This post is one in the “Rethink Cybersecurity” series. Additional posts in this series are available here.
At a recent meeting of the IT Sector Coordinating Council, the new U.S. Government Chief Information Security Officer, Chris DeRusha, welcomed a question about the extent to which redundant and conflicting cybersecurity regulations hinder both state and local governments and the private sector from efficiently addressing cyber threats.
Mr. DeRusha told the Council that he has long been “passionate” about the need to streamline cybersecurity regulations dating back to his days as the Chief Information Officer for the State of Michigan.
This is, of course, excellent news because Mr. DeRusha, from his post in the Office of Management and Budget, may be the person who can make the long and often recommended streamlining of cyber regulations happen.
One of the most important points to highlight about the cybersecurity regulation issue is that streamlining is a goal that can be reached quickly.
The well-documented existence of widespread duplicative and redundant cyber regulations is, in fact, a government-created problem. Since government created this cybersecurity problem, government can rectify it. Sure, it takes some work (but not that much), and it is an easy goal to reach when compared with the overwhelming nature of many cybersecurity problems, such as securing long international supply chains, securing new advanced technologies like artificial intelligence and quantum computing, or figuring out how to catch the criminals and nation-states who are promoting cyber insecurity.
Compared to those issues, streamlining cybersecurity regulations is a walk in the park.
Not only can OMB take substantial and relatively speedy steps to address the issue, but it is also one of the few cybersecurity steps that can have an almost immediate impact on improving security. One of the few facts that virtually everyone in the cybersecurity field agrees on – government, industry, and academia – is that we don’t have enough cybersecurity resources. And multiple studies have documented that redundant and duplicative regulations are eating up significant amounts of cybersecurity personnel, time, and resources – all to no security benefit, since they merely duplicate other regulations.
In 2016, a report by the President’s Commission on Enhancing National Cybersecurity noted the need for regulatory agencies to work toward harmonizing regulation to focus on risk management. Such an approach, the report noted, would help reduce industry’s cost of complying with prescriptive or conflicting regulations that may not aid cybersecurity and may unintentionally discourage rather than incentivize innovation.
In 2018, the Senate Homeland Security and Governmental Affairs Committee heard testimony from the financial services industry that documented as much as 40 percent of their cybersecurity budgets were being wasted complying with redundant or conflicting regulations.
At the House Homeland Security Committee’s Subcommittee on Cybersecurity hearing on ransomware this week, Congressman Ralph Norman cited the Government Accountability Office’s finding that between 49 and 79 percent of cybersecurity regulations affecting state and local governments are conflicting, which aligns with similar findings in the private sector identifying at least 40 percent duplication of cyber regulation.
Imagine the impact of functionally expanding cybersecurity budgets and personnel by 40 to 70 percent — without reducing any of the behaviors the regulations are actually meant to inspire (you just eliminate the obligation to repeatedly fill out the forms validating them).
The time for addressing the issue has never been more appropriate. In responding to Congressman Norman’s question about the need for regulatory streamlining at this week’s Cybersecurity Subcommittee hearing, former Director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency Chris Krebs suggested that the problem was likely to be getting worse. Mr. Krebs noted he expects government and industry will become subject to additional regulations at a minimum to address software procurement – and probably other things.
This issue can be addressed promptly in two ways. First, to deal with the new regulations Mr. Krebs is (we suspect correctly) predicting, OMB can simply require that any new federal regulation be certified by the issuing regulatory authority as not conflicting with, and not redundant with, existing federal or state cybersecurity regulations. The new regs would not go into effect until the agency has so certified. That will at least put a tourniquet on the problem.
Addressing the existing regulations will not be as easy. For that, Congress needs to demand a study of cybersecurity regulations to determine which regs are in conflict or redundant, with a report back to Congress on how to streamline them. GAO has already demonstrated its ability to do this — it performed a similar study for state and local governments last year. Regulatory agencies should be compelled, under pain of withheld funding, to cooperate with GAO and OMB in making clear determinations of the regulatory environment and identifying ways to streamline it.
Compared to facing down China, assuring tech is sustainably secured from advanced persistent threats, or creating a functional international cyber law enforcement framework, streamlining regulations is a walk in the park on a beautiful day.