Both private-sector organizations and state governments are struggling under the burden of inconsistent and overlapping Federal cybersecurity regulations, according to experts who testified before the Senate Homeland Security and Governmental Affairs Committee.
“There is currently no clearinghouse for mitigating conflicts between regulators, and, as a result, states and industry bear the burden for ensuring compliance between sometimes redundant and often conflicting regulations,” said Sen. Claire McCaskill, D-Mo.
“We have to understand the enormous opportunity cost of overregulation, of contradictory regulations, if we want to truly address this very complex problem of the threats we face because of cyberattacks,” said Sen. Ron Johnson, R-Wis.
According to Christopher F. Feeney, president of BITS/Financial Services Roundtable, cybersecurity regulations need to mimic the standards of air traffic control, where all pilots and air traffic controllers speak English, no matter the country they work in.
“While we recognize the need to have regulations tailored to the different firms and the markets in which they operate, these regulations do not follow a common language, or a common set of exam procedures,” said Feeney. “This is counterproductive and introduces tremendous inconsistency and duplication of effort.”
James “Bo” Reese, vice president of the National Association of State Chief Information Officers (NASCIO) and CIO in the Office of Management and Enterprise Services for the State of Oklahoma, said that conflicting regulations from the Federal government cause IT workers to focus on meeting the audit, rather than managing risk, and those audits often deliver inconsistent results.
“State CIOs and chief information security officers must comb through thousands of pages of regulations to ensure that states are in compliance with rules from our Federal partners,” said Reese. “And even though Federal regulations are similar in nature in that they aim to protect high-risk information, they are mostly duplicative, and have minor differences that can obscure the goal of IT consolidation.”
Dean C. Garfield, president and CEO of the Information Technology Industry Council, said that even though the past three cybersecurity executive orders to come out of the White House called for coordination and harmonization of regulations, no real action has been taken.
“I think in part it is because of the challenge of putting someone in charge. In order to have the level of coordination that is needed to avoid the kind of redundancy we see […] you need someone who’s a center point for coordination,” said Garfield.
However, when asked about who should take on that leadership role, the witnesses had differing opinions about which person or agency would be best situated.
“I think for us, it’s important to keep Treasury in the role they’re in,” said Feeney.
“We may see things slightly different, we see HHS as a regulator,” said Daniel Nutkis, founder and CEO of the Health Information Trust Alliance, adding that health organizations don’t always want their regulator to develop standards for them.
McCaskill was also critical of HHS’s decision to develop its own version of DHS’s National Cybersecurity and Communications Integration Center (NCCIC), rather than letting DHS serve as the single touchpoint for private sector information sharing.
“That is the essence of duplicative,” said McCaskill, questioning the logic of “sprouting a new CCIC for every industry or sector.”
However, Garfield said that the infrastructure is already there for cyber regulation leadership, and that Congress should use its oversight power to ensure that the actions called for in the three executive orders actually take place.
“The infrastructure is there. NIST develops the standards, you don’t want a regulatory body developing the standards, as Mr. Nutkis pointed out. And so, the actual strategy, the framework, NIST is there, they’re doing it well,” said Garfield, adding that the cyber coordinator position, currently held by Rob Joyce, could be well situated to enforce the implementation of NIST’s work. “What we’re encouraging is that role or some other role play this part in coordination and avoiding redundancy.”