Chairman Peters' Questions: Streamlining the Federal Cybersecurity Regulatory Process
Summary
TLDR: The video script discusses the need for harmonization of cybersecurity regulations across federal agencies to combat the rising threat of cyber attacks. It highlights the challenges faced by the Office of the National Cyber Director (ONCD) in coordinating with independent regulatory agencies and emphasizes the importance of a unified federal framework to reduce compliance burdens and enhance security outcomes. The discussion also touches on the impact of disharmonized regulations on international competitiveness and the need for federal leadership in guiding state and local regulations.
Takeaways
- 📚 Regulations are crucial for various federal agency functions, including clean water, investor protection, and cybersecurity, which is increasingly important due to the growing threat of cyber attacks.
- 🔒 Cybersecurity regulations are a strong candidate for harmonization because the underlying information and communication technology is similar across different sectors like banking, nuclear power, and water treatment facilities.
- 🤝 Harmonization aims to create a unified approach to cybersecurity, reducing compliance costs and improving security outcomes by avoiding redundant efforts across different regulatory bodies.
- 🚫 The current 'check the box' compliance culture is criticized for not significantly advancing cybersecurity and instead increasing the administrative burden without substantial security improvements.
- 🔄 The discussion highlights the need for a common framework that can be customized to meet the needs of individual sectors, reducing the cost and complexity of compliance.
- 🏛️ The Office of the National Cyber Director (ONCD) is designated as the federal lead for addressing cybersecurity regulatory harmonization, emphasizing the need for a strategic, top-down approach.
- 🤝 The ONCD faces challenges in harmonizing regulations due to the breadth of the issue and the difficulty in getting all relevant parties, including independent regulatory commissions, to participate in the policy-making process.
- 🏢 Businesses are impacted by the lack of harmonization, as they may need to invest in multiple systems to comply with different regulatory requirements, putting them at a competitive disadvantage internationally.
- 🏦 State and local regulations, such as those in Massachusetts and New York, add another layer of complexity for businesses, which could benefit from federal leadership in setting a harmonized baseline.
- 🌐 The harmonization effort is not limited to federal agencies; it also involves coordination with state, local, tribal, and territorial governments to create a unified set of regulations.
- 📈 The feedback from the ONCD's request for information (RFI) on cybersecurity regulatory harmonization underscores the importance of reciprocity and a focus on supply chain risk management in the harmonization process.
Q & A
What is the primary purpose of cybersecurity regulations?
-The primary purpose of cybersecurity regulations is to protect critical infrastructure and federal systems from the growing threat of cyber attacks, ensuring the security of enterprise IT systems across various sectors such as banking, nuclear power plants, and water treatment facilities.
Why are cybersecurity regulations a good candidate for harmonization across federal agencies?
-Cybersecurity regulations are a good candidate for harmonization because the information and communication technology used across different sectors is largely the same. Harmonizing these regulations can lead to better cybersecurity outcomes and reduce compliance costs.
What is the main challenge in harmonizing cybersecurity regulations?
-The main challenge in harmonizing cybersecurity regulations is the breadth of the problem, with dozens of regulators and regulations. Additionally, getting all relevant parties, including independent regulatory commissions, to the table is crucial but currently limited.
How can regulators better tailor their requirements to promote cybersecurity?
-Regulators can better tailor their requirements by focusing on a common framework that minimizes redundancy and conflict. This approach can help organizations focus on actual cybersecurity protection rather than just compliance.
What is the role of the Office of the National Cyber Director (ONCD) in addressing cybersecurity regulatory harmonization?
-The ONCD is designated as the federal lead for addressing cybersecurity regulatory harmonization. It is responsible for developing a strategic approach and framework that can be applied across sectors and ensuring all relevant parties are involved in the policy-making process.
What is the significance of reciprocity in cybersecurity regulations?
-Reciprocity is significant in cybersecurity regulations as it ensures that once an entity has met the requirements, it does not need to do so again for other regulators asking the same questions. This helps reduce the compliance burden and allows businesses to focus on improving cybersecurity outcomes.
How does the lack of coordination among regulators impact businesses?
-The lack of coordination among regulators, especially independent regulatory agencies, leads to a compliance culture where businesses spend a significant amount of time and resources on meeting multiple and often conflicting requirements, rather than focusing on actual cybersecurity protection.
What are the implications of disharmonized cybersecurity regulations on international competition?
-Disharmonized cybersecurity regulations can put companies at a competitive disadvantage internationally, as they may need to invest in multiple systems to comply with different regulatory regimes, increasing their costs and reducing their competitiveness compared to companies operating under a single, unified framework.
How do state and local cybersecurity regulations impact businesses?
-State and local cybersecurity regulations can add an additional layer of complexity for businesses, as they must comply with multiple and sometimes conflicting requirements. This can lead to increased compliance costs and administrative burdens, diverting resources away from actual cybersecurity measures.
What feedback did the ONCD receive from the Request for Information (RFI) on cybersecurity regulatory harmonization?
