WASHINGTON – Subcommittee on Cybersecurity, Information Technology, and Government Innovation Chairwoman Nancy Mace (R-S.C.) delivered opening remarks at a subcommittee hearing titled “Enhancing Cybersecurity by Eliminating Inconsistent Regulations.”In her opening statement, Subcommittee Chairwoman Mace highlighted how federal regulations intended to mitigate cybersecurity risk often subject key industry participants to overlapping and inconsistent requirements which creates an inefficient regulatory regime. She continued by emphasizing that strong, centralized leadership from the Executive Office of the President will be required to harmonize cybersecurity regulations and place a check on regulators within the bureaucracy who may be blind to the broader impact of rules they issue.
Below are Subcommittee Chairwoman Mace’s remarks as prepared for delivery.
Good morning, and welcome to this hearing.
Malicious cyberattacks on our nation’s critical infrastructure are increasing in frequency and scale. These attacks can create damaging disruptions and compromise highly sensitive data.
Much of our critical infrastructure is owned and operated by private sector companies. That includes transportation networks, energy production and distribution facilities, and the defense industrial base. Cyberattacks targeting such operations threaten our homeland security and our national security.
That’s why we need a strong partnership between the government and private operators of critical infrastructure.
Unfortunately, federal regulations intended to mitigate cybersecurity risk often subject key industry participants to overlapping and inconsistent requirements. This creates an inefficient regulatory regime. The cost and burden of compliance is high. Companies are forced to divert resources AWAY from cybersecurity enhancements to check various unnecessary compliance boxes. The unnecessary drain on resources also reduces the competitiveness of these businesses.
Regulations can proliferate out of control when multiple agencies are issuing rules on the same topic. A single company operating across critical sectors might need to comply with overlapping, inconsistent cybersecurity rules issued by a half-dozen different agencies.
So, it’s not surprising that companies are feeling besieged by the growing barrage of cybersecurity requirements.
In March of last year, the then-Acting White House Cyber director appeared before this subcommittee to discuss the Administration’s National Cybersecurity Strategy. She testified that day that, under the Strategy, her office and the Office of Management and Budget were jointly responsible for addressing this issue of cybersecurity regulatory harmonization.
A few months later, her office issued a Request for Information asking critical sector operators to identify “conflicting and mutually exclusive or inconsistent regulations” and describe the burden they impose.
The RFI describes the goals of “harmonization” and “reciprocity” in regulation. An illustration of “harmonization” would be multiple federal agencies agreeing on allowable forms of multi-factor authentication to access IT systems. “Reciprocity” would mean that if one regulator found a company’s multi-factor authentication was being appropriately used on an IT system, another regulator could accept that find—instead of doing its own independent assessment.
Unfortunately, judging from the response to the RFI, we have a long way to go to achieve harmonization and reciprocity.
The more than 100 respondents—a few of whom we will hear from today—describe a highly inefficient regulatory regime that detracts from cybersecurity outcomes by unnecessarily consuming scarce resources.
Some of the respondents noted that state-level and international cybersecurity regulations contribute further to the regulatory morass they must navigate.
The upshot, according to the Financial Services Sector Coordinating Council, is that many company Chief Information Security Officers spend as much as half their time on regulatory compliance, instead of upgrading their company’s cybersecurity posture.
In all, the Administration received more than two-thousand pages of comments to its RFI.
I appreciate that the Administration took the trouble to seek out the views of affected parties. But the response shows how challenging it will be to address this problem.
One thing seems clear: strong, centralized leadership from the Executive Office of the President will be required to harmonize cybersecurity regulations. That’s the only way to put a check on regulators within the bureaucracy who may be blind to the broader impact of rules they issue.
I look forward to hearing from our witnesses today, who will provide valuable insight on this problem from the perspective of different critical sectors.
But before I introduce them, I will first yield to Ranking Member Connolly for his opening statement.