Harmonizing the Cybersecurity Thicket: The White House’s Challenge

Policy White House grapples with harmonizing thicket of cybersecurity rules

The Regulatory Challenge

The Biden administration is facing the complex task of harmonizing cybersecurity regulations and technical standards across 16 critical infrastructure sectors. This endeavor is expected to be a lengthy and difficult one, potentially spanning multiple administrations. The goal is to create a framework that establishes reciprocity across standards, meaning that compliance with a set of standards in one sector would result in compliance in another. The hope is that this would reduce compliance costs and improve cybersecurity outcomes for critical infrastructure owners and operators. However, this task comes at a time when cyberattacks on critical infrastructure are increasing, making harmonizing regulations even more critical.

The National Cybersecurity Strategy

Harmonizing regulations is a key element of the National Cybersecurity Strategy Implementation Plan. The Office of the National Cyber Director and the Office of Management and Budget have been tasked with leading this effort. In a recent request for information, the government sought input on federal regulations, state regulations, international regulations, and industry-led standards that could be harmonized. The aim is to assess the extent of the problem and explore different models that might work.

The Need for Harmonization

The current regulatory landscape for cybersecurity is described as a “regulatory cacophony” with duplicative rules, regulations, and standards. Compliance is particularly challenging for companies that operate critical infrastructure, handle private health information, or operate across jurisdictions. This regulatory mess is evident in breach notification laws, where different agencies require different reporting and compliance obligations. Harmonization efforts seek to simplify and streamline these requirements.

Challenges in Harmonization

One of the challenges in harmonizing regulations is determining what type of information should be included and how it should be presented. The goal is to have consistency in the evidence and requirements across different sectors. Another challenge is ensuring that auditors interpret and enforce the rules in the same way. If auditors have varying interpretations, it could undermine the purpose of harmonization.

Excluding Operational Technology

The decision to exclude operational technology (OT) from harmonization efforts has raised questions. OT, which includes hardware and software that monitor or control physical environments, is considered too specific and dependent on the goals or services of each facility or utility. Instead, the focus is on common IT stacks that are replicable across multiple sectors. However, some experts argue that OT should be included as it touches on safety concerns and has a history of regulation.

Cloud Computing and Harmonization

An unanswered question is how cloud computing fits into the regulatory overhaul. The government is seeking input on how contractual obligations related to regulatory compliance are passed along to cloud service providers. Cloud computing plays a vital role in the U.S. economy, and many businesses rely on it to operate. However, the industry has not been designated as critical infrastructure, so how it fits into harmonization efforts remains uncertain.

Limitations and the Role of Congress

While the administration has been making efforts to strengthen cybersecurity regulations through existing laws, these efforts have faced roadblocks. A full overhaul of cybersecurity rules may require legislation from Congress. Some experts argue that certain industries, like the water industry, should have independent regulators and a similar regulatory structure to the electric grid. However, the administration is currently focused on achieving harmonization through industry buy-in rather than major policy changes involving Congress.

Resource Constraints and Implementation

A significant concern in harmonization efforts is whether federal agencies have the resources and manpower to oversee a more robust regulatory regime. Prior to the Colonial Pipeline attack, the Transportation Security Agency was operating with limited resources. The Environmental Protection Agency faces similar challenges. Experts caution that harmonization efforts will only be effective if the agencies implementing them have adequate resources. The question of funding and whether companies can afford to comply with new cybersecurity standards also arises, and both can pose significant hurdles to successful harmonization.

Conclusion and Advice

Harmonizing cybersecurity regulations across critical infrastructure sectors is a monumental task that will require time, resources, and effective collaboration between government agencies, industry, and other stakeholders. While the goal of reducing compliance costs and improving cybersecurity outcomes is commendable, careful consideration must be given to the challenges and limitations inherent in this endeavor.

It is crucial for the Biden administration to conduct a thorough assessment of existing regulations, engage with industry experts and professionals, and seek input from all relevant parties in order to develop a comprehensive and effective framework for harmonization. This framework must address not only technical aspects but also the financial and operational implications for both large and small organizations.

In addition, the government must ensure that federal agencies have the necessary resources and support to implement and enforce the harmonized regulations. Efforts should be made to streamline processes, avoid duplicative requirements, and establish clear guidelines for auditors to ensure consistency and effectiveness.

While harmonization is a step in the right direction, it is important to recognize that regulations alone cannot guarantee cybersecurity. Organizations must also prioritize cybersecurity investments, cultivate a culture of cybersecurity, and continuously update their defenses against evolving cyber threats. Public-private partnerships and information sharing can also play a crucial role in enhancing cybersecurity resilience and response.

Ultimately, achieving harmonization in cybersecurity regulations requires a long-term commitment, ongoing collaboration, and a comprehensive approach that encompasses technical, operational, and financial considerations. The Biden administration must seize this opportunity to pave the way for a more secure digital future for critical infrastructure in the United States.
