A law directing cyber reg harmonization would ‘help enormously,’ White House official says

Sen. Gary Peters, D-Mich., shown here at an April 2024 hearing, is floating legislation that would harmonize federal agency cybersecurity regulations. Andrew Harnik/Getty Images

The remarks come a day after ONCD issued a blog calling for cybersecurity regulations to be harmonized.

A congressional mandate requiring federal agencies to study cybersecurity regulation overhauls with the White House would be a tremendous asset to the Biden administration’s cyber czar office, a top cyber official told a Senate panel Wednesday.

The Office of the National Cyber Director’s assistant director for cyber policy and programs, Nick Leiserson, testified before a Senate Homeland Security hearing that such a law would “help enormously” with the gargantuan task of streamlining and harmonizing the landscape of federal agency cybersecurity requirements.

Committee Chair Sen. Gary Peters, D-Mich., asked about the inherent strengths that would come with such a law, as he is floating a draft bill requiring ONCD to stand up a new interagency committee that would study “overly burdensome, inconsistent, or contradictory” cyber regulations and issue potential fixes to them, The Record reported last week.

As of now, when regulatory partners want to talk to the White House about cyber matters, it’s a “coalition of the willing,” Leiserson said.

“Having a clear mandate from Congress to bring everyone to the table will let us do what we do best at ONCD, which is listen to our partners, work with them to address the challenges … and design a comprehensive framework that allows for harmonization, yes, but just as importantly, reciprocity,” he said.

The office is limited in its ability to sway independent regulatory commissions to the discussion table, he said, noting that it will need congressional help to direct entities like the Consumer Product Safety Commission or National Labor Relations Board — designed to operate autonomously from the executive branch — to discuss streamlining cyber laws.

The hearing came on the heels of an extensive analysis released by ONCD on Tuesday, after the cyber office pored through some 2,000 pages of industry feedback on cybersecurity regulatory harmonization from a request for information issued last summer.

Academics and officials have touted the Biden era as a strong period for U.S. cybersecurity regulatory activity, which has aimed to attach more requirements to private firms in a way that forces them to be more transparent about never-ending cyberattacks.

But the industry comments made clear that requirements like notification deadlines, frameworks and other procedures may be creating cost and time burdens, said National Cyber Director Harry Coker.

“It was overwhelmingly evident that respondents believe that there was a lack of cybersecurity regulatory harmonization and reciprocity and that this posed a challenge to both cybersecurity outcomes and to business competitiveness. This was true for businesses of all sectors and of all sizes,” he wrote.

Industry oversight agencies like the Federal Communications Commission and Securities and Exchange Commission have worked on their own cybersecurity measures linked to top-down planning from a sweeping ONCD cybersecurity strategy that aims to bolster the United States’ cyber posture.

But not every regulation has received such praise, such as an SEC mandate requiring publicly traded firms to file with the agency within four business days of discovering a cybersecurity incident. It faces pushback from some lawmakers and cybersecurity executives, who argue it could draw unwanted attention from other hackers and force firms to direct their attention to potential legal dilemmas instead of cyber threat mitigation.

Broadly speaking, feedback to ONCD signaled that inconsistent or duplicative requirements, which force firms to divert money from cybersecurity programs into compliance spending, are preventing the private sector — including critical infrastructure owners and operators — from fully shoring up its cyberdefenses.

Financial sector CISOs, for instance, spent some 30% to 40% of their time “doing paperwork” on compliance rather than focusing on cybersecurity, said GAO IT chief David Hinchman, who testified alongside Leiserson.

“There will always be some compliance burden … but we can do a lot to streamline that and minimize it,” Hinchman said.