• 6 months ago
Sen. Gary Peters (D-MI) leads a Senate Homeland Security Committee hearing to examine the process of federal cybersecurity regulation.

Fuel your success with Forbes. Gain unlimited access to premium journalism, including breaking news, groundbreaking in-depth reported stories, daily digests and more. Plus, members get a front-row seat at members-only events with leading thinkers and doers, access to premium video that can help you get ahead, an ad-light experience, early access to select products including NFT drops and more:

https://account.forbes.com/membership/?utm_source=youtube&utm_medium=display&utm_campaign=growth_non-sub_paid_subscribe_ytdescript


Stay Connected
Forbes on Facebook: http://fb.com/forbes
Forbes Video on Twitter: http://www.twitter.com/forbes
Forbes Video on Instagram: http://instagram.com/forbes
More From Forbes: http://forbes.com
Transcript
00:00:00 As we have become more reliant on technology and digital infrastructure, the threat of
00:00:06 cyber attacks has dramatically increased.
00:00:10 Every day our citizens, our critical infrastructure operators, and our federal, state, and local
00:00:16 governments have to defend against hundreds of thousands of potential cyber attacks.
00:00:23 These come from criminals who take advantage of our vulnerable people, foreign actors who
00:00:28 threaten our critical infrastructure, and hackers who try to destabilize American businesses.
00:00:35 Cyber attacks are more coordinated and more dangerous than ever.
00:00:40 In response to this threat, American regulators have begun to set new standards for cyber
00:00:45 security and digital safety.
00:00:48 They have moved quickly in that work.
00:00:50 And in the last four years alone, federal regulators have passed 48 rules on cyber security.
00:00:57 More than 10 per year.
00:01:00 And that doesn't include new policies at the state as well as the local level.
00:01:05 The surge of regulations comes from a good place.
00:01:08 It represents our government's response to a new and growing threat that has helped give
00:01:13 American businesses some important guidance on how to keep safe from these cyber threats.
00:01:21 The challenge is that even though all aspects of our society are vulnerable to cyber attacks
00:01:26 from electric grids to water systems to gas pipelines, no one – no one is coordinating
00:01:33 this effort.
00:01:34 This is a patchwork of new guidelines set by separate agencies.
00:01:39 Regulators are working to respond to the unique challenges that their sectors certainly face,
00:01:46 and they often are not looking at the bigger picture of how all of these different rules
00:01:50 all interact with each other.
00:01:52 And without that higher level of coordination, there is no way to ensure that these guidelines
00:01:57 don't overlap, duplicate, or quite simply contradict each other.
00:02:04 The results are often confusing and inefficient.
00:02:08 Businesses are scrambling to follow a web of new standards, ones that can change quickly
00:02:13 with new technological innovations.
00:02:17 Airlines have to adhere to three different regulators on cyber security.
00:02:22 Companies have six.
00:02:24 A bank could have 16 different oversight bodies, all of whom are passing their own standards
00:02:31 and expecting those standards to be followed.
00:02:34 This is not necessarily a case of where more is better.
00:02:38 We must be smart in these regulations to ensure the higher level of cyber security.
00:02:44 In short, businesses and their employees are spending too many resources trying to understand
00:02:50 these new guidelines.
00:02:52 Companies are taking their cyber security professionals off the line to fill out paperwork,
00:02:57 leaving their defenses undermanned and vulnerable.
00:03:01 We need effective regulations on cyber security, no question about that.
00:03:05 But we need them to be efficient, adaptable, and coordinated all across different agencies.
00:03:13 Harmonization and harmonizing these guidelines will make our government more efficient, help
00:03:17 businesses compete on the global stage, and ensure that we're addressing cyber security
00:03:22 threats in the most effective way.
00:03:25 And that's why I'm working on legislation to establish a harmonization committee at
00:03:29 ONCD that would require all agencies and regulators to come together, talk about cyber security
00:03:36 regulations, and work on harmonization.
00:03:40 Passing legislation is the only solution.
00:03:43 We have to bring independent agencies together and start harmonizing this effort.
00:03:49 Only Congress has the power to do so.
00:03:52 And if we fail at this mission, we won't be able to build the most effective response
00:03:57 to cyber threats.
00:04:01 It is the practice of this committee to swear in witnesses, so if each of you would please
00:04:05 stand and raise your right hand.
00:04:08 Do you swear that the testimony that you will give before this committee will be the truth,
00:04:14 the whole truth, and nothing but the truth, so help you God?
