cybersecurity enhancements, like IT upgrades, if the compliance burden of inconsistent, duplicative regulations was reduced? Would you have the resources to be able to invest more than what you are today if that burden was reduced?

Yeah, I mean, I think based on everything that we've heard from our companies, they would definitely have more resources to invest in cybersecurity and producing better cybersecurity outcomes if they did not have to spend as much resources on complying with conflicting or duplicative regulatory regimes.

And I'm sure you guys are all going to probably say yes, but I do want to focus on something Mr. Warren said in your testimony today, the 70% figure. You're in the banking sector, so it might be slightly different. Is it the same in natural gas and IT? Are you seeing the 70%? What's the rough figure, roughly, a percentage of cybersecurity workers generally within industry that you guys represent that are focused on compliance? Do you have a handle on that?

I don't have exact numbers in front of me, but based on the information that I've heard from our members, that sounds about accurate. Yes, even in natural gas.

Mr. Miller?

I mean, I think it varies by company, right? I mean, certainly larger multinational tech companies have more resources, so they are able to devote more resources to both compliance and better security outcomes. I think that there are a lot of small and medium-sized companies in the tech sector, and I think that these types of conflicting requirements that we're talking about today really disproportionately hit those companies, for whom it's much more of a zero-sum game. If it's much more expensive, the cost to the company, and you may not even be able to figure out what regulations you have to comply with, it creates, I think, a bad situation.

Yeah. So in terms of that, and I only have two and a half minutes left, roughly, and I'd like to hear from all members on the panel. I'll start with Ms. O'Connell, I'll start with you. It's almost like, where do you start? But if you could just do one thing, one bill, one policy, one regulation, one piece of legislation, what is that one thing? Because we are so big, we are so bureaucratic. I mean, a comprehensive policy, it just ain't going to happen, right? And it's not going to happen in the next decade, because we're not nimble anymore. We don't move that fast, unfortunately. But if you could do one thing today or tomorrow, what would that be to make it better for industry?

I would say, specific to our sector, reciprocity would probably move the needle the quickest, given we have multiple security regulators across our industry. Any efforts to sort of streamline and have one set of requirements be applicable to another set of regulations would really be, I think, an efficient way to move that needle quickly.

Thank you. Mr. Warren?

Sure. I think an area that's been a particular challenge for financial institutions is cyber incident reporting. These requirements often have slightly different definitions, time frames for reporting, and information requirements. And so, hypothetically, if a financial institution were to experience a reportable incident, they would first have to report to the Federal Housing Administration within 12 hours of detection. They'd have to notify their primary banking regulator within 36 hours, another notification to Ginnie Mae within 48 hours. Once CIRCIA is finalized, they'd have to provide a very detailed report to CISA within 72 hours, and then finally publicly disclose that incident to the SEC within four business days. So compiling all of those similar but distinct reports takes a lot of time from frontline cyber personnel, which leaves less time for day-to-day security.

Would it be better if it just went to CISA, and then CISA distributed it accordingly?

Sure, and I think that's... CISA has been tasked with harmonizing cybersecurity regulations under CIRCIA. Unfortunately, with their recent proposed rule to implement that legislation, it seems they've taken an expansive approach to implementing that law. We provided comment with a number of other financial trades encouraging them to better leverage existing requirements, and leaders in the House Homeland Security Committee and Senate HSGAC provided similar feedback.

Dr. Clancy, we have 15 seconds.

I would just amplify that. I think you can build on CIRCIA and make it that clearinghouse for reporting that coordinates across the interagency.

Okay,
thank you all, I appreciate your time this morning, and I will now yield to Mr. Connolly for five minutes.

Thank you. Just to clarify, Mr. Warren, what was that 70% referring to?

That refers to the amount of time a number of our firms reported their frontline cyber personnel are spending on regulatory compliance matters.

Those personnel assigned to cyber, correct?

Right.

And how many people is that?

It varies depending on firm. I'm not sure I'm able to give you an exact number across our member institutions.

Banks are often a target of cyber attacks or attempted attacks, is that not correct?

Yeah, that's correct, as a critical infrastructure.

Right. And collectively, how many Americans are customers of banks?

I'm not sure I have the exact number of how many...

Kind of most of us, right?

Yes.

So the government has some interest in protecting those people, working with the banking community, in making sure their data is not disclosed, misused, assets diverted, deposits corrupted, just like banks do, presumably, because you don't want to lose customers. You'd concede that point?

Yes.

