What the White House Should Do Next for Cyber Regulation

COMMENTARY

Regulation is the most complex and politically sensitive cybersecurity measure ever undertaken by the US government.  

The most important step the White House can take is starting a cyber-regulation strategy and creating a new office within the Office of the National Cyber Director (ONCD) to drive smart regulation and harmonization. 

Regulating Cybersecurity: Strategy Needed

Government mandates, especially ones to regulate an area tied to speech, touch at the heart of the role of government in a free society. They are far more inherently political than most other cybersecurity initiatives, such as building the cyber workforce, a topic for which ONCD has already created a dedicated strategy. 

Cyber regulation is also exceedingly complex. To improve cybersecurity, the government might impose minimum baseline cybersecurity controls for critical infrastructures (for everything from rail to customer information held by banks), charge companies for fraud under the False Claims Act, use securities laws to criminally charge corporate security executives, impose labeling requirements for smart devices, or regulate cybersecurity for broadband Internet access. 

The US government is defaulting to doing all of these, plus many more, all at once. 

Some of these initiatives are more in line with the president's strategy and priorities than others; some are best done first, others later; some might be challenged in court, post-Chevron; and some will impose larger costs, for fewer gains, than others seeking the same end. 

All will create winners and losers. Unlike efforts to fix the cyber workforce, some might even affect the outcome of elections. 

ONCD must accordingly develop a new strategy (or at least a less-formal road map) for regulating cyberspace, laying out the major options and trade-offs, timelines, and measures of success. The final deciders must be the nation's political leadership in the National Security Council and National Economic Council. 

New White House Office Also Needed

To ensure the success of the cyber-workforce strategy, ONCD created a dedicated team, led by an assistant national cyber director. ONCD must create another such special office to focus on the far more politically sensitive and complex topic of regulation. 

ONCD's office would work to not just "create a coherent regulatory system and harmonize cybersecurity requirements," as recommended by the American Chamber of Commerce, or oversee a Harmonization Committee, per a recent Senate bill. It would draft the strategy, develop an implementation plan and track completion, develop frameworks to harmonize regulations, champion mutual recognition, and help oversee if regulations are working and at reasonable cost. 

This office would work with other departments and agencies — especially the Cybersecurity Forum for Independent and Executive Branch Regulators and the Cybersecurity and Infrastructure Security Agency, recently tasked to harmonize critical infrastructure regulations.  

And there are a lot regulations needing coordination. Just in the past few months, there is not only the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), but also: 

1. Cybersecurity in the Marine Transportation System, "establishing minimum cybersecurity requirements for U.S. flagged vessels" (from the Coast Guard)  

2. Data Breach Reporting Requirements for telecommunications providers (the Federal Communications Commission) 

3. Cybersecurity Labeling for Internet of Things (IoT) (FCC) 

4. Cybersecurity Maturity Model Certification for contractors (Department of Defense) 

5. Significant Cybersecurity Incident Reporting Requirements for federally approved mortgage lenders (Department of Housing and Urban Development) 

6. New requirements for US infrastructure-as-a-service (IaaS) providers (Department of Commerce) 

Meanwhile, the Environmental Protection Agency is "increasing inspections and enforcement" of community water systems and "the Centers for Medicare and Medicaid Services (CMS) will be drafting new rules" for hospitals. 

ONCD's harmonization efforts have been solid, led by Nick Leiserson, Brian Scott, and Elizabeth Irwin, among others. But this team is also working on a wide range of other policies and programs, such as including cyber in federal grants to states. Regulation, complex, and politically fraught, deserves a dedicated team and leadership. 

But It's Close to an Election!

The next presidential administration may be less eager to regulate than this one, but it will still need a regulatory plan of some sort to coordinate and harmonize between independent agencies and engage with states and the European Union.  

ONCD is staffed not just by political appointees and detailed civil servants — as is the National Security Council, the traditional heart of White House cyber policymaking — but also permanent staff. Starting the work on such a document now can help the smartest policies to survive between administrations and improve predictability for regulated companies. 

This is the White House's best opportunity for perhaps a generation to get this right, to improve security, to protect Americans in an increasingly dangerous world, and to decrease the cost and improve predictability for companies building our digitized economy. 

If the White House doesn't solve other important cyber issues, future administrations will have other chances. The critics fighting regulation will not be so forgiving.