President Biden’s National Cybersecurity Strategy (NCS) and subsequent Implementation Plan (NCSIP) took a great first step by recognizing the need for cybersecurity harmonization as initiative 1.1.1. The Administration is properly prioritizing this initiative because addressing it will, comparatively quickly and effectively, enhance our nation’s cybersecurity by freeing up between 40% and 70% (depending on the sector) of currently wasted cybersecurity resources. Since the current inadequacy of cyber resources is a foundational issue of our national security, this initiative, if properly implemented, would provide a substantial boost to our currently lacking efforts in cybersecurity.
Unfortunately, the Administration’s plan to address this issue offers little if any hope of succeeding.
THE URGENCY OF CYBERSECURITY REGULATORY HARMONIZATION
The current uncoordinated patchwork of cybersecurity regulation is one of the most persistent impediments to enhancing our nation’s security. There is virtually no one – industry or government – who does not recognize that this is a major problem. Additionally, resolving the overlapping regulatory morass is one of the most efficient ways to enhance cybersecurity. Unlike most cybersecurity problems which are caused by aggressive adversaries, this particular problem is caused by poor government organization. In fact, when compared with other major cyber issues like securing AI or combating China, streamlining cybersecurity regulation is one of the easiest major cybersecurity issues to address – at heart this is government paperwork coordination.
Perhaps most critically, the uncoordinated, wasteful, and redundant nature of cybersecurity regulation is not simply an administrative problem – it has serious negative security impacts. Another area of wide consensus in the cybersecurity field is that our collective efforts to enhance our cybersecurity are seriously undermined by an enormous lack of adequate cybersecurity resources. ONCD itself has documented that we have 700,000 cybersecurity jobs we cannot fill. Given the serious lack of adequate security resources, it is imperative that we manage what resources we do have efficiently. The uncoordinated state of cybersecurity regulation exacerbates this issue substantially and undermines our national security.
WE NEED TO STOP ADMIRING THE PROBLEM AND GET ON TO SOLVING IT
On July 19th, ONCD released a Request for Information (RFI) concerning cybersecurity regulation harmonization. While the Administration’s proposal for an extremely wide-ranging RFI is no doubt well intentioned, it brings us no closer to implementing the needed program of regulatory harmonization. The RFI’s scope is extremely open-ended, requesting stakeholders – a list that includes almost anyone – to submit detailed reports on instances of regulatory overlap. There is no clear organizational structure, no definition of what will count as a disharmonized regulation, and no clarity on how this disparate information is to be submitted. The aggregation, organization, verification, and evaluation of RFI responses place an immense burden on ONCD, which is itself strapped for resources and also lacks the authority to institute any proposed harmonization measures. At best this initiative will conclude with proposals for regulatory realignment, which the Administration has already endorsed.
In addition, it is completely unnecessary.
AMPLE EVIDENCE OF REDUNDANT CYBER REGULATION ALREADY EXISTS
There already exists substantial research and evidence identifying the existence of, and harm caused by, the current duplicative regulatory landscape. Studies dating back almost a decade have shown not only that the US seriously needs to harmonize cybersecurity regulations, but that the pernicious effects of regulatory overlap are most evident at the worst possible time – during a cybersecurity event.
A report of the International Privacy Conference, a group of experts from MIT and the Institute for Information Law of the University of Amsterdam, found that the lack of uniformity in reporting requirements for security breaches needlessly confuses companies during the already chaotic time of a cyber breach. In 2018, the Fordham Law Review published a study that found that firms are spending upwards of 40% of their time on compliance issues – time that should be spent on actual security practices.
A 2020 MIT report on “Convergence and Divergence of Regulatory Compliance and Cybersecurity” found that the lack of harmonization between cyber regulations negatively affects both multinational organizations and small- to medium-sized businesses. The Bipartisan Policy Center (BPC) named “overlapping, conflicting, and subjective regulations” as a top macro risk to US cybersecurity in its 2023 Cybersecurity Report. Additionally, in 2022 Wiley found that cyber regulatory overlap “obscure[s] policy objectives and hinder[s] the development of effective and clear regulation.” The President’s Commission on Enhancing National Cybersecurity found that patchwork regulations not only “risk redundancy and confusion,” but that the effect of regulatory confusion disincentivized innovation. A 2020 GAO study found that between 49 and 79 percent of federal cybersecurity regulations on the states were either duplicative or in conflict with each other, and that their implementation cost the federal government millions of dollars.
A 2020 HHS finding reported that “redundant, overlapping, or inconsistent regulations” undermine “transparent, rational, and well-honed government objectives” by injecting uncertainty, creating potentially conflicting regulatory regimes, and increasing transaction costs with no discernible benefit to the public.
In fact, at the launch event for the Biden National Cyber Strategy, Anne Neuberger said, “organizations need to only be regulated once and we need to work to make that the case. This is a responsibility of government. We owe this to the private sector; this one is on us.”
ISA firmly agrees with Ms. Neuberger. We are long past the point of needing to study the frankly obvious existence, and negative impacts, of redundant cybersecurity regulations. We need to move quickly to actually implementing a solution, not studying the problem.
In our next post we will outline a faster and more effective approach to promptly address this critical issue.
FOR GREATER DETAIL ON THE ISSUES DISCUSSED IN “TWENTY-FIVE STEPS TO IMPROVING SECURITY WITHOUT NEW REGULATIONS” SEE FIXING AMERICAN CYBERSECURITY: CREATING A STRATEGIC PUBLIC-PRIVATE PARTNERSHIP (GEORGETOWN UNIVERSITY PRESS 2023).
Camille Stewart Gloster, “Office of the National Cyber Director Requests Your Insight and Expertise on Cyber Workforce, Training, and Education,” The White House, ONCD, 3 Oct. 2022, www.whitehouse.gov/oncd/briefing-room/2022/10/03/office-of-the-national-cyber-director-requests-your-insight-and-expertise-on-cyber-workforce-training-and-education/.
Jean-François Abramatic, et al., “Privacy Bridges: EU and US Privacy Experts in Search of Transatlantic Privacy Solutions,” MIT, Cambridge, MA, 2015.
William Pierotti, “Cyber Babel: Finding The Lingua Franca In Cybersecurity Regulation,” Fordham Law Review, 30 Sept. 2018, https://fordhamlawreview.org/wp-content/uploads/2018/09/14_Pierotti-405-435.pdf.
Angelica Marotta and Stuart Madnick, “Convergence and Divergence of Regulatory Compliance and Cybersecurity,” Cybersecurity Interdisciplinary Systems Laboratory, Cambridge, MA, 2020.
“Executive Order on Improving the Nation’s Cybersecurity,” White House, May 12, 2021, www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/.
United States, Health and Human Services Department, “Policy on Redundant, Overlapping, or Inconsistent Regulations,” 85 FR 75893 (November 27, 2020).
Anne Neuberger, “The Biden-Harris Administration’s National Cybersecurity Strategy,” CSIS, Washington, D.C., 2 March 2023. Featured discussion panel.