00:04:18 You may be seated.
00:04:19 Thank you.
00:04:22 Our first witness, Nicholas Lyserson, is an assistant national cyber director for cyber
00:04:28 policy and programs.
00:04:30 He previously served as ONCD's deputy chief of staff, and prior to joining ONCD, Nicholas
00:04:37 spent more than a decade on the staff of Congressman James R. Langevin, the principal author of
00:04:43 the National Cyber Director Act.
00:04:46 Mr. Lyserson, you are now recognized for your opening comments.
00:04:51 Good morning, Chairman Peters and distinguished senators of the committee.
00:04:55 Thank you for the opportunity to testify before you today.
00:04:59 Today's hearing is about a complex topic, how to set baseline cyber security requirements
00:05:05 across critical infrastructure in a harmonized manner.
00:05:08 It involves coordinating dozens of agencies, each implementing its own unique authorities.
00:05:15 Yet despite the complexity, our value proposition is simple.
00:05:19 In a harmonized regulatory environment, we will see better cybersecurity outcomes as we
00:05:24 reduce the dollars that are going into regulatory compliance.
00:05:29 Pursuant to the National Cyber Security Strategy Implementation Plan, the Office of the National
00:05:33 Cyber Director, or ONCD, released a request for information last year about cybersecurity
00:05:39 regulatory harmonization and reciprocity.
00:05:42 ONCD received 86 unique responses to the RFI, covering 11 of 16 critical infrastructure
00:05:51 sectors.
00:05:52 In all, the respondents represent over 15,000 businesses, states, and other organizations.
00:05:59 We have analyzed the responses.
00:06:01 And yesterday, we released our summary of the more than 2,000 pages of comments we received.
00:06:07 There are three key findings.
00:06:09 First, the lack of harmonization and reciprocity harms cybersecurity outcomes while increasing
00:06:15 compliance costs.
00:06:17 Second, challenges with harmonization extend to businesses of all sectors and all sizes
00:06:24 and cross jurisdictional boundaries.
00:06:27 And third, the United States government is positioned to act to address these challenges.
00:06:34 Let me share some of what we heard.
00:06:36 The Business Roundtable, a group of CEOs whose companies support one in four American jobs,
00:06:42 noted that, quote, "Duplicative, conflicting, or unnecessary regulations require companies
00:06:47 to devote more resources to fulfilling technical compliance requirements without improving
00:06:53 cybersecurity outcomes," close quote.
00:06:56 The National Defense Industry Association, whose more than 65,000 corporate and individual
00:07:01 members comprise much of our defense industrial base, wrote, quote, "Inconsistencies also
00:07:07 pose barriers to entry, especially for small and mid-sized businesses that often have limited
00:07:14 resources," close quote.
00:07:16 In some cases, respondents noted that chief information security officers were spending
00:07:22 30 to 50 percent of their time not on security but on compliance activities.
00:07:29 ONCD leads the coordination of implementation of national cyber policy and strategy.
00:07:35 In alignment with our mission, both the National Cybersecurity Strategy and the recent National
00:07:40 Security Memorandum on Critical Infrastructure assign ONCD the responsibility for coordinating
00:07:46 cybersecurity regulatory harmonization across the government.
00:07:51 Building federal coherence in partnership with our interagency and private sector stakeholders
00:07:56 is at the core of our mission.
00:08:00 Based on feedback from the RFI, ONCD has begun to build a pilot reciprocity framework.
00:08:06 We anticipate that this pilot will give us valuable insights as to how best to achieve
00:08:11 reciprocity when designing a cybersecurity regulatory approach from the ground up.
00:08:17 However, our vision cannot be fully achieved without help from Congress.
00:08:24 As the United States Chamber of Commerce noted in its filing, quote, "A significant challenge
00:08:29 to U.S. regulatory harmonization efforts are independent regulatory agencies," close quote.
00:08:34 And further, quote, "The U.S. Chamber urges Congress to consider legislation to address
00:08:40 this challenge," close quote.
00:08:43 The administration supports Chairman Peter's bill, consistent with the views previously
00:08:47 provided to the committee, that would allow ONCD to better carry out our mission by bringing
00:08:53 independent regulatory commissions to the table together with the interagency in a policymaking
00:08:59 process.
00:09:01 This would act as a catalyst to develop a cross-sector framework for harmonization and
00:09:06 reciprocity.
00:09:08 Such a framework is foundational to our desired end state, which would do three things.