-The ONCD received feedback highlighting the importance of reciprocity, the focus on compliance burden, and the need for a harmonized framework that includes supply chain risk management. This feedback has influenced the ONCD's approach to regulatory harmonization and reciprocity.
Outlines
🔒 Cybersecurity Regulations and Harmonization
The first paragraph discusses the importance of cybersecurity regulations in protecting critical infrastructure and federal IT systems. The speakers emphasize the need for harmonization across federal agencies to ensure better cybersecurity outcomes and reduce compliance costs. The conversation highlights the commonality of information and communications technology across sectors and the potential benefits of a unified approach to cybersecurity requirements. The challenges of understanding and implementing cybersecurity requirements are also mentioned, along with the need for regulators to promote actual security measures rather than just compliance.
🤔 Addressing Regulatory Challenges in Cybersecurity
This paragraph delves into the challenges faced by the Office of the National Cyber Director (ONCD) in harmonizing cybersecurity regulations. The speakers discuss the breadth of the problem and the need for a strategic, top-down approach to create a unified framework. The importance of involving all relevant parties, including independent regulatory commissions, in the policy-making process is highlighted. The potential benefits of having a convening authority to facilitate this process are explored, as well as the impact of the ONCD's request for information on the development of a harmonized approach.
🌐 Harmonizing Federal, State, and Local Cybersecurity Regulations
The third paragraph focuses on the impact of conflicting definitions and requirements in cybersecurity regulations on compliance burdens. The speakers discuss the need for a single overarching framework that can be customized within sectors to streamline compliance requirements. The conversation also touches on the impact of disharmonized compliance mechanisms on international competitiveness and the need for federal leadership in setting a strong baseline for cybersecurity requirements. The role of state and local governments in this process and the potential for federal guidelines to influence their regulations is also discussed.
🏛️ Federal Coordination with State and Local Governments
In the final paragraph, the discussion centers on the federal government's efforts to coordinate with state, local, tribal, and territorial governments to harmonize cybersecurity regulations. The speakers highlight the importance of federal leadership in setting a gold standard for cybersecurity requirements that can be followed by state governments and used as a benchmark in international negotiations. The challenges faced by businesses in managing multiple regulatory requirements are also discussed, along with the potential for a unified framework to simplify compliance and reduce the burden on businesses.
Keywords
💡Regulations
💡Cybersecurity
💡Harmonization
💡Critical Infrastructure
💡Compliance
💡Enterprise IT Systems
💡Reciprocity
💡Federal Agencies
💡Supply Chain Risk Management
💡State and Local Regulations
💡International Coordination
Highlights
Regulations are crucial for various federal agencies to ensure clean water, protect investors, and enhance cybersecurity amidst growing cyber threats.
Cybersecurity regulations are a strong candidate for harmonization due to the commonality of information and communication technology across different sectors.
Harmonized cybersecurity approaches can lead to better security outcomes and reduced compliance costs.
Public comments highlight the difficulty in understanding and implementing cybersecurity requirements, leading to a compliance-focused culture rather than proactive security measures.
Regulators should tailor requirements to promote actual cybersecurity rather than just checking boxes, which only incrementally increases security.
The need for a common framework to reduce redundant and conflicting requirements that increase compliance burdens.
The Office of the National Cyber Director (ONCD) is designated as the federal lead for cybersecurity regulatory harmonization.
Challenges faced by ONCD include the breadth of regulations and the difficulty in getting all relevant parties to participate in policy-making.
Legislation that requires all agencies, including independent regulatory agencies, to harmonize their regulations could significantly aid the ONCD's efforts.
The RFI response emphasizes the critical need for reciprocity in regulatory harmonization to reduce compliance costs.
Supply chain risk management is a significant focus, with a harmonized framework potentially aiding internal risk management processes.
Federal, state, and local regulations can create a patchwork of requirements, complicating compliance for businesses.
Disharmonized compliance mechanisms can impact companies' international competitiveness due to the need to invest in multiple systems.
Federal leadership in setting a strong baseline for cybersecurity requirements is essential for state and international alignment.
State and local governments have expressed a desire for federal guidelines to help model their cybersecurity regulations.
The need for a unified approach to cybersecurity that includes reporting, identification, management, protection, response, and recovery.
The impact of contrasting federal, state, and local regulations on businesses, particularly those with limited resources.
The importance of a single overarching framework for cybersecurity to streamline compliance and minimize burdens.
Transcripts
Chairman Peters: As both of you have mentioned in your opening comments, and I mentioned in mine, we know that regulations are used by federal agencies in multiple ways. I mentioned in my opening making sure we have clean water to drink, protecting investors from predatory practices, and the list goes on. Cybersecurity regulations have received a greater amount of attention given the growing threat of cyber attacks, which is not going down and probably, you would argue, exponentially going up, and our critical infrastructure and federal IT systems, which are a particular target. So, Mr. Leiserson, why do cybersecurity regulations lend themselves generally to be a good candidate for harmonization all across these agencies? We need to do a lot of harmonization in a lot of fields, but why cybersecurity in particular?

