House Oversight and Accountability Hearing on Cybersecurity and Regulations

00:01

technology and government Innovation

00:03

will now come to order and welcome

00:05

everyone without objection the chair May

00:07

declare recess at any time and I

00:09

recognize myself for the purpose of

00:11

making an opening statement good morning

00:13

and welcome to this hearing malicious

00:15

cyber attacks on our nation's critical

00:17

infrastructure are increasing in

00:19

frequency and scale these attacks can

00:21

create damaging disruptions and

00:23

compromise highly sensitive data much of

00:25

our critical infrastructure is owned and

00:27

operated by private sector companies

00:29

that includes Transportation networks

00:31

energy production and distribution

00:33

facilities and the defense industrial

00:35

base cyber attacks targeting such

00:38

operations threaten our homeland

00:39

security and our national security

00:41

that's why we need a strong partnership

00:43

between the government and private

00:44

operators of critical infrastructure

00:46

unfortunately Federal Regulations

00:48

intended to mitigate cyber security risk

00:50

often subject key industry participants

00:52

to overlapping and inconsistent

00:54

requirements this creates an inefficient

00:57

regulatory regime the cost and burden of

00:59

compliance is high companies are forced

01:01

to divert resources away from cyber

01:03

security enhancements to check various

01:05

unnecessary compliance boxes the

01:08

unnecessary drain on resources also

01:10

reduces the competitiveness of these

01:12

businesses regulations can proliferate

01:15

out of control when multiple agencies

01:17

are issuing rules on the same topic a

01:19

single company operating across critical

01:21

sectors might need to comply with

01:23

overlapping inconsistent cyber security

01:26

rules issued by half dozen different

01:28

agencies good luck with that so it's not

01:32

surprising that companies are feeling

01:33

besieged by the growing barrage of cyber

01:35

security requirements in March of last

01:38

year the then acting White House cyber

01:39

director appeared before this

01:41

subcommittee to discuss the

01:43

administration's National cyber security

01:44

strategy she testified that day that

01:47

under the strategy her office and the

01:48

Office of Management and budget were

01:50

jointly responsible for addressing this

01:52

issue of cyber security regulatory

01:54

harmonization a few months later her

01:56

office issued a request for information

01:57

asking critical sector operators to

02:00

identify conflicting and mutually

02:02

exclusive or inconsistent regulations

02:04

and describe the burden that they impose

02:07

the RFI describes the goal of

02:09

harmonization reciprocity in the

02:11

regulation an illustration of

02:13

harmonization would be multiple federal

02:15

agencies agreeing on allowable forms of

02:17

multiactor authentication to access it

02:19

systems reciprocity would mean that if

02:21

one regulator found a company's

02:23

multiactor authentication was being in

02:25

being appropriately used on the NIT

02:27

system another regulator could accept

02:30

that find instead of doing its own

02:32

independent assessment unfortunately

02:34

judging from the response to the RFI we

02:36

have a long way to go to achieve

02:38

harmonization and

02:40

reciprocity the more than 100

02:42

respondents a few of whom we will hear

02:44

from today describe a highly inefficient

02:47

regulatory regime that detracts from

02:49

cyber security outcomes by unnecessarily

02:51

consuming scarce resources some of the

02:54

respondents noted that state level and

02:56

international cyber security regulations

02:58

contribute further to the regulatory

03:00

morass they must investigate the upshot

03:04

according to the financial services

03:05

sector coordinating council is that many

03:08

com that the many company many company

03:10

Chief information security officers

03:12

spend as much as half their time on

03:14

Regulatory Compliance instead of

03:17

upgrading their cyber securi posture in

03:20

all the administration received more

03:21

than 2,000 pages of comments to its RFI

03:25

I appreciate the administration took the

03:26

trouble to seek out the views of the

03:28

affected parties but the responses

03:31

thousands of them show how challenging

03:33

it will be to address the problem one

03:36

thing seems clear strong centralized

03:38

leadership from the Executive Office of

03:39

the President will be required to

03:41

harmonize cyber security regulations

03:43

that's the only way to put a check on

03:44

Regulators within the bureaucracy who

03:47

may be blind to the broader impact of

03:48

rules they issue I look forward to

03:50

hearing from our Witnesses today who

03:52

will provide valuable Insight on this

03:53

problem from the perspective of

03:55

different critical sectors but before I

03:57

introduce them I'm going to yield to the

03:58

ranking member Connelly for 5 minutes

04:00

thank you uh and Madam chairwoman I'd

04:02

