[Senate Hearing 118-353]
[From the U.S. Government Publishing Office]
S. Hrg. 118-353
STREAMLINING THE FEDERAL CYBERSECURITY
REGULATORY PROCESS: THE PATH TO HARMONIZATION
=======================================================================
HEARING
BEFORE THE
COMMITTEE ON
HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
ONE HUNDRED EIGHTEENTH CONGRESS
SECOND SESSION
__________
JUNE 5, 2024
__________
Available via the World Wide Web: http://www.govinfo.gov
Printed for the use of the
Committee on Homeland Security and Governmental Affairs
__________
U.S. GOVERNMENT PUBLISHING OFFICE
56-046 PDF WASHINGTON : 2024
-----------------------------------------------------------------------------------
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
GARY C. PETERS, Michigan, Chairman
THOMAS R. CARPER, Delaware RAND PAUL, Kentucky
MAGGIE HASSAN, New Hampshire RON JOHNSON, Wisconsin
KYRSTEN SINEMA, Arizona JAMES LANKFORD, Oklahoma
JACKY ROSEN, Nevada MITT ROMNEY, Utah
JON OSSOFF, Georgia RICK SCOTT, Florida
RICHARD BLUMENTHAL, Connecticut JOSH HAWLEY, Missouri
LAPHONZA BUTLER, California ROGER MARSHALL, Kansas
David M. Weinberg, Staff Director
Christopher J. Mulkins, Director of Homeland Security
Emily A. Ferguson, Professional Staff Member
William E. Henderson III, Minority Staff Director
Christina N. Salazar, Minority Chief Counsel
Kendal B. Tigner, Minority Professional Staff Member
Laura W. Kilbride, Chief Clerk
Ashley A. Gonzalez, Hearing Clerk
C O N T E N T S
------
Opening statements:
Page
Senator Peters............................................... 1
Senator Hassan............................................... 8
Senator Lankford............................................. 13
Senator Rosen................................................ 15
Senator Blumenthal........................................... 17
Prepared statements:
Senator Peters............................................... 23
WITNESSES
WEDNESDAY, JUNE 5, 2024
Nicholas Leiserson, Assistant National Cyber Director for Cyber
Policy and Programs, Office of the National Cyber Director,
Executive Office of the President.............................. 3
David Hinchman, Director, Information Technology and
Cybersecurity, U.S. Government Accountability Office........... 4
Alphabetical List of Witnesses
Hinchman, David:
Testimony.................................................... 4
Prepared statement........................................... 32
Leiserson, Nicholas:
Testimony.................................................... 3
Prepared statement........................................... 25
APPENDIX
Statements submitted for the Record:
American Public Power Association............................ 48
Bank Policy Institute........................................ 50
U.S. Chamber of Commerce..................................... 53
STREAMLINING THE FEDERAL
CYBERSECURITY REGULATORY PROCESS:
THE PATH TO HARMONIZATION
----------
WEDNESDAY, JUNE 5, 2024
U.S. Senate,
Committee on Homeland Security
and Governmental Affairs,
Washington, DC.
The Committee met, pursuant to notice, at 10 a.m., in room
SD-342, Dirksen Senate Office Building, Hon. Gary Peters, Chair
of the Committee, presiding.
Present: Senators Peters [presiding], Hassan, Rosen,
Blumenthal, and Lankford.
OPENING STATEMENT OF SENATOR PETERS\1\
Chairman Peters. The Committee will come to order.
---------------------------------------------------------------------------
\1\ The prepared statement of Senator Peters appears in the
Appendix on page 23.
---------------------------------------------------------------------------
Cybersecurity remains one of the greatest challenges facing
our Nation. As we have become more reliant on technology and
digital infrastructure, the threat of cyberattacks has
dramatically increased. Every day, our citizens, our critical
infrastructure operators, and our Federal, State, and local
governments have to defend against hundreds of thousands of
potential cyberattacks.
These come from criminals who take advantage of our
vulnerable people, foreign actors who threaten our critical
infrastructure, and hackers who try to destabilize American
businesses. Cyberattacks are more coordinated and more
dangerous than ever.
In response to this threat, American regulators have begun
to set new standards for cybersecurity and digital safety. They
have moved quickly in that work. In the last four years alone,
Federal regulators have passed 48 rules on cybersecurity, more
than 10 per year. That does not include new policies at the
State as well as the local level.
This surge of regulations comes from a good place. It
represents our government's response to a new and growing
threat and has helped give American businesses some important
guidance on how to keep safe from these cyber threats.
The challenge is that even though all aspects of our
society are vulnerable to cyberattacks--from electric grids to
water systems to gas pipelines--no one, no one is coordinating
this effort. This is a patchwork of new guidelines set by
separate agencies. Regulators are working to respond to the
unique challenges their sectors certainly face, and they are
often not looking at the bigger picture of how all of these
different rules interact with each other. Without that higher
level coordination, there is no way to ensure that these
guidelines do not overlap, duplicate, or, quite simply,
contradict each other.
The results are often confusing and inefficient. Businesses
are scrambling to follow a web of new standards, ones that can
change quickly with new technological innovations. Airlines
have to adhere to three different regulators on cybersecurity.
Railroads have six. A bank could have 16 different oversight
bodies, all of whom are passing their own standards and
expecting those standards to be followed. This is not
necessarily a case where more is better. We must be smart in
these regulations to ensure the higher level of cybersecurity.
In short, businesses and their employees are spending too
many resources trying to understand these new guidelines.
Companies are taking their cybersecurity professionals off the
line to fill out paperwork, leaving their defenses undermanned
and vulnerable.
We need effective regulations on cybersecurity, no question
about that. But we need them to be efficient, adaptable, and
coordinated all across different agencies. Harmonization and
harmonizing these guidelines will make our government more
efficient, help businesses compete on the global stage, and
ensure that we are addressing cybersecurity threats in the most
effective way. That is why I am working on legislation to
establish a Harmonization Committee at Office of the National
Cyber Director (ONCD) that would require all agencies and
regulators to come together, talk about cybersecurity
regulations, and work on harmonization.
Passing legislation is the only solution. We have to bring
independent agencies together and start harmonizing this
effort. Only Congress has the power to do so. If we fail at
this mission, we will not be able to build the most effective
response to cyber threats.
It is the practice of the Homeland Security and
Governmental Affairs Committee (HSGAC) to swear in witnesses,
so if each of you would please stand and raise your right hand.
Do you swear that the testimony that you will give before
this Committee will be the truth, the whole truth, and nothing
but the truth, so help you, God?
Mr. Leiserson. I do.
Mr. Hinchman. I do.
Chairman Peters. You may be seated. Thank you.