And so the issue is how best to do that, right? What's the balance between, you know, the need of banks to do their business, or the gas industry, or anybody else, while the government tries to get its arms around the cyber problem, and hopefully working with industry to protect American consumers? And, you know, it's going to be natural that we may have disagreements about how far we go. Industry is always going to have an eye on what it costs, and, you know, kind of a cost-benefit analysis of how far do we go in that cyber thing, and government has a different point of view about the value of that cost-benefit analysis. And so therein lies potential for conflict. Let me ask you this: do you think if we got government entirely out of the business, the banking industry could handle this all by itself? "Thank you very much, we can. We, the banking industry, could come up with our own set of standards, our own cyber protection policies, that would be fairly standard, and would voluntarily comply with them, and there'd be no problem."

I think the financial sector has been supportive of a number of confidential reporting requirements like CIRCIA and the banking 36-hour notification rule. Those regulators worked very collaboratively with industry to develop that requirement. I think really it's about striking the right balance here. We recognize the importance of these requirements for the enhanced visibility they provide for the cyber threat environment and to warn potential downstream victims. I think it's less an issue of cost and more one of time, and wanting to spend more time on...

So, Dr. Clancy, my concern... I'm not unsympathetic with the bureaucratic burden, and I think we could tolerate the bureaucratic burden if it led to efficacy. We've talked about harmony and reciprocity; I'm going to add a third one, efficacy. How effective is it? Because if it's effective, then I'm going to leave it alone. But if we're doing all of this and it's not effective, then we've got to fix it, we've got to do something else. Comment on that. How do these requirements, these burdens on reporting and creating systems and so forth, how efficacious are they?

I think when we talk about this, we need to look at it through the lens of the adversary as well. So China and Russia have made it clear that they are coming after our critical infrastructure from a cybersecurity perspective. I think what we're seeing is lots of different regulators all layering slightly different versions of the same obligations on top of the critical infrastructure sectors. None of it's really new, and I don't know that any of it necessarily rises to the nature of the threat that we're seeing from Russia and China. So it's just sort of creating a compounding set of the same, and I think what we really need is new thinking if you want to get after efficacy.

So, in my last few minutes: I wrote a bill to codify and set a new standard for FedRAMP, which is the process at GSA for certifying companies that want to do business with the federal government for cloud computing. And we had the same problem: like, every federal agency had its own standards, and you could go to one window, but then go to another one, you had to start all over again, and they had their own. So we built into the law that when you are certified by a federal agency, there is a presumption of adequacy, and so you're good to go in the other federal windows as well. You don't have to start all over again, and we're trying to eliminate duplication and redundancy and overburden in regulations. And it seems to me, taking that concept here so that we can try to... you're calling it harmonization, okay, but the presumption of adequacy: if you've met a cyber standard by agency X, you ought to be good to go and not have to have a whole new set of regulations by agency Y. So that's something I hope we can explore. Thank you.

All right, I would now like to recognize Mr. Burlison for five minutes.

Thank you. If we could go down the line, Mr. Miller, Ms. O'Connell, Mr. Warren, just to get an idea from your particular industry, what is the... if you had to put a dollar figure on it, what is the cost of complying, of the conflicts and the regulatory burdens that you're facing?

Thank you for the question. I don't know that I have, you know, an actual aggregate number of the amount of the compliance burden that we're talking about here. I mean, I guess I would just say that by all accounts it's significant, and, you know, I do think it's probably even more significant for heavily regulated industries, such as my colleagues here up on the panel. But it seems to be a problem. The compliance burdens are growing every day, and again, I think they're disproportionately hitting the smaller companies in the sector even more harshly.
I would sort of echo that. The compliance costs, I think, vary greatly based on your company size, the complexity of your operations, your staffing. INGAA generally, as a trade association, tries to stay out of conversations around cost for antitrust reasons, so it's difficult for me to kind of quantify that. But to your point, I mean, I think, you know, it does disproportionately affect smaller entities across all critical infrastructure, not just oil and natural gas.

Similar to my fellow panelists, I'm not sure I'm able to provide a ballpark estimate. There will be some variance across our member financial institutions. The bottom line is firms are going to spend whatever they have to in order to secure their environments. But what I will say is we have heard from firms that staff have had to work exceedingly long hours to balance the burden of regulatory compliance with their day-to-day security obligations, and there are scenarios where that has led to decreased morale and staff burnout.

I can totally relate with what you all are referring to. When I used to conduct cybersecurity audits in healthcare, and used to have to comply with meaningful use requirements and HIPAA, I knew firsthand real-world scenarios where the good intentions of this place, of this town, did nothing to benefit patients and did nothing to benefit the patient-provider experience. So I would like to hear directly, because I can think of those laws in particular: what specifically are we talking about? Rules that have been implemented that you're struggling with, and, if it's possible, because I want to put pen to paper here and actually take, you know, some tasks out of this hearing. What specifically, what policies specifically are affecting your industry that we might be able to address, and are they laws, are they rules, what are they? And if you could go down the line.

