By CHHS Extern Kimberly Gainey
The oft discussed and much anticipated National Cybersecurity Strategy addresses cybersecurity regulatory harmonization with two paragraphs entitled “Harmonize and Streamline New and Existing Regulation.” The Strategy instructs regulators, when feasible, “to harmonize not only regulations and rules, but also assessments and audits of regulated entities.” However, it diverges from a Presidential advisory committee recommendation by designating the Office of National Cyber Director (ONCD), coordinating with the Office of Management and Budget, to lead these efforts, rather than a newly created office within the Cybersecurity and Infrastructure Security Agency (CISA). It is perhaps unsurprising that ONCD received the nod, given their involvement drafting the National Cybersecurity Strategy and the role of the National Cyber Director “as a principal advisor” on cybersecurity policy and strategy to the President.
However, one wonders about the wisdom of this decision on the heels of the retirement of the National Cyber Director Chris Inglis last month, leaving big shoes to fill for the former deputy, now Acting National Cyber Director Kemba Eneas Walden. Serving as the first National Cyber Director, Inglis brought decades of experience in the federal government in a variety of positions at the National Security Agency and the Department of Defense. Praised as a “tremendous leader” and “the best person for the job,” CISA Chief of Staff Kiersten Todt remarked on Inglis’ establishment of ONCD and unifying influence; in “a short period of time, he established an office and a reputation and this ability to unify in many ways, this interagency process and he has been such a tremendous partner to CISA.”
In contrast to two paragraphs in the National Cybersecurity Strategy, another option is presented within a 27 page report after years of study by the committee charged with providing “the best possible industry advice” to the President to assure “the availability and reliability of telecommunications services,” along with other national security and emergency preparedness challenges, which issued several recommendations to ensure internet resilience. The clear theme, per Politico, is “to coax, cajole and needle agencies toward consistent, or ‘harmonized,’ cybersecurity regulations.” The President’s National Security Telecommunications Advisory Committee (NSTAC) released the draft report in anticipation of a meeting where they approved the Strategy for Increasing Trust in the Information and Communications Technology (ICT) and Services Ecosystem, voting to send it to the President for consideration per the Washington Post. The report represents the culmination of a multi-phase study on “Enhancing Internet Resilience in 2021 and Beyond.” After a series of significant cybersecurity incidents, the White House tasked the NSTAC with three crucial cybersecurity topics “foundational” to national security and emergency preparedness. Prior phases developed recommendations regarding those three topics: 1) Software Assurance in the Information and Communications Technology and Services Supply Chain (November 2021); 2) Zero Trust and Trusted Identity Management (February 2022); and 3) Information Technology and Operational Technology Convergence (August 2022). Building from earlier recommendations, the draft report contains a veritable treasure trove of information. For those unable to delve into the 27 page report and appendices, here are the main nuggets.
Attracting immediate attention, several recommendations encourage harmonizing cybersecurity regulations and requirements. First up, recommending that CISA establish the Office of Cybersecurity Regulatory Harmonization (OCRH) to “institutionalize and expand upon existing harmonization efforts” of existing government forums, which lack “the required combination of mission, expertise, and resources that can address the scale of the challenge.” To elucidate the need to establish the OCRH, the report highlights two government entities attempting to address this issue, at least in part. First, the intergovernmental Cyber Incident Reporting Council established to “coordinate, deconflict, and harmonize federal incident reporting requirements, including those issued through regulations.” Note that the Cyber Incident Reporting Council’s mission is limited to incident reporting. Second, the federal interagency Cybersecurity Forum for Independent and Executive Branch Regulators critiqued for lacking the dedicated staffing necessary to develop expertise across sectors as most participating officials juggle Forum participation on top of various responsibilities for their home agencies. This may explain why the Forum has only held one meeting since it was relaunched in February 2022 under Federal Communications Commission (FCC) leadership, after several years of inactivity.
Resolving the dearth of dedicated staff and resources by forming and funding OCRH “would create an institutionalized source of in-depth cybersecurity regulatory expertise across sectors that does not currently exist within the federal government,” which is one of OCRH’s responsibilities. Other OCRH responsibilities include creating resources for regulators to use to develop cybersecurity requirements that leverage consensus standards where possible and providing regulators with technical assistance during rulemaking. These responsibilities respond to “[a] recurring challenge that . . . even though most regulations cite consensus standards as the basis for their requirements, variations in implementations across regulators often result in divergent requirements. Developing regulatory resources that provide common language that could be used across sectors could address the challenge.” OCRH’s first task would involve coordinating with the National Institute of Standards and Technology “to publish a public report that catalogs existing cybersecurity requirements across sectors, analyzes how they align or diverge from consensus standards down to the control level, and identifies opportunities to drive harmonization.”
Unlike the National Cybersecurity Strategy, the NSTAC report explains why CISA was selected to house the OCRH: “primarily because the responsibilities are well aligned with CISA’s role as National Coordinator for critical infrastructure security and resilience, which includes ensuring a unified approach to cyber risk management . . . .” The OCRH also aligns with CISA’s preference to remain non-regulatory as it “would act only in an advisory capacity in support of other federal government regulators.” CISA Director Jen Easterly describes regulation as “one tool” for federal officials, “not a panacea,” which she has previously disavowed in favor of partnerships: “I am certainly not a proponent of regulation, because we’re a voluntary agency.”
Two other recommendations in the NSTAC report involve regulatory harmonization, specifically creating policies and processes to encourage: 1) regulation harmonization and 2) federal government cybersecurity requirement harmonization and drive consensus standards development, listing suggested Presidential actions for federal agencies. The NSTAC Report’s remaining recommendations are to advance the adoption of Post Quantum Cryptography and further work done in earlier phases by: creating and improving transparent procurement language to encourage vendor security best practices; enhancing CISA’s Continuous Diagnostics and Mitigation Program; and maximizing automation and reuse of evidence in federal compliance with the Federal Information Security Management Act.
Response to the NSTAC report, prior to being overrun by a deluge of coverage around the National Cybersecurity Strategy, was positive. United States House of Representatives Committee on Homeland Security Chairman Mark Green welcomed the emphasis on regulatory harmonization, citing “duplicative and burdensome regulatory obligations, most of which stem from the White House push for cross-sector mandates.” Chairman Green expressed enthusiasm for “pursuing strong oversight over this Administration’s scattershot cybersecurity regulations this Congress and . . . working with CISA to ensure the red tape doesn’t strangle industry,” referring to “Cyber Incident Reporting for Critical Infrastructure Act rulemaking.” However, American Banker reported that while many share the goal of regulatory harmonization, many barriers may hinder achievement including the lack of authority to harmonize a variety of state-level requirements. Further, expanding CISA’s role to include advising on regulations may change political dynamics, negatively affecting the support CISA currently receives in conjunction with its “primarily operational role in improving cybersecurity across all levels of government and providing resources that private enterprises can use to improve their own cybersecurity.”
Pursuant to the National Cybersecurity Strategy, the Acting National Cyber Director will likely encounter similar difficulties and faces the daunting prospect of leading regulatory harmonization on a national and international scale. The Strategy calls for the pursuit, when necessary, of “cross-border regulatory harmonization to prevent cybersecurity requirements from impeding digital trade flows.” Despite consensus around the value of regulatory harmonization, the path toward realization remains murky.