[House Hearing, 118 Congress]
[From the U.S. Government Publishing Office]
ENHANCING CYBERSECURITY BY ELIMINATING
INCONSISTENT REGULATIONS
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON CYBERSECURITY, INFORMATION
TECHNOLOGY, AND GOVERNMENT INNOVATION
OF THE
COMMITTEE ON OVERSIGHT
AND ACCOUNTABILITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED EIGHTEENTH CONGRESS
SECOND SESSION
__________
JULY 25, 2024
__________
Serial No. 118-126
__________
Printed for the use of the Committee on Oversight and Accountability
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
Available on: govinfo.gov
oversight.house.gov or
docs.house.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
56-568 PDF WASHINGTON : 2024
-----------------------------------------------------------------------------------
COMMITTEE ON OVERSIGHT AND ACCOUNTABILITY
JAMES COMER, Kentucky, Chairman
Jim Jordan, Ohio Jamie Raskin, Maryland, Ranking
Mike Turner, Ohio Minority Member
Paul Gosar, Arizona Eleanor Holmes Norton, District of
Virginia Foxx, North Carolina Columbia
Glenn Grothman, Wisconsin Stephen F. Lynch, Massachusetts
Michael Cloud, Texas Gerald E. Connolly, Virginia
Gary Palmer, Alabama Raja Krishnamoorthi, Illinois
Clay Higgins, Louisiana Ro Khanna, California
Pete Sessions, Texas Kweisi Mfume, Maryland
Andy Biggs, Arizona Alexandria Ocasio-Cortez, New York
Nancy Mace, South Carolina Katie Porter, California
Jake LaTurner, Kansas Cori Bush, Missouri
Pat Fallon, Texas Shontel Brown, Ohio
Byron Donalds, Florida Melanie Stansbury, New Mexico
Scott Perry, Pennsylvania Robert Garcia, California
William Timmons, South Carolina Maxwell Frost, Florida
Tim Burchett, Tennessee Summer Lee, Pennsylvania
Marjorie Taylor Greene, Georgia Greg Casar, Texas
Lisa McClain, Michigan Jasmine Crockett, Texas
Lauren Boebert, Colorado Dan Goldman, New York
Russell Fry, South Carolina Jared Moskowitz, Florida
Anna Paulina Luna, Florida Rashida Tlaib, Michigan
Nick Langworthy, New York Ayanna Pressley, Massachesetts
Eric Burlison, Missouri
Mike Waltz, Florida
------
Mark Marin, Staff Director
Jessica Donlon, Deputy Staff Director and General Counsel
Peter Warren, Senior Advisor
Raj Bharwani, Senior Professional Staff Member
Lauren Lombardo, Senior Policy Analyst
Ellie McGowan, Staff Assistant and Administrative Clerk
Contact Number: 202-225-5074
Julie Tagen, Minority Staff Director
Contact Number: 202-225-5051
------
Subcommittee on Cybersecurity, Information Technology, and Government
Innovation
Nancy Mace, South Carolina, Chairwoman
William Timmons, South Carolina Gerald E. Connolly, Virginia
Tim Burchett, Tennessee Ranking Minority Member
Marjorie Taylor Greene, Georgia Ro Khanna, California
Anna Paulina Luna, Florida Stephen F. Lynch, Massachusetts
Nick Langworthy, New York Kweisi Mfume, Maryland
Eric Burlison, Missouri Jared Moskowitz, Florida
Vacancy Ayanna Pressley, Massachesetts
Vacancy Vacancy
C O N T E N T S
----------
Page
Hearing held on July 25, 2024.................................... 1
Witnesses
----------
Mr. John Miller, Senior Vice President of Policy, Trust, Data,
and Technology, Information Technology Industry Council
Oral Statement................................................... 5
Ms. Maggie O'Connell, Director of Security, Reliability, and
Resilience, Interstate Natural Gas Association of America
Oral Statement................................................... 7
Mr. Patrick Warren, Vice President of Regulatory Technology, Bank
Policy Institute
Oral Statement................................................... 8
Dr. Charles Clancy, Chief Technology Officer, MITRE
Oral Statement................................................... 10
Written opening statements and statements for the witnesses are
available on the U.S. House of Representatives Document
Repository at: docs.house.gov.
Index of Documents
----------
* Statement for the Record; submitted by Rep. Connolly.
* Letter, July 31, 2024, from BSA to the Subcommittee;
submitted by Rep. Mace.
* Statement, July 25, 2024, from Jason Healy to HCOA; submitted
by Rep. Connolly.
* Statement, July 25, 2024; submitted by Rep. Mace.
* Statement, July 25, 2024, Airlines for America; submitted by
Rep. Mace.
Documents are available at: docs.house.gov.
ENHANCING CYBERSECURITY BY ELIMINATING INCONSISTENT REGULATIONS
INCONSISTENT REGULATIONS
----------
Thursday, July 25, 2024
House of Representatives
Committee on Oversight and Accountability
Subcommittee on Cybersecurity, Information Technology, and Government
Innovation
Washington, D.C.
The Subcommittee met, pursuant to notice, at 9:06 a.m., in
room 2154, Rayburn House Office Building, Hon. Nancy Mace
[Chairwoman of the Subcommittee] presiding.
Present: Representatives Mace, Burchett, Burlison, and
Connolly.
Ms. Mace. Good Thursday morning. The Subcommittee on
Cybersecurity, Information Technology, and Government
Innovation will now come to order. And welcome everyone.
Without objection, the Chair may declare a recess at any
time. And I recognize myself for the purpose of making an
opening statement.
Good morning, and welcome to this hearing. Malicious
cyberattacks on our Nation's critical infrastructure are
increasing in frequency and scale. These attacks can create
damaging disruptions and compromise highly sensitive data.
Much of our critical infrastructure is owned and operated
by private sector companies. That includes transportation
networks, energy production and distribution facilities, and
the defense industrial base. Cyberattacks targeting such
operations threaten our homeland security and our national
security. That is why we need a strong partnership between the
government and private operators of critical infrastructure.
Unfortunately, Federal regulations intended to mitigate
cybersecurity risk often subject key industry participants to
overlapping and inconsistent requirements. This creates an
inefficient regulatory regime. The cost and burden of
compliance is high. Companies are forced to divert resources
away from cybersecurity enhancements to check various
unnecessary compliance boxes. The unnecessary drain on
resources also reduces the competitiveness of these businesses.
