We Need to Harmonize Cybersecurity Regulations, What We Heard From our Partners

By National Cyber Director Harry Coker, Jr.

At the Office of the National Cyber Director, we pride ourselves on our willingness to collaborate and work through the hard problems facing us in cybersecurity. We rely on the candid dialogue and feedback we receive from our partners in civil society, academia, and industry, especially the owners and operators of our nation’s critical infrastructure and business associations.

One of the issues we hear about most often is the need to better harmonize cybersecurity regulations.

So, our office has been hard at work to better understand the challenge and ultimately help our partners across the public and private sectors strengthen cybersecurity readiness and resilience while also simplifying oversight and regulatory responsibilities of cyber regulators to enable them to focus on areas of unique, sector-specific expertise.

We know this work is necessary not only to better protect Americans, but also to substantially reduce the administrative burden and cost on regulated entities.

Last August, ONCD released a request for information (RFI) to formally jumpstart conversations with industry and ask for input to better understand the cybersecurity regulatory landscape.

We received 86 responses to the RFI, representing 11 of the 16 critical infrastructure sectors, as well as trade associations, nonprofits, and research organizations. In all, the respondents, many of which are membership organizations, represent over 15,000 businesses, states, and other organizations. Today, in our continued commitment to transparency, we are releasing a summary of those responses.

It was overwhelmingly evident that respondents believe that there was a lack of cybersecurity regulatory harmonization and reciprocity and that this posed a challenge to both cybersecurity outcomes and to business competitiveness. This was true for businesses of all sectors and of all sizes.

Partners raised concerns not only about a lack of harmonization and reciprocity across Federal agencies, but also between state and Federal regulators and across international borders.

In a world in which there is increasing fragmentation of cybersecurity regulations, what we have been hearing from our international partners and multi-national companies is they are looking to the United States government to lead.

Many of those who responded lamented a lack of reciprocity to date, noting that investments in compliance across multiple regulatory regimes intended to control the same risk resulted in a net reduction in actual programmatic cybersecurity spending.

These responses have confirmed the scope of the challenge and helped us chart a path forward.

Already we are working with our partners to build a pilot reciprocity framework to be used in a critical infrastructure subsector. We anticipate that this pilot will give us valuable insights as to how best to design a cybersecurity regulatory approach from the ground up.

However, we need Congress’s help to bring all the relevant agencies in the government together to develop a cross-sector framework for harmonization and reciprocity for baseline cybersecurity requirements.

As we listen and learn from our partners in the public and private sectors, we more clearly see that regulatory harmonization is a hard problem, exactly the kind of hard problem that ONCD was created to solve on behalf of our nation. It involves coordinating dozens of agencies, each implementing its own unique authorities. It’s a problem that has existed for decades. And it is a problem whose trend line is generally heading toward more fragmentation, not more harmonization.

Empowered with the feedback of our partners, we are taking steps towards a comprehensive solution that will provide efficiency to our industry partners, clarity to our interagency colleagues, and that will ultimately incentivize better, safer cyber outcomes for the American people.