Our first witness, Nicholas Leiserson, is an Assistant
National Cyber Director for Cyber Policy and Programs. He
previously served as ONCD's Deputy Chief of Staff, and prior to
joining ONCD, Nicholas spent more than a decade on the staff of
Congressman James R. Langevin, principal author of the National
Cyber Director Act.
Mr. Leiserson, you are now recognized for your opening
comments.
TESTIMONY OF NICHOLAS LEISERSON,\1\ ASSISTANT NATIONAL CYBER
DIRECTOR FOR CYBER POLICY AND PROGRAMS, OFFICE OF THE NATIONAL
CYBER DIRECTOR, EXECUTIVE OFFICE OF THE PRESIDENT
Mr. Leiserson. Good morning, Chairman Peters and
distinguished Senators of the Committee. Thank you for the
opportunity to testify before you today.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Leiserson appears in the Appendix
on page 25.
---------------------------------------------------------------------------
Today's hearing is about a complex topic, how to set
baseline cybersecurity requirements across critical
infrastructure in a harmonized manner. It involves coordinating
dozens of agencies, each implementing its own unique
authorities. Yet, despite the complexity, our value proposition
is simple. In a harmonized regulatory environment we will see
better cybersecurity outcomes as we reduce the dollars that are
going into regulatory compliance.
Pursuant to the National Cybersecurity Strategy (NCS)
Implementation Plan, the Office of the National Cyber Director
released a request for information last year about
cybersecurity regulatory harmonization and reciprocity. ONCD
received 86 unique responses to the request for information
(RFI), covering 11 of 16 critical infrastructure sectors. In
all, the respondents represent over 15,000 businesses, States,
and other organizations.
We have analyzed the responses, and yesterday we released
our summary of the more than 2,000 pages of comments we
received. There are three key findings. First, the lack of
harmonization and reciprocity harms cybersecurity outcomes
while increasing compliance costs. Second, challenges with
harmonization extend to businesses of all sectors and all
sizes, and cross jurisdictional boundaries. Third, the United
States government is positioned to act to address these
challenges.
Let me share some of what we heard.
The Business Roundtable, a group of Chief Executive
Officers (CEOs) whose companies support one in four American
jobs, noted that, ``Duplicative, conflicting, or unnecessary
regulations require companies to devote more resources to
fulfilling technical compliance requirements without improving
cybersecurity outcomes.''
The National Defense Industry Association (NDIA), whose
more than 65,000 corporate and individual members comprise much
of our defense industrial base, wrote, ``Inconsistencies also
pose barriers to entry, especially for small and midsized
businesses that often have limited resources.''
In some cases, respondents noted that Chief Information
Security Officers (CISO) were spending 30 to 50 percent of
their time not on security but on compliance activities.
ONCD leads the coordination of implementation of national
cyber policy and strategy. In alignment with our mission, both
the National Cybersecurity Strategy and the recent National
Security Memorandum (NSM) on Critical Infrastructure assign
ONCD the responsibility for coordinating cybersecurity
regulatory harmonization across the government. Improving
Federal coherence, in partnership with our interagency and
private sector stakeholders, is at the core of our mission.
Based on feedback from the RFI, ONCD has begun to build a pilot
reciprocity framework. We anticipate that this pilot will give
us valuable insights as to how best achieve reciprocity when
designing a cybersecurity regulatory approach from the ground
up.
However, our vision cannot be fully achieved without help
from Congress. As the United States Chamber of Commerce noted
in its filing, ``A significant challenge to U.S. regulatory
harmonization efforts are independent regulatory agencies,''
and further, ``The U.S. Chamber urges Congress to consider
legislation to address this challenge.''
The Administration supports Chair Peters' bill, consistent
with the views previously provided to the Committee, that would
allow ONCD to better carry out our mission by bringing
independent regulatory commissions to the table together, with
the interagency, in a policymaking process. This would act as a
catalyst to develop a cross-sector framework for harmonization
and reciprocity.
Such a framework is foundational to our desired end state,
which would do three things: first, strengthen cybersecurity
readiness and resilience across all sectors; second, simplify
responsibilities of cyber regulators while enabling them to
focus on their areas of expertise; and finally, substantially
reduce the administrative burden and cost on regulated
entities.
Mr. Chair, Members of the Committee, in closing, regulatory
harmonization is a hard problem. It is a problem that has
existed for decades. The trend line is generally heading toward
more fragmentation, not more harmonization. It is a problem
that requires leadership from ONCD and Congress, informed by
the private sector. We have the opportunity to set the stage
for a more harmonized future, and I hope we will do so
together.
Thank you for the opportunity to testify today. I look
forward to your questions.
Chairman Peters. Thank you. Thank you for your testimony.
Our next witness is David Hinchman. He is the Director of
Information Technology and Cybersecurity at the U.S. Government
Accountability Office (GAO). In that role, he oversees audits
on critical infrastructure, the information technology (IT) and
cybersecurity workforce, cloud computing, and the IT
modernization efforts at the Internal Revenue Service (IRS).
Prior to joining GAO in 2002, Mr. Hinchman worked as a business
consultant for several private sector firms and served as a
Surface Warfare officer in the United States Navy.
Mr. Hinchman, you are now recognized for your opening
remarks.
TESTIMONY OF DAVID HINCHMAN,\1\ DIRECTOR, INFORMATION
TECHNOLOGY AND CYBERSECURITY, U.S. GOVERNMENT ACCOUNTABILITY
OFFICE
Mr. Hinchman. Thank you. Chair Peters, Members of the
Committee, thank you for inviting GAO to discuss our work on
the Federal Government's efforts to harmonize cybersecurity
regulations. Our nation increasingly depends on computer-based
information systems and electronic data to execute fundamental
operations and to process and maintain crucial information.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Hinchman appears in the Appendix
on page 32.
---------------------------------------------------------------------------
Cyber-based intrusions and attacks on both Federal and non-
Federal systems by malicious actors are becoming more common
and more disruptive. These attacks threaten the continuity,
confidence, and integrity of these essential systems, including
those that support our nation's critical infrastructure. Never
has there been a greater need to ensure that these vital
systems have the appropriate direction and guidance needed to
ensure their security.
Because the private sector owns the majority of this
infrastructure, it is crucial that the public and private
sectors work together to protect these assets and systems.
However, when critical infrastructure sectors are subject to
multiple regulations that grow and evolve in a decentralized
manner, this can result in conflicting, inconsistent, or
redundant requirements.
In recent years, interest in harmonizing these regulations
has gained momentum, with several actions taken both by
Congress and the Executive Branch. Today I would like to
briefly summarize the findings of GAO's work in this area as
well as share our current observations on ongoing efforts.