Regulations can proliferate out of control when multiple
agencies are issuing rules on the same topic. A single company
operating across critical sectors might need to comply with
overlapping, inconsistent cybersecurity rules issued by a half
dozen different agencies. Good luck with that.
So, it is not surprising that companies are feeling
besieged by the growing barrage of cybersecurity requirements.
In March of last year, the then-acting White House Cyber
Director appeared before this Subcommittee to discuss the
Administration's National Cybersecurity Strategy. She testified
that day that under the strategy, her office and the Office of
Management and Budget were jointly responsible for addressing
this issue of cybersecurity regulatory harmonization.
A few months later, her office issued a request for
information asking critical sector operators to identify
conflicting and mutually exclusive or inconsistent regulations
and describe the burden that they impose.
The RFI describes the goal of harmonization, reciprocity in
the regulation. An illustration of harmonization would be
multiple Federal agencies agreeing on allowable forms of
multifactor authentication to access IT systems. Reciprocity
would mean that if one regulator found a company's multifactor
authentication was being appropriately used on an IT system,
another regulator could accept that find instead of doing its
own independent assessment.
Unfortunately, judging from the response to the RFI, we
have a long way to go to achieve harmonization and reciprocity.
The more than 100 respondents--a few of whom we will hear
from today--describe a highly inefficient regulatory regime
that detracts from cybersecurity outcomes by unnecessarily
consuming scarce resources. Some of the respondents noted that
state-level and international cybersecurity regulations
contribute further to the regulatory morass they must
investigate.
The upshot, according to the Financial Services Sector
Coordinating Council, is that many company Chief Information
Security Officers spend as much as half their time on
regulatory compliance instead of upgrading their
cybersecurity's posture.
In all, the administration received more than 2,000 pages
of comments to its RFI.
I appreciate the Administration took the trouble to seek
out the views of the affected parties, but the responses,
thousands of them, show how challenging it will be to address
the problem.
One thing seems clear: strong, centralized leadership from
the Executive Office of the President will be required to
harmonize cybersecurity regulations. That is the only way to
put a check on regulators within the bureaucracy who may be
blind to the broader impact of rules they issue.
I look forward to hearing from our witnesses today who will
provide valuable insight on this problem from the perspective
of different critical sectors. But before I introduce them, I
am going to yield to the Ranking Member Connolly for 5 minutes.
Mr. Connolly. Thank you.
And Madam Chairwoman, I would ask unanimous consent to
enter into the record, at the appropriate time, a statement
from--a thoughtful statement from Professor Jason Healey of
Columbia School of International and Public Affairs.
Ms. Mace. Without objection.
Mr. Connolly. I thank the Chair.
Cyberattacks on government agencies, businesses critical
infrastructure, and private citizens have become alarmingly
frequent and sophisticated. The cost of these attacks
financially and in terms of national security is staggering.
According to data from the Federal Bureau of Investigation
and the International Monetary Fund, the average annual cost of
cybercrime worldwide is expected to reach $23 trillion by 2027,
that is with a T.
Ransomware attacks against these sectors, for example,
increased by more than 50 percent in 2023 alone. Federal
agencies reported more than 32,000 cybersecurity incidents in
Fiscal Year 2023. That is an increase of nearly 10 percent
compared to the previous year.
In addition, the FBI's Internet Crime Complaint Center
received more than 880,000 phishing, personal data breach, and
other complaints in 2023.
As I stated in previous hearings held by this Subcommittee,
data breaches and cyberattacks are no longer novel. That is why
securing the systems that are the backbone of the U.S. economy
is essential and fundamental both to the public and private
sectors. To this end, the Federal Government has a
responsibility to improve its cybersecurity outcomes.
To combat cyber threats, Federal agencies conduct
comprehensive and multilayered processes to set and enforce
cybersecurity requirements across components of our critical
infrastructure, such as banks, water treatment plants, and
telecommunication infrastructure. For example, the Federal
Information Security Management Act and executive orders like
Executive Order 14028 on Improving the Nation's Cybersecurity
enacted after the Russian foreign intelligence service
perpetrated the SolarWinds cybersecurity attack, they mandate
specific cybersecurity practices. Among those are agencywide
cybersecurity programs and risk assessments, incident response
protocols, multifactor authentication, and improved event
logging.
As National Cyber Director Harry Coker testified in
January, there is a clear need for mandatory cybersecurity
requirements for critical infrastructure. No fooling. However,
Congress and the Administration must not lose sight of our
responsibility to improve cybersecurity outcomes, and input
from GAO, industry, civil society, and state and local partners
indicate that existing regulations vary widely across many
sectors and, at times, conflicting parameters.
This patchwork approach often leaves private, state, and
local entities charged with securing critical infrastructure
investing less in our collective goal of improving
cybersecurity outcomes and more in compliance checking
activities, putting national security and economic stability at
some risk.
The Biden-Harris Administration recognized the need to
address the overlapping nature of much needed cybersecurity
regulations by launching efforts to deconflict and clarify
cybersecurity requirements. In March 2023, the National Cyber
Director released the National Cybersecurity Strategy, which
listed harmonizing regulations to reduce the burden of
compliance as one of the stated policy goals.
In August 2023, the ONCD issued a request for information
from industry and other partners on the challenges with
regulatory overlap and to explore framework for baseline
cybersecurity requirements.
All our witnesses here today provided comments and feedback
to the ONCD underscoring the Biden-Harris Administration's
collaborative efforts with industry experts to get this right.
In May of this year, the Office of National Cyber Director
also released the first-of-its-kind report on the cybersecurity
posture of the United States. The report assesses the
cybersecurity posture, the effectiveness of cyber policy and
strategy, and the status of the implementation of national
cyber policy and strategy by Federal departments and agencies.
Among the highlights of that report are actions taken by
the Federal Government during the previous year. Establishing
and using cyber requirements to protect critical
infrastructure, including through the development and
harmonization of regulatory requirements, is the first action
listed in the report, which just goes to show how important the
priority has been for this Administration.