Mr. Leiserson: Thank you, Mr. Chairman. It's a great question, and from our standpoint the reason that we're particularly interested in looking at baseline cybersecurity requirements across critical infrastructure sectors is that the information and communications technology that's used, whether you're in a bank, a nuclear power plant, or a water treatment facility, is largely the same. And the first thing that adversaries are trying to do when they get access, whether they're trying to steal money, drop ransomware, or potentially affect our ability to mobilize militarily, the first thing they're going after is these enterprise IT systems. And for that reason, because the enterprise IT systems are common across sectors, we really feel strongly that having a harmonized approach with reciprocity across different regulators will help ensure that we get both better cybersecurity outcomes and less money spent on compliance.

Chairman Peters: Very good. You know, several public comments on ONCD's request for information on harmonization discuss the difficulties in understanding and implementing cybersecurity requirements, which I think leads to a compliance culture as opposed to dedicating resources to actually protecting our systems from cyber attacks. So, Mr. Hinchman, this question is for you. How can regulators better tailor their requirements to promote cybersecurity rather than just a check-the-box exercise that only incrementally increases security but unfortunately does not move us forward, and in the process significantly increases the compliance burden while not moving us forward?

Mr. Hinchman: Thank you, Senator. I think one way to think of this: it's not a lot different from our duplication, overlap, and fragmentation work that we do for the committee, which the Comptroller General was up here several weeks ago talking to you about. The idea of redundant, conflicting requirements is not different; it's on a much greater scale, and it's something that's national and something we're still struggling to understand the real breadth of. But I think the general idea is that because regulations have grown patchwork here and there, specific sectors will pass rules because it's important to them, they're dealing with a certain threat, and then when you have organizations that work across sectors or across state lines or across international boundaries, you run into a lot of things that they have to do in addition to what they may do with their, sort of, what I'll call their home set of rules and regulations. And so that compliance issue becomes a real cost burden. Some of the work that we've done: we did a job in 2020 looking at states and dealing with four agencies, FBI, IRS, SSA, and CMS, and 35 of the states reported a moderate to significant increase in cost related to the compliance that they had to do to meet the different regulations of each of those four agencies. And so to remove that, I think you need to look for a common framework. People have talked about whether the NIST Cybersecurity Framework offers that possibility, but a common set of minimum standards that stretch across the government that can then be customized to meet the needs of individual sectors.

Chairman Peters: Very good. Yeah, as noted, Mr. Leiserson, in your opening statement, the Office of the National Cyber Director is designated as the federal lead for addressing cybersecurity regulatory harmonization. So my question for you, you've raised some of this, but to clarify for the committee: what are the biggest challenges ONCD is now facing in harmonizing cyber regulations?

Mr. Leiserson: Certainly, Mr. Chairman, thanks for the question. There are two things that I would highlight as the challenges. One is the breadth that we have here, where you see dozens of regulators who have dozens more regulations; you mentioned the 48 that we've seen just in the past four years. Which means that from our perspective you really need a strategic approach, a top-down approach that says this is the framework that we're aiming at, and gives that guidance to regulators. But that gets into the second challenge, right? So the first challenge is the breadth of the problem and getting our hands around it. The second challenge is getting all of the relevant parties to the table. As I mentioned, from our perspective the most important part of ensuring that we have a framework that is applicable across sectors and does appropriately address the concerns that different regulators have is to ensure all of them are participants in a policy-making process to design such a framework. But in doing so, at the moment we are limited in our ability to do so with respect to independent regulatory commissions, which is something that we truly need Congress's help with.