In legislation sponsored by this Committee, the 2022 Cyber
Incident Reporting for Critical Infrastructure Act (CIRCIA),
addressed the need for standardized cyber incident reporting,
in addition to incident reporting requirements that both
deconflicted and harmonized. Additionally, the Administration
specifically addressed harmonization as a core strategic
objective in the 2023 National Cybersecurity Strategy. The
Administration also addresses important information in a
request for information published by the Office of the National
Cyber Director, the organization that leads the
Administration's harmonization efforts. This request for
information sought to gather public comments on opportunities
for and obstacles to harmonizing cyber regulations. Further,
the April 2024 National Security Memorandum on Critical
Infrastructure Security and Resilience called for an approach
to harmonizing cyber regulations as part of a national plan for
infrastructure risk management.
Taken together, these congressional and executive actions
provide an important starting point for the harmonization
effort. However, GAO's past work and ongoing observations offer
cautionary notes on the challenges that will be faced on this
journey.
In February 2024, GAO reported that the ONCD's National
Cyber Strategy did not define outcome-oriented performance
measures. Our past work has consistently found, across the
government, that well-defined performance measures allow for
more accurate assessment of the extent to which an initiative,
such as those found in the National Cyber Strategy, are
achieving their stated objectives.
Without identifying appropriate outcome-oriented
performance measures, ONCD may be limited in its ability to
deliver the effectiveness of the national strategy and meeting
its goals of better securing cyberspace and the nation's
critical infrastructure.
Further, a 2023 Department of Homeland Security (DHS)
report, required by CIRCIA, found 45 existing incident cyber
reporting requirements across our nation's critical
infrastructures. Among these 45 requirements, DHS found
substantive differences such as varying definitions, differing
report timelines, and inconsistent reporting mechanisms.
Notably, this report looked at only one aspect of cyber
regulations and still found these 45 applicable requirements.
This serves as a stark reminder of how many regulations likely
exist in the broader realm of general infrastructure
cybersecurity and how much work will be required to harmonize
those numerous requirements once they are identified.
In summary, given the increasing need for harmonized cyber
regulations, it will be important for stakeholders in this
vital process, representing both the Legislative and Executive
Branches, to continue to work toward a common goal. It will
also be crucial to develop definitive goals for this process
based on both realistic timeframes as well as measurable
performance.
This whole-of-government effort will require two things:
one, a continued focus to ensure that performance goals are
well defined and outcome oriented; and two, that the
appropriate groundwork is laid to fully understand the universe
of regulations to be harmonized. By taking these actions we can
better position our nation's critical infrastructure to
successfully defend itself against the growing and ever-present
cybersecurity threat.
Mr. Chairman, this concludes my statement. Thank you.
Chairman Peters. Thank you.
As both of you mentioned in your opening comments, and I
mentioned in mine, we know that regulations are used by Federal
agencies in multiple ways. I mentioned in my opening about
making sure we have clean water to drink, protecting investors
from predatory practices, and the list goes on.
Cybersecurity regulations have received a greater amount of
attention given the growing threat of cyberattacks, which is
not going down, and probably would argue exponentially going
up, and on our critical infrastructure and Federal IT systems,
which are a particular target.
Mr. Leiserson, why do cybersecurity regulations lend
themselves generally to be a good candidate for harmonization
all across these agencies? We need to do a lot of harmonization
in a lot of fields, but why cybersecurity, in particular?
Mr. Leiserson. Thank you, Mr. Chair. It is a great
question. From our standpoint, the reason that we are
particularly interested in looking at baseline cybersecurity
requirements across critical infrastructure sectors is that the
information and communications technology (ICT) that is used,
whether you are in a bank, a nuclear power plant, a water
treatment facility, the information and communications
technology is largely the same, and the first thing that
adversaries are trying to do when they get access, whether they
are trying to steal money, drop ransomware, or potentially
affect our ability to mobilize militarily, the first thing they
are going after is these enterprise IT systems.
For that reason, because the enterprise IT systems are
common across sectors, we really feel strongly that having a
harmonized approach with reciprocity across different
regulators will help ensure that we get both better
cybersecurity outcomes and less money spent on compliance.
Chairman Peters. Very good. Several public comments at
ONCD's request for information on harmonization discuss the
difficulties of understanding and implementing cybersecurity
requirements, which I think leads to a compliance culture as
opposed to dedicating resources to actually protecting our
systems from cyberattacks.
Mr. Hinchman, this question is for you. How can regulators
better tailor their requirements to promote cybersecurity
rather than just a check-the-box exercise that only
incrementally increases security but unfortunately does not
move us forward, and in the process significantly increases the
compliance burden while not moving us forward?
Mr. Hinchman. Thank you, Senator. I think one way to think
of this, it is not a lot different from our duplication overlap
and fragmentation work that we do for the Committee, which the
Comptroller General (CG) was up here several weeks ago talking
about. The idea of redundant, conflicting requirements is not
different. It is on a much greater scale, and it is something
that is national, and something that we are still struggling to
understand the real breadth of.
But I think the general idea that because regulations have
run patchwork here and there, specific sectors will pass rules
because it is important to them, they are dealing with a
certain threat, and then when you have organizations that work
across sectors or across State lines or across international
boundaries you run into a lot of things that they have to do in
addition to what they may do with what I will call their home
set of rules and regulations.
That compliance issue becomes a real cost burden, and some
of the work that we have done, we did a job in 2020, looking at
States, and dealing with four agencies--Federal Bureau of
Investigation (FBI), IRS, Social Security Administration (SSA),
and Centers for Medicare and Medicaid Services (CMS). Thirty-
five of the States reported a moderate to significant increase
in costs related to the compliance that they had to do to meet
the different regulations of each of those four agencies.
To remove that I think you need to look for a common
framework. People have talked about whether the National
Institute of Standards and Technology's (NIST) Cybersecurity
Framework offers that possibility. But a common set of minimum
standards that stretch across the government that can then be
customized to meet the needs of individual sectors.
Chairman Peters. Very good. As noted, Mr. Leiserson, in
your opening statement, the Office of the National Cyber
Director is designated as the Federal lead for addressing
cybersecurity regulatory harmonization. My question for you,
you have raised some of this, but to clarify for the Committee,
what are the biggest challenges ONCD is now facing in
harmonizing cyber regulations?
Mr. Leiserson. Certainly, Mr. Chair. Thanks for the
question. There are two things that I would highlight as the
challenges. One is the breadth that we have here, where you see
dozens of regulators who have dozens more regulations--you
mentioned the 48 that we have seen just in the past four
years--which means that from our perspective you really need a
strategic approach, a top-down approach that says this is the
framework that we are aiming at and gives that guidance to
regulators.
But that gets into the second challenge. So the first
challenge is the breadth of the problem and getting our hands
around it, the second challenge is getting all of the relevant
parties to the table. As I mentioned, from our perspective, the
most important part of ensuring that we have a framework, that
is applicable across sectors and does appropriately address the
concerns that different regulators have, is to ensure all of
them are participants in a policymaking process to design such
a framework. But doing so at the moment we are limited in our
ability to do so with respect to independent regulatory
commissions, which is something that we truly need Congress'
help with.