I look forward to hearing today especially from Dr. Charles
Clancy, a Senior Vice President and CTO at MITRE Corporation,
about how Congress can support the efforts underway to achieve
regulatory harmonization.
The goal is to maintain clear and consistent guidance when
it comes to cybersecurity requirements. That will improve
outcomes by bolstering incident response, enhancing resilience,
reducing costs, and, ultimately, benefiting the American
people.
Thank you, and I yield back.
Ms. Mace. Thank you, Mr. Connolly.
I am pleased to introduce our witnesses for today's
hearing. Our first witness is Mr. John Miller, Vice President
of Policy, Trust, Data, and Technology and General Counsel at
the Information Technology Industry Council. Our second witness
is Ms. Maggie O'Connell, Director of Security, Reliability, and
Resilience at the Interstate Natural Gas Association of
America. Our third witness is Mr. Patrick Warren, Vice
President of Regulatory Technology with the Banking Policy
Institute. And our fourth and final witness today is Dr.
Charles Clancy, Chief Technology Officer at MITRE.
Welcome, everyone. We are pleased to have you this morning.
Pursuant to Committee Rule 9(g), the witnesses will please
stand and raise your right hand.
Do you solemnly swear or affirm that the testimony that you
are about to give is the truth, the whole truth, and nothing
but the truth, so help you God?
Let the record show that the witnesses all answered in the
affirmative.
We appreciate you being here today and look forward to your
testimony. Let me remind the witnesses we have read your
written statements, and they will appear in full in the hearing
record. Please limit your oral statements to 5 minutes this
morning.
As a reminder, please press the button on the microphone in
front of you so that it is on and that the members up here can
hear you. When you begin to speak, the light in front of you
will turn green. After 4 minutes, it will turn yellow. When the
light comes on and it turns red, your 5 minutes have expired. I
use the gavel. I bang it hard. Let us not do that today. We
would ask you to please wrap up.
All right. So, now I would like to recognize each of you
individually for your opening statements. I will first
recognize Mr. Miller. If you will please begin.
STATEMENT OF MR. JOHN MILLER
SENIOR VICE PRESIDENT OF POLICY, TRUST, DATA, AND TECHNOLOGY
INFORMATION TECHNOLOGY INDUSTRY COUNCIL
Mr. Miller. Chairwoman Mace, Ranking Member Connolly, and
distinguished members of the Subcommittee, on behalf of the
Information Technology Industry Council, or ITI, thank you for
the opportunity to testify today on the need to harmonize
cybersecurity regulations.
ITI is a global policy and advocacy organization
representing 80 of the world's leading tech companies, and I
lead ITI's Trust, Data, and Technology policy team, including
our work on cybersecurity in the U.S. and globally.
I have worked on cyber policy issues for over 15 years and
have extensive experience partnering with CISA and other
Federal Government stakeholders on efforts to improve cyber,
supply chain, and critical infrastructure security, including
currently serving in leadership positions on the ICT Supply
Chain Risk Management Task Force and the IT Sector Coordinating
Council.
For as long as I can remember, there has been strong,
longstanding, widely agreed-upon bipartisan consensus on the
need to harmonize inconsistent, duplicative, or conflicting
cyber regulations. The past three administrations have
prioritized the issue. Multiple Congresses have agreed it is a
priority. And yet I do not recall a single conflicting,
inconsistent, or duplicative cyber regulation ever being
eliminated or streamlined after all these years.
So, I welcome this Subcommittee's interest and, again,
shining a light on this important topic, and sincerely hope
this hearing can help catalyze long overdue harmonization of
cyber regulations.
The reasons why inconsistent, duplicative, or conflicting
cyber regulations are costly to industry and government are
obvious. The Office of the National Cyber Director has
acknowledged that cyber overregulation leads to companies
focusing more on compliance than security, resulting in higher
costs to customers and working families, and negatively impacts
national security.
This makes sense. The more resources organizations spend on
compliance, auditing, and tracking across multiple regulatory
regimes, the less resources are available to devote to
obtaining better cyber outcomes at lower costs.
There are real costs on government too. Surely it is
inefficient to use scarce government resources and regulatory
capacity to create and enforce duplicative, inconsistent, or
conflicting cyber regulatory requirements, particularly in
light of the persistent Federal cyber workforce shortage.
Congress, to its credit, remains focused on the issue. Your
colleagues at Senate HSGAC recently introduced the cyber
regulatory streamlining bill, and Congress previously flagged
this problem as part of the Cyber Incident Reporting for
Critical Infrastructure Act, which established the Cyber
Incident Reporting Council, or CIRC, to study and make
recommendations to address conflicting and duplicative Federal
incident reporting requirements.
Last September, CIRC report tallied over 50 such
requirements that were in effect or pending, representing just
one small slice of the overall cyber regulatory landscape.
When we consider that most companies are also encountering
duplicative, inconsistent, or conflicting cyber regulations at
the U.S. state level and internationally, it reveals the status
quo as simply untenable.
The deluge of cyber incident reporting regulations
perfectly illustrates the scope of the overregulation problem
and also serves as a reminder that, to date, while we have
studied the issue and offered recommendations, there has been
no discernible harmonization. Instead, the problem is getting
worse.
It is time that we stop admiring this problem and commit to
addressing it. I encourage the subcommittee to consider all of
the recommendations to drive better cyber harmonization in my
written testimony, but I highlight five here.
First, ONCD must follow through on its ongoing work
implementing the National Cyber Strategy to implement an
actionable plan to harmonize existing cyber regulations and
hold Federal agencies accountable for following through,
including DHS for implementing the CIRC recommendations, and
all agencies for actualizing harmonization efforts.
Second, we should align existing and future cyber
regulations around a common taxonomy, including definitions and
risk management controls grounded in international standards.
The NIST Cybersecurity Framework provides a common language for
doing so and can serve as an orientation point for Federal
harmonization efforts.
Third, we should define a standardized clearing process for
new cyber regulatory activity to prevent future fragmentation.
For instance, by expanding OIRA's role to review sector-
specific regulations for inconsistencies or by requiring
Federal agencies to demonstrate that any new regulations must
fill identified regulatory gaps.
