MAN BITES DOG: State Regulators Want Cyber Reg Reform

June 26, 2019

Yesterday Congressman Cedric Richmond, Chair of the House Homeland Subcommittee on Cybersecurity, Infrastructure Protection and Innovation, announced in the wake of the recent ransomware attacks on local jurisdictions like Atlanta and Baltimore that he is going to propose a series of legislative efforts to assist the municipalities because “we can’t expect under-resourced, understaffed, state and local governments to defend their networks from state-sponsored hackers.”

Bravo to Congressman Richmond.

But while we are waiting for Congressman Richmond to craft his legislation, hold hearings on it, send it to subcommittee markup, then full committee markup, then the Rules Committee, and floor time, before we go through a similar exercise in the Senate and finally negotiations with the White House (and then the appropriations process), we could just cut to the chase and have OMB free up 30-40% of state and local cyber budgets by simply streamlining the federal cyber regulatory structure they are applying to the municipalities.

In our blog last week we documented, again, how duplicative cyber regulations were undermining cybersecurity in the private sector by diverting scarce cybersecurity resources to duplicative regulatory requirements — none of which have been shown to actually improve security. It turns out the municipalities are similarly suffering from redundant federal cyber regulations, putting their systems and citizens at constant risk.

Last year, in testimony before the House Oversight and Government Reform Committee, James “Bo” Reese, Oklahoma’s Chief Information Officer and President of the National Association of State Chief Information Security Officers, said “duplicative, complex, and often conflicting federal regulations and their accompanying Audits hinder state governments from achieving more effective and efficient IT enterprise and Cybersecurity.” Mr. Reese provided a list of more than a dozen security requirements issued by eight different federal agencies to prove his point. Reese noted that he was spending 43% of his team’s time on managing this regulatory structure. Moreover, Oklahoma is not an isolated example. Reese’s testimony cited numerous cases from states as diverse as Maine, Colorado, and Kansas.

We face numerous problems in trying to create a sustainably secure cyber system. Some are large and complex, such as defining the line between cyber-attacks and cyber warfare, addressing the asymmetric threat, or realigning the economic incentive structures to promote cybersecurity.

But this problem is not nearly that complicated. This problem, i.e. the federal government’s inability to create a sensible, coherent regulatory structure and the attendant vast waste of scarce cyber resources, is a problem created by government and can be readily addressed by government.

The Office of Management and Budget (OMB) should direct agencies to review cybersecurity regulations and requirements, then oversee a process to streamline and harmonize these regulations and related audits. Specifically, OMB should require agencies to report and present to the OMB Director their current cybersecurity and information security regulations and requirements and describe how they are enforced or audited. After receiving this information, OMB could issue new guidance to agencies to harmonize these requirements and alleviate the compliance burden, which could quickly, and comparatively easily, address a substantial portion of the problem.

Moreover, there could be bipartisan interest in this issue (man bites dog again!), as the Trump Administration, committed to right-sizing regulation, and Democrats like Congressman Richmond, who are seeing the impact of the status quo on states and localities, can, and ought to, find common cause in creating a sensible cyber regulatory structure for both government and industry.