00:09:13 First, strengthen cybersecurity readiness and resilience across all sectors.
00:09:18 Second, simplify responsibilities of cyber regulators while enabling them to focus on
00:09:23 their areas of expertise.
00:09:25 And finally, substantially reduce the administrative burden and cost on regulated entities.
00:09:33 Mr. Chairman, members of the committee, in closing, regulatory harmonization is a hard
00:09:39 problem.
00:09:40 It is a problem that has existed for decades, and the trend line is generally heading toward
00:09:45 more fragmentation, not more harmonization.
00:09:49 It is a problem that requires leadership from ONCD and Congress informed by the private sector.
00:09:57 We have the opportunity to set the stage for a more harmonized future, and I hope we will
00:10:02 do so together.
00:10:03 Thank you for the opportunity to testify today.
00:10:06 I look forward to your questions.
00:10:09 Thank you.
00:10:10 Thank you for your testimony.
00:10:11 Our next witness is David Hinchman.
00:10:13 He is the director of information technology and cybersecurity at the U.S. Government Accountability
00:10:18 Office.
00:10:19 In that role, he oversees audits on critical infrastructure, the IT and cybersecurity workforce,
00:10:26 cloud computing, and the IT modernization efforts at the IRS.
00:10:30 Prior to joining GAO in 2002, Mr. Hinchman worked as a business consultant for several
00:10:36 private sector firms and served as a surface warfare officer in the United States Navy.
00:10:41 Mr. Hinchman, you are now recognized for your opening remarks.
00:10:45 Thank you.
00:10:46 Chairman Peters, members of the committee, thank you for inviting GAO to discuss our
00:10:50 work on the federal government's efforts to harmonize cybersecurity regulations.
00:10:55 Our nation increasingly depends on computer-based information systems and electronic data to
00:11:00 execute fundamental operations and to process and maintain crucial information.
00:11:05 Cyber-based intrusions and attacks on both federal and non-federal systems by malicious
00:11:09 actors are becoming more common and more disruptive.
00:11:13 These attacks threaten the continuity, confidence, and integrity of these essential systems,
00:11:18 including those that support our nation's critical infrastructure.
00:11:21 Never has there been a greater need to ensure that these vital systems have the appropriate
00:11:25 direction and guidance needed to ensure their security.
00:11:29 Because the private sector owns the majority of this infrastructure, it's crucial that
00:11:33 the public and private sectors work together to protect these assets and systems.
00:11:38 However, when critical infrastructure sectors are subject to multiple regulations that grow
00:11:42 and evolve in a decentralized manner, this can result in conflicting, inconsistent, or
00:11:47 redundant requirements.
00:11:50 In recent years, interest in harmonizing these regulations has gained momentum, with several
00:11:54 actions taken both by Congress and the executive branch.
00:11:57 Today, I would like to briefly summarize the findings of GAO's work in this area, as well
00:12:02 as share our current observations on ongoing efforts.
00:12:05 In legislation sponsored by this committee, the 2022 Cyber Incident Reporting for Critical
00:12:10 Infrastructure Act, or CIRSIA, addressed the need for standardized cyber incident reporting,
00:12:15 in addition to incident reporting requirements, that are both deconflicted and harmonized.
00:12:21 Additionally, the administration specifically addressed harmonization as a core strategic
00:12:25 objective in the 2023 National Cyber Security Strategy.
00:12:30 The administration also addressed this important information in a request for information published
00:12:34 by the Office of the National Cyber Director, or ONCD, the organization that leads the administration's
00:12:40 harmonization efforts.
00:12:42 This request for information sought to gather public comments on opportunities for, and
00:12:47 obstacles to, harmonizing cyber regulations.
00:12:50 Further, the April 2024 National Security Memorandum on Critical Infrastructure Security
00:12:55 and Resilience called for an approach to harmonizing cyber regulations as part of a national plan
00:13:01 for infrastructure risk management.
00:13:04 Taken together, these congressional executive actions provide an important starting point
00:13:07 for the harmonization effort.
00:13:09 However, GAO's past work and ongoing observations offer cautionary notes on the challenges that
00:13:15 will be faced on this journey.
00:13:17 In February 2024, GAO reported that the ONCD's National Cyber Strategy did not define outcome-oriented
00:13:24 performance measures.
00:13:25 Our past work has consistently found, across the government, that well-defined performance
00:13:30 measures allow for more accurate assessment of the extent to which initiatives, such as
00:13:34 those found in the National Cyber Strategy, are achieving their stated objectives.
