Chairman Peters' Questions: Streamlining the Federal Cybersecurity Regulatory Process

00:00

as both of you have mentioned in your

00:01

opening comments and I mentioned in mine

00:03

uh we know that regulations are used by

00:05

federal agencies in multiple uh ways uh

00:09

I mentioned in my opening about uh

00:11

making sure we have clean water to drink

00:13

uh protecting investors from predatory

00:15

practices and and the list goes on uh

00:18

cyber security regulations have received

00:20

a greater amount of attention giving the

00:23

growing threat of cyber attacks which is

00:25

not going down and probably you would

00:27

argue exponentially going up and uh our

00:30

critical infrastructure and federal it

00:32

systems which are particular Target so

00:34

Mr lerson why do cyber security

00:37

regulations lend themselves generally to

00:39

be a good candidate for harmonization

00:42

all across these agencies we need to do

00:44

a lot of harmonization and a lot of

00:46

fields but why cyber security in

00:48

particular uh thank you Mr chairman it's

00:50

a it's a great question and from our

00:53

standpoint the reason that we're

00:55

particularly interested in looking at

00:57

Baseline cyber security requirements

01:00

across critical infrastructure sectors

01:02

is that the information and

01:04

Communications technology that's used

01:06

whether you're in a bank a nuclear power

01:09

plant a water treatment facility the

01:12

information and Communications

01:13

technology is largely the same and the

01:16

first thing that adversaries are trying

01:18

to do when they get access whether

01:19

they're trying to steal money drop

01:22

ransomware or potentially uh affect our

01:25

ability to mobilize militarily the first

01:27

thing they're going after is these

01:29

Enterprise it systems and for that

01:32

reason because the Enterprise it systems

01:35

are common across sectors we really feel

01:38

strongly that having a harmonized

01:40

approach with reciprocity across

01:43

different Regulators will help ensure

01:45

that we get both better cyber security

01:48

outcomes and less money spent on

01:51

compliance very

01:53

good you know several uh public comments

01:56

um at on CD's request for information on

01:59

harmonization

02:00

discuss the the difficulties in

02:03

understanding um and implementing cyber

02:05

security requirements which I think

02:07

leads to a a compliance culture uh as

02:10

opposed to dedicating resources to

02:12

actually protecting uh our systems from

02:15

cyber attacks so Mr henchman this

02:18

question is for you uh how how can

02:20

Regulators better tailor their

02:22

requirements to promote cyber security

02:25

rather than just a check the box

02:28

exercise that only incrementally

02:30

increases security but unfortunately

02:32

does not um uh move us forward uh and in

02:36

the process significantly increases the

02:38

compliance uh burden while not moving us

02:41

forward thank you Senator I think one

02:44

way to think of this it's not a lot

02:46

different from our duplication overlap

02:48

and fragmentation work that we do for

02:49

the committee in which um comproller

02:52

General was up here several weeks ago

02:53

talking you about the idea of redundant

02:56

conflicting requirements is not

02:58

different it's on a much greater scale

02:59

and it's something that's National and

03:01

something we're still struggling to

03:02

understand the real breadth of but I

03:04

think the general idea that because

03:06

regulations have grown Patchwork here

03:08

and there specific sectors will pass

03:10

rules because it's important to them

03:12

they're dealing with a certain threat

03:14

and then when you have organizations

03:16

that work across sectors or across state

03:18

lines or across International boundaries

03:20

you run into a lot of things that they

03:22

have to do in addition to what they may

03:25

do with their sort of what I'll call

03:26

their home set of of rules and

03:28

regulations and so that compliance issue

03:31

becomes real cost burden and some of the

03:33

work that we've done uh we did a job in

03:35

2020 looking at States and dealing with

03:38

four agencies uh FBI IRS SSA and uh CMS

03:44

and 35 per 35 of the states reported a

03:48

moderate to significant increase in cost

03:51

related to the compliance that they had

03:52

to do to meet the different regulations

03:55

of each of those four agencies and so to

03:58

remove that I think you need to look for

03:59

for a common framework people have

04:01

talked about whether the NIS cyber

04:03

security framework offers that

04:04

possibility but a common set of minimum

04:07

standards that stress across excuse me

04:09

stretch across the government that can

04:11

then be customized to meet the needs of

04:13

individual

04:14

sectors very good yeah as noted uh Mr

04:19

lerson in the your opening statement the

04:21

the office of the national cyber

04:23

director is designated as the federal

04:25

lead for addressing cyber security

04:27

