Is Federal Cyber Policy About to Make a U-Turn? Notes from #CES Suggest It Might.
For years, federal cyber policy has been based on successful public-private partnerships, collaboration, and the promotion of voluntary standards that can be tailored to sector- and organization-specific risk and needs. That is poised to change as federal agencies ramp up regulatory proceedings and the White House considers a more aggressive approach to the private sector. Recent comments at #CES2023 by the Deputy National Cyber Director for Technology & Ecosystem Security at the Office of the National Cyber Director (ONCD) preview significant changes ahead.
Cyber policy has been built on collaboration, standards and flexibility.
To level set, the private sector faces some sector-specific security requirements, such as HIPAA (healthcare) or GLBA (financial services), but for the most part, organizations have been encouraged to develop risk-based approaches that use consensus standards and frameworks, like the Framework for Improving Critical Infrastructure Cybersecurity, created in 2014 by the National Institute of Standards and Technology at the direction of President Obama under Executive Order 13636, “Improving Critical Infrastructure Cybersecurity.” That framework has been revised once and is now being revisited in a substantial overhaul. Several of our clients are participating in that overhaul and are watching to see how big the changes are so they can consider what adjustments they need to make.
Congress in 2015 endorsed collaboration and information sharing in the Cybersecurity Information Sharing Act of 2015, and the government has encouraged the creation and use of Information Sharing and Analysis Centers (ISACs) and other robust partnerships. Several sectors of critical infrastructure have robust ISACs and operational partnerships, like the Financial Sector ISAC and the Communications ISAC. These partnerships have been vital, and the importance of such collaboration is recognized across government. The lead author of this post wrote a paper for the National Security Institute urging policymakers to protect such partnerships, which have been the bedrock of federal cyber policy.
But the tide appears to be turning. Rhetoric has been changing. From the White House to regulatory agencies, there has been a marked shift in messaging. For those who have been watching these issues over the past two decades, the change is significant. As Congressman Bennie Thompson, then Chairman of the House Homeland Security Committee, observed in 2021, “the administration is aggressively leveraging existing authorities” in its changing cyber policy agenda.
The Deputy National Cyber Director, previewing the forthcoming National Cyber Strategy on a panel at #CES2023, said that the new strategy would look to reallocate the burdens of cybersecurity from smaller organizations to larger and more capable companies. Such a reallocation likely can only be accomplished through regulation and mandates. The tone of the forthcoming strategy will be instructive, and we expect it to pick up on themes previewed across the Executive branch.
CISA Director Easterly commented in October that “[t]o reduce risk to the infrastructure and supply chains that Americans rely on every day, we must have a set of baseline cybersecurity goals that are consistent across all critical infrastructure sectors.” The Cybersecurity Performance Goals being created by CISA do not have the force of law and cannot by their terms be mandatory. But some policymakers may treat them as the standard of care for critical infrastructure. Deputy National Security Advisor for Cyber and Emerging Technologies Anne Neuberger described the goals as “setting a higher cybersecurity standard for sectors to meet.” Director Easterly, responding to questions from a Congressman touting the need for mandates over voluntary approaches, said that “there is a role for ensuring that we are holding those who own and operate critical infrastructure accountable for ensuring that their systems and networks are secure and resilient.”
Enforcement agencies have been forward-leaning as well. The FTC has made statements suggesting that companies can violate standards of care by not heeding specific agency guidance and enforcement actions, underscoring a more demanding approach to baseline expectations and liability.
The U.S. Department of Justice, long touting the importance of collaboration with the FBI and the importance of protecting and helping corporate victims of cybercrime, has shifted its messaging, announcing a Civil Cyber-Fraud Initiative in 2021 that targets private companies and appears to reflect a growing skepticism about the intentions and actions of many in the private sector.
Policymakers are emphasizing new expectations, regulations, and mandates. Just a few examples illustrate how the government is moving away from “soft law” standards and best practices in cyber and toward substantial new obligations with enforcement risk and penalties.
Congress has set in motion a major new area of regulation in the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which the U.S. Department of Homeland Security (DHS) is implementing to mandate incident reporting. Congress has considered several regulatory steps, such as new obligations on Systemically Important Entities and other new regulatory proposals from groups like the Cyberspace Solarium Commission. Several Executive Orders use language that suggests mandates and regulations will be the preferred approach. For example, President Biden’s Executive Order on supply chains requested agency recommendations for “any executive, legislative, regulatory, and policy changes…to strengthen [supply chain] capabilities.”
An array of proceedings are looking to increase regulatory obligations and oversight of the private sector’s cyber and data security practices.
- The U.S. Securities and Exchange Commission has proposed expanding disclosure requirements for public companies to provide information about their cybersecurity risk management, strategy, and governance and to make rapid, public notifications of material cybersecurity incidents.
- The Federal Trade Commission is looking at imposing broad regulations on “data security” including “breach risk mitigation, data management and retention, data minimization, and breach notification and disclosure practices,” as part of its August 2022 Advanced Notice of Proposed Rulemaking on “Commercial Surveillance and Data Security.”
- The Transportation Security Administration and DHS are considering expanding new Security Directives for the rail and pipeline industries into a formal regulation that would require adopting a detailed cybersecurity risk management program. Such a program would include mandatory sets of access and technical security controls, vulnerability assessments including for supply chain risk, and organizational behaviors such as documented incident response plans, reporting, training, and exercises.
- The Federal Communications Commission is proposing a significant update to the customer proprietary network information (CPNI) breach reporting rules that would include requiring reporting breaches to the Commission (in addition to the existing requirement to report to law enforcement), and would reduce the waiting period for notifying affected consumers.
- The Federal Acquisition Council is finalizing multiple rules for federal contractors, including cybersecurity supply chain requirements, standardizing cybersecurity contractual requirements for unclassified U.S. government information systems, and requiring cyber incident reporting and threat sharing.
In this year’s National Defense Authorization Act, Congress addressed cybersecurity but refrained from finalizing some of the more onerous mandates that had been under consideration. Those may be revived in the new Congress.
States are getting in on the act as well. New York’s Department of Financial Services is amending its cybersecurity requirements for financial services companies to require specific technical controls, corporate governance procedures, and other cybersecurity risk management practices.
Get Ready for New Requirements
All told, private sector organizations should prepare themselves for an array of new obligations in 2023 and beyond. We recommend that private organizations of all sizes factor this changing landscape into their regulatory and cyber risk management frameworks. While some mandates are not yet final or effective, their contours are becoming clear, so companies can make informed adjustments to their programs and plans. The private sector also should consider how best to work with regulators and Congress to limit burdens and avoid overly prescriptive approaches. Regulators and policymakers may not fully appreciate the burdens of fragmented requirements, or how difficult it may be to certify to the use of particular tools across an entire diverse enterprise. Participating in rulemakings and related proceedings is vital to give agencies solid information on which to base pragmatic policies.