An opportunity for Trump’s deregulation journey: Cybersecurity harmonization – Greg Otto
President-elect Donald Trump’s push for deregulation was a hallmark of his first administration — and he has vowed to not only continue it but take it further.
What started as removing two regulations for each new one has increased to removing 10 for every new one. There’s also a plan to create a new Department of Government Efficiency (DOGE) and general sentiment on Capitol Hill hinting at a pursuit of various deregulatory efforts. However, there is a ripe opportunity for greater efficiency: cybersecurity. Now is the time to improve our nation’s cybersecurity posture, free up compliance tasks placed on cybersecurity teams, and promote government efficiency in this area.
Most people would not think of cybersecurity as being rife with regulation and requirements. Yet numerous federal agencies, industry regulators, and standalone laws at the state and federal levels set forth cyber requirements around cyber incident reporting and baseline security rules. The challenge is that these can be duplicative, contradictory, and even leave holes in areas where there is no guidance. For example, it is possible for a company to fall under multiple regulators, meaning it might need to follow several sets of cybersecurity rules. This strains cybersecurity teams by forcing them to prioritize compliance over security, and the result is an inconsistent approach to security.
Importantly, cyber regulatory harmonization is a bipartisan idea that has been initiated by the current administration, with interest from members of Congress on both sides of the aisle. Thus far, a broad consensus exists among stakeholders of all backgrounds, as evidenced by a request for information that found that “the lack of harmonization and reciprocity harms cybersecurity outcomes while increasing compliance costs through additional administrative burdens.” However, progress in making this a reality has been limited. In fact, the Biden administration’s efforts to create new cyber regulation increased the patchwork since they were not undertaken simultaneously with harmonization.
However, Trump’s vow to prioritize deregulation and efficiency makes this an opportune time to drive harmonization forward. The Republican Party has already stated that security standards are necessary. There are many aspects the Trump administration should consider to make this possible, and three stand out.
First, there should be a clear end goal in mind before beginning. One question is whether harmonization should apply to incident reporting requirements, baseline security requirements, state and international requirements, or a combination. A comprehensive inventory of all requirements and legal bases is a helpful starting point, especially after a change in deference to federal agencies.
To move forward, harmonization could entail having a uniform set of security requirements across federal agencies, allowing for a baseline with some regulators able to add requirements specific to their sector, and/or better aligning requirements with existing cybersecurity frameworks. While these might be binding requirements, they would at least streamline and reduce what is currently in place and provide clarity on what precisely is required. The most challenging aspect of this is determining what makes up this baseline. There is a difference between requiring cybersecurity practices that most companies should or already do follow and prescribing onerous, resource-intensive requirements that might not be necessary for all entities.
Similarly, there could be a system built on reciprocity where an entity in compliance with one framework is deemed to be in compliance with another. To add to this, there are international efforts desiring to harmonize globally like those considered by G7 countries and the OECD, which is fueled by the number of countries that already have national cybersecurity laws.
Second, there needs to be a plan to overcome the resistance of federal agencies that prefer to follow their own path. No single entity is currently empowered to bring independent agencies to the table and produce a path forward; the Office of the National Cyber Director (ONCD) does not have that authority. Of course, there are voluntary forums like ones run by the Federal Communications Commission, but they have not had huge success to date. In fact, the opposite has happened. The Cyber Incident Reporting for Critical Infrastructure Act was passed as a uniform requirement for cyber incident reporting, with standardized timelines, thresholds, and processes. Not long after that, the Securities and Exchange Commission released its own rules for reporting material cyber incidents.
A path forward could entail the president affirmatively setting forth an expectation for harmonization, although it still would be technically voluntary. This seems like an area for the DOGE, led by Elon Musk and Vivek Ramaswamy, to coordinate. Alternatively, an entity could be empowered by statute to identify a baseline and pilot it, much like the bipartisan Streamlining Federal Cybersecurity Regulations Act — introduced by Sens. Gary Peters, D-Mich., and James Lankford, R-Okla. — does for ONCD.
Third, industry should be a key player in identifying which rules are not workable and what the path forward should be. The Biden administration learned this after attempting to issue pipeline cybersecurity requirements before consulting with industry. Moreover, true collaboration between industry and government is critical to improving cybersecurity, and harmonization is no exception.
It is hard to dispute that there is a need for cyber regulatory harmonization, and it is time to make it happen. The incoming administration and Congress should push this commonsense, bipartisan idea across the finish line as a way to improve the cybersecurity ecosystem, while simultaneously making it more efficient for industry and government.
Brandon Pugh, Esq. is the director of the R Street Institute’s cybersecurity and emerging threats team. He previously served in elected office and was Republican counsel covering cyber issues for a state legislature.
The post An opportunity for Trump’s deregulation journey: Cybersecurity harmonization appeared first on CyberScoop.