Fourth, ONCD should develop and implement a structured
reciprocity process anchored in baseline controls and standards
across Federal Government regulations to reduce barriers and
clarify obligations. Reciprocity among Federal agency
requirements is critical to reduce redundant compliance costs
on industry and is particularly important in areas such as
cloud security.
Finally, Congress should seize the opportunity to drive
actionable cyber harmonization solutions and use its oversight
authorities to make sure that the current and future
administrations follow through.
Given the Supreme Court's recent decision in Loper Bright
to overturn Chevron deference, going forward, it is more
important than ever that Congress provide precise cyber
authorities and clear direction to the Federal agencies who
will implement and enforce future rules.
Thank you again for the opportunity to testify today. I
look forward to your questions.
Ms. Mace. Thank you.
I would like to recognize Mr. O'Connell for 5 minutes--Ms.
O'Connell for 5 minutes.
STATEMENT OF MS. MAGGIE O'CONNELL
DIRECTOR OF SECURITY, RELIABILITY, AND RESILIENCE
INTERSTATE NATURAL GAS ASSOCIATION OF AMERICA
Ms. O'Connell. Good morning, Chairwoman Mace, Ranking
Member Connolly, members of the Subcommittee. I am Maggie
O'Connell, Director of Security, Reliability, and Resilience at
the Interstate Natural Gas Association of America. I currently
lead INGAA's cybersecurity, physical security, and emergency
response policy. Thank you for inviting me to share our
perspectives on cybersecurity regulatory harmonization.
INGAA is the national trade association that advocates to
Federal policymakers the priorities of the interstate natural
gas pipeline industry. Our members represent the majority of
interstate natural gas transmission pipeline companies in the
U.S. and are leaders in the reliable transportation of gas
throughout the country. Many of our members also operate other
forms of critical energy infrastructure, making our members
some of the most regulated entities in the Nation.
The oil and natural gas subsector understands the
importance of regulations to ensure the safe, secure, and
reliable delivery of goods and services. Our primary purpose is
to keep energy moving, which is precisely why our operators
apply a risk-based ``defense-in-depth'' approach to
cybersecurity.
Defense-in-depth is a strategy that protects the entire
enterprise rather than each individual business unit from
various threats. It entails robust governance, systematic risk-
based management, and multidimensional programs based on
industry recognized standards and frameworks.
To that end, security regulations should not be promulgated
simply for the sake of doing so. They must be based on risk,
outcome-focused, and threat-informed, with the goal of
safeguarding those elements that enable the provision of energy
services, protection of personal data, and of the essential
functions that support the country's economy and national
security.
The oil and natural gas industry believes there are three
main considerations for determining how to harmonize
cybersecurity regulations. First, regulators should engage in
robust consultation processes with a regulated community, other
agencies with authorities in that sector, and with regulators
of sectors with direct dependencies to the sector for which the
cybersecurity requirements are underdeveloped.
Second, if efforts cannot be made to harmonize proposed
cybersecurity regulatory requirements, agencies should take
action to retroactively ensure that requirements are harmonized
in a reciprocating manner.
Third, Congress and the White House should consider whether
a single entity, such as CISA, could facilitate the harmonizing
role. A single entity to provide management and oversight of
the multitude of cybersecurity regulations would enhance
overall cybersecurity and ease compliance efforts.
I would like to briefly discuss two key principles that we
believe are imperative to understanding: harmonization and
reciprocity.
Harmonization is best understood as alignment across
agencies and related regulations on a common set of
requirements to achieve a desired security outcome.
Harmonization achieves efficiency for compliance and the
circumvention of duplicative or conflicting requirements.
However, when undertaking this effort, the Federal Government
should understand the risk within each critical infrastructure
sector, the agencies with existing cybersecurity requirements,
and the varying purposes of each of those regulations.
The other piece to harmonization is reciprocity, wherein
the findings of one regulator satisfy the requirements of
another. Reciprocity is particularly pertinent given the number
of Federal regulations impacting the oil and natural gas sector
emanating from a single Federal department. For example, TSA
and the U.S. Coast Guard each have cybersecurity regulatory
authority over segments of the oil and natural gas sector.
While CISA does not currently have authority to enforce CFATS,
most CFATS-regulated facilities implement the program's
requirements on a voluntary basis.
These three agencies alone, existing under DHS, have made
little effort to harmonize these efforts, leading to increased
administrative burdens for coordinating with and meeting the
requirements of these respective agencies. Indeed, a
significant challenge for regulatory reciprocity is the silos
in which each of these agencies exist. Each agency sees its
mission as unique and independent from others despite the
common goal of strong cybersecurity for critical infrastructure
systems.
To that end, a single agency, such as CISA, could serve as
an arbiter and facilitator for cybersecurity regulatory
harmonization.
In closing, I would like to reiterate that INGAA and our
members appreciate the role that smartly constructed risk-and
outcome-based cybersecurity regulations play in securing our
Nation's critical infrastructure. As additional agencies seek
to expand their oversight and authorities to include
cybersecurity, harmonization and reciprocity will be essential
to ensure operators can continue to mature their security
programs without overly burdensome compliance obligations.
Thank you for your time, and I look forward to your
questions.
Ms. Mace. Thank you, Ms. O'Connell.
Mr. Warren, you may begin your opening statement.
STATEMENT OF MR. PATRICK WARREN
VICE PRESIDENT OF REGULATORY TECHNOLOGY
BANK POLICY INSTITUTE
Mr. Warren. Chairwoman Mace, Ranking Member Connolly, and
honorable members of the Subcommittee, thank you for inviting
me to testify. I am Pat Warren, Vice President for Regulatory
Technology for BITS, the technology division of the Bank Policy
Institute.
BPI is a nonpartisan policy, research, and advocacy
organization representing the Nation's leading banks. Through
our technology division, we work with our members on cyber risk
management, critical infrastructure protection, fraud
reduction, regulation, and innovation.
As illustrated by CrowdStrike's software update last week,
the security and resilience of the network systems and software
that we rely on as a Nation is vitally important. Cybersecurity
regulations can play a role in fostering the necessary programs
and policies that protect our critical infrastructure. At the
same time, we must be mindful that if not properly harmonized
and aligned, such requirements can place unnecessary strain on
the critical cybersecurity resources we rely on to prepare for
emerging threats and address incidents when they occur.