regulatory harmonization so my my

04:30

question for you uh you've raised some

04:31

of this but to clarify for the committee

04:34

what are the biggest challenges oncd is

04:36

now facing in harmonizing cyber

04:39

regulations uh certainly Mr chairman

04:41

thanks for the question there are two

04:43

things that I would highlight as as the

04:45

challenges one is the breath that we

04:48

have here where you see dozens of

04:49

regulators who have uh dozens more

04:53

regulations you mentioned the 48 that

04:55

we've seen just in the past four years

04:57

uh which means that from our perspective

05:00

you really need a strategic approach a

05:02

top- down approach that says this is the

05:04

framework that we're aiming at uh and

05:07

gives that guidance to Regulators but

05:09

that gets into the Second Challenge

05:11

right so the first challenge is the

05:13

breath of the problem and getting our

05:14

hands around it the second challenge is

05:16

getting all of the relevant parties to

05:18

the table as I mentioned from our

05:20

perspective the most important part of

05:22

ensuring that we have a framework that

05:25

is applicable across sectors and does

05:27

appropriately address the concerns that

05:30

different Regulators have is to ensure

05:32

all of them are participants in a

05:33

policy-making process to design such a

05:36

framework uh but doing so at the moment

05:38

we are limited in our ability to do so

05:40

with respect to independent regulatory

05:42

commissions which is something that we

05:44

truly need congress's help

05:47

with Mr again you you stated in your

05:50

testimony that the administration

05:52

supports uh legislation that would

05:54

require all agencies including our

05:58

independent regulatory agencies to to

06:00

come up to the table basically and work

06:03

on harmonizing their regulations with

06:05

with everybody else so the specific

06:07

question for you sir is H how would

06:09

having this convening Authority help the

06:11

oncd actually address this issue what

06:14

what what are going to be the strengths

06:16

of getting this done uh thank you Mr

06:19

chairman uh the the it would help

06:22

enormously frankly and it would help

06:24

because right now when we want to talk

06:27

to our Independent Regulatory Commission

06:29

partner which we do as much as we can we

06:32

basically have a coalition of the

06:33

Willing we have the folks who want to

06:36

come to the table who believe that this

06:37

is an important problem and have a

06:40

conversation about it but having a clear

06:43

mandate from Congress to bring everyone

06:45

to the table will let us do what we do

06:48

best at oncd which is listen to our

06:50

partners work with them to address the

06:52

challenges and as I say design a

06:55

comprehensive framework that allows for

06:57

harmonization yes but just as

06:59

importantly

07:00

reciprocity right the idea that once

07:02

I've proven as an entity that I've met

07:05

the requirements once I do not need to

07:07

do so no matter how many other

07:09

Regulators are asking the same questions

07:11

and that is what will allow us to both

07:14

get better cyber security outcomes and

07:17

at the same time reduce the burden on

07:20

businesses in July of

07:22

2023 the office of the national cyber

07:25

director released a a request for

07:27

information on cyber security regulatory

07:30

harmonization uh the main theme of a

07:33

lack of coordination amongst Regulators

07:36

particularly Independent Regulatory

07:37

Agencies such as the Securities and

07:39

Exchange Commission the Federal

07:41

Communications Commission the Federal

07:43

Trade Commission uh certainly uh stands

07:45

out to to me so my question for you is

07:48

how is the oncd incorporating the

07:50

feedback from the RFI um into their work

07:54

uh thank you Mr chairman uh we are very

07:57

much the the reason that we put out the

08:00

the RFI in the first place is absolutely

08:02

that we rely on the input from all of

08:04

our partners both in the private sector

08:07

and in the inter agency to inform our

08:09

work the there are a couple of things

08:11

that I think uh really stood out to us

08:14

in terms of the RFI and have

08:16

crystallized how we're approaching uh

08:18

our Regulatory harmonization and

08:20

reciprocity work going forward one

08:23

element in particular is the fact that

08:25

uh reciprocity which we had theorized

08:28

should probably be part of the solution

08:30

was really highlighted in the RFI

08:32

respondents as something that is

08:34

absolutely critical to our getting this

08:37

right um the focus on the compliance

08:41

burden really points to the fact that

08:43

yes you want a harmonized baseline

08:45

because that gives you the Simplicity

08:47

the clarity of understanding what

08:49

specifically it is that you need to do

08:52

uh but you need the reciprocity to

08:53

ensure that that also translates into

08:56

less compliance costs the other thing

08:59

that I think I think I'll highlight is

09:00

um the amount of focus on supply chain