Chairman Peters. Mr. Leiserson, again, you stated in your
testimony that the Administration supports legislation that
would require all agencies, including our independent
regulatory agencies, to come up to the table, basically, and
work on harmonizing their regulations with everybody else. My
specific question for you, sir, is how would having this
convening authority help the ONCD actually address this issue?
What are going to be the strengths of getting this done?
Mr. Leiserson. Thank you, Mr. Chair. It would help
enormously, frankly, and it would help because right now when
we want to talk to our independent regulatory commission
partners, which we do as much as we can, we basically have a
coalition of the willing. We have the folks who want to come to
the table, who believe that this is an important problem, and
have a conversation about it. But having a clear mandate from
Congress to bring everyone to the table will let us do what we
do best at ONCD, which is listen to our partners, work with
them to address the challenges, and as I say, design a
comprehensive framework that allows for harmonization, yes, but
just as importantly, reciprocity, the idea that once I have
proven, as an entity, that I have met the requirements once, I
do not need to do so, no matter how many other regulators are
asking the same questions. That is what will allow us to both
get better cybersecurity outcomes and, at the same time, reduce
the burden on businesses.
Chairman Peters. Great. Thank you.
Senator Hassan, you are recognized for your questions.
OPENING STATEMENT OF SENATOR HASSAN
Senator Hassan. Thank you very much, Mr. Chair, and I
appreciate you and the Ranking Member holding this hearing. I
appreciate not only our witnesses being here today, but thank
you and the teams you work with for the work you do.
Mr. Leiserson, I wanted to start with some questions about
kind of where we are on certain issues. Recent cyberattacks,
like the attack on Change Healthcare just a few months ago,
have highlighted the impact that a cyberattack can have on
critical services. In the Change Healthcare attack, we saw that
an attack on a single major service provider could result in a
really major disruption to the whole national health network.
What steps have your office, Cybersecurity and
Infrastructure Security Agency (CISA), and the agencies
overseeing different infrastructure sectors taken to identify
potential single points of failure in critical infrastructure?
Mr. Leiserson. Thank you, ma'am, for that question. It is
one that actually is very important to our work in the
Administration. When I was on the Hill, I actually worked with
the Cyberspace Solarium Commission (CSC), where we talked about
systemically important critical infrastructure. If you look at
the President's letter to Congress, delivering CISA's report on
Section 9002 of the fiscal year (FY) 2021 National Defense
Authorization Act (NDAA), in response to Congress' request, he
specifically highlighted the fact that we need more policy on
systemically important entities as a key goal of the policy
process that we kicked off in November 2022.
That has produced this new National Security Memorandum,
and right now sector risk management agencies are working to,
within their sectors, identify exactly, as you describe, these
critical points of failure, and then working with CISA as the
national coordinator to help ensure that once we have them
identified we can provision resources appropriately and ensure
that we are appropriately managing that risk.
Senator Hassan. Thank you for that. Another question for
you. Effective implementation of cybersecurity laws requires a
Federal workforce with the appropriate expertise and skills.
What is the National Cyber Director doing to expand the Federal
workforce of cybersecurity professionals so that government
agencies have the expertise needed to safeguard our country's
cybersecurity?
Mr. Leiserson. Thank you, Senator. There are two things
that I think I will highlight for this, something that is a key
priority of National Cyber Director Harry Coker, Jr. The first
is that we recognize that our regulatory partners need capacity
building for cybersecurity regulations. We are talking about
how we need harmonization. We also need to ensure they have the
appropriate expertise. That is something that we, at the Office
of the National Cyber Director, with our partners and the
Office of Management and Budget (OMB), in our annual budget
guidance that we provide to agencies, have specifically
highlighted for the fiscal year 2025 budget as a key priority,
that they are making investments in the personnel that they
need in order to do their jobs effectively.
More broadly, one of the key goals of implementing the
National Cyber Workforce and Education Strategy we released
last year is both removing barriers and broadening pathways to
entry. A key initiative we are focused on right now is skills-
based hiring. It is removing the barrier of saying ``if you
have the appropriate skills to do a cybersecurity job, but you
do not have a four-year college degree that should not be a
barrier, in terms of your being able to join the Federal
Government.'' At the end of April we announced that next year
the 2210 Series, which is the largest series of Federal IT
positions, the Office of Personnel Management (OPM) is working
to ensure that all 2210's you can hire using a skills-based
process, which we believe is incredibly important to getting
the talent that we need into Federal jobs.
Senator Hassan. That is really helpful, and please stay in
touch if there are additional strategies that we can employ to
help bring people in from the private sector to work for the
Federal Government.
Mr. Hinchman, your written testimony discusses the need to
harmonize cybersecurity requirements with national
infrastructure risk management planning. Last year, I
introduced bipartisan legislation with Senator Romney to codify
the Department of Homeland Security's national risk management
process. I am pleased to see that the White House's recent
National Security Memorandum includes a requirement to
implement part of our bill. The memorandum requires the
Department of Homeland Security to develop a National
Infrastructure Risk Management Plan and to update it
periodically.
How could this plan improve cybersecurity across U.S.
critical infrastructure, and how could the plan help harmonize
current cybersecurity regulations?
Mr. Hinchman. I think that this plan is going to go a long
way toward all of those things. The National Infrastructure
Protection Plan (NIPP) was last updated in 2013. An update is
desperately needed. The world has changed so much in the last
11 years, both in terms of technology, how it is used, as well
as the threat we face on a daily basis. I think that the
National Cyber Strategy's approach of building up from a risk
management plan that starts at the sectors, very sector
specific, makes them go out, understand what does their threat
landscape look like, which then all come in to DHS, which then
inform the development of the national plan, which is then
submitted to the White House, is a very important first step
for understanding what it is that we are facing and what we
need to have out there so that we can ensure that individual
sectors have the customized cybersecurity standards that they
need, in addition to the national framework that is developed.
Senator Hassan. As they have the customized cybersecurity
infrastructure that they need, you are also able to identify
things that they have in common, and as we are talking about
harmonizing efforts, trying to make sure that the regulatory
framework really is reflective of those specific needs.
Mr. Hinchman. Absolutely. I think the way I think of it
right now is we do not yet understand what we do not know, and
until that work is done and as these efforts, as Mr. Leiserson
has been describing, that is all going to start to come
together, and we are going to start to understand the landscape
a lot better, and that is what is going to enable the really
positive developments, like the framework, the customized
specialties within sectors, as well as the commonalities that
the sectors share, as you mentioned.
Senator Hassan. OK. Thank you. One more question to you
again, Mr. Hinchman. There are important reporting requirements
for companies that are targeted by a cyberattack. For example,
some companies must inform the Department of Homeland Security
about cyberattacks on critical infrastructure. These reporting
requirements provide the Federal Government with important
information to prevent cyberattacks on other companies.