ask unanimous consent to enter into the

04:05

record at the appropriate time a

04:07

statement uh from a thoughtful statement

04:09

from Professor John uh Jason Healey of

04:12

Columbia School of International and

04:13

public affairs without objection I thank

04:15

the chair cyber attacks on government

04:18

agencies businesses critical

04:20

infrastructure of private citizens have

04:22

become alarmingly frequent and

04:25

sophisticated the cost of these attacks

04:27

financially and in terms of National

04:29

Security security is

04:31

staggering according to data from the

04:33

Federal Bureau of Investigation and the

04:35

international monetary fund the average

04:38

annual cost of cyber crime worldwide is

04:42

expected to reach $23

04:45

trillion by 2027 that's with a

04:49

t ransomware attacks against these

04:52

sectors for example increased by more

04:54

than 50% in 2023 alone federal agencies

04:58

reported more than 3

05:00

2,000 cyber security incidents in fiscal

05:03

year 2023 that's an increase of nearly

05:07

10% compared to the previous year in

05:09

addition the FBI's internet crime

05:11

complaint center received more than

05:14

880,000

05:16

fishing personal data breach and other

05:19

complaints in

05:21

2023 as I've stated in previous hearings

05:23

held by this subcommittee data breaches

05:26

and cyber attacks are no longer novel

05:30

that is why securing the systems that

05:33

are the backbone of the US economy is

05:36

essential and fundamental both to the

05:38

public and private sectors to this end

05:40

the federal government has a

05:42

responsibility to improve its cyber

05:45

security outcomes to combat cyber

05:48

threats federal agencies conduct

05:50

comprehensive and multi-layered

05:52

processes to set and enforce cyber

05:54

security requirements across components

05:56

of our critical infrastructure such as

05:59

Bank s water treatment plants and

06:01

telecommunication infrastructure for

06:03

example the federal information security

06:05

management act and executive orders like

06:08

executive order 14028 on approving the

06:11

nation cyber security enacted after the

06:13

Russian foreign intelligence service

06:16

perpetrated the solar wind cyber

06:18

security attack they mandate specific

06:21

cyber security practices among those are

06:24

agency-wide cyber security programs and

06:27

risk assessments incident response progr

06:29

protocols multiactor

06:32

authentication and improved event

06:35

logging as National cyber director Harry

06:38

Coker testified in January there is a

06:41

clear need for mandatory cyber security

06:43

requirements for critical infrastructure

06:45

no fool on however Congress and the

06:48

administration must not lose sight of

06:51

our responsibility to improve cyber

06:53

security outcomes and input from jao

06:56

industry civil society and State and

06:59

local Partners indicate that existing

07:01

regulations vary widely across many

07:05

sectors and at times conflicting

07:08

parameters this Patchwork approach often

07:11

leaves private state and local entities

07:13

charged with securing critical

07:14

infrastructure investing Less in our

07:17

Collective goal of improving cyber

07:19

security outcomes and More in compliance

07:23

checking activities putting National

07:25

Security and economic stability at some

07:27

risk the Biden har Administration

07:30

recognized the need to address the

07:32

overlapping nature of much needed cyber

07:34

security regulations by launching

07:36

efforts to deconflict and clarify cyber

07:40

security requirements in March of 2023

07:44

the national cyber director released the

07:46

national cyber security strategy which

07:48

listed harmonizing regulations to reduce

07:51

the burden of compliance as one of the

07:53

stated policy goals in August of 2023

07:57

the oncd issued a request for

08:00

information from industry and other

08:02

partners on the challenges with

08:04

regulatory overlap and to explore

08:06

framework for Baseline cyber security

08:09

requirements all our Witnesses here

08:11

today provided comments and feedback to

08:15

the oncd underscoring the Biden Harris

08:18

administration's collaborative efforts

08:20

with industry experts to get this right

08:23

in May of this year the office of

08:26

national cyber director also released

08:29

the first of its kind report on cyber

08:31

security posture of the United States

08:33

the report assesses the cyber security

08:36

posture the effectiveness of national

08:39

secur cyber policy and strategy and the

08:42

status of the implementation of national

08:44

cyber policy and strategy by federal

08:46

departments and agencies among the

08:48

highlights of that report are actions

08:51

taken by the federal government during

08:52

the previous year establishing and using

08:55

cyber requirements to protect critical

08:57

infrastructure including through the

09:00

development and harmonization of

09:01

regulatory requirements is the first

09:04

action listed in the report which just

09:07

goes to show how important the priority

09:08

