New Federal CISO “Passionate” for Regulatory Streamlining: Action Required

May 7, 2021

This post is one in the “Rethink Cybersecurity” series. Additional posts in this series are available here.

At a recent meeting of the IT Sector Coordinating Council, the new U.S. federal Chief Information Security Officer, Chris DeRusha, welcomed a question about the extent to which redundant and conflicting cybersecurity regulations prevent both state and local governments and the private sector from efficiently addressing cyber threats.

Mr. DeRusha told the Council that he has long been “passionate” about the need to streamline cybersecurity regulations, dating back to his days as the Chief Information Officer for the State of Michigan.

This is, of course, excellent news, because Mr. DeRusha, from his post in the Office of Management and Budget, may be the person who can make the long and often recommended streamlining of cyber regulations happen.

One element of the cybersecurity regulation issue that deserves particular emphasis is that streamlining is not only an important goal but one that can be reached quickly.

The well-documented existence of widespread duplicative and redundant cyber regulations is, in fact, a government-created problem. Since government created this problem, government can rectify it. It takes some work, but not that much, and it is a comparatively easy goal to reach next to the overwhelming nature of many other cybersecurity problems, such as securing long international supply chains, securing new advanced technologies like artificial intelligence and quantum computing, or figuring out how to catch the criminals and nation-states who are promoting cyber insecurity.

Compared to those issues, streamlining cybersecurity regulations is a walk in the park.

Not only can OMB take substantial and relatively speedy steps to address the issue, but doing so is also one of the few cybersecurity steps that can have an almost immediate impact on improving security. One of the few facts that virtually everyone in the cybersecurity field agrees on, in government, industry, and academia, is that we do not have enough cybersecurity resources. Multiple studies have documented that redundant and duplicative regulations are eating up significant amounts of cybersecurity personnel, time, and money, all to no security benefit, because the requirements simply repeat those of other regulations.

In 2016, a report by the President’s Commission on Enhancing National Cybersecurity noted the need for regulatory agencies to work toward harmonizing regulation to focus on risk management. Such an approach, the report noted, would help reduce industry’s cost of complying with prescriptive or conflicting regulations that may not aid cybersecurity and may unintentionally discourage rather than incentivize innovation.

In 2018, the Senate Homeland Security and Governmental Affairs Committee heard testimony from the financial services industry documenting that as much as 40 percent of its cybersecurity budgets was being spent complying with redundant or conflicting regulations.

At the House Homeland Security Committee’s Subcommittee on Cybersecurity hearing on ransomware this week, Congressman Ralph Norman cited the Government Accountability Office’s finding that between 49 and 79 percent of cybersecurity regulations affecting state and local governments are conflicting. That aligns with similar findings in the private sector identifying at least 40 percent duplication in cyber regulation.

Imagine the impact of functionally expanding cybersecurity budgets and personnel by 40 to 70 percent, without reducing any of the security behaviors the regulations are meant to inspire: you simply eliminate the obligation to fill out, over and over, the forms that validate them.

The time for addressing the issue has never been more appropriate. Responding to Congressman Norman’s question about the need for regulatory streamlining at this week’s Cybersecurity Subcommittee hearing, Chris Krebs, former Director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, suggested that the problem is likely to get worse. Mr. Krebs noted that he expects government and industry to become subject to additional regulations, at a minimum to address software procurement, and probably other things as well.

This issue can be addressed promptly in two ways. First, to deal with the new regulations that Mr. Krebs is (we suspect correctly) predicting, OMB can simply require that any new federal cybersecurity regulation be certified by the issuing regulatory authority as neither conflicting nor redundant with existing federal or state cybersecurity regulations. The new regulation would not go into effect until the agency has so certified. That will at least put a tourniquet on the problem.

Addressing the existing regulations will not be as easy. For that, Congress needs to demand a study of cybersecurity regulations to determine which regulations are in conflict or redundant, with a report back to Congress on how to streamline them. GAO has already demonstrated its ability to do this: it performed a similar study for state and local governments last year. Regulatory agencies should be compelled, under pain of withheld funding, to cooperate with GAO and OMB in making clear determinations about the regulatory environment and identifying ways to streamline it.

Compared to facing down China, assuring that technology is sustainably secured from advanced persistent threats, or creating a functional international cyber law enforcement framework, streamlining regulations is a walk in the park on a beautiful day.
