In yesterday’s post we praised the new national cybersecurity strategy for properly placing the harmonization of cybersecurity regulations as issue 1.1.1 in its new implementation plan. Streamlining regulations is one of the fastest, most efficient, and frankly easiest ways to free up significant amounts of scarce cybersecurity resources for more effective uses.
We also criticized the ONCD’s initial step toward carrying out the implementation plan: initiating an overly wide-ranging and uncoordinated Request for Information on the issue instead of taking action to address it. The RFI is unnecessary, unhelpful, and wasteful. It will likely delay effectively addressing a problem that is entirely of the government’s making and, as a result, further weakens our nation’s cybersecurity.
We cited numerous independent studies of the issue which found that overlapping cybersecurity regulations impact large multinationals, small businesses, and, perhaps most severely, state and local governments. These studies came from the International Privacy Conference, MIT Sloan, the Institute for Information Law of the University of Amsterdam, the Bipartisan Policy Center, the Fordham Law Review, the Department of Health and Human Services, the GAO, and the President’s Commission on Enhancing National Cybersecurity. In fact, at the launch event for the Biden National Cyber Strategy, Anne Neuberger said “organizations need to only be regulated once and we need to work to make that the case. This is a responsibility of government. We owe this to the private sector; this one is on us.”
Among the harms cited in these studies are that “overlapping regulations obscure[s] policy objectives and hinder[s] the development of effective and clear regulation.” They also “undermine the goals of transparent, rational, and well-honed government objectives by injecting uncertainty, creating potentially conflicting regulatory regimes, and increasing transactions costs with no discernible benefit to the public.” They also cause the dislocation of key personnel, which can affect operations at the worst possible time: during a cybersecurity event.
They have also been found to increase government compliance costs while simultaneously disincentivizing innovation. Earlier this year the Bipartisan Policy Center named “overlapping, conflicting, and subjective regulations” as a top macro risk to US cybersecurity.
We seem to have plenty of documentation of the problem, but now we need to move on to solutions.
A MORE EFFICIENT AND EFFECTIVE PATHWAY TO REGULATORY HARMONIZATION
ISA presents an alternative that is faster, simpler, and more effective. Specifically, ISA agrees with the Administration in identifying the Office of Management and Budget (OMB) as the agency with the authority to impose rules on other governmental entities. OMB should:
- Require that any new cybersecurity regulation include a finding from the proposing agency assuring that the proposed regulation is neither redundant with nor in conflict with an existing one.
- Instruct regulatory agencies, as part of the same requirement, to conduct internal assessments of their regulations prior to proposing new ones in order to discover any redundancies or conflicts. Should an agency find that some of its existing regulations conflict with, or are redundant to, others, it will be required to resolve those conflicts and redundancies. This internal review is obviously necessary for the agency to make the finding required in the first item above, and it capitalizes on the regulatory agencies’ specialized knowledge of their own frameworks. This process bypasses the need for numerous external organizations to navigate the complexities of different jurisdictions, business strategies, and resources, as the current implementation plan suggests. It creates a structure that not only stops the problem of regulatory overlap immediately but also provides a mechanism for the agencies to harmonize existing regulations.
- To address the broader issue of one agency’s regulations being redundant to another agency’s, the federal inter-agency council should be instructed to work with OMB, the SRMAs, and the appropriate Sector Coordinating Councils to develop a cross-agency database of cybersecurity regulations. This database ought to be searchable in order to uncover conflicts and regulatory redundancies between agencies. ONCD, in its capacity as the federal cyber coordinating agency, should then work collaboratively with the SRMAs and the appropriate Sector Coordinating Councils to find the most efficient and effective way of achieving the legitimate goals of regulation without creating wasteful redundancy and conflict between the agencies.
CONCLUSION
This proposal has several major advantages. First, it is an immediate and concrete step toward solving, not studying, the problem. Requiring agencies to produce a filing attesting that any new proposal is not redundant with or in conflict with existing regulations would effectively put an immediate tourniquet on the issue and prevent further duplication and conflict. Second, requiring such a finding will incentivize the agencies to regularly review their existing cybersecurity regulations, which will not only prevent them from adding to the problem but also alert them to any existing redundancies, which they will be tasked with harmonizing. Third, the interagency database will enable the government to systematically address the potential for wasteful regulatory overlap, leveraging the regulatory agencies’ expertise and aligning proposed regulations with existing frameworks (another goal of the implementation plan). This approach optimizes resource utilization, addresses redundancy, and ultimately enhances national cybersecurity. Given the urgency of this issue and the potential benefits, prompt action is needed.
FOR GREATER DETAIL ON THE ISSUES DISCUSSED IN “TWENTY-FIVE STEPS TO IMPROVING SECURITY WITHOUT NEW REGULATIONS” SEE FIXING AMERICAN CYBERSECURITY: CREATING A STRATEGIC PUBLIC-PRIVATE PARTNERSHIP (GEORGETOWN UNIVERSITY PRESS 2023).