has been for this Administration I look

09:11

forward to hearing today from especially

09:13

from Dr Charles clinty a senior vice

09:15

president and CTO at miter Corporation

09:19

about how Congress can support the

09:21

efforts underway to achieve regulatory

09:24

harmonization the goal is to maintain

09:27

clear and consistent guidance when it

09:29

comes to cyber security requirements

09:31

that will improve outcomes by bolstering

09:33

incident response enhancing resilience

09:36

reducing cost and ultimately benefiting

09:39

the American people thank you and I Y

09:41

back thank you Mr Connelly I'm pleased

09:43

to introduce our Witnesses for today's

09:45

hearing our first witness is Mr John

09:47

Miller vice president of policy trust

09:49

data and technology and general councel

09:51

at the information technology Industry

09:53

Council our second witness is Miss

09:55

Maggie oconnell director of security

09:57

reliability and resilience the

09:59

interstate Natural Gas Association of

10:01

America our third witness is Mr Patrick

10:03

Warren vice president regulatory

10:05

technology with the banking policy

10:06

Institute and our fourth and Final

10:08

witness today is Dr Charles Clancy Chief

10:11

technology officer at miter welcome

10:13

everyone we're pleased to have you this

10:15

morning pursuant to committ committee

10:17

rule 9g the witnesses will please stand

10:20

and raise your right

10:22

hand do you solemnly swear or affirm

10:25

that the testimony that you are about to

10:26

give is the truth the whole truth and

10:28

nothing but the truth so help you got

10:31

let the record show that the witnesses

10:32

all answered in the affirmative we

10:34

appreciate you being here today and look

10:36

forward to your testimony let me remind

10:38

the witnesses we have read your written

10:39

statements and they will appear in full

10:41

in the hearing record please limit your

10:43

oral statements to five minutes this

10:45

morning as a reminder please press the

10:47

button on the microphone in front of you

10:49

so that it is on and that the members up

10:51

here can hear you when you begin to

10:53

speak the light in front of you will

10:54

turn green after 4 minutes it will turn

10:56

yellow when the light comes on and it

10:58

turns red your five minutes have expired

11:00

I use the gavel I bang it hard let's not

11:03

do that today um we'd ask you to please

11:06

wrap up all right so now I would like to

11:08

recognize each of you individually for

11:10

your opening statements I will first

11:11

recognize Mr Miller if you will please

11:15

begin chairwoman mace ranking member

11:17

Connelly and distinguished members of

11:19

the subcommittee on behalf of the

11:21

information technology Industry Council

11:23

or ITI thank you for the opportunity to

11:25

testify today on the need to harmonize

11:27

cyber security regulations ITI is a

11:29

global policy and advocacy organization

11:32

representing 80 of the world's leading

11:33

tech companies and I lead I's trust data

11:36

and Technology policy team including our

11:38

work on cyber security in the US and

11:40

globally I've worked on Cyber policy

11:43

issues for over 15 years and have

11:44

extensive experience partnering with

11:46

cisa and other federal government

11:47

stakeholders on efforts to improve cyber

11:50

supply chain and critical infrastructure

11:52

security including currently serving in

11:54

leadership positions on the ICT supply

11:56

chain risk management task force and the

11:58

IT sector coordinating Council for as

12:01

long as I can remember there has been

12:03

strong long-standing widely agreed upon

12:05

bipartisan consensus on the need to

12:07

harmonize inconsistent duplicative or

12:09

conflicting cyber regulations the past

12:12

three administrations have prioritized

12:14

the issue multiple congresses have

12:16

agreed it's a priority and I and yet I

12:18

do not recall a single conflicting andc

12:20

consistent or duplicative cyber

12:22

regulation ever being eliminated or

12:24

streamlined after all these years so I

12:27

welcome this subcommittee's interest in

12:28

again Shining a light on this important

12:30

topic and sincerely hope this hearing

12:32

can help catalyze long overdue

12:33

harmonization of cyber regulations the

12:36

reasons why inconsistent duplicative or

12:38

conflicting cyber regulations are costly

12:40

to Industry and government are obvious

12:42

the office of the national cyber

12:43

director has acknowledged that cyber

12:45

overregulation leads to companies

12:46

focusing more on compliance than

12:48

security resulting in higher costs to

12:50

customers and working families and

12:52

negatively impacts National Security

12:54

this makes sense the more resources

12:56

organizations spend on compliance

12:57

auditing and tracking across multiple

12:59

regulatory regimes the less resources

13:01

are available to devote to obtaining

13:03

better cyber outcomes at lower costs

13:05

there are real costs on government too

13:07

surely it is inefficient to use scarce

13:09