Chairman Peters: Mr. Leiserson, again, you stated in your testimony that the administration supports legislation that would require all agencies, including our independent regulatory agencies, to come up to the table, basically, and work on harmonizing their regulations with everybody else. So the specific question for you, sir, is: how would having this convening authority help the ONCD actually address this issue? What are going to be the strengths of getting this done?

Mr. Leiserson: Thank you, Mr. Chairman. It would help enormously, frankly, and it would help because right now, when we want to talk to our independent regulatory commission partners, which we do as much as we can, we basically have a coalition of the willing. We have the folks who want to come to the table, who believe that this is an important problem, and have a conversation about it. But having a clear mandate from Congress to bring everyone to the table will let us do what we do best at ONCD, which is listen to our partners, work with them to address the challenges, and, as I say, design a comprehensive framework that allows for harmonization, yes, but just as importantly reciprocity, right? The idea that once I've proven as an entity that I've met the requirements once, I do not need to do so no matter how many other regulators are asking the same questions. And that is what will allow us to both get better cybersecurity outcomes and at the same time reduce the burden on businesses.

Chairman Peters: In July of 2023 the Office of the National Cyber Director released a request for information on cybersecurity regulatory harmonization. The main theme of a lack of coordination amongst regulators, particularly independent regulatory agencies such as the Securities and Exchange Commission, the Federal Communications Commission, and the Federal Trade Commission, certainly stands out to me. So my question for you is: how is the ONCD incorporating the feedback from the RFI into their work?

Mr. Leiserson: Thank you, Mr. Chairman. We are very much... the reason that we put out the RFI in the first place is absolutely that we rely on the input from all of our partners, both in the private sector and in the interagency, to inform our work. There are a couple of things that I think really stood out to us in terms of the RFI and have crystallized how we're approaching our regulatory harmonization and reciprocity work going forward. One element in particular is the fact that reciprocity, which we had theorized should probably be part of the solution, was really highlighted by the RFI respondents as something that is absolutely critical to our getting this right. The focus on the compliance burden really points to the fact that yes, you want a harmonized baseline because that gives you the simplicity, the clarity of understanding what specifically it is that you need to do, but you need the reciprocity to ensure that that also translates into less compliance cost. The other thing that I think I'll highlight is the amount of focus on supply chain risk management, and the fact that for a number of companies, they are right now trying to figure out how do they manage risk in their supply chains, cyber risk that can come because there are either connections back into their networks or the fact that a disruption in their supply chain could materially impact their business. And having a harmonized framework would also help them do their own internal risk management processes, which I will admit was not something that we were really thinking through at the outset. And now we look and say, well, this actually could be a catalyst for businesses too; you may have regulation that actually helps them manage their own business risk by being able to look and say, oh, these folks have met the baseline standards; that helps us understand what their posture is for our own internal, business-focused supply chain risk management.

Chairman Peters: Mr. Hinchman, in your testimony you highlighted that the federal government should adopt model definitions and consider setting minimum cybersecurity requirements. So how do conflicting definitions and requirements contribute to the difficulties in overall compliance?

Mr. Hinchman: Any time that an organization is subject to multiple, the word of art is "regime," reporting regimes, you run into compliance burdens. And we've done work in the financial sector where CISOs from financial services firms have reported their folks spend 30 to 40% of their time on compliance rather than focusing on cybersecurity. And it gets back to the point I'd initially made about duplication and overlap: that when you have multiple reporting regimes with multiple requirements that are not alike, you spend a lot of time doing paperwork rather than focusing on your job, because you need to meet the requirements of both of these frameworks that you're subject to. A single overarching framework, which is then customized as appropriate within sector, ideally would remove a lot of that burden, so that there is a single point of reference that everyone starts from when thinking about cybersecurity in their organizations. And that includes reporting requirements, anything else; you know, we talk about reporting requirements, but there's a whole framework beyond that: you know, identification, management, protection of data, response, recovery. And so I think it's really important that people be able to go to one place, know where that starts, and then figure out what they're required to do from there, so you can streamline those compliance requirements. There will always be some compliance burden, as I mentioned a moment ago, but we can do a lot to streamline that and minimize it.