00:13:40 Without identifying appropriate outcome-oriented performance measures, ONCD may be limited
00:13:45 in its ability to deliver the effectiveness of the National Strategy in meeting its goals
00:13:50 of better securing cyberspace in the nation's critical infrastructure.
00:13:53 Further, a 2023 DHS report required by CERCIA found 45 existing incident cyber reporting
00:14:01 requirements across our nation's critical infrastructures.
00:14:05 Among these 45 requirements, DHS found substantive differences, such as varying definitions,
00:14:10 differing report timelines, and inconsistent reporting mechanisms.
00:14:14 Notably, this report looked at only one aspect of cyber regulations and still found these
00:14:20 45 applicable requirements.
00:14:22 This serves as a stark reminder of how many regulations likely exist in the broader realm
00:14:26 of general infrastructure cybersecurity and how much work will be required to harmonize
00:14:32 those numerous requirements once they're identified.
00:14:36 In summary, given the increasing need for harmonized cyber regulations, it will be important
00:14:41 for stakeholders in this vital process, representing both the legislative and executive branches,
00:14:46 to continue to work towards a common goal.
00:14:49 It will also be crucial to develop definitive goals for this process based on both realistic
00:14:53 timeframes as well as measurable performance.
00:14:56 This whole-of-government effort will require two things.
00:14:59 One, a continued focus to ensure that performance goals are well-defined and outcome-oriented,
00:15:04 and two, that the appropriate groundwork is laid to fully understand the universe of regulations
00:15:09 to be harmonized.
00:15:11 By taking these actions, we can better position our nation's critical infrastructure to successfully
00:15:16 defend itself against the growing and ever-present cybersecurity threat.
00:15:20 Mr. Chairman, this concludes my statement.
00:15:22 Thank you.
00:15:23 Well, thank you.
00:15:24 Well, as both of you have mentioned in your opening comments, and I mentioned in mine,
00:15:29 we know that regulations are used by federal agencies in multiple ways.
00:15:34 I mentioned in my opening about making sure we have clean water to drink, protecting investors
00:15:40 from predatory practices, and the list goes on.
00:15:44 Cybersecurity regulations have received a greater amount of attention, given the growing
00:15:49 threat of cyberattacks, which is not going down and probably, you would argue, exponentially
00:15:53 going up, and on our critical infrastructure and federal IT systems, which are a particular
00:15:59 target.
00:16:00 So, Mr. Leiserson, why do cybersecurity regulations lend themselves generally to be a good candidate
00:16:06 for harmonization all across these agencies?
00:16:10 We need to do a lot of harmonization in a lot of fields, but why cybersecurity in particular?
00:16:15 Thank you, Mr. Chairman.
00:16:16 It's a great question.
00:16:18 And from our standpoint, the reason that we're particularly interested in looking at baseline
00:16:24 cybersecurity requirements across critical infrastructure sectors is that the information
00:16:29 and communications technology that's used, whether you're in a bank, a nuclear power
00:16:35 plant, a water treatment facility, the information and communications technology is largely the
00:16:40 same, and the first thing that adversaries are trying to do when they get access, whether
00:16:45 they're trying to steal money, drop ransomware, or potentially affect our ability to mobilize
00:16:52 militarily, the first thing they're going after is these enterprise IT systems.
00:16:58 And for that reason, because the enterprise IT systems are common across sectors, we really
00:17:03 feel strongly that having a harmonized approach with reciprocity across different regulators
00:17:09 will help ensure that we get both better cybersecurity outcomes and less money spent on compliance.
00:17:17 Very good.
00:17:19 You know, several public comments at ONCD's request for information on harmonization discuss
00:17:27 the difficulties in understanding and implementing cybersecurity requirements, which I think
00:17:33 leads to a compliance culture as opposed to dedicating resources to actually protecting
00:17:39 our systems from cyberattacks.
00:17:42 So, Mr. Hinchman, this question's for you.
00:17:45 How can regulators better tailor their requirements to promote cybersecurity rather than just a
00:17:52 check-the-box exercise that only incrementally increases security but unfortunately does
00:17:58 not move us forward, and in the process significantly increases the compliance burden while not
00:18:06 moving us forward?
00:18:08 Thank you, Senator.
00:18:09 I think one way to think of this, it's not a lot different from our duplication, overlap,
00:18:14 and fragmentation work that we do for the committee, in which Comptroller General was
00:18:18 up here several weeks ago talking to you about.