government resources and Regulatory

13:11

capacity to create and enforce

13:13

duplicative inconsistent or conflicting

13:15

cyber regulatory requirements

13:17

particularly in light of the persistent

13:19

Federal cyber Workforce

13:21

shortage Congress to its credit remains

13:23

focused on the issue your colleagues at

13:25

Senate hgac recently introduced the

13:27

Cyber regulatory streamline in Bill and

13:30

Congress previously flagged this problem

13:31

as part of the Cyber incident reporting

13:33

for critical infrastructure act which

13:35

established the Cyber incident reporting

13:37

Council or Circ to study and make

13:39

recommendations to address conflicting

13:41

and duplicative federal incident

13:42

reporting requirements last September

13:44

cir report tallied over 50 such

13:47

requirements that were in effect or

13:48

pending representing just one small

13:50

slice of the overall cyber regulatory

13:53

landscape when we consider that most

13:55

companies are also encountering

13:56

duplicative inconsistent or conflicting

13:58

cyber regulation

13:59

at the US state level and

14:00

internationally it reveals the status

14:02

quo as simply untenable the delu of

14:05

cyber incident reporting regulations

14:07

perfectly illustrates the scope of the

14:08

overregulation problem and also serves

14:11

as a reminder that to date while we have

14:12

studied the issue and offered

14:14

recommendations there has been no

14:15

discernable harmonization instead the

14:18

problem is getting worse it is time that

14:20

we stop admiring this problem and commit

14:22

to addressing it I encourage the

14:24

subcommittee to consider all of the

14:25

recommendations to drive better cyber

14:27

harmonization in my written testimony

14:29

but I highlight five here first oncd

14:31

must follow through on its ongoing work

14:33

implementing the national cyber strategy

14:35

to implement an actionable plan to

14:37

harmonize existing cyber regulations and

14:39

hold federal agencies accountable for

14:41

following through including DHS for

14:44

implementing the Circ recommendations

14:45

and all agencies for actualizing

14:47

harmonization efforts second we should

14:49

align existing and future cyber

14:51

regulations around a common taxonomy

14:53

including definitions and risk

14:55

management controls grounded in

14:56

international standards the N cyber

14:58

security framework provides a common

15:00

language for doing so and can serve as

15:02

an orientation point for federal

15:03

harmonization efforts third we should

15:06

Define a standardized clearing process

15:07

for new Cyber regulatory activity to

15:09

prevent future fragmentation for

15:11

instance by expanding oira's role to

15:13

review sector specific regulations for

15:16

inconsistencies or by requiring federal

15:18

agencies to demonstrate that any new

15:20

regulations must fill identified

15:22

regulatory gaps fourth oncd should

15:25

develop and Implement a structured

15:27

reciprocity process Anchored In Baseline

15:29

controls and standards across federal

15:31

government regulations to reduce

15:33

barriers and clarify obligations

15:35

reciprocity among Federal agency

15:37

requirements is critical to reduce

15:38

redundant compliance costs on industry

15:40

and is particularly important in areas

15:42

such as Cloud security finally Congress

15:45

should seize the opportunity to drive

15:46

actionable Cyber harmonization Solutions

15:49

and use its oversight authorities to

15:50

make sure that the current and future

15:52

administrations follow through given the

15:54

Supreme Court's recent decision in ler

15:56

bright to overturn Chevron difference

15:58

going forward it is more important than

16:00

ever that Congress provide precise cyber

16:02

authorities and clear direction to the

16:04

federal agencies who will Implement and

16:06

enforce future rules thank you again for

16:08

the opportunity to testify today I look

16:10

forward to your

16:13

questions thank you I'd like to rise

16:15

Miss recognize Mr oconnell for five

16:17

minutes Miss oconnell for five minutes

16:19

good morning chairwoman me ranking

16:21

member Connelly members of the

16:22

subcomittee I'm Maggie oconnell director

16:24

of security reliability and resilience

16:26

with the interstate Natural Gas

16:27

Association of America America I

16:29

currently lead inga's cyber security

16:31

physical security and emergency response

16:33

policy thank you for inviting me to

16:35

share our perspectives on cybercity

16:37

regulatory harmonization Ina is the

16:40

national trade Association that

16:41

Advocates to federal policy makers the

16:43

priorities of the interstate natural gas

16:45

pipeline industry our members represent

16:47

the majority of Interstate natural gas

16:49

transmission pipeline companies in the

16:50

us and our leaders in the reliable

16:53

transportation of gas throughout the

16:55

country many of our members also operate

16:57

other forms of critical energy

16:59

infrastructure making our members some

17:01

of the most regulated entities in the

17:02

