Keypoint: To advance the National Cybersecurity Strategy, the Office of the National Cyber Director is soliciting public comments to harmonize cybersecurity regulations, with comments due by October 31, 2023.
In March 2023, the White House released its National Cybersecurity Strategy (NCS), which envisions two changes in how the United States allocates roles, responsibilities, and resources in cyberspace:
- Rebalancing the responsibility to defend cyberspace; and
- Realigning incentives towards long-term investments to reward security and resilience.
This rebalance and realignment explicitly acknowledges that collaboration between private and public sector stakeholders will be necessary.
Five Pillars of the NCS
The NCS rests on five pillars: (1) Defend Critical Infrastructure, (2) Disrupt and Dismantle Threat Actors, (3) Shape Market Forces to Drive Security and Resilience, (4) Invest in a Resilient Future, and (5) Forge International Partnerships to Pursue Shared Goals.
The NCS directs the Office of the National Cyber Director (ONCD) to work with federal agencies to develop and publish an implementation plan for the NCS, and to evaluate the effectiveness of the NCS in annual reports to the President and Congress. In July 2023, ONCD released the NCS Implementation Plan (NCSIP) – a roadmap of federal initiatives that puts more substance onto the NCS pillars, including:
- Defend critical infrastructure. ONCD will establish new regulations to provide clear guidance to critical infrastructure providers during incident response and recovery.
- Disrupt and dismantle threat actors. The Joint Ransomware Task Force, which was created by Congress, will work with private sector companies to combat and disrupt ransomware and other cybercrimes.
- Shape market forces to drive security and resilience. Emphasizes the government’s focus on securing the software supply chain by identifying and reducing gaps in software bills of materials (SBOMs).
- Invest in a resilient future. Improve key cybersecurity standards to protect the internet and the cyber workforce from risks in existing and emerging technologies, including the standardization of quantum-resistant cryptographic algorithms.
- Forge international partnerships to pursue shared goals. The US will collaborate with its international partners and allies to develop an international cyberspace and digital policy strategy that will bolster law enforcement, hold governments accountable, increase international support for incident response, and encourage safe supply chains for information and communications technologies.
Harmonizing Critical Infrastructure Regulations – ONCD Wants Feedback
The NCS and the NCSIP put critical infrastructure defense at the top of the government’s “to do” list, and the NCSIP prioritizes the enactment and enforcement of new regulations for critical infrastructure. However, ONCD also wants to harmonize these new regulations so that companies can focus on security rather than on compliance alone.
To better understand the challenges and discrepancies private industry faces with regulatory overlap, ONCD published a Request For Information (RFI) asking for public feedback on potential ways to harmonize federal cybersecurity regulations for critical infrastructure and the associated sub-sectors. Notwithstanding the possibility of a government shutdown on September 30, 2023, the deadline to submit written comments through www.regulations.gov responsive to ONCD’s request for information is October 31, 2023.
ONCD is also interested in receiving comments on newer technologies, such as cloud services, or other “Critical and Emerging Technologies” identified by the National Science and Technology Council, that are being introduced into critical infrastructure. ONCD strongly encourages academics, non-profit entities, industry associations, regulated entities, and others with expertise in cybersecurity regulation, risk management, operations, compliance, and economics to provide input. It also encourages state, local, Tribal, and territorial (SLTT) entities to submit responses in their capacity not only as regulators but also as critical infrastructure entities.
Ten topics for comment were released, and the highlights include:
- Examples of conflicting, mutually exclusive, or inconsistent regulations;
- Comments on the use of common guidelines;
- Evaluations of the use of existing standards or frameworks to reduce burdens on regulated entities and to help achieve regulatory harmonization;
- Examples of cybersecurity oversight by multiple regulators of the same entity;
- Examples of SLTT regulations that affect critical infrastructure owners and operators across state lines; and
- Examples of foreign governments that have been implementing regulatory regimes with overlapping, redundant, or inconsistent requirements.
During a recent cybersecurity conference I attended, a panel of former government officials discussed the NCS and the RFI. The panelists gave full-throated encouragement to the public comment process for at least three reasons. First, and consistent with my own experience in public service, policymakers want to reach a good outcome. They do not want to cause unintended harm to the regulated community.
Second, policymakers want to receive inputs from outside the DC beltway. The US Chamber of Commerce reports that small and mid-sized businesses comprise over 95% of American businesses. However, most of those companies are not Federal contractors, and they do not speak to policymakers regarding information technology. As a result, policymakers thirst for information from small and mid-sized businesses on regulatory reform.
Third, and perhaps the most compelling reason to submit comments, is that silence implies consent. If policymakers do not receive feedback from a broad swath of the regulated community, it is natural to assume that the status quo is acceptable.
The Qualitative Benefits of Public-Private Collaboration
Each NCS pillar leverages collaboration and partnership with the private sector and international allies. One of the reasons for this emphasis is that the United States legal system restricts many of our best-resourced and talented network defenders, namely the Department of Defense (DoD), the Intelligence Community (IC), and law enforcement, from monitoring privately owned US networks and related infrastructure.
While these legal restrictions are entirely appropriate and consistent with US values, their consequence is that sophisticated threat actors understand this interplay between privacy and national security and deliberately operate from networks where the DoD and IC cannot monitor or counter their activity.
By way of example, the Director of the National Security Agency testified before Congress in 2021 that the Federal government is precluded from monitoring domestic internet infrastructure without a warrant. To paraphrase the Director, it isn’t just a question of “connecting the dots” on threats to domestic infrastructure, but rather a prohibition on even “looking at those dots.” Consequently, when it comes to seeing the dots that might be indicators of nefarious activity within US-based private infrastructure, private-sector companies are in the best position to report those indicators.
Companies that engage with their regulatory agencies, and collaborate with Information Sharing and Analysis Centers (ISACs), the NSA Cybersecurity Collaboration Center (CCC), the Joint Cyber Defense Collaborative (JCDC), or the National Cyber-Forensics and Training Alliance (NCFTA), will be in a stronger position to recover from a cyber disruption and to reduce the magnitude of that disruption.