Banking, oil and IT industry reps call on Congress to harmonize cyber regulations … again
Scores of overlapping and contradictory cyber regulations are overburdening the banking, oil and natural gas, and IT sectors, representatives from those industries told House lawmakers Thursday.
While the White House has prioritized the harmonization of regulations within critical infrastructure sectors and President Joe Biden’s cybersecurity strategy calls for “reciprocity” in mandates across federal agencies, witnesses told members of the House Oversight Subcommittee on Cybersecurity, Information Technology, and Government Innovation that they’re still waiting for the streamlining of rules to take effect.
“For as long as I can remember, there has been strong, long-standing, widely agreed upon bipartisan consensus on the need to harmonize inconsistent, duplicative or conflicting cyber regulations,” John Miller, vice president of policy, trust, data and technology at the Information Technology Industry Council, said in his opening statement.
“The past three administrations have prioritized the issue. Multiple congresses have agreed it’s a priority, and yet I do not recall a single conflicting and consistent or duplicative cyber regulation ever being eliminated or streamlined after all these years,” he said, adding that the Office of the National Cyber Director could establish a standardized clearinghouse process for new regulations to avoid overlaps.
Witnesses pointed to the recent cyber reporting mandate from the Cybersecurity and Infrastructure Security Agency as a major example of where harmonization fell flat. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) requires that certain organizations report to the federal government within 72 hours of a substantial cyberattack and 24 hours if a ransomware payment is made. However, public comments from industry argued for clearer terms and more defined limits in the reporting mandate, while members of Congress said the agency went too far.
Other comments noted the need for the federal government to have some metric to understand the cyber threat landscape, though striking a balance between requiring industry participation and overburdening organizations with fewer resources, like staffing, has proven difficult.
Patrick Warren, vice president of regulatory technology at the Bank Policy Institute, said during Thursday’s hearing that after CISA issued its proposal for cyber incident reporting, a separate proposal for federal acquisition regulation on cyber incident reporting was released, creating conflicting rules.
Rep. Gerry Connolly, D-Va., said the issue for the federal government is figuring out how to best navigate these conflicts. “What is the balance between the need of banks to do their business while the government tries to get its arms around the cyber problem and hopefully working with industry to protect American consumers?”
Maggie O’Connell, director of security, reliability and resilience at the Interstate Natural Gas Association of America, said that a single entity like CISA should oversee cybersecurity regulations. O’Connell noted that the Coast Guard and the Transportation Security Administration both have purview over portions of the oil and natural gas sector, and until Congress let authorities lapse, CISA also oversaw the Chemical Facility Anti-Terrorism Standards program, which included cybersecurity mandates. Ensuring that regulations are accepted across the federal board is the quickest way to ease any overlapping burdens, she said.
Charles Clancy, the chief technology officer at MITRE, noted that regulators from different agencies are layering “slightly different” versions of the same obligations for similar threats for critical infrastructure. Meanwhile, many of those regulations are rarely more than common best practices that may not stand up against nation-backed threats.
“None of it’s really new, and I don’t know that any of it necessarily rises to the nature of the threat that we’re seeing from Russia and China,” Clancy said. “So it’s just sort of creating a compounding set of the same and I think what we need is new thinking.”
In legislation released earlier this month, Sens. Gary Peters, D-Mich., and James Lankford, R-Okla., aimed to address the issue of “overly burdensome” cyber regulations facing industry. The Streamlining Federal Cybersecurity Regulations Act would establish an interagency committee to recommend which cyber regulations to pare down or eliminate.