On behalf of BPI members, we greatly appreciate the
Committee's leadership and the opportunity to provide input on
the need to harmonize cybersecurity regulations and streamline
existing requirements.
Financial institutions are subject to numerous regulations
and rigorous supervision from their prudential banking
regulators: the Office of the Comptroller of the Currency, the
Federal Reserve Board, and the Federal Deposit Insurance
Corporation. This includes onsite examiners who regularly
evaluate whether a financial institution operates in a safe and
sound manner.
Firms also comply with cyber incident reporting and
disclosure, consumer breach notification, data security and
data privacy requirements enforced by agencies like the CFPB,
the FCC, and the CFTC, among others.
Based on our experience navigating a complex regulatory
environment, we believe congressional action and a focus on
three areas could have meaningful impact. We encourage Congress
to, one, require coordination among regulators to avoid
duplication, overlap, or conflict in requirements placed on
industry; two, encourage regulatory reciprocity; and three,
leverage common frameworks.
First, it is imperative that all regulators consider
existing requirements and do not duplicate or create variations
of what already exists. We have seen this coordination does not
always occur, particularly with independent regulatory agencies
like the SEC.
Within the financial sector, there are several examples
where the prudential banking regulators issue joint rules and
guidance which helps provide clarity and consistency for firms
and supports the efficient use of resources. However, the
collective effect of supervision and oversight by multiple
regulators can cause significant strain on personnel and the
resources necessary to implement security solutions that keep
pace with evolving threats.
According to a recent survey of large financial
institutions, several firms reported their cyber teams now
spend more than 70 percent of their time on regulatory
compliance activities. Those same firms reported their Chief
Information Security Officers or comparable senior cyber
leaders spend between 30 to 50 percent of their time on those
same regulatory compliance matters. Diverting finite cyber
resources in this way leaves less time for risk mitigation
activities and strategic security initiatives to fortify firm
defenses moving forward.
Second, implementing a regulatory reciprocity model where
one regulator accepts the work and results of another would be
particularly valuable for sectors with multiple regulators and
would alleviate the need for entities to demonstrate compliance
with the same or similar requirements multiple times.
Based on our survey, financial institutions reported that
only 30 percent of exam documentation can be reused due to
slight differences in exam scope and cadence between
regulators. By better leveraging each other's documentation,
testing, evaluations, and findings, regulators would receive
the information they need to conduct rigorous oversight while
preserving the ability of cybersecurity teams to adjust to
rapid technological change.
Finally, existing standards and frameworks, like NIST's
Cybersecurity Framework, can be helpful tools for aligning
regulatory requirements. The Cyber Risk Institute developed a
financial sector profile, which is based on NIST's
Cybersecurity Framework, and integrates regulatory requirements
unique to the financial sector. This provides financial
institutions with a single scalable resource for managing cyber
risk and compliance requirements.
Regulators can also leverage common frameworks to tailor
oversight priorities and more efficiently assess a company's
baseline security posture.
As regulatory requirements continue to proliferate,
congressional action is needed to ensure new and existing
requirements accomplish the goals of better security and
resilience while balancing the collective impact of these
requirements on regulated entities.
We are committed to working with this Committee as it
explores potential legislative solutions for achieving broader
harmonization.
Thank you for the opportunity to testify today, and I am
happy to answer any questions.
Ms. Mace. Thank you.
I would now like to recognize Dr. Clancy for your opening
statement.
STATEMENT OF DR. CHARLES CLANCY
CHIEF TECHNOLOGY OFFICER
MITRE
Mr. Clancy. Chairwoman Mace, Ranking Member Connolly, and
members of the Subcommittee, good morning, and thank you for
inviting me to testify before you today. And it is my pleasure
to address the Subcommittee on this topic of critical national
importance.
The practice of cybersecurity has grown organically, driven
by need.
The first wave of standards, spurred by FISMA, was
compliance-driven and focused on checklists of security
controls. The second wave was threat-informed and motivated
information sharing. The third wave was risk-based,
prioritizing continuous assessment and adaptive security
controls. The fourth wave that we are experiencing now is that
of zero trust and architecture-driven, recognition that our
greater reliance on devices and networks and cloud
infrastructure that may be untrusted.
Umbrella frameworks like the NIST Cybersecurity Framework
and ISO 27001 take a holistic approach from across business
processes, technical controls, risk, and threat. These
frameworks can be used as an organizing structure and common
taxonomy to talk about regulations, but they do not really get
down to the implementation level.
This leaves a patchwork of requirements for regulated
organizations that have mandatory implementation obligations.
It leaves them dealing with a jumble of not necessarily
contradictory but often fragmented, overlapping, and
inconsistent obligations.
First starting with security controls. A positive step
would be to commission NIST to document the differing security
controls required across different security standards. Such an
enumeration would help harmonization as various standards
organizations update their requirements over time and help
regulators identify consensus controls that would minimize
burden on their stakeholders. Again, this is not a call for new
standards but, rather, illuminating the complexity of today's
environment so we can build roadmaps that over time would lead
to harmonization and potentially even consolidation of
technically controlled standards.
Next is auditing processes. If a standard is mandatory to
implement, then someone actually needs to check that it has
been implemented. There is a range of everything from self-
attestation of compliance to rigorous annual inspections by
third-party auditors.
One concerning trend is efforts to make the NIST
Cybersecurity Framework mandatory. And while this is an admiral
goal, the framework was explicitly designed to be voluntary,
and lacks the necessary metrology to even define compliance,
making such attestations meaningless.
If you want to make something mandatory, then you need a
standard that defines and provides the tools to measure
compliance.
Additionally, reciprocity must be harmonized. No security
standard is strictly more rigorous than any other. They all
have industry-specific or domain-specific attributes, but there
is a common core set of requirements across most, and the job
of an auditor or regulator can be greatly simplified if there
is reciprocity across that common core.
Last is incident reporting, which is probably the biggest
headache for regulated organizations. Implement a single
clearinghouse for reporting a cyber incident, either operated
within a Federal agency, such as CISA, or by an independent
third-party on behalf of the Federal Government.
Such a clearinghouse can identify a lead agency to engage
with the affected party, coordinate with others across the
interagency, and really serve as a touch point for major
vendors that support that industry, like CrowdStrike or
Microsoft that have equities that cross many different sectors.