One way to improve reporting requirements is to streamline
them across State and Federal levels which will help ensure
that companies are aware of and able to fulfill their
obligations. How is the Federal Government coordinating the
efforts of various Federal agencies to streamline reporting
requirements for cyberattacks?
Mr. Hinchman. I would argue that that effort is very much
in its infancy. I think the press that you see every day about
the U.S. Securities and Exchange Commission (SEC) rule that
came out last year in addition to CISA's Notice of Proposed
Rulemaking (NPR) has a lot of people very concerned about just
what you mentioned. There is not that harmonization that is
happening yet.
A lot of the small businesses are very scared that these
reporting requirements will crush them under administrative
burden. I think that there is some work still to be done to
make sure that we are imposing the right requirements on the
right organizations with the right threshold of burden.
There is going to be burden. We cannot get around that. But
I think there needs to be sensitivity to what that burden is to
different sized organizations.
Senator Hassan. Thank you very much. Thank you, Mr. Chair.
Chairman Peters. Thank you, Senator Hassan.
Mr. Leiserson, this next question will be for you. In July
2023, the Office of the National Cyber Director released a
request for information on cybersecurity regulatory
harmonization. The main theme of a lack of coordination amongst
the regulators, particularly independent regulatory agencies
such as the Securities and Exchange Commission, the Federal
Communications Commission (FCC), the Federal Trade Commission
(FTC) certainly stands out to me.
My question for you is how is the ONCD incorporating the
feedback from the RFI into their work?
Mr. Leiserson. Thank you, Mr. Chair. The reason that we put
out the RFI in the first place is absolutely that we rely on
the input from all of our partners, both in the private sector
and in the interagency, to inform our work.
There are a couple of things that I think really stood out
to us in terms of the RFI and have crystallized how we are
approaching our regulatory harmonization and reciprocity work
going forward. One element, in particular, is the fact that
reciprocity, which we had theorized should probably be part of
the solution, was really highlighted in the RFI respondents as
something that is absolutely critical to our getting this
right. The focus on the compliance burden really points to the
fact that, yes, you want a harmonized baseline because that
gives you the simplicity, the clarity of understanding what
specifically it is that you need to do. But you need the
reciprocity to ensure that also translates into less compliance
costs.
The other thing that I think I will highlight is the amount
of focus on supply chain risk management and the fact that for
a number of companies they are right now trying to figure out
how do they manage risk in their supply chains, cyber risks
that can come because there are either connections back into
their networks or the fact that a disruption in their supply
chain could materially impact their business. Having a
harmonized framework would also help them do their own internal
risk management processes, which I will admit was not something
that we were really thinking through at the outset. Now we look
and say, well, this actually could be a catalyst for businesses
too. You may have regulation that actually helps them manage
their own business risk by being able to look and say, oh,
these folks have met the baseline standards. That helps us
understand what their posture is for our own internal business
focus supply chain risk management.
Chairman Peters. Mr. Hinchman, in your testimony you
highlighted that the Federal Government should adopt model
definitions and consider setting minimum cybersecurity
requirements. How do conflicting definitions and requirements
contribute to the difficulties in overall compliance?
Mr. Hinchman. Any time that an organization is subject to
multiple--the word of art is regime--reporting regime, you run
into compliance burdens. We have done work in the financial
sector where CISOs from financial services firms have reported
their folks spend 30 to 40 percent of their time on compliance
rather than focusing on cybersecurity.
It gets back to the point I had initially made about
duplication and overlap, that when you have multiple reporting
regimes with multiple requirements that are not alike you spend
a lot of time doing paperwork rather than focusing on your job,
because you need to meet the requirements of both of these
frameworks that you are subject to.
A single overarching framework, which is then customized as
appropriate within a sector, ideally would remove a lot of that
burden, so that there is a single point of reference that
everyone starts from when thinking about cybersecurity in their
organizations, and that includes reporting requirements,
anything else.
Yet when we talk about reporting requirement there is a
whole framework beyond that, identification management,
protection of data, response recovery. I think it is really
important that people be able to go to one place, know where
that starts, and then figure out what they are required to do
from there, so that you can streamline those compliance
requirements. There will always be some compliance burden, as I
mentioned a moment ago, but we can do a lot to streamline that
and minimize it.
Chairman Peters. Yes. Very good. Mr. Leiserson, to what
extent has disharmonization of cyber regulations and compliance
mechanisms actually impacted the ability of companies to
compete internationally?
Mr. Leiserson. Thank you, Mr. Chair. That has absolutely
been something that we have heard, for a number of reasons, I
would say. First and foremost, it can mean that companies need
to invest in multiple systems. You are basically forcing them
to duplicate some of their information and communications
technology spend because they are subject to disharmonious
regulatory regimes. When that is the case, if they are
competing against a company in, say Europe, that is only
operating under a European Union (EU) framework, they will be
at a competitive disadvantage.
I think that really points to part of what we are hoping to
get out of this effort. If we have a strong Federal framework
for baseline cybersecurity requirements it is developed by all
of the relevant parties in the interagency, including the
independent regulatory commissions. That actually is very
helpful for us in digital trade negotiations, in other export
of American businesses, because we can then go forth and say,
hey, now we are looking for mutual recognition with our
international partners, and we can give folks an understanding
of what exactly that means because we have a single framework
to point to, whereas right now when you look at mutual
recognition it is often challenging because we are pointing
back to what we are doing, that is a kind of hodge-podge of
different regulatory requirements.
Chairman Peters. Thank you. Senator Lankford, you are
recognized for your questions.
OPENING STATEMENT OF SENATOR LANKFORD
Senator Lankford. For my 19 minutes of questions?
Chairman Peters. Your 19 minutes, yes. Senator Rosen is
here. She will want you to be briefer.
Senator Lankford. It will be a little more brief than that.
Thank you both. Thanks for the information and the background
on it. I apologize I have had to run in and out through this
hearing, as well.
You gave a stat earlier that I want to be able to drill
down a little bit on it. You gave a stat that one of the
business organizations said they spend 30 to 50 percent of
their time not on security but on compliance.
Let's drill down on that a little bit. Do they give you
information or do you have a sense of what that compliance is
that could not be done so they could spend more time on
security?
Mr. Leiserson. Absolutely, Senator, and thanks very much
for that question. That 30 to 50 percent number is for chief
information security officers and their time. That was in
response to our RFI last year. More recent testimony, actually,
that was given in April, before the Committee on Homeland
Security, said that when you look at CISOs' teams' time,
sometimes it is up to 70 percent. Seventy percent of the human
capital that, in this case this is the financial services
sector that had done this survey, 70 percent of their teams'
time were spent on compliance activities.