00:18:20 The idea of redundant conflicting requirements is not different.
00:18:24 It's on a much greater scale, and it's something that's national and something we're still
00:18:27 struggling to understand the real breadth of.
00:18:30 But I think the general idea that because regulations have grown patchwork here and
00:18:34 there, specific sectors will pass rules because it's important to them, they're dealing with
00:18:38 a certain threat.
00:18:40 And then when you have organizations that work across sectors or across state lines
00:18:44 or across international boundaries, you run into a lot of things that they have to do
00:18:49 in addition to what they may do with their sort of what I'll call their home set of rules
00:18:54 and regulations.
00:18:55 And so that compliance issue becomes a real cost burden.
00:18:58 And some of the work that we've done, we did a job in 2020 looking at states and dealing
00:19:04 with four agencies, FBI, IRS, SSA, and CMS.
00:19:09 And 35 of the states reported a moderate to significant increase in costs related to the
00:19:17 compliance that they had to do to meet the different regulations of each of those four
00:19:21 agencies.
00:19:23 And so to remove that, I think you need to look for a common framework.
00:19:26 People have talked about whether the NIST cybersecurity framework offers that possibility.
00:19:31 But a common set of minimum standards that stretch across the government that can then
00:19:37 be customized to meet the needs of individual sectors.
00:19:40 Very good.
00:19:42 Yeah.
00:19:43 As noted, Mr. Leiserson, in your opening statement, the Office of the National Cyber
00:19:48 Director is designated as the federal lead for addressing cybersecurity regulatory harmonization.
00:19:55 So my question for you, you've raised some of this, but to clarify for the committee,
00:19:59 what are the biggest challenges ONCD is now facing in harmonizing cyber regulations?
00:20:05 Certainly, Mr. Chairman.
00:20:07 Thanks for the question.
00:20:08 There are two things that I would highlight as the challenges.
00:20:11 One is the breadth that we have here, where you see dozens of regulators who have dozens
00:20:18 more regulations.
00:20:19 You mentioned the 48 that we've seen just in the past four years, which means that from
00:20:24 our perspective, you really need a strategic approach, a top-down approach that says this
00:20:30 is the framework that we're aiming at and gives that guidance to regulators.
00:20:35 But that gets into the second challenge, right?
00:20:37 So if the first challenge is the breadth of the problem and getting our hands around it,
00:20:41 the second challenge is getting all of the relevant parties to the table.
00:20:44 As I mentioned, from our perspective, the most important part of ensuring that we have
00:20:49 a framework that is applicable across sectors and does appropriately address the concerns
00:20:55 that different regulators have is to ensure all of them are participants in a policymaking
00:21:00 process to design such a framework.
00:21:03 But doing so at the moment, we are limited in our ability to do so with respect to independent
00:21:07 regulatory commissions, which is something that we truly need Congress' help with.
00:21:12 Mr. Reichlund, again, you stated in your testimony that the administration supports legislation
00:21:20 that would require all agencies, including our independent regulatory agencies, to come
00:21:26 up to the table, basically, and work on harmonizing their regulations with everybody else.
00:21:32 So the specific question for you, sir, is how would having this convening authority
00:21:36 help the ONCD actually address this issue?
00:21:40 What are going to be the strengths of getting this done?
00:21:44 Thank you, Mr. Chairman.
00:21:47 It would help enormously, frankly.
00:21:49 And it would help because right now, when we want to talk to our independent regulatory
00:21:54 commission partners, which we do as much as we can, we basically have a coalition of the
00:21:59 willing.
00:22:00 We have the folks who want to come to the table, who believe that this is an important
00:22:04 problem, and have a conversation about it.
00:22:07 But having a clear mandate from Congress to bring everyone to the table will let us do
00:22:13 what we do best at ONCD, which is listen to our partners, work with them to address the
00:22:18 challenges, and as I say, design a comprehensive framework that allows for harmonization, yes,
00:22:24 but just as importantly, reciprocity, right?
00:22:26 The idea that once I've proven as an entity that I've met the requirements once, I do
00:22:32 not need to do so, no matter how many other regulators are asking the same questions.
00:22:37 And that is what will allow us to both get better cybersecurity outcomes and at the same
00:22:43 time reduce the burden on businesses.
00:22:46 All right.
00:22:47 Thank you.
00:22:48 Senator Hassen, you're recognized for your questions.