nation the oil and natural gas sub

17:05

sector understands the importance of

17:06

regulations to ensure the safe secure

17:09

and reliable delivery of goods and

17:10

services our primary purpose is to keep

17:13

energy moving which which is precisely

17:16

why our operators apply a risk-based

17:18

defense in depth approach to cyber

17:19

security defense in depth is a strategy

17:22

that protects the entire Enterprise

17:24

rather than each individual business

17:25

unit from various threats it entails

17:28

robust governance systematic risk-based

17:30

management and multi-dimensional

17:32

programs based on industry recognized

17:34

standards and Frameworks to that end

17:37

security regulations should not be

17:39

prolongated simply for the sake of doing

17:41

so they must be based on risk outcome

17:43

focused and threat enformed with the

17:45

goal of safeguarding those elements that

17:47

enable the provision of Energy Services

17:50

protection of personal data and of the

17:52

essential functions that support the

17:53

country's economy and National Security

17:56

the oil and natural gas industry

17:58

believes there are three main

17:59

considerations for determining how to

18:00

harmonize cyber security regulations

18:03

first Regulators should engage in robust

18:06

consultation processes with the

18:08

regulated Community other agencies with

18:11

authorities in that sector and with

18:12

Regulators of sectors with direct

18:14

dependencies to the sector for which the

18:16

cyber security requirements are

18:18

underdeveloped second if efforts cannot

18:20

be made to harmonize proposed cyber

18:22

security regulatory requirements

18:24

agencies should take action to

18:25

retroactively ensure that requirements

18:28

are harmonized in a reciprocating manner

18:30

third Congress and the White House

18:32

should consider whether a single entity

18:34

such as cisa could facilitate the

18:36

harmonizing role a single entity to

18:38

provide management and oversight of the

18:40

multitude of cyber secur regulations

18:42

would enhance overall cyber security and

18:44

ease compliance efforts I would like to

18:47

briefly discuss two key principles that

18:49

we believe are imperative to

18:51

understanding harmonization and

18:53

reciprocity harmonization is best

18:55

understood as alignment across agencies

18:57

and related regulations on a common set

18:59

of requirements to achieve a desired

19:01

security outcome harmonization achieves

19:04

efficiency for compliance in the

19:05

circumvention of duplicative or

19:07

conflicting requirements however when

19:10

undertaking this effort the federal

19:11

government should understand the risk

19:13

within each critical infrastructure

19:15

sector the agencies with existing cyber

19:17

security requirements and the varying

19:19

purposes of each of those regulations

19:21

the other piece to harmonization is

19:23

reciprocity wherein the findings of one

19:25

regulator satisfy the requirements of

19:27

another reciprocity is particularly

19:29

pertinent given the number of federal

19:31

regulations impacting the oil and

19:33

natural gas sector emanating from a

19:34

single federal department for example

19:37

TSA and the US Coast Guard each have

19:39

cyber security regulatory authority over

19:41

segments of the oil and natural gas

19:43

sector while sisa does not currently

19:45

have authority to enforce cats most cats

19:48

regulated facilities implement the

19:49

program's requirements on a voluntary

19:51

basis these three agencies alone

19:54

existing under DHS have made little

19:56

effort to harmonize these efforts

19:58

leading to increased administrative

20:00

burdens for coordinating with and

20:02

meeting the requirements of these

20:03

respective agencies indeed a significant

20:06

challenge for regulatory reciprocity is

20:08

the silos in which each of these

20:10

agencies exist each agency sees its

20:13

Mission as unique and independent from

20:15

others despite the common goal of strong

20:17

cyber security for critical

20:18

infrastructure systems to that end a

20:20

single agency such as sisa could serve

20:23

as an Arbiter and facilitator for cyber

20:25

security regulatory

20:26

harmonization in closing I would like to

20:29

reiterate that Ina and our members

20:30

appreciate the role that smartly

20:32

constructed risk and outcome based cyber

20:34

security regulations play in securing

20:37

our nation's critical infrastructure as

20:39

additional agencies seek to expand their

20:41

oversight and authorities to include

20:42

cyber security harmonization and

20:45

reciprocity will be essential to ensure

20:47

operators can continue to mature their

20:49

Security Programs without overly

20:51

burdensome compliance obligations thank

20:53

you for your time and I look forward to

20:54

your questions thank you Miss oconnell

20:56

Mr Warren you uh May begin your opening

20:59

statement chairwoman mace ranking member

21:02

Connelly and honorable members of the

21:04

subcommittee thank you for inviting me

21:05

to testify I'm Pat Warren vice president

