In June 2024, the Office of the National Cyber Director (ONCD) released its report Summary of the 2023 Cybersecurity Regulatory Harmonization Request for Information, a government effort whose purpose is to find a path forward to creating a comprehensive framework to strengthen cybersecurity resilience across all sectors; simplify oversight and responsibilities of cyber regulators; and reduce administrative burden and cost on those organizations regulated. The RFI adhered to Strategic Objective 1.1 of the 2023 National Cybersecurity Strategy, “Establish Cybersecurity Requirements to Support National Security and Public Safety.” Eighty-six organizations responded to the RFI, representing the critical infrastructure sectors, as well as state and local government associations, academia, and non-profit and professional organizations. The report found three major outcomes from those that responded to the survey: 1) lack of harmonization and reciprocity impacted cybersecurity outcomes while inflicting high compliance costs; 2) regulatory harmonization had challenges that extended to all sectors and organizations of all sizes and crossed jurisdictions; and 3) it was well within the U.S. government’s ability to address these existing challenges.
Cybersecurity regulatory harmonization needs to be solved to avoid the very issues cited in the report. Specifically, respondents highlighted that there were duplicative, conflicting, and unnecessary regulations that are imposed, which not only taxed organizations financially, but prevented them from focusing and improving their cybersecurity. They not only cited such shortcomings across Federal agencies, but also between state and Federal regulators and internationally, as well. Reallocating financial resources to ensure myriad technical compliance https://www.youtube.com/watch?v=wyLTLwKn5Wwrequirements does not equate into an improved or more resilient cybersecurity posture. This point was underscored by a senior official at the Government Accountability Office who said that financial sector CISOs spent approximately 30-40% of their time on ensuring compliance rather than focusing on cybersecurity. Respondents to the ONCD echoed these sentiments in their replies to the RFI, expressing “the lack of cybersecurity regulatory harmonization and reciprocity posed a challenge to both cybersecurity outcomes and to business competitiveness.” This bears noting given the importance placed on economic prosperity by the White House, and its direct correlation to United States power and influence internationally.
Dovetailing with this report is new legislation proposed in the Senate that would mandate the Administration to create an interagency committee to coordinate federal cybersecurity regulations, a move designed to facilitate industry compliance with cybersecurity regulations.
Notably, an early draft of the bill specifically referenced the committee’s authority to identify information and cyber security regulatory requirements “overly burdensome, inconsistent, or contradictory” for the purposes of making recommendations for remediation. It is likely that this will remain in the final version. The ONCD is already working on developing a pilot reciprocity framework to be used in a critical infrastructure subsector, which would cooperate with a similar pilot program directed by the legislation where at least three regulatory agencies would ensure that any new or updated regulations would align the one spearheaded by the ONCD.
There is no doubt that such regulation harmonization is much needed especially given the amount of cyber regulation being developed or already on the books, and how it’s being enforced. And while it makes sense that there is an organization on the spear tip of this effort, the question of which one becomes a sticky decision, given the additional authorities that come with such a designation. Per the forthcoming bill, all signs point to the ONCD being that choice, and if the language in the bill remains, it will give more power to the ONCD to be in charge of regulation harmonization. Still, there are other organizations like the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) that have a dog in the fight and could present a challenge. After all, CISA is the primary agency in charge of critical infrastructure protection, and interfacing with these stakeholders. It would make sense that it also have an influential hand in regulation harmonization. However, as one expert pointed out, more authority given to the ONCD will likely diminish CISA’s role not strengthen it.
Fragmented cybersecurity regulations cause more confusion and distrust rather than instilling confidence, the very opposite of what you want regulations to convey. The National Cyber Director released a statement in which he said the global community is looking to the United States government to lead. This is a prudent declaration as failing to do so will encourage China to eagerly fill the void, as Beijing routinely lobbies global stakeholders to support its view for regulating cyberspace and emerging technologies. Washington knows that it needs to reassume its global stature in something more than the military aspect of cyber, and by demonstrating a cohesive cybersecurity-minded overhaul of its own domestic cyber regulation harmonization would be one way to show that it has a thoughtful, useful solution to a complex issue that could then be replicated by partners worldwide. This is the type of leadership the ONCD referred to and one that the U.S. government needs to undertake despite the political problems that have caused government to be as fragmented as the regulations they are reviewing.
The assistant national cyber director for cyber policy and programs said that regulation harmonization “is a problem that requires leadership from ONCD and Congress informed by the private sector.” And he’s right. But that is a large ecosystem involving many moving parts, as well as stakeholders with conflicting interests and priorities. Getting on the same page will not only be difficult, but if pragmatic consensus is to be reached, will likely require at least common denominator buy-in, which may not have the rigorous but streamlined harmonious effect as was envisioned at the onset. This risks an end product being watered down to the point of being more of a token gesture than what was initially intended, a mistake that should be avoided at all costs.
Let us hope that principals involved invest the necessary time up front eliminating regulation redundancies and overlap while allowing industry to lead discussions in identifying those regulations that can be best aligned to suit their needs as well as the government’s. Because what’s become abundantly clear with respect to cyberspace is that a flawed solution will ultimately prove to be no solution at all.