Chairman Peters: Yeah, very good. Mr. Leiserson, to what extent have disharmonized compliance mechanisms actually impacted the ability of companies to compete internationally?

Mr. Leiserson: Thank you, Mr. Chairman. That has absolutely been something that we have heard, for a number of reasons I would say. So first and foremost, it can mean that companies need to invest in multiple systems, so you are basically forcing them to duplicate some of their information and communications technology spend because they are subject to disharmonious regulatory regimes. And when that is the case, if they're competing against a company in, say, Europe that is only operating under an EU framework, they will be at a competitive disadvantage. I think that really points to part of what we are hoping to get out of this effort. If we have a strong federal framework for baseline cybersecurity requirements that is developed by all of the relevant parties in the interagency, including the independent regulatory commissions, that actually is very helpful for us in digital trade negotiations, in other export of American businesses, because we can then go forth and say, hey, now we're looking for mutual recognition with our international partners, and we can give folks an understanding of what exactly that means because we have a single framework to point to. Whereas right now, when you look at mutual recognition, it's often challenging because we're pointing back to what we're doing, that is a kind of hodgepodge of different regulatory requirements.

Chairman Peters: You know, federal agencies, as you know very well, are not the only agencies that have cybersecurity regulations. We have state regulations; local cities, other localities across the nation have all sorts of requirements for businesses that operate in their areas. To give you a couple of examples: Massachusetts state law requires all persons who own or license personal information about Massachusetts residents to develop, implement, and maintain a comprehensive information security program. The New York Department of Financial Services has also adopted a robust set of cybersecurity rules with significant requirements for any company that provides a financial or credit service within the state of New York. And I could just go on and on with that list. So, Mr. Leiserson, how is the federal government working to coordinate with state, local, tribal, and territorial governments all across the government landscape to harmonize these regulations?

Mr. Leiserson: Thank you, Mr. Chairman. So I will highlight a couple of points. So first of all, both the New York Department of Financial Services and the state of New York responded to our RFI, our request for information, and one of the things that stood out to me was the fact that they really were asking for federal leadership in this space. DFS and the state said having strong federal guidelines, which a harmonized set of baseline requirements would do, would help them significantly in terms of how they would model their work. They have worked, DFS has worked, the Department of Financial Services has worked with federal regulators. It is something that we're concerned about; again, when we see duplicative requirements that are attempting to control the same risk, whether they're at the state level, the federal level, or the international level, that gives us pause. But if we can get the federal house in order, if we can set a strong federal baseline requirement, if we can lead, we do have strong confidence that both our state governments will look at that as a gold standard and also start to move in that direction, and also our international partners. One of the things that the National Cyber Director, Harry Coker Jr., has consistently impressed upon me is that in his conversations with international counterparts, they bring up regulatory harmonization. They ask what is it that we're doing to help control risk to critical infrastructure, and they say, gee, it would be great to see federal leadership here; we need the United States to help us understand; you have the most sophisticated tech sector, you have the most reliance on technology; if you can set a gold standard, that would help us; that would give something for us to shoot for as well. So I think it really is incumbent upon us in the federal government, partnering between the administration and Congress, to set that standard.

Chairman Peters: And Mr. Hinchman, how do these contrasting federal, state, and local regulations, how does that impact businesses in our community or in our country?

Mr. Hinchman: Well, I think very similar to the problems we had with just, sort of, federal agencies: it's the multiple requirements, and who do you need to do and for what. I think, you know, the examples you drew are great. I live in Texas. The Texas Department of Information Resources has an incident reporting rule that schools are required to follow when attacked. Well, the CISA notice of proposed rulemaking also includes schools, so now you're going to have schools that are trying to figure out how to do their local reporting as well as the national reporting. And these are organizations that traditionally do not have resources for this; they're already under... IT is probably underfunded. In a small district, you may have one person who does IT for the entire district, including the cyber side, and I don't know that that's sustainable. And so I think we really need to think about how those state and local rules are impacted by perhaps the federal leadership that's been called for, so that they have more of a benchmark to follow. I think there are also things like privacy: states are increasingly passing privacy laws which may be conflicting with guidance they're getting from the federal level. And so how does a business operating manage both of those? It's similar to how, sort of, a patchwork of federal rail Lake regulations have popped up; a patchwork of federal, excuse me, state laws pops up as well, and that all needs to be managed and sort of brought into a common framework so that folks know who they're operating from and what the standards are.