Federal Agency Raises Flag On Untamed Cybersecurity Regulation Landscape
Fragmented cyber regulations could increase cyber risks, some argue .
An often-heard bane of CISOs and other IT security professionals is navigating the stupefying number of regulations within the cybersecurity industry.
There are so many layers of regulations and then even regulations within those layers. There are federal regulations like HIPAA, but there are ones at the state level, ones for specific verticals, and not to mention, international regulations.
The White House's Office of the National Cyber Director looked into concerns and issues with the untamed and fragmented world of security regulations.
'A Lack Of Harmonization'
The agency collected data seeking "public feedback on existing challenges with regulatory overlap" sending out a Request For Information (RFI) to industry, civil, academic, government and other entities.
The NCD published a summary report this week of its findings from the data, as well as comments from respondents.
One organization, the American Chemistry Council, responded that the "the lack of harmonization . . . [in cybersecurity regulations] led to a fragmented approach nationally and internationally."
"A growing patchwork of cybersecurity laws across the states and at the Federal level creates duplicative, inconsistent, or contradictory regulatory frameworks. This fragmentation presents real risks to businesses, consumers, and the overall goals of cybersecurity policy," the Wireless Association (CTIA) responded.
The International Information System Security Certification Consortium (ISC2) said that the current regulation landscape, designed to bolster cyber resilience, could in fact, have the opposite effect.
"Fear of non-compliance and penalties draws the focus of cybersecurity professionals from operational risk to compliance risk," and that "cybersecurity professionals are 'spending inordinate amounts of time complying with nuanced requirements rather than preventing and responding to cyber incidents,'" ISC2 said in its response.
As cyber threats evolve and spread, cybersecurity regulations have been subject to more scrutiny.
In a blog post, the Internet Security Alliance said there is a "common misconception" that "if only there was federal regulation of cyberspace, we would have a more secure environment."
"The facts don't bear this assertion," the post continued.
The ISA pointed to a 2020 study by the ESI ThoughtLab. The study found that "healthcare institutions ranked 11th out of 13 critical sectors in terms of average loss compared to revenue." Health care organizations were also less likely to have had "disaster recovery plans, cyber incident recovery plans, or did regular cyber risk assessments or stress tests."
The same report also found that financial institutions did not fare much better with cyber resilience.
Now four years later since that study, health care and finance, despite being regulation-and-compliance-saturated industries, are still considered the top two verticals most prone to cyberattacks.
NCD summed up its key findings from its research:
- "The lack of harmonization and reciprocity harms cybersecurity outcomes while increasing compliance costs through additional administrative burdens."
- "Challenges with cybersecurity regulatory harmonization and reciprocity extend to businesses of all sectors and sizes and that they cross jurisdictional boundaries."
- "The U.S. Government is positioned to act to address these challenges. Respondents provided numerous suggestions for how the Administration and Congress could act to increased harmonization and reciprocity."
In its blog post, the NCD also addressed Congress: "We need Congress's help to bring all the relevant agencies in the government together to develop a cross-sector framework for harmonization and reciprocity for baseline cybersecurity requirements."
The NCD's regulations study is part of the White House's National Cybersecurity Strategy, announced in March 2023.
"Cybersecurity is essential to the basic functioning of our economy, the operation of our critical infrastructure, the strength of our democracy and democratic institutions, the privacy of our data and communications, and our national defense," President Joe Biden said in a news release at the time.