The concern that I think we have is not that there should
not be requirements. There absolutely must be. The financial
services system, for instance, is absolutely vital to our
economy, to our national security.
However, when you have time spent on developing reports, on
responding to examiners' questions, not in a standardized,
harmonized way, that is a challenge. A further challenge is if
another regulator then comes in, after you have just finished
an examination with the first, the second regulator comes in
and says, ``Hey, yes, you have all of these reports that you
have developed for the first, but we have a different opinion
with respect to risk.''
The Chair had asked earlier about why cybersecurity is
particularly amenable to harmonization, and the reason is the
risk that we are talking about here is the same. It is the same
information systems.
That is really one of the challenges that we see out there
and why we believe the approach here is so important.
Senator Lankford. What is the right percentage of time, do
you think, to be able to do compliance? Because they are going
to have to do some. You are right. But 70 percent is clearly
not the right number on this, to try to get it down to that
level. It is going to be just a ballpark. I get that.
Mr. Leiserson. Yes. I am more of a cybersecurity guy,
Senator, than a compliance guy, but I would be happy to take
that back and get some sense. But 70 percent is not correct.
Senator Lankford. It is not correct. I will tell you, I met
with some folks that were in rural health care yesterday, and
nursing homes and skilled nursing. They are frustrated because
their compliance requirements continue to go up. They are
adding additional nurses, not to see patients but to fill out
forms that are now being requested by CMS. It is the same issue
here. They do not have the same issue of multiple regulators.
They just have an increased amount of compliance to be able to
fill out forms. When you take nurses away from patients to be
able to fill out forms you have got more forms but not more
care.
We have the same situation, my fear is, and I know we have
duplication, but we also have increased requirements to be able
to do some of these completed forms to be able to turn in, for
someone to be able to put in a drawer so that later, if there
is a problem, they can show, yes, here is your problem. You did
not fill out this form correctly, rather than helping them with
compliance. That is my perspective on that, but that one I want
to be able to push on.
I need to ask, though, why OMB does not already have the
authority to do this? Obviously there is a lot of authority
that OMB has, to be able to coordinate against all agencies.
What is unique about this legislation that gives authority that
OMB does not have right now?
Mr. Leiserson. Senator, thanks very much for that question.
I will say a couple of things. First of all, we are lockstep
with the Office of Information and Regulatory Affairs (OIRA),
at OMB. We work very closely with them.
Part of the challenge that they have is they do not have a
gold standard that they can point to when it comes to Executive
Branch regulators and say this is not harmonized with
something, right. The challenge right now is you can come to a
regulator and say, ``This doesn't look like other
regulations,'' but there is not a policy that says this is what
good, baseline cybersecurity requirements, cross-sectorally for
enterprise IT looks like. That is part of what we are trying to
solve.
The other challenge, though, is the independent regulatory
commissions, which we do not have the authority, neither OMB
nor the Office of the National Cyber Director, to bring to the
table to help design that framework. From our standpoint it
needs to be an inclusive process. We need to hear from everyone
in order to design something effectively, and that is something
that, from the Administration's perspective, not just ONCD's,
the Administration supports the approach that Chair Peters has
laid out.
Senator Lankford. I am going to defer the time and actually
be done earlier rather than later. That is shocking, I know,
for everybody. But Chair Peters, this is an area we need to
work on, the independent agencies, not just in this area but in
a broader area. My perspective--and I am not going to force GAO
to be able to make a comment about this--my perspective on
this, there are independent agencies that feel like they are
independent from everybody. They are not independent from
everybody. They still need additional oversight. They still
need to be able to go through the OIRA review. There are still
some boundaries that need to be there when they are creating
new regulations, that they are not a completely independent
fourth branch of government, that they do need to have some
kind of oversight.
This is something that I think we need to look at, not only
in this area but in a broader area, in the days ahead, and the
authority that this Committee has.
Chairman Peters. I agree with you, and this is, I think, a
very meaningful step. It will set an example of how we have to
bring them together in a key area. But I am with you all the
way, Senator, on that.
Senator Rosen, you are recognized for your questions early.
OPENING STATEMENT OF SENATOR ROSEN
Senator Rosen. Thank you, and I am going to say, as a
former software developer and systems analyst, I can tell you
IT modernization can really help with compliance issues, it can
streamline the process, and it can remove those duplicative
reportings because it can see what you are doing. You should
not have to, say, put this in this form. It should populate in
all the forms, just like we use when we use our phone. I think
there are a lot of things that can happen concurrently, not
necessarily consecutively. There are a lot of ways that we can
work on this, and I look forward to working on that, as well.
But I am going to talk about cyber incident trends, because
implementing these Federal cybersecurity regulations, they
really create large datasets of cyber incidents and information
about the state of private sector cybersecurity. When this data
is analyzed--like I said, I am a former analyst and software
developer--the aggregated data, it can bolster the resilience
of both the public and private sectors by identifying
widespread vulnerabilities, malicious cyber campaigns, emerging
threats, et cetera. It can also be used in other ways against
people, as well, because you can de-aggregate the data, in some
cases, so we have to be mindful of that.
But here, how are agencies collaborating, Mr. Leiserson, to
leverage the cyber incident data to identify these trends and
help us move forward faster to target the entities?
Mr. Leiserson. Thank you, Senator, very much for that
question. As a former programmer myself it is absolutely
something that is of interest to us in conversations that we
have been having as we work to implement the legislation that
this Committee pushed forward, the Cyber Incident Reporting for
Critical Infrastructure Act, to ensure that we are seeing
exactly those gains in terms of an understanding of the cyber
landscape.
One of the things that I remember General Alexander said
from the beginning of his time at the National Security Agency
(NSA), as the Director of NSA, was we need a common operating
picture of what is going on in cyberspace. CIRCIA allows us to
get there, but only if we are properly positioned to do the
appropriate data analytics once we get there. I have had
conversations with DHS's new Office of Statistics, Homeland
Security Statistics, which has a cybersecurity program, about
looking at exactly this challenge. I think it is one that as we
move toward CIRCIA implementation in September 2025, we
absolutely need to take advantage of what we can, from the
broader analytics landscape, is also something we, at ONCD, in
partnership with CISA and the Department of Treasury's Federal
Insurance Office are working on for cyber insurance data, as
well, because the insurers see a lot of these trends too.
Senator Rosen. I think it is important that we share some
of the data in smart ways so we are not in the silos, where
maybe the insurance data sees one thing in some other ways
electric companies see another, whatever that is. You are
missing these common threads, as you know, if you are working
as a programmer, as well.
Speaking of working as programmers, there is a workforce
shortage--we know it--especially in the private sector, and
there are currently nearly 470,000 cybersecurity jobs open in
the United States, across the tech industry, even more. But
compounding this challenge, cybersecurity teams, like I said,
what James was saying, they really are spending too much time
on compliance.