21:08

for regulatory technology for bits the

21:10

technology division of the bank policy

21:12

Institute BPI is a nonpartisan policy

21:15

research and advocacy organization

21:17

representing the nation's leading Banks

21:19

through our technology division we work

21:20

with our members on Cyber risk

21:22

management critical infrastructure

21:24

protection fraud reduction regulation

21:26

and Innovation as Illustrated by crowd

21:29

software update last week the security

21:31

and resilience of the networks systems

21:33

and software that we rely on as a nation

21:35

is vitally important cyber secur

21:38

regulations can play a role in fostering

21:40

the necessary programs and policies that

21:42

protect our critical infrastructure at

21:44

the same time we must be mindful that if

21:46

not properly harmonized and aligned such

21:48

requirements can place unnecessary

21:50

strain on the critical cyber security

21:52

resources we rely to prepare for

21:54

emerging threats and address incidents

21:56

when they

21:57

occur on behalf of BPI members we

21:59

greatly appreciate the committee's

22:01

leadership and the opportunity to

22:02

provide input on the need to harmonize

22:04

cyber security regulations and

22:06

streamline existing requirements

22:08

financial institutions are subject to

22:10

numerous regulations and rigorous

22:12

supervision from the Prudential banking

22:13

Regulators the office of the com

22:15

controller of the currency the Federal

22:17

Reserve board and the Federal Deposit

22:19

Insurance Corporation this includes

22:21

on-site examiners who regularly evaluate

22:23

whether a financial institution operates

22:25

in a safe and sound manner firms also

22:28

comp comp with cyber incident reporting

22:29

and disclosure consumer breach

22:31

notification data security and data

22:33

privacy requirements enforced by

22:35

agencies like the cfbb the SEC and the

22:38

cftc among

22:40

others based on our experience

22:42

navigating a complex regulatory

22:44

environment We Believe congressional

22:46

action and a focus on three areas could

22:48

have meaningful impact we encourage

22:50

Congress to One require coordination

22:52

among Regulators to avoid duplication

22:54

overlap or conflict in requirements

22:56

placed on industry two encourage

22:59

regulatory reciprocity and three

23:01

leverage common

23:02

Frameworks first it's imperative that

23:04

all Regulators consider existing

23:06

requirements and Do Not Duplicate or

23:08

create variations of already of what

23:10

already exists we've seen this

23:12

coordination does not always occur

23:14

particularly with independent regulatory

23:16

agencies like the

23:17

SEC within the financial sector there

23:19

are several examples where credential

23:21

banking Regulators issue joint rules and

23:23

guidance which helps provide Clarity and

23:25

consistency for firms and supports the

23:27

efficient use of

23:29

resources however the collective effect

23:31

of supervision and oversight by multiple

23:33

Regulators can cause significant strain

23:35

on personnel and the resources necessary

23:38

to implement Security Solutions that

23:40

keep Pace with evolving threats

23:42

according to a recent survey of large

23:44

financial institutions several firms

23:46

reported their cyber teams now spend

23:48

more than 70% of their time on

23:50

Regulatory Compliance activities those

23:52

same firms reported their Chief

23:54

information security officers or

23:56

comparable senior cyber leaders spend

23:58

between 30 to 50% of their time on those

24:01

same Regulatory Compliance matters

24:03

diverting finite cyber resources in this

24:05

way leaves less time for risk mitigation

24:07

activities and strategic security

24:09

initiatives to fortify firm defenses

24:11

moving forward second implementing a

24:14

regulatory reciprocity model where one

24:16

regulator accepts the work and results

24:18

of another would be particularly

24:20

valuable for sectors with multiple

24:21

regulators and would alleviate the need

24:23

for entities to demonstrate compliance

24:25

with the same or similar requirements

24:27

multiple times

24:29

based on our survey financial

24:31

institutions reported that only 30% of

24:33

exam documentation can be reused due to

24:36

slight differences in exam scope and

24:38

Cadence between Regulators by better

24:40

leveraging each other's documentation

24:42

testing evaluations and findings

24:45

Regulators would receive the information

24:47

they need to conduct rigorous oversight

24:49

while preserving the ability of cyber

24:50

security teams to adjust to Rapid

24:52

technological change finally existing

24:55

standards and Frameworks like nist cyber

24:57

security framework can be helpful tools

24:59

for aligning regulatory requirements the

25:02

Cyber risk Institute developed a

25:03

financial sector profile which is based

25:05

on N cyber security framework and

25:07

integrates regulatory requirements

25:09

unique to the financial sector this

25:11

provides financial institutions with a