09:03

risk management and the fact that for a

09:06

number of companies they are right now

09:08

trying to figure out how do they manage

09:10

risk in their supply chains uh cyber

09:13

risk that can come because they're

09:14

either connections back into their

09:16

networks or the fact that A disruption

09:18

in their supply chain could materially

09:20

impact their business and having a

09:22

harmonized framework would also help

09:26

them do their own internal risk

09:28

management process IES which I will

09:30

admit was not something that we were

09:31

really thinking through at the outset

09:34

and now we look and say well this

09:35

actually could be a catalyst for

09:37

businesses too you may have regulation

09:39

that actually helps them manage their

09:40

own business Risk by being able to look

09:43

and say oh these folks have met the

09:45

Baseline standards that helps us

09:48

understand what their posture is for our

09:49

own internal business focus supply chain

09:52

risk

09:54

management Mr Hitchman in in your

09:57

testimony you you highlighted that the

09:59

federal government should adopt model

10:01

definitions uh and consider setting

10:04

minimum cyber security requirements so

10:07

how do uh conflicting definitions and

10:09

requirements uh contribute to the

10:11

difficulties in overall

10:14

compliance anytime that an organization

10:17

is subject to multiple the word of art

10:20

is regime reporting regime you run into

10:23

compliance burdens uh and we've done

10:25

work in the financial sector where cisos

10:28

from Financial Services firms have

10:30

reported their folks spend 30 to 40% of

10:33

their time on compliance rather than

10:35

focusing on cyber security and it gets

10:38

back to the point I'd initially made

10:39

about duplication overlap that when you

10:41

have multiple reporting regimes with

10:44

multiple requirements that are not alike

10:46

you spend a lot of time doing paperwork

10:49

rather than focusing on your job because

10:51

you need to meet the requirements of

10:52

both of these Frameworks that you're

10:54

subject to a single overarching

10:56

framework which is then customized as

10:58

appropriate Within sector ideally would

11:00

remove a lot of that burden so that

11:02

there is a single point of reference

11:04

that everyone starts from when thinking

11:06

about cyber security in near

11:07

organizations and that includes

11:09

reporting requirements anything else and

11:12

you know we talk about reporting

11:13

requirement there's a whole framework

11:15

beyond that you know identification

11:16

management protection of data uh report

11:20

uh response recovery uh and so it's I

11:23

think it's really important that people

11:25

be able to go to one place know where

11:27

that starts and then figure out what

11:29

they're required to do from there so you

11:32

can streamline those compliance

11:33

requirements there will always be some

11:35

compliance burden as I mentioned a

11:36

moment ago but we can do a lot to

11:38

streamline that and minimize it yeah

11:41

very good Mr lerson to what extent has

11:45

disharmonize and compliance mechanisms

11:48

actually impacted the ability of

11:50

companies to compete uh

11:53

internationally uh thank you Mr chairman

11:55

that that has absolutely been something

11:57

that we have heard um because for for a

12:01

number of reasons I would say so first

12:03

and foremost it can mean that companies

12:05

need to invest in multiple systems so

12:08

you are basically forcing them to

12:10

duplicate some of their information and

12:12

Communications technology spend because

12:15

they are subject to

12:17

disharmonious uh Regulatory regimes and

12:21

when that is the case if uh they're

12:23

competing against a company in say

12:26

Europe that is only operating under an

12:29

EU framework um they will be at a

12:32

competitive disadvantage uh I think that

12:35

that really points to part of what we

12:37

are hoping to get out of this effort if

12:40

we have a strong Federal framework for

12:43

Baseline cyber security requirements

12:45

that is developed by all of the relevant

12:48

parties in the inter agency including

12:50

the independent regulatory commissions

12:52

that actually is very helpful for us in

12:55

digital trade negotiations in other uh

12:59

export of American businesses because we

13:01

can then go forth and say hey now we're

13:03

looking for Mutual recognition with our

13:05

International partners and we can give

13:07

folks an understanding of what exactly

13:09

that means because we have a single

13:11

framework to point to whereas right now

13:14

when you look at Mutual recognition it's

13:15

often challenging because we're pointing

13:17

back to what we're doing that is a uh a

13:22

kind of hodgepodge of different

13:23

regulatory requirements you know federal

13:26

agencies uh as you know very well are

13:28

are not the only agencies that have

13:30

cyber security regulations we have state

13:34

regulations local cities other

13:36