A clearinghouse would serve a number of important other
purposes as well, including energizing a Federal cyber action
team that could help impacted organizations with incident
response, if appropriate and necessary; serve as a focal point
for major vendors and cloud providers who may be stakeholders,
particularly in wide-scale cyber incidents; and be an important
repository for cross-sector data on adversary cyber operations
so we can actually keep track of what our adversaries are doing
in an integrated way across the entire ecosystem.
Another important point is that reporting should be viewed
as iterative. As reporting timelines get shorter and shorter,
the amount of high-confidence, reportable information collected
by affected organizations get smaller and smaller. We must
balance reporting timelines with practical detail on incidents
from the impacted organization and the actual utility of that
data to a regulator.
Reporting ``we might have been hacked but we are not sure,
and we have no idea what might have been impacted'' within 8
hours to a regulator does not provide anything actionable. If
that regulator's typical response time for assigning a case
agent and soliciting additional information is 2 weeks, then
what was the point of the 8-hour reporting timeline in the
first place?
A clearinghouse could also help with state, local, Tribal,
and territorial government reporting and coordination. These
governments have a growing set of cyber reporting obligations,
and a Federal clearinghouse could ease the burden on impacted
organizations.
In conclusion, I encourage the Committee to move from study
to action. The National Cybersecurity Strategy identified the
need to establish an initiative on harmonization. The Peters-
Lankford bill currently in the Senate involves years of pilots.
NSM 22 calls on DHS to develop a plan for harmonization and
critical infrastructure by April 2025. Last fall's ONCD request
for information gathered broad industry input from a variety of
stakeholders. I think we have a good handle on the issues, and
we need to move out on solutions.
Thank you, and I look forward to your questions.
Ms. Mace. Thank you.
I ask unanimous consent to submit the following statements
for the record: a statement from the American Gas Association
and a statement from Airlines for America. And without
objection.
Ms. Mace. First of all, I want to thank you all for being
here. We have a broad section of industry, from IT to natural
gas, banking, and then, of course, MITRE company. You know,
listening to your testimony, it is very clear that the
government is way too big, way too overregulated because of all
the duplicative efforts.
I would like to ask everyone a question this morning. For
your member companies, or for MITRE specifically, would you be
able and willing to invest more in cybersecurity enhancements
like IT upgrades if the compliance burden of inconsistent,
duplicative regulations was reduced? Would you have the
resources to be able to invest more than what you are today if
that burden was reduced?
Mr. Miller. Yes. I mean, I think, based on everything that
we have heard from our companies, they would definitely have
more resources to invest in cybersecurity and producing better
cybersecurity outcomes if they did not have to spend as much
resources on complying with conflicting or duplicative
regulatory regimes.
Ms. Mace. And I am sure you guys are all going to probably
say yes, but I do want to focus on something Mr. Warren said in
your testimony today, the 70 percent figure.
You are in the banking sector, so it might be slightly
different. Is it the same in natural gas and IT? Are you seeing
the 70 percent? What is the rough, the figure, roughly, of
percentage of cybersecurity workers, generally within industry,
that you guys represent that are focused on compliance? Do you
have a handle on that?
Ms. O'Connell. I do not have exact numbers in front of me,
but based on the information that I have heard from our
members, that sounds about accurate, yes.
Ms. Mace. Even in natural gas, Mr. Miller?
Mr. Miller. I mean, I think it--I do not have exact numbers
either, but I do think it varies by companies, right. I mean,
certainly larger multinational tech companies have more
resources, so they are, you know, able to devote more resources
to both compliance and better security outcomes.
I think that there are a lot of small and medium-sized
companies in the tech sector, and I think that these types of
conflicting requirements that we are talking about today really
disproportionately hit those companies who it is much more of a
zero-sum game for them.
Ms. Mace. Much more expensive, the cost of legal fees.
Mr. Miller. Yes. If you are a smaller company, and you may
not even be able to figure out what regulations you have to
comply with, it creates, I think, a bad situation.
Ms. Mace. Yes. So, in terms of that--and I only have 2 1/2
minutes left, roughly, and I would like to hear from all
members on the panel. I will start with--Ms. O'Connell, I will
start with you. It is almost like where do you start? But if
you could just do one thing, one bill, one policy, one
regulation, one piece of legislation, what is that one thing?
Because we are so big. We are so bureaucratic. I mean, a
comprehensive policy, it just is not going to happen, right.
And it is not going to happen in the next decade because we are
not nimble anymore. We do not move that fast, unfortunately.
But if you could do one thing today or tomorrow, what would
that--what would that be to make it better for industry?
Ms. O'Connell. I would say specific to our sector,
reciprocity would probably move the needle the quickest. Given
we have multiple security regulators across our industry, any
efforts to sort of streamline and, you know, have one set of
requirements be applicable to another set of regulations would
really be, I think, an efficient way to move that needle
quickly.
Ms. Mace. Thank you.
Mr. Warren?
Mr. Warren. Sure. I think an area that has been a
particular challenge for financial institutions is cyber
incident reporting. These requirements often have slightly
different definitions, timeframes for reporting, and
information requirements.
And so, hypothetically, if a financial institution were to
experience a reportable incident, they would first have to
report to the Federal Housing Administration within 12 hours of
detection. They would have to notify their primary banking
regulator within 36 hours. Another notification to Ginnie Mae
within 48 hours. Once CIRCIA is finalized, they would have to
provide a very detailed report to CISA within 72 hours, and
then, finally, publicly disclose that incident to the SEC
within 4 business days.
So, compiling all of those reports, similar but distinct
reports, takes a lot of time from frontline cyber personnel,
which leaves less time for day-to-day security----
Ms. Mace. Would it be better if it just went to CISA and
then CISA distributed it accordingly?
Mr. Warren. Sure. And I think that CISA has been tasked
with harmonizing cybersecurity regulations under CIRCIA.
Unfortunately, with a recent proposed rule to implement that
legislation, it seems they have taken an expansive approach to
implementing that law. We provided comment with a number of
other financial trades, encouraging them to better leverage
existing requirements, and leaders in the House Homeland
Security Committee and Senate HSGAC provided similar feedback
as well.
Ms. Mace. Dr. Clancy? We have 15 seconds.
