
The Senate leader wants a new White House-led panel to improve federal cybersecurity regulations

A top Democratic senator is pushing a bill that would require the White House to create a new interagency commission to streamline and better coordinate federal cybersecurity regulations, according to two sources familiar with the bill.

The proposal from Gary Peters (D-MI), chairman of the Homeland Security and Governmental Affairs Committee, would make it easier for industry to comply with cybersecurity rules. The Office of the National Cybersecurity Director (ONCD) would be responsible for these activities.

Peters has long been an influential voice in Congress on cyber issues, and it is believed that if the bill is formally introduced as expected, it will have a good chance of passing despite Congress being paralyzed in an election year.

An early version obtained by Recorded Future News would give the commission a year to identify information security and cybersecurity regulatory requirements that are “unduly burdensome, inconsistent or contradictory” and make recommendations to fix them.

The legislation would also establish a pilot program requiring at least three regulatory agencies responsible for implementing similar policies to work with the committee to ensure that any updates to existing regulations or potential new ones are “aligned as closely as possible” with the regulatory framework that the ONCD would go on to develop.

The national cybersecurity director would head an interagency committee that would include representatives from each regulatory agency, each sector risk management agency, the White House Office of Information and Regulatory Affairs, and the Office of Management and Budget.

Spokespeople for Peters and ONCD did not immediately respond to a request for comment.

The industry has long been vexed by the myriad and often overlapping regulations issued by multiple federal agencies responsible for cybersecurity.

“The sheer volume of current enforcement and the significant call for future regulation make cybersecurity harmonization sorely needed,” said Brian Harrell, a former deputy secretary of the Department of Homeland Security who now serves as an energy industry executive.

Harrell said the industry and Republicans are pushing for a harmonization bill because in the current climate, the industry is “mandated on a lot of cyber regulation.”

In recent days, the draft regulations have been widely disseminated by industry representatives and business associations, who were asked for comments, as well as by ONCD, which is working with Peters on the final shape of the draft law.

The legislation would give the ONCD greater powers to set and coordinate cybersecurity regulations than it currently has. The bill comes just two months after the Cybersecurity and Infrastructure Security Authority (CISA) published long-awaited regulations created under the Critical Infrastructure Cyber Incident Reporting Act (CIRCIA).

According to James Lewis, director of the Technology and Public Policy Program at the Center for Strategic and International Studies, it is critical that one agency takes control of the cybersecurity regulatory landscape. The wording in the bill that gives ONCD greater powers to coordinate regulations is a good idea, even if it limits CISA, he said.

“There is always tension as to who is in charge – whether it is CISA or ONCD – and therefore the bill falls on ONCD,” Lewis said. “It’s a White House entity, so it makes a little more sense.”

He called the bill important because “we’re starting to see a lot of regulation.”

Lewis cited both CIRCIA and the Securities and Exchange Commission’s new cybersecurity incident disclosure rules as examples of this abundance.

Still, Lewis cautioned that the bill’s attempt to streamline cybersecurity regulations across the federal government could be thwarted by the fact that many congressional committees oversee the cybersecurity work of various federal agencies and are unwilling to give up jurisdiction.

“There are so many committees dealing with cybersecurity – which one will be in charge?” said Lewis. “And the answer from every committee is ‘I do’.”

For the bill to be successful, it will be important to “avoid touching the jurisdiction of congressional committees,” Lewis added.

A long-term problem

The White House has long recognized the importance of better streamlining cybersecurity regulations. The National Cybersecurity Strategy published in March included a commitment to “harmonize not only regulations and principles, but also assessments and audits of regulated entities.”

In July, the ONCD requested an assessment from stakeholders so that it can better understand “the existing challenges related to regulatory overlaps and inconsistencies with a view to exploring a framework for mutual recognition by regulators of compliance with the Common Core Cybersecurity Framework requirements.”

The ONCD call for input notes that “at a technical level, the cybersecurity of one sector is inherently similar to the cybersecurity of other sectors. (…) Technological similarities also mean that the underlying risk mitigation measures are likely to be common to entities and sectors.”

According to Mark Montgomery, senior director of the Center for Cyber and Technology Innovation at the Foundation for Defense of Democracies, the legislation will give a much-needed boost to ONCD’s efforts to streamline regulations.

Like Lewis, Montgomery said it made sense for ONCD to take on the task rather than CISA.

“Things like this require leadership from the White House,” said Montgomery, who previously served as executive director of the Cyberspace Solarium Commission. “This requires participating agencies to believe that if they fail to comply or delay, the NCD will use the tools of the presidency to force participation.”

Montgomery said harmonizing cybersecurity regulations was one of former national cybersecurity director Chris Inglis’ two top priorities. He added that current director Harry Coker is similarly focused on this issue.

Montgomery said the legislation has a chance of being passed in the near future.

Peters has “a long track record in crafting complex cybersecurity regulations,” Montgomery said. “This is the kind of legislation that should appeal to everyone.”