localities across the nation have all

13:38

sorts of requirements for businesses

13:40

that operate in their areas give you a

13:42

couple examples for example

13:44

Massachusetts state law requires all

13:46

persons who own or license personal

13:48

information about Massachusetts

13:49

residents to develop Implement and

13:51

maintain a comprehensive information

13:53

security program the New York Department

13:56

of Financial Services has also adopted

13:59

robust set of cyber security rules with

14:01

significant requirements for any company

14:03

that provides a financial or credit

14:05

service within the state of New York and

14:08

I could just go on and on with that list

14:11

so mron how is the federal government

14:13

working to coordinate with State local

14:16

tribal territorial governments uh all

14:19

across the uh the government uh

14:23

landscape to harmonize these regulations

14:26

uh thank you Mr chairman so I will

14:28

highlight a couple points so first of

14:30

all both the New York Department of

14:32

Financial Services and the state of New

14:34

York responded to our RFI our request

14:36

for information and one of the things

14:38

that stood out to me was the fact that

14:40

they really were asking for federal

14:42

leadership in this space DFS in the

14:45

state said having strong federal

14:48

guidelines um which a harmonized set of

14:51

Baseline requirements would do uh would

14:55

help them significantly in terms of how

14:58

they would model their work they have

15:00

worked DFS has worked the Department of

15:03

Financial Services has worked with

15:04

Federal Regulators um it is something

15:07

that we're concerned about again like

15:08

when we see duplicative requirements

15:10

that are attempting to control the same

15:12

risk whether they're at the state level

15:14

the federal level or the international

15:15

level um that gives us pause but if we

15:19

can get the federal house in order if we

15:21

can set a strong Federal uh uh Baseline

15:23

requirement if we can lead um we do have

15:27

strong confidence that both our state

15:30

governments will look at that as a gold

15:32

standard and also start to move in that

15:35

direction and also our International

15:37

Partners one of the things that uh the

15:39

national cyber director Harry Coker Jr

15:41

has consistently impressed upon me is in

15:44

his conversations with International

15:46

counterparts they bring up regulatory

15:48

harmonization they ask what is it that

15:51

we're doing to help control risk to

15:53

critical infrastructure and they say gee

15:56

it would be great to see Federal

15:58

leadership here we need the United

16:00

States to help us understand you have

16:02

the most sophisticated Tech sector you

16:04

have the most Reliance on technology if

16:07

you can set a gold standard that would

16:10

help us that would give something for us

16:11

to shoot for as well so I think it

16:13

really is uh incumbent Upon Us in the

16:17

federal government partnering between

16:19

the administration and Congress to set

16:21

that

16:23

standard and Mr Hitchman how does this

16:25

contrasting federal state local

16:27

regulations how does that impact

16:29

businesses in our community or in our

16:31

country well I I think very similar to

16:34

the problems we had with just sort of

16:36

federal agencies it's the multiple

16:38

requirements and who do you need to do

16:40

and for what I think you know the

16:41

examples you drew are great I live in

16:43

Texas uh the Texas department of

16:45

information resources has an instant

16:47

reporting rule that schools are required

16:49

to follow when attack well the cister

16:51

are notice a propos making also includes

16:53

schools so now you're going to have

16:55

schools that are trying to figure out

16:57

how to do their local reporting as well

16:59

as the national reporting and these are

17:01

organizations that traditionally do not

17:04

have resources for this they're already

17:06

undern it is probably underfunded you in

17:08

a small District you may have one person

17:10

who does it for the entire District

17:13

including the Cyber side and I don't

17:15

know that that's sustainable and so I

17:17

think we really need to think about how

17:21

those state and local rules are impacted

17:25

by perhaps the federal leadership that's

17:27

been called for so that they have more

17:29

of a benchmark to follow I think there's

17:31

also things like privacy states are

17:33

increasingly passing privacy laws which

17:35

may be conflicting with guidance they're

17:37

getting from the federal level and so

17:39

how does an organiz a business operating

17:41

manage both of those is it's similar to

17:44

how sort of Patchwork of federal rail

17:45

Lake regulations have popped up is the

17:48

patchwork of federal excuse me state

17:50

laws pop as pop up as well that all

17:53

needs to be managed and sort of brought

17:55

into a common framework so that folks

17:57

know who to how who their operating from

17:59

and what the standards are