25:13

single scalable resource for managing

25:15

cyber risk and compliance requirements

25:17

Regulators can also leverage common

25:19

Frameworks to tailor oversight

25:20

priorities and more efficiently assess a

25:23

company's baseline security posture as

25:25

regulatory requirements continue to

25:27

proliferate Cong ression action is

25:29

needed to ensure new and existing

25:31

requirements accomplish the goals of

25:33

better security and resilience while

25:35

balancing the collective impact of these

25:36

requirements on regulated entities we're

25:38

committed to working with this committee

25:40

as it explores potential legislative

25:42

solutions for achieving broader

25:44

harmonization thank you for the

25:45

opportunity to testify today and I'm

25:47

happy to answer any questions thank you

25:48

I'd now like to recognize Dr Clancy for

25:50

your opening statement

25:58

chairwoman mace uh ranking member

25:59

Connelly members of the subcommittee

26:01

good morning and thank you for inviting

26:03

me to testify before you today and it's

26:05

my pleasure to address uh the

26:06

subcommittee on this topic of critical

26:08

National importance the practice of

26:10

cyber security has grown organically

26:12

driven by need uh the first wave of

26:14

Standards spurred by fsma uh was

26:16

compliance driven and focused on

26:17

checklists of security controls the

26:19

second wave was threat formed and

26:21

motivated information sharing the third

26:23

wave was risk-based prioritizing

26:25

continuous assessment and adaptive

26:27

security controls uh the fourth wave

26:29

that we're experiencing now is that of

26:31

zero trust and architecture-driven

26:33

recognition that our greater Reliance on

26:35

um devices and networks and Cloud

26:37

infrastructure uh that may be

26:39

untrusted umbrella Frameworks like the N

26:41

cyber security framework and ISO 270001

26:44

uh take a holistic approach from across

26:46

business processes technical controls

26:48

risk and threat uh these Frameworks can

26:50

be used uh as an organizing structure

26:52

and common taxonomy to talk about

26:54

regulations uh but they do not really

26:55

get down to the implementation level uh

26:57

this Le is a patchwork of of uh

27:00

requirements for regulated organizations

27:02

that have mandatory implementation uh

27:05

obligations uh it leaves them dealing

27:07

with a jumble of not necessarily

27:10

contradictory but often fragmented

27:12

overlapping and inconsistent

27:14

obligations uh first starting with

27:16

security controls a positive step would

27:17

be to commission NY to document the

27:19

differing security controls uh required

27:22

across different security standards such

27:24

an enumeration would help harmonization

27:26

as various standards organizations

27:28

update their requirements over time and

27:30

help Regulators identify consensus

27:31

controls uh that would minimize uh

27:33

burden on their stakeholders um again

27:36

this is not a call for new standards but

27:37

rather Illuminating the complexity of

27:39

today's environment so we can build road

27:40

maps that over time would lead to

27:42

harmonization and potentially even

27:43

consolidation of technical control

27:45

standards um next is auditing processes

27:48

uh if a standard is mandatory to

27:50

implement then someone actually needs to

27:51

check that it's been implemented uh

27:53

there's a range of uh everything from

27:54

self attestation of compliance uh to

27:56

rigorous annual inspections by

27:58

thirdparty Auditors one concerning trend

28:00

is efforts to make the nist cyber

28:02

security framework mandatory and while

28:04

this is an admirable goal the framework

28:06

was explicitly designed to be voluntary

28:08

and lacks the necessary Metrology to

28:10

even Define compliance making such

28:12

attestations meaningless if you want to

28:14

make something mandatory then you need a

28:15

standard that defines and provides the

28:17

tools to measure

28:19

compliance additionally reciprocity must

28:21

be harmonized uh no security standard is

28:23

strictly more rigorous than any other

28:25

they all have industry specific or

28:27

domain specific attributes but there's a

28:29

common core set of requirements across

28:31

most uh and the job of an auditor

28:32

auditor or regulator can be greatly

28:34

simplified if there's reciprocity across

28:36

that Common Core uh lastly is incident

28:39

reporting which is probably the biggest

28:41

headache for regulated organizations um

28:44

Implement a single Clearing House for

28:46

reporting a cyber incident either

28:48

operated within a federal agency such as

28:49

siza or by an independent third party on

28:51

behalf of the federal government uh such

28:53

a Clearing House can identify a lead

28:55

agency to engage with the affected party

28:57

a coordinate with others across the

28:58

inter agency uh and really serve as a

29:00

touch point for major vendors that

29:02

support that industry like crowd strike

29:04

or Microsoft that have equities that

29:05

