In mixed response to White House cyber strategy, House Republicans focus on regulations

Republican leaders on the House Homeland Security Committee questioned the White House's desire for more cyber regulations after the release of the National Cybersecurity Strategy on Thursday.

Committee Chairman Mark Green and Cybersecurity Subcommittee Chairman Andrew Garbarino did praise aspects of the plan, namely the focus on threats from Russia and China as well as the need for further public-private partnerships. 

But the lawmakers said the call for further mandatory cybersecurity regulations for critical infrastructure contradicted what Congress outlined in the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which tasked U.S. agencies with harmonizing both federal and international regulations.

Significant parts of the National Cybersecurity Strategy rely on the Biden administration working with Congress to create legislation that either imbues the government with more powers to hand down cybersecurity rules or place liability on companies for cybersecurity failures. 

“It's no surprise that this Administration’s desire for more regulation, bureaucracy, and red tape is a consistent theme in the National Cybersecurity Strategy. The key to building trust with our private sector partners is employing harmonization across government, rather than encouraging disparate and competing efforts,” the lawmakers said, arguing that most of what they have seen from the strategy “is a push for more red tape.”

“We must clarify federal cybersecurity roles and responsibilities, not create additional burdens, to minimize confusion and redundancies across the government," said Green (R-TN) and Garbarino (R-NY). "We are concerned that while the Administration expresses their desire to harmonize, their actions have only encouraged or forced new regulations from multiple agencies.”  

The lawmakers added that the White House needs to “prioritize streamlining existing regulations while working with the private sector to identify new opportunities for partnership, rather than punishment, particularly through their implementation of this Strategy.”

But both congressmen touted several aspects of the plan as positive developments, including the focus on strengthening the cybersecurity posture of federal civilian agencies, better federal coordination and the desire to go after perpetrators and enablers of cybercrime.

The Biden administration will need Republican support to enact any legislation after the party took control of the House in January. 

@RepMarkGreen and @RepGarbarino’s statement on the long-awaited release of the Biden admin's National Cybersecurity Strategy:https://t.co/1wI4KPIPvH pic.twitter.com/g5t3IiCKCT

— House Homeland GOP (@HomelandGOP) March 2, 2023

Green and Garbarino said they plan to beef up their oversight of the Cybersecurity and Infrastructure Security Agency (CISA) and are interested to see how the strategy is implemented, particularly the “planned efforts to hopefully ease the regulatory burden on industry while maintaining a strong cybersecurity posture.”

The two noted that a new national cyber director will be needed in the White House after Chris Inglis stepped down from the role just two weeks before the plan was released. Despite Inglis spending more than a year shepherding the strategy through the feedback process, acting National Cyber Director Kemba Walden has led the rollout. 

“We need strong leadership at the helm of our federal cyber defenses, and we hope the next National Cyber Director is up to the challenge,” the Republicans said. 

In the Senate, Homeland Security and Governmental Affairs Committee Chairman Gary Peters (D-MI) said he plans to “closely examine this strategy” and “quickly consider the parts of it that will require Congressional action.”

The Republican response to the plan was anticipated by many cybersecurity experts, some of whom questioned why the White House would lean so heavily on congressional action considering the current political climate. 

Robert DuPree, legislative director for former Rep. Bill Chappell, told The Record that the push to impose mandatory cybersecurity requirements on additional critical infrastructure sectors will need congressional authorization in some cases, which he believes “is a longshot at best.” 

The strategy’s call for more cybersecurity funding will also face headwinds in the House of Representatives as well, he added. 

“The Republican House majority is philosophically opposed to new government mandates and is not likely to give the Biden Administration such authority,” he said. 

“Better defending the government’s systems means new funding will be needed from Congress to replace unsecure legacy systems, but that goal will be made more difficult given the desire by many House Republicans to reduce overall discretionary spending to [fiscal] 2022 levels.”