White House urges streamlined cyber rules following industry feedback

After nearly 90 responses were submitted to an August 2023 White House request for information on cybersecurity regulatory harmonization, the Biden administration’s cyber czar says it’s time for an overhaul.

Inconsistent or duplicative requirements that force firms to draw money from cybersecurity programs into compliance spending is preventing the private sector — including critical infrastructure owners and operators — from fully shoring up its cyberdefenses, according to industry feedback cited by National Cyber Director Harry Coker.

A Tuesday blog post from Coker calls on Congress to work with the Biden administration to help craft more in-line cyber policy standards.

Academics and officials have touted the Biden era as a strong player for American cybersecurity regulatory activity, which has sought to stick more requirements onto private firms in a way that forces them to be more transparent about neverending cyberattacks that will seemingly become a mainstay in 2020s and beyond. 

But the 2,000 pages of industry comments made clear that requirements like notification deadlines, frameworks and other procedures may be creating cost and time burdens, according to Coker. 

“It was overwhelmingly evident that respondents believe that there was a lack of cybersecurity regulatory harmonization and reciprocity and that this posed a challenge to both cybersecurity outcomes and to business competitiveness. This was true for businesses of all sectors and of all sizes,” Coker wrote.

Respondents — which included academics, civil society organizations and industry trade groups — said the U.S. needs to work more closely with foreign allies to align cybersecurity rules. They also suggested that regulators lean more into NIST cybersecurity standards, especially its vanguard cybersecurity framework.

Many of the regulatory mainstays were ushered in by a sweeping national cybersecurity strategy implementation plan first unveiled last year, which assigned agencies tasks to shore up U.S. cyber posture, including regulators who oversee sectors like energy, telecommunications and financial services.

The FCC, for instance, has teed up rules to bolster the security of a core data transmission protocol, known as BGP. It’s also working with NIST and the National Security Council to set standards for a Cyber Trust Mark, which seeks to help consumers shop for products that are less prone to cyberattacks.

Not every regulation has received such praise, such as an SEC mandate that requires publicly traded firms to file with the agency within four business days of discovering a cybersecurity incident.

The disclosure rule, issued on grounds that investors should know how cyberattacks impact companies’ bottom lines, is facing pushback from some lawmakers and cybersecurity executives, who argue it could draw unwanted attention from other hackers and force firms to direct their attention to potential legal dilemmas instead of cyber threat mitigation.

Some lawmakers haven’t waited for an administrative solution, putting a carveout in the House Financial Services appropriations bill that says the funds can’t be used to enforce the rule.

The feedback comes a day before Nick Leiserson, ONCD’s assistant director for cyber policy and programs, is expected to testify before a Senate panel about cyber regulatory harmonization, alongside GAO IT director David Hinchman.

Leiserson last month told an audience at RSA Conference in San Francisco that his office had initiated discussions with software developers to get their feedback on crafting laws that would require the private sector to take steps to manufacture and release software that doesn’t contain exploitable flaws.