Mr. Clancy. I would just amplify that. I think you can
build on CIRCIA in making that clearinghouse for reporting that
coordinates across interagency.
Ms. Mace. OK. Thank you all. I appreciate your time this
morning.
And I will now yield to Mr. Connolly for 5 minutes.
Mr. Connolly. Thank you.
Just to clarify, Mr. Warren, what was that 70 percent
referring to?
Mr. Warren. That refers to the amount of time a number of
our firms reported their frontline cyber personnel are spending
on regulatory compliance matters.
Mr. Connolly. Those personnel assigned to cyber?
Mr. Warren. Correct.
Mr. Connolly. Right. And how many people is that?
Mr. Warren. It varies depending on firm. I am not sure I am
able to give you an exact number across our member
institutions.
Mr. Connolly. Banks are often a target of cyberattacks or
attempted attacks. Is that not correct?
Mr. Warren. That is correct as a critical infrastructure
statement.
Mr. Connolly. Right. And how many--collectively, how many
Americans are customers of banks?
Mr. Warren. I am not sure I have the exact number of how
many.
Mr. Connolly. Kind of most of us, right?
Mr. Warren. Yes.
Mr. Connolly. So, the government has some interest in
protecting those people, working with the banking community, in
making sure that data is not disclosed, misused, assets
diverted, deposits corrupted, just like banks do, presumably,
because you do not want to lose customers. You would concede
that point?
Mr. Warren. Yes.
Mr. Connolly. So, the issue is how best to do that, right.
What is the balance between, you know, the need of banks to do
their business or the gas industry or anybody else while the
government tries to get its arms around the cyber problem and
hopefully working with industry to protect American consumers?
And, you know, it is going to be natural that we may have
disagreements about how far we go.
Industry is always going to have an eye on what it costs
and, you know, kind of cost-benefit analysis of how far do we
go in that cyber thing. And government may have a different
point of view about the value of that cost-benefit analysis.
And so therein lies potential for conflict.
Let me ask you this: do you think if we got government
entirely out of the business, the banking industry could handle
this all by itself, thank you very much? We can--we can--we,
the banking industry, could come up with our own set of
standards, our own cyber protection policies that would be
fairly standard and would voluntarily comply with them and
there would be no problem.
Mr. Warren. I think the financial sector is supportive of a
number--has been supportive of a number of confidential
reporting requirements, like CIRCIA and the banking 36-hour
notification rule. Those regulators worked very collaboratively
with industry to develop that requirement.
I think, really, it is about striking the right balance
here. We recognize the importance of these requirements for the
enhanced visibility they provide for the cyber threat
environment and to warn potential downstream victims. I think
it is less an issue of cost and more one of time.
Mr. Connolly. OK. Got it.
Mr. Warren. Institutes want to spend more time on cyber.
Mr. Connolly. So, Dr. Clancy, my concern--I am not
unsympathetic with the bureaucratic burden, and I think we
could tolerate the bureaucratic burden if it led to efficacy.
We talk about harmony and reciprocity. I am going to add a
third one. Efficacy.
How effective is it? Because if it is effective, then I am
going to leave it alone. But if we are doing all of this and it
is not effective, then we have got to fix it. We have got to do
something else.
Comment on that. Do these requirements, do these burdens on
reporting and creating systems and so forth, how efficacious
are they?
Mr. Clancy. I think when we talk about this, we need to
look at it through the lens of the adversary as well.
So, China and Russia have made it clear that they are
coming after our critical infrastructure from a cybersecurity
perspective. I think what we are seeing is lots of different
regulators all layering slightly different versions of the same
obligations on top of the critical infrastructure sectors. None
of it is really new, and I do not know that any of it
necessarily rises to the nature of the threat that we are
seeing from Russia and China.
So, it is just sort of creating a compounding set of the
same. And I think what we really need is new thinking and if
you want to get after efficacy.
Mr. Connolly. So, in my last few minutes, I wrote a bill to
codify and set a new standard or--for FedRAMP, which is the
process at GSA for certifying companies that want to do
business with the Federal Government for cloud computing. And
we had the same problem. Like, every Federal agency had its own
standards, and you could go to one window but then go to
another one, you had to start all over again and they had their
own.
So, we built into the law that when you are certified by a
Federal agency, there is a presumption of adequacy. And so, you
are good to go in the other Federal windows as well. You do not
have to start all over again. And we are trying to eliminate
duplication and redundancy and overburden in regulations.
And it seems to me taking that concept here so that we can
try to--you are calling it harmonization. OK. But the
presumption of adequacy, if you have met a cyber standard by
agency X, you ought to be good to go and not have to have a
whole new set of regulations by agency Y. So, that is something
I hope we can explore.
Thank you.
Ms. Mace. All right. I would now like to recognize Mr.
Burlison for 5 minutes.
Mr. Burlison. Thank you.
If we could go to Mr. Miller, Ms. O'Connell, and Mr.
Warren, just to get an idea from your particular industry. What
is the--if you had to put a dollar figure on it, what is the
cost of complying--of the conflicts in the regulatory burdens
that you are facing?
Mr. Miller. Thank you for the question.
I do not know that I have a, you know, an actual aggregate
number of the amount of, you know, of the compliance burden
that we are talking about here. I mean, I guess I would just
say that by all accounts, it is significant and, you know, I do
think it is probably even more significant for heavily
regulated industries, such as my, you know, colleagues here up
on the panel.
But it is--it seems to be a problem. The compliance burdens
are growing every day. And, again, I think they are
disproportionately hitting the smaller companies in the sector
even more harshly.
Ms. O'Connell. I would sort of echo that. The compliance
costs, I think, vary greatly based on your company size, the
complexity of your operations, your staffing. INGAA generally
as a trade association tries to stay out of conversations
around cost for antitrust reasons, so it is difficult for me to
kind of quantify that.
But to your point, I mean, I think, you know, it does
disproportionately affect smaller entities across all critical
infrastructure, not just oil and natural gas.
Mr. Warren. Similar to my fellow panelists, I am not sure I
am able to provide a ballpark estimate. There will be some
variance across our member financial institutions. The bottom
line is firms are going to spend whatever they have to in order
to secure their environments.
