Senate chairman wants new White House-led panel to streamline federal cyber rules
A top Democratic senator is pushing draft legislation that would require the White House to create a new interagency committee to streamline and better coordinate federal cybersecurity regulations, according to two sources familiar with the bill.
The proposal from Gary Peters (D-MI), chairman of the Homeland Security and Governmental Affairs Committee, is intended to make it easier for industry to comply with cybersecurity rules. The Office of the National Cyber Director (ONCD) would be in charge of the effort.
Peters has long been an influential voice on cyber issues in Congress, and if the bill is formally introduced as expected, it is thought to have a good chance of passing despite election year congressional paralysis.
An early version obtained by Recorded Future News would give the committee one year to identify information security and cybersecurity regulatory requirements that are “overly burdensome, inconsistent, or contradictory” and issue recommendations to fix them.
The legislation also would establish a pilot program requiring at least three regulatory agencies charged with implementing similar rules to work with the committee to ensure that any update to existing regulations or potential new ones are “aligned to the greatest extent possible” with a regulatory framework ONCD would lead on developing.
The national cyber director would lead the interagency committee, which would include representatives from each regulatory agency, each sector risk management agency, the White House Office of Information and Regulatory Affairs and Office of Management and Budget.
A spokesperson for Peters did not immediately respond to a request for comment. ONCD declined to comment.
Industry has long chafed at the myriad and often overlapping regulations issued by multiple federal agencies with jurisdiction over cybersecurity.
“The amount of regulation currently enforced, and the significant call for future regulation, make cyber harmonization badly needed,” said Brian Harrell, a former Department of Homeland Security assistant secretary who now works as an energy industry executive.
Harrell said industry and Republicans have been clamoring for a harmonization bill because as it stands industry is “beholden to multiple cyber regulations.”
In recent days the draft legislation has been circulated widely by industry executives and business associations who have been asked for input as well as within ONCD, which is collaborating with Peters to shape the final bill.
The legislation would give more authority to ONCD to direct how cybersecurity regulations are set and coordinated than it currently holds. The draft bill comes just two months after the Cybersecurity and Infrastructure Security (CISA) released long-anticipated regulations created under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA).
It is critical that a single agency take charge of the cyber regulatory landscape, according to James Lewis, director of the Technology and Public Policy Program at the Center for Strategic and International Studies. The bill’s language giving ONCD more authority to coordinate rules is a good idea even if it diminishes CISA, he said.
“There's always this tension about who's in charge — is it CISA or is it ONCD — and the bill comes down on the side of ONCD,” Lewis said. “It’s a White House entity so that makes a little more sense,” Lewis said.
He called the bill important because “we're starting to see a profusion of regulation.”
Lewis cited both CIRCIA and the Securities and Exchange Commission’s new cybersecurity incident disclosure rule as examples of that profusion.
Still, Lewis cautioned that the bill’s attempt to streamline cybersecurity regulations across the federal government could be derailed by the fact that multiple congressional committees oversee different federal agencies’ cybersecurity work and won’t want to give up jurisdiction.
“Cybersecurity cuts across so many committees — which one gets to be in charge?” Lewis said. “And the answer from every committee is, ‘me.’”
For the bill to succeed it will be important to “steer clear of touching congressional committee jurisdiction,” Lewis added.
A long-running issue
The White House has long recognized the importance of better streamlining cybersecurity regulations. The National Cybersecurity Strategy it released last March included a pledge to “harmonize not only regulations and rules, but also assessments and audits of regulated entities.”
In July, ONCD asked stakeholders to weigh in so that it could better understand “existing challenges with regulatory overlap and inconsistency in order to explore a framework for reciprocal recognition by regulators of compliance with common baseline cybersecurity requirements.”
ONCD’s call for input noted that “at a technical level, the cybersecurity of one sector is inherently similar to the cybersecurity of other sectors. … The technological commonalities also mean that baseline risk mitigation measures are likely to be common among entities and sectors.”
Legislation will give much needed muscle to the ONCD effort to streamline regulations, according to Mark Montgomery, senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies.
Like Lewis, Montgomery said it makes sense for ONCD to run the effort as opposed to CISA.
“This kind of thing requires White House leadership,” said Montgomery, who previously served as executive director of the Cyberspace Solarium Commission. “It requires the participating agencies to believe that if they're noncompliant or foot dragging the NCD will use the tools of the presidency to compel participation.”
Cybersecurity regulatory harmonization was one of the top two priorities for former National Cyber Director Chris Inglis, Montgomery said. He added that the current director, Harry Coker, is similarly focused on the issue.
The legislation has a chance of passing in the near term, Montgomery said.
Peters has a “long track record of getting complex cybersecurity legislation completed,” Montgomery said. “This is the type of legislation that should appeal across the aisle.”
Suzanne Smalley
is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.