Do you want to add anything else about what he said about
how we use our staff in smart ways, how we use artificial
intelligence (AI), how we create easier reporting, and how do
we populate data across to avoid those duplicative efforts? If
there is any last thing you want to say about that, I would
like that, and then what additional support you might need from
us to help you do that.
Mr. Leiserson. Thank you, Senator, for that question. It is
a topic, the cyber workforce issue, is one that all of us at
the Office of the National Cyber Director are passionate about
and implementing the National Cyber Workforce and Education
Strategy. I got into cyber policy personally because as a
programmer, I did not get trained on secure software
development whatsoever. I was in public policy classes and
listening to my compatriots say, ``Hey, we have all these
concerns about cybersecurity.'' I looked at them and I was
like, ``I think I am the problem.'' [Laughter.]
It is absolutely a challenge that we see, I think. A lot of
the work that we are doing on regulatory harmonization and
reciprocity I would say is focused on actually reducing the
demand side. As Senator Lankford mentioned, right, we are
really interested in saying we want our cybersecurity personnel
focused not on delivering reports to multiple regulators but
instead focused on how are we going to actually secure systems.
There are a lot of gains that we can see in terms of reduction
on the demand side. That is still not going to deal with those
470,000 open jobs.
Senator Rosen. That is right.
Mr. Leiserson. The things that we are focused on right now
at ONCD, in particular, are broadening pathways and removing
barriers. I had mentioned earlier that we are doing a lot of
work to ensure that skills-based hiring for the Federal
Government is the way we look at things going forward. We are
also looking to do that in contracts. That has been a major
focus of ours is to say there should not be requirements in
Federal contracts if you are going to provide IT support to the
Federal Government, that you need to have any particular
degree.
Senator Rosen. That is right.
Mr. Leiserson. That is a great way, from our perspective,
to broaden the base that needs to come in.
Senator Rosen. In addition to expanding the private sector
workforce we know we have to implement the National
Cybersecurity Strategy, like I said, adding trained personnel
to so many agencies. Everybody needs it. Last Congress I was
proud to lead, with Chair Peters, the Federal Rotational
Cybersecurity Workforce Program to help Federal agencies better
enhance their cyber workforce.
Mr. Hinchman, which agencies that are required to oversee
the implementation of Federal cybersecurity regulations
themselves face significant cyber personnel shortages or
training deficiencies, and what do you think we can help with?
Mr. Hinchman. Certainly. That is a big unknown right now,
Senator. I do lead our IT and cyber workforce work at GAO. I
will be doing the GAO mandate that is in your bill that was
passed, that is due, I think, at the end of next year, after
the program has had a time to get up and operate for a bit.
One of the things that the Federal Government really
struggles with is not understanding what our cyber workforce
looks like within Federal agencies. We have a job that we are
doing under our broad Federal Information Security
Modernization Act (FISMA) mandate for this Committee, that is
looking at five of the largest consumers of cyber workforce and
trying to understand how they are managing their workforce
across the department, at the department level. We are finding
that in terms of the general practices that need to be applied
there is work that needs to be done.
There is also a job we are doing for Chairman Green at
House Homeland Security, looking at the cost of the Federal
cyber workforce, and that is going to be looking at all 24
Chief Financial Officers (CFO) Act agencies and comparing that
cost versus how much is spent on cyber as a service, when you
hire contractors to do your cybersecurity, as well as looking
for initiatives that different agencies have to try to get
Federal cyber workers into the workforce for us.
But overall, the government is really just now starting to
try to understand what the Federal cyber workforce looks like.
It is hard to answer where those holes are. I am looking
forward to this work. It is exciting. I think it is going to be
a body of work that is going to add a lot of value to this
conversation the government is having because there is a lot
that we need to be doing better to fill these cyber workforce
gaps.
Senator Rosen. If I had my way I would be down in every
elementary school teaching all the fun things about robotics
and computing and science, technology, engineering and
mathematics (STEM) and logic, things I carry with me every
single day, and show young folks the path forward and what
great, exciting careers they are, and hopefully get them early
and they get the bug--no pun intended--for software. But that
would be my hope, to really invest in our young folks in
bringing them along.
Thank you, Chair.
Chairman Peters. Thank you, Senator Rosen. We appreciate
your passion for that. Thank you so much.
Senator Blumenthal, you are recognized for your questions.
OPENING STATEMENT OF SENATOR BLUMENTHAL
Senator Blumenthal. Thank you very much, Mr. Chair. Thank
you both for your work. I think we are all becoming more and
more aware of the need for standard setting and rules in this
area of cyber. I think the general public is becoming more
aware of it, as well, as we see the effects of ransomware
throughout our economy and our society.
Just last February, as you well know, a ransomware group
launched an attack on Change Healthcare, one of our nation's
largest online health care claims and payments processors. We
are still seeing the effects of it in Connecticut, and I think
probably around the country.
Russia, China, Iran, and other foreign adversaries are
targeting our critical infrastructure and probing for
vulnerabilities for even more catastrophic attacks. Again, very
recently, just this past Monday, the head of our cyber team,
General Haugh, expressed his fears that China is, to use his
word, ``prepositioning'' itself in our critical infrastructure.
Essentially it is creating beachheads in case there is greater
conflict between our countries. A really scary set of
developments. We have already seen the immense costs and
disruption of attacks not only on Change Healthcare but Colonial
Pipeline, Maersk, other major companies.
We have been warned. We need to treat this crisis like a
national emergency. We need to give it the urgency that
Americans should feel as a Nation, in effect, under attack. We
should be ramping up our efforts to make sure that Russia and
China cannot keep exploiting this critical infrastructure.
My question to both of you is, where are we falling behind
on setting cybersecurity rules that counter these efforts by
Russia and China, set the bar higher so that we are more
invulnerable to their creating havoc?
Mr. Leiserson. Senator, that is a very good point, and I
really appreciate the question. Let me do a little bit of
framing, I think, and then I will talk about some of the
specific sectors and what we are up to and then why we think
that regulatory harmonization will help.
On the framing side, I think we, at the Office of the
National Cyber Director, could not agree more that this is
something that the American people need to understand and know
about. I have heard my boss, the National Cyber Director, Harry
Coker, Jr., say he was so grateful for the opportunity to
testify in January in front of the House about the Volt Typhoon
activity. This is the People's Liberation Army and the People's
Republic of China (PRC) targeting our critical infrastructure
for exactly as General Haugh suggested, prepositioning, and the
fact that that is putting America at unacceptable risk. It is
unacceptable risk, and we need to take action as a government
to address that risk.
One of the ways to do so is to put in place baseline
cybersecurity requirements. I think what you have seen this
Administration do leading on, in particular, the transportation
sector, where we have emergency directives from the
Transportation Security Administration (TSA). Those are turning
into Notices of Proposed Rulemaking to solidify the significant
gains that we have seen there. There was an Executive Order
(EO) that the President signed out earlier this year giving the
U.S. Coast Guard (USCG) additional authorities in the maritime
sector. I think one of the areas that we are most interested in
right now is seeing what we can do in the water and wastewater
system sector, where there are still significant deficiencies
and work that we need to do.
