White House cyber czar touts regulatory harmonization bill advancing through Congress
LAS VEGAS — The White House is deeply involved in a push to harmonize cybersecurity regulations in an effort to limit the burden on organizations, National Cyber Director Harry Coker said Thursday.
Speaking at the Black Hat conference in Las Vegas, Coker said he has spoken to security officers who spend up to half of their time on complying with cybersecurity regulations.
“It’s clear to us, and it’s going to become clear to others, that compliance does not equal cybersecurity,” he said. “Thirty to fifty percent of the time on compliance is way too much, hence, reciprocity is a key goal of ours in regulatory harmonization.”
A key facet of the harmonization effort is a bill making its way through Congress that would create an interagency Harmonization Committee at the Office of the National Cyber Director (ONCD).
Late last month, the bill advanced out of the Senate Homeland Security Committee, and it has been touted by both Democrats and Republicans as a necessary step to “mitigate challenges associated with conflicting, contradictory cybersecurity compliance requirements,” Senate leaders said last week.
The bill requires the committee, led by ONCD, to develop a framework for the alignment of cybersecurity and information security regulations, rules, examinations, and other compliance requirements.
The bill also requires all federal agencies, including independent regulatory agencies, to consult with the committee before issuing or updating regulations.
Coker said regulatory harmonization would decrease the cost of doing business and enhance security in the process, allowing cybersecurity leaders to focus their efforts on defense as opposed to compliance.
He said that his office worked with U.S. Senators Gary Peters (D-MI) and James Lankford (R-OK) on the bill.
“That bill will give our office the opportunity to bring together regulators to apply logic and good teamwork and collaboration to a vexing, hard problem that the public sector, private sector, and our business associations, all want to see happen,” he said.
“One of the key aspects that has to be there is reciprocity. Our office strives for federal coherence across the cybersecurity ecosystem, and we lead via collaboration.”
Coker added that he meets with cyber regulators regularly and values their independence but argued that the bill will help relevant agencies to better collaborate.
Stringent cybersecurity rules have already been implemented in specific sectors, such as healthcare and finance, with the Securities and Exchange Commission, Federal Trade Commission and others adopting rules around incident response and protections. Another cyber incident reporting rule for critical infrastructure is slated to come out next year.
Sen. Peters held a hearing last month where several witnesses complained about duplicative or contradictory cyber requirements and the effect they had on business. Data shared at the hearing said some cybersecurity teams spend between 40% and 70% of their time on compliance.
Sen. Lankford said in a statement that “bureaucratic red tape” should not get in the way of preventing a cyberattack and added that “complicated regulations are making it more difficult to address the major cyber threats facing our national security and critical infrastructure.”
“Harmonizing these efforts will make sure that federal requirements are focused on actually improving security instead of imposing a convoluted set of compliance challenges,” he wrote.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.