Rep. Nancy Mace, U.S. Representative for South Carolina's 1st District | Twitter Website
WASHINGTON – Subcommittee on Cybersecurity, Information Technology, and Government Innovation Chairwoman Nancy Mace (R-S.C.) delivered opening remarks at a subcommittee hearing titled “Enhancing Cybersecurity by Eliminating Inconsistent Regulations.” In her statement, Mace highlighted how federal regulations intended to mitigate cybersecurity risk often subject key industry participants to overlapping and inconsistent requirements, creating an inefficient regulatory regime. She emphasized that strong, centralized leadership from the Executive Office of the President is required to harmonize cybersecurity regulations and oversee regulators within the bureaucracy.
Below are Subcommittee Chairwoman Mace’s remarks as prepared for delivery:
"Good morning, and welcome to this hearing.
Malicious cyberattacks on our nation’s critical infrastructure are increasing in frequency and scale. These attacks can create damaging disruptions and compromise highly sensitive data.
Much of our critical infrastructure is owned and operated by private sector companies. That includes transportation networks, energy production and distribution facilities, and the defense industrial base. Cyberattacks targeting such operations threaten our homeland security and our national security.
That’s why we need a strong partnership between the government and private operators of critical infrastructure.
Unfortunately, federal regulations intended to mitigate cybersecurity risk often subject key industry participants to overlapping and inconsistent requirements. This creates an inefficient regulatory regime. The cost and burden of compliance is high. Companies are forced to divert resources AWAY from cybersecurity enhancements to check various unnecessary compliance boxes. The unnecessary drain on resources also reduces the competitiveness of these businesses.
Regulations can proliferate out of control when multiple agencies are issuing rules on the same topic. A single company operating across critical sectors might need to comply with overlapping, inconsistent cybersecurity rules issued by a half-dozen different agencies.
So, it’s not surprising that companies are feeling besieged by the growing barrage of cybersecurity requirements.
In March of last year, the then-Acting White House Cyber director appeared before this subcommittee to discuss the Administration’s National Cybersecurity Strategy. She testified that day that, under the Strategy, her office and the Office of Management and Budget were jointly responsible for addressing this issue of cybersecurity regulatory harmonization.
A few months later, her office issued a Request for Information asking critical sector operators to identify 'conflicting and mutually exclusive or inconsistent regulations' and describe the burden they impose.
The RFI describes the goals of 'harmonization' and 'reciprocity' in regulation. An illustration of 'harmonization' would be multiple federal agencies agreeing on allowable forms of multi-factor authentication to access IT systems. 'Reciprocity' would mean that if one regulator found a company’s multi-factor authentication was being appropriately used on an IT system, another regulator could accept that finding—instead of doing its own independent assessment.
Unfortunately, judging from the response to the RFI, we have a long way to go to achieve harmonization and reciprocity.
The more than 100 respondents—a few of whom we will hear from today—describe a highly inefficient regulatory regime that detracts from cybersecurity outcomes by unnecessarily consuming scarce resources.
Some respondents noted that state-level and international cybersecurity regulations contribute further to the regulatory morass they must navigate.
The upshot, according to the Financial Services Sector Coordinating Council, is that many company Chief Information Security Officers spend as much as half their time on regulatory compliance instead of upgrading their company’s cybersecurity posture.
In all, the Administration received more than two thousand pages of comments in response to its RFI.
I appreciate that the Administration took the trouble to seek out views from affected parties. But the response shows how challenging it will be to address this problem.
One thing seems clear: strong centralized leadership from the Executive Office of the President will be required to harmonize cybersecurity regulations. That’s the only way to put a check on regulators within the bureaucracy who may be blind to the broader impact of the rules they issue."
Mace concluded by expressing anticipation for insights from witnesses representing different critical sectors before yielding time for Ranking Member Connolly's opening statement.