cross uh many different sectors Clearing

29:08

House would serve a number of important

29:09

other purposes as well including

29:11

energizing a federal cyber action team

29:13

that could help impacted organizations

29:14

with incident response if appropriate

29:16

and necessary uh serve as a focal point

29:18

for major vendors and Cloud providers

29:20

who may be stakeholders particularly in

29:21

widescale cyber

29:23

incidents and be an important repository

29:25

for cross- sector data on adversary

29:27

cyber operations so we can actually keep

29:28

track of what our adversaries are doing

29:30

in an integrated way across the entire

29:32

ecosystem another important point is

29:34

that reporting should be viewed as

29:35

iterative as reporting timelines get

29:37

shorter and shorter the amount of high

29:39

confidence reportable information

29:41

collected by affected organizations gets

29:43

smaller and smaller we must balance

29:45

reporting timelines with practical

29:47

detail on incidents uh and the from the

29:49

impacted organization and the actual

29:51

utility of that data to a regulator

29:53

reporting we might have been hacked but

29:54

we're not sure and we have no idea if we

29:57

What Might Have Been impact acted within

29:58

8 hours to a regulator doesn't provide

30:00

anything actionable if that regulator is

30:03

typical response time for assigning a

30:04

case agent and soliciting additional

30:06

information is two weeks what was the

30:07

point of The 8 Hour reporting timeline

30:09

in the first place a clearing house

30:11

could also help with State local tribal

30:13

and territorial government reporting and

30:15

coordination uh these governments have a

30:16

growing set of cyber reporting

30:18

obligations and a federal Clearing House

30:19

could ease the burden on impacted

30:21

organizations uh in conclusion I uh

30:24

encourage the committee uh to move from

30:26

study to action the national cyber

30:28

security strategy identified the need to

30:30

establish an initiative on harmonization

30:32

the peters lenford Bill currently in the

30:34

Senate involves years of Pilots NSM 22

30:36

calls on DHS to develop a plan for

30:38

harmonization and critical

30:39

infrastructure by April 2025 last Fall's

30:42

uh oncd request for information uh

30:45

gathered broad industry uh input uh from

30:48

a variety of stakeholders I think we

30:49

have a good handle on the issues and we

30:51

need to move out on Solutions thank you

30:53

and I look forward to your

30:54

questions thank you I ask unanimous

30:56

consent to submit the following

30:58

statements for the record a statement

30:59

from the American Gas Association and a

31:02

statement from Airlines for America and

31:05

without

31:06

objection there you go um first of all I

31:09

want to thank you all for being here we

31:11

have a a broad section of Industry from

31:13

it to Natural Gas Banking and then of

31:16

course miter company um you know

31:19

listening to your testimony it's very

31:20

clear that the government is uh way too

31:23

big uh way too overregulation because of

31:25

all the duplicative efforts um I would I

31:27

would like to ask everyone a question

31:29

this morning for your member companies

31:32

or for for miter specifically would you

31:35

be able and willing to invest more in

31:38

cyber security enhancements like it

31:40

upgrades for the um if the uh compliance

31:43

burden of inconsistent duplicative

31:45

regulations was reduced would you have

31:48

the resources to be able to invest more

31:50

than what you are today if that burden

31:53

was

31:55

reduced um yeah I mean I think based on

31:58

everything that we've heard from from

31:59

our companies um they they would

32:00

definitely have more resources to invest

32:03

in cyber security and producing better

32:05

cyber security outcomes um if they did

32:08

not have to spend as much resources on

32:11

complying with conflicting or

32:12

duplicative Regulatory regimes and I'm

32:14

sure you guys are all going to probably

32:15

see us but I do want to focus on

32:17

something Mr Warren said in your

32:18

testimony today the 70% figure you're in

32:20

the banking sector so it might be

32:22

slightly different is it the same in

32:23

natural gas and it are you seeing the

32:26

70% what's the rough the figure roughly

32:29

a percentage of cyber security workers

32:32

generally with in Industry that you guys

32:34

represent that are focused on compliance

32:37

do you have a a handle on that um I

32:40

don't have exact numbers in front but

32:42

based on the information that I've heard

32:43

from our members that sounds about

32:45

accurate yes even in natural gas Mr

32:48

Miller I mean I think it I I I don't

32:51

have exact numbers either but but I do

32:53

think it varies by by companies right I

32:55

mean certainly larger U multinational

32:58

tech companies have more resources so

33:00

they are you know able to devote more

33:02

resources to to both compliance and

33:04

better security outcomes I think that

33:07

there are a lot of small and mediumsized