I think foundational to our approach at ONCD is knowing
that we need to see better cybersecurity outcomes if we have a
framework and we can say, across sectors, here is how you
should be approaching securing your enterprise IT systems,
which are what the adversaries are targeting to get that
initial access, to set those beachheads, we will see better
cybersecurity outcomes. In fact, you will be able to invest
more in cybersecurity instead of in compliance. We will
actually see better cybersecurity outcomes with a harmonized
baseline.
That is why we are so focused on this at ONCD. We are a
cyber office. Our concern is cybersecurity outcomes. When we
see the amount of time and effort that is being spent on
compliance from duplicative regulations that is not helping us
get cybersecurity outcomes, and we need to have better ones.
Senator Blumenthal. Thank you.
Mr. Hinchman. I would echo Mr. Leiserson's comments. The
single cybersecurity framework is the important starting point,
and I do not have much to add that he did not say. But I also
think that Congress needs to consider expanding regulatory
authority for some agencies in charge.
As I mentioned in my oral comments, the private and
public sectors have to work together in critical infrastructure,
and in many cases we cannot compel private organizations to do
certain things absent regulatory authority. That does not mean
that we should be passing wholesale power out there, but very
targeted and specific, and a number of different plans have been
put forward by the Administration talking about the need for
those agencies to approach Congress with specific proposals for
what they need to increase that.
I think to echo the water and wastewater thought, I have a
review looking at cybersecurity in the water and wastewater
sector that we are doing for two subcommittees on House
Homeland Security. That is exactly the problem they ran into.
This past fall there was a much publicized snafu that the
Environmental Protection Agency (EPA) ran into trying to impose
cybersecurity requirements through sort of a back door, because
they did not want to go through the onerous rulemaking process.
They were met with a lot of resistance, a number of lawsuits,
both from States and organizations. They withdrew their
requirements.
I think that there needs to be a different thinking about
how we get the private sector to come along with these
requirements once they are in place.
Senator Blumenthal. Thank you. Thank you both for your work
and your answers to those questions, and thank you, Mr. Chair,
for having this hearing. There are a lot of multi-syllable
words in the title to this hearing--harmonization,
cybersecurity, regulatory--but it really is a matter of
national security, and we need to pay attention more vigorously
than we have done.
Thank you both. Thanks, Mr. Chair.
Chairman Peters. Thank you, Senator Blumenthal.
A couple of final questions here for both of you. Federal
agencies, as you know very well, are not the only agencies that
have cybersecurity regulations. We have State regulations,
local cities, other localities across the Nation have all sorts
of requirements for businesses that operate in their areas.
I will give you a couple of examples. For example,
Massachusetts State law requires all persons who own or license
personal information about Massachusetts residents to develop,
implement, and maintain a comprehensive information security
program. The New York Department of Financial Services (DFS)
has also adopted a robust set of cybersecurity rules with
significant requirements for any company that provides a
financial or credit service within the State of New York. I
could just go on and on with that list.
Mr. Leiserson, how is the Federal Government working to
coordinate with State, local, Tribal, territorial (SLTT)
governments all across the government landscape to harmonize
these regulations?
Mr. Leiserson. Thank you, Mr. Chair. I will highlight a
couple of points. First of all, both the New York Department of
Financial Services and the State of New York responded to our
RFI, our request for information, and one of the things that
stood out to me was the fact that they really were asking for
Federal leadership in this space. DFS and the State said having
strong Federal guidelines, which a harmonized set of baseline
requirements would do, would help them significantly in terms
of how they would model their work. DFS, the Department of
Financial Services, has worked with Federal regulators. It is
something that we are concerned about. Again, like when we see
duplicative requirements that are attempting to control the
same risks, whether they are at the State level, at the Federal
level, or the international level, that gives us pause.
But if we can get the Federal house in order, if we can set
a strong Federal baseline requirement, if we can lead, we do
have strong confidence that both our State governments will
look at that as a gold standard and also start to move in that
direction, and also our international partners.
One of the things that the National Cyber Director, Harry
Coker, Jr., has consistently impressed upon me is in his
conversations with international counterparts they bring up
regulatory harmonization. They ask what is it that we are doing
to help control risks to critical infrastructure, and they say,
``Gee, it would be great to see Federal leadership here. We
need the United States to help us understand. You have the most
sophisticated tech sector. You have the most reliance on
technology. If you can set a gold standard that would help us.
That would give something for us to shoot for, as well.''
I think it really is incumbent upon us, in the Federal
Government, partnering between the Administration and Congress,
to set that standard.
Chairman Peters. Mr. Hinchman, how do these contrasting
Federal, State, and local regulations impact businesses in our
country?
Mr. Hinchman. I think very similar to the problems we have
with just sort of Federal agencies. It is the multiple
requirements and who do you need to do, and for what. I think
the examples you drew are great.
I live in Texas. The Texas Department of Information
Resources has an incident reporting rule that schools are
required to follow in an attack. The CISA Notice of Proposed
Rulemaking also includes schools. Now you are going to have
schools that are trying to figure out how to do their local
reporting as well as the national reporting, and these are
organizations that traditionally do not have resources for
this. They are already undermanned. IT is probably underfunded.
In a small district you may have one person that does IT for
the entire district, including the cyber side. I do not know
that that is sustainable.
I think we really need to think about how those State and
local rules are impacted by perhaps the Federal leadership that
has been called for, so that they have more of a benchmark to
follow. I think there are also things like privacy. States are
increasingly passing privacy laws, which may be conflicting
with guidance they are getting from the Federal level. How does
a business operating manage both of those? It is similar to how
sort of the patchwork of Federal regulations has popped up; the
patchwork of State laws pops up, as well. That all needs to be
managed and sort of brought into a common framework so that
folks know who they are operating from and what the standards
are.
Chairman Peters. Very good. I want to thank both of our
witnesses. Thank you for being here today and sharing your
thoughts. Congress and the entire Federal Government must work
together to harmonize our country's cybersecurity regulations.
I think the testimony from both of you was very clear to that
point, and it is, without question, a critical step in
protecting both our citizens as well as our businesses from
cyber threats.
I look forward to continuing to work together with both of
you and others to strengthen cybersecurity standards and make
sure that they are also coordinated, effective, and efficient
and give our industries the guidance that they need.
The record for this hearing will remain open for 15 days,
until 5 p.m. on June 20, 2024, for the submission of statements
and questions for the record.
This hearing is now adjourned.
[Whereupon, at 11:05 a.m., the hearing was adjourned.]
A P P E N D I X
----------