But what I will say is we have heard from firms that staff
have had to work exceedingly long hours to balance the burden
of regulatory compliance with their day-to-day security
obligations, and there are scenarios where that has led to
decreased morale and staff burnout.
Mr. Burlison. I can totally relate with what you all are
referring to. I used to conduct cybersecurity audits in
healthcare and used to have to comply with meaningful use
requirements and HIPAA, and knew firsthand real-world scenarios
where the well intentions of this place, of this town did
nothing to benefit patients and did nothing to benefit the
patient-provider experience.
So, I would like to hear directly--because I can think of
those laws in particular--what specifically--are we talking
about rules that have been implemented that you are struggling
with? And if it is possible to, because I want to put pen to
paper here and actually take, you know, some tasks out of this
hearing.
What specifically--what policies specifically are affecting
your industry that we might be able to address? And are they
laws? Are they rules? What are they? And if you could go down
the line.
Mr. Miller. Sure. I mean, I think, you know, the example
that I cited earlier and that others have talked about here is
I think top of mind for many folks, and that is cyber incident
reporting, regulations, and requirements.
You know, on the one hand, we have Congress recently
passing, you know, a couple years ago, CIRCIA, a Federal bill,
with an idea of streamlining requirements and, you know, also
setting up CIRC, Cyber Incident Reporting Council, to issue a
report and streamline requirements.
You know, the requirements do vary. I mean, obviously,
CIRCIA is an underlying legislative regulation, but there are
different requirements that vary over those. I think it was 52
in total, different types of requirements and regulations on
incident reporting.
And, again, the problem is that, even though we have
identified the problem and Congress has identified the problem,
we have set up, you know, a group, the council to fix it, even
after that report has come out, we have had more divergent
requirements being proposed.
An example is there was a FAR regulation that was proposed
just a couple months after that that varied from the
recommendations in that report. So, I mean, that is the example
that I would use for the IT industry is incident reporting.
Mr. Burlison. Ms. O'Connell?
Ms. O'Connell. I would echo the incident reporting
requirements. I mean, we currently are required to report
incidents to CISA within 24 hours under the first TSA security
directive. We also have CIRCIA. There are also state and local
reporting requirements.
But I would also, on the more kind of, you know, risk-based
kind of regulatory side, I would say hastily promulgated
regulations are also a real challenge for compliance. For
example, when TSA first issued its first iteration of the
second security directive, they required some very prescriptive
mitigation measures that were either impossible to achieve in
the pipeline environment or with existing technologies, or they
had, you know, perhaps reactive and, you know, inconsequent,
like, downstream impacts to pipeline reliability and safety.
And those were not considered when TSA first promulgated that
security directive.
They have since undertaken a very robust consultative
process with industry and with the other regulators in the
pipeline and oil and natural gas industry to make it more risk-
based and outcome-focused.
And I think as long as regulations are promulgated with
that risk-based, outcome-focused, threat-informed mentality,
then they can be successful. But when they are overly
prescriptive and they are reactive, that is where the challenge
can be within compliance.
Mr. Burlison. Mr. Warren?
Mr. Warren. Incident reporting is a challenge for our
sector as well. But another place where sometimes they overlap
and duplication occurs is in the supervisory environment, where
one financial regulator will examine a firm on a given topic,
say, identity and access management, and shortly after that
exam concludes, another regulator will come in and examine the
exact or similar topic. That pulls on the same cyber personnel
and is sort of a consistent exam regulatory obligation for them
rather than their day-to-day security responsibilities.
Mr. Burlison. Because it is--if I may? Can I continue?
It is a lot of work to pull all of those reports. When you
are talking about identity and access management alone, to pull
all of those reports and who has specific role access for any
software, it can be a daunting task. And then to have to do it
repeatedly and based on whatever the demand is for the
different agency, I can absolutely see why that would be
problematic.
Let me ask this, if it is OK. Are there--you know, if we
did not have these in place, if the Federal Government was not
doing it, you have an innate desire to want to have your data
secure. And when there are events, they become high profile.
You know, it is all over the news. Your stock goes down. That
in and of itself is a deterrent.
But you have got industry standards as well, right. So, you
have got the industry who is creating these certification
levels and these standards that are not necessarily connected
to the government. Which is more important to meet? I mean,
which would you prefer: to try to meet the industry standard,
the certification levels, or to try to comply with these
regulators?
Mr. Miller. I mean, I think--you are raising a really good
point, Congressman. You know, I think there are a lot of
different--it is an important reminder that, you know,
regulations are not the answer to everything, right. It is not
going to solve all of our problems. You know, we have got
regulations. We have got frameworks, such as the Cybersecurity
Framework. We have got international standards. We have got
guidance, then there are administrative requirements.
So, there is a lot going on there, but, you know, in
terms--I think they are all important and they all have a role,
but what is really most important from a company standpoint is
that, you know, everything is hopefully oriented toward common
consensus-based standards and that those standards are risk
management standards, right.
I mean, we are talking about risk management, which, you
know, is not only just about defending--I do not want to
minimize the importance of that--but also, response and
recovery efforts as well. I mean, all of this is important.
You know, cybersecurity has a lot of dimensions, and from
an industry standpoint, we need to do it all. We need to do it
all well. We just need to align and not be operating at cross
purposes.
Mr. Burlison. Ms. O'Connell----
Ms. O'Connell. Sure. I would say the golden ticket is when
regulations are aligned with industry standards. Of course,
that cannot always happen, but, you know, when it does, when
regulations are, again, promulgated in a way that is consulted
with the industry, that is when you can get the best result of
the regulation.
Mr. Warren. And I think this is a place where industry can
leverage common frameworks that sort of reference regulatory
requirements and common standards to sort of validate that they
are where they need to be from a cybersecurity standpoint and
hopefully streamline some of these compliance requirements.
Mr. Burlison. I am well beyond my time.
Ms. Mace. Thank you, Mr. Burlison. You did great.
OK. In closing today, I want to thank our panelists once
again for their testimony.
And with that, and without objection, all members will have
5 legislative days within which to submit materials and to
submit additional written questions for the witnesses which we
will then forward to the witnesses for their response.
If there is no further business, then, without objection,
we stand adjourned.
[Whereupon, at 9:59 a.m., the Subcommittee was adjourned.]
[all]