Sure. I mean, I think the example that I cited earlier and that others have talked about here is, I think, top of mind for many folks, and that's cyber incident reporting regulation and requirements. You know, on the one hand, we have Congress recently passing, you know, a couple years ago, CIRCIA, a federal bill, with an idea of streamlining requirements, and, you know, also setting up the CIRC, the Cyber Incident Reporting Council, to issue a report and streamline requirements. You know, the requirements do vary. I mean, obviously CIRCIA is an underlying legislative regulation, but there are different requirements that vary over those. I think it was 52 in total different types of requirements and regulations on incident reporting. And again, the problem is that even though we have identified the problem, and Congress has identified the problem, and we've set up a group, the council, to fix it, even after that report has come out, we've had more divergent requirements being proposed. An example is, there was a FAR regulation that was proposed just a couple of months after that that varied from the recommendations in that report. So I mean, that's the example that I would use for the IT industry, is incident reporting.

Ms. O'Connell?

I would echo the incident reporting requirements. I mean, we currently are required to report incidents to CISA within 24 hours under the first TSA security directive. We also have CIRCIA; there's also state and local reporting requirements. But I would also, on the more kind of, you know, risk-based kind of regulatory side, I would say hastily promulgated regulations are also a real challenge for compliance. For example, when TSA first issued its first iteration of the second security directive, they required some very prescriptive mitigation measures that were either impossible to achieve in the pipeline environment or with existing technologies, or they had, you know, perhaps reactive downstream impacts to pipeline reliability and safety, and those weren't considered when TSA first promulgated that security directive. They've since undertaken a very robust consultative process with industry and with the other regulators in the pipeline and oil and natural gas industry to make it more risk-based and outcome-focused. And I think as long as regulations are promulgated with that risk-based, outcome-focused, threat-informed mentality, then they can be successful. But when they are overly prescriptive and they are reactive, that's where the challenge can be within compliance.

Mr. Warren?

Incident reporting is a challenge for our sector as well, but another place where sometimes overlap and duplication occurs is in the supervisory
environment where One Financial
regulator will examine a firm on a given
topic say identity and access management
and shortly after that exam concludes
another regulator will come in and
examine the exact or similar topic that
pulls on the same cyber personnel and is
sort of a consistent exam regulatory
obligation for them rather than their
day-to-day security responsibilities
yeah because it's a if I may can iue
it's a lot of work to pull all of those
reports I when you're talking about
identity and access management alone to
pull all of those reports and who has
specific role access for any software it
can be a daunting task and then to have
to do it
repeatedly and based on whatever the the
demand is for the different agency I can
absolutely see why that would be
problematic
um let me ask this if it's if it's okay
are there if you know if we didn't have
these in place if the federal government
wasn't doing that you you have an
innate desire to want to have your data
secure and when there are events they
become high-profile the you know it's
all over the news your stock goes down
that in and of itself is a is a
deterrent um but you but you've got
industry standards as well right so
you've got the industry who's creating
these certification levels and these
standards that that are not necessarily
connected to the government which is
which is more important to meet I mean
which would you prefer to try to meet
the indry standard these certification
levels or to try to comply with um these
Regulators I I mean I I think um you're
you're raising a really good point um
Congressman uh you know I think there
are a lot of different it's an important
reminder that you know regulations are
not the answer to everything right that
it's not going to solve all of our
problems you know we we we've got
regulations we've got Frameworks such as
the cyber security framework we've got
International standards we've got
guidance then there were administrative
requirements so there there's a lot
going on there but you know in terms I I
think I think they're all important and
they all have a role but what's really
most important from a company standpoint
is that you know everything is hopefully
oriented toward common consensus based
standards and that those standards are
riskmanagement standards right I mean
we're talking about risk management
which uh you know is not only just about
defending I don't want to minimize the
importance of that but also response and
Recovery efforts as well I mean all of
this is important uh you know cyber
security has a lot of dimensions and
from a from the an industry standpoint
we we we need to do it all we need to do
it all well we just need to align and
not be operating across
purposes sure I would say the golden
ticket is when regulations are aligned
with industry standards um of course
that can't always happen but you know
when it does when regulations are again
promulgated in a way that is consultive
with the industry that's when you can
get the best result of the
regulation and I think this is a place
where industry can leverage common
Frameworks that sort of reference
regulatory requirements and Comm common
standards to sort of validate that they
are where they need to be from a cyber
security standpoint and and hopefully
streamline some of these compliance
requirements well beond my thank you Mr
bison you did great okay in closing
today I want to thank our panelists once
again for their testimony um and with
with that and without objection all
members will have five legislative days
within which to submit materials and to
submit additional written questions for
the witnesses which we will then forward
to the witnesses for their response if
there's no further business and without
objection We Stand adjourned