00:22:51 Thank you very much, Mr. Chair, and I appreciate you and the ranking member holding this hearing.
00:22:55 I appreciate not only our witnesses being here today, but thank you and the teams you
00:23:00 work with for the work you do.
00:23:03 Mr. Leiserson, I wanted to just start with some questions about kind of where we are
00:23:09 on certain issues.
00:23:12 Recent cyberattacks, like the attack on Change Healthcare just a few months ago, have highlighted
00:23:17 the impact that a cyberattack can have on critical services.
00:23:21 In the Change Healthcare attack, we saw that an attack on a single major service provider
00:23:27 could result in a really major disruption to the whole national health network.
00:23:32 What steps have your office, CISA, and the agencies overseeing different infrastructure
00:23:37 sectors taken to identify potential single points of failure in critical infrastructure?
00:23:43 Thank you, ma'am, for that question.
00:23:45 It's one that actually is very important to our work in the administration.
00:23:51 When I was on the Hill, I actually worked with the Cyberspace Solarium Commission,
00:23:55 where we talked about systemically important critical infrastructure.
00:23:59 If you look at the President's letter to Congress delivering CISA's report on Section 9002 of
00:24:06 the Fiscal Year '21 National Defense Authorization Act, in response to Congress's request, he
00:24:10 specifically highlighted the fact that we need more policy on systemically important
00:24:16 entities as a key goal of the policy process that we kicked off in November of '22.
00:24:21 That has produced this new national security memorandum.
00:24:25 Right now, sector risk management agencies are working to, within their sectors, identify
00:24:29 exactly, as you described, these critical points of failure, and then working with CISA
00:24:35 as the national coordinator to help ensure that once we've got them identified, we can
00:24:39 provision resources appropriately and ensure that we're appropriately managing that risk.
00:24:44 Thank you for that.
00:24:46 Another question for you.
00:24:48 Effective implementation of cybersecurity laws requires a federal workforce with the
00:24:52 appropriate expertise and skills.
00:24:54 What's the National Cyber Director doing to expand the federal workforce of cybersecurity
00:24:59 professionals so that government agencies have the expertise needed to safeguard our
00:25:04 country's cybersecurity?
00:25:06 Thank you, Senator.
00:25:07 There are two things that I think I'll highlight for this, something that is a key priority
00:25:12 of National Cyber Director Harry Coker, Jr.
00:25:16 The first is that we recognize that our regulatory partners need capacity building for cybersecurity
00:25:23 regulations.
00:25:24 We're talking about how we need harmonization.
00:25:26 We also need to ensure they have the appropriate expertise.
00:25:30 That is something that we at the Office of the National Cyber Director, with our partners
00:25:33 in the Office of Management and Budget, in our annual budget guidance that we provide
00:25:38 to agencies, have specifically highlighted for the fiscal year '25 budget as a key priority,
00:25:44 that they are making investments in the personnel that they need in order to do their jobs effectively.
00:25:50 More broadly, one of the key goals of implementing the National Cyber Workforce and Education
00:25:55 Strategy we released last year is both removing barriers and broadening pathways to entry.
00:26:02 A key initiative we are focused on right now is skills-based hiring.
00:26:06 It's removing the barrier of saying, if you have the appropriate skills to do a cybersecurity
00:26:12 job but you do not have a four-year college degree, that should not be a barrier in terms
00:26:16 of your being able to join the federal government.
00:26:20 Just at the end of April, we announced that next year, the 2210 series, which is the largest
00:26:25 series of federal IT positions, the Office of Personnel Management is working to ensure
00:26:29 that all 2210s you can hire using a skills-based process, which we believe is incredibly important
00:26:36 to getting the talent that we need into federal jobs.
00:26:39 That's really helpful.
00:26:41 Please stay in touch if there are additional strategies that we can employ to help bring
00:26:47 people in from the private sector to work for the federal government.
00:26:51 Mr. Hinchman, your written testimony discusses the need to harmonize cybersecurity requirements
00:26:56 with national infrastructure risk management planning.
00:27:00 Last year, I introduced bipartisan legislation with Senator Romney to codify the Department
00:27:04 of Homeland Security's national risk management process.
00:27:07 I'm pleased to see that the White House's recent national security memorandum includes
00:27:11 a requirement to implement part of our bill.
00:27:14 The memorandum requires the Department of Homeland Security to develop a national infrastructure
00:27:19 risk management plan and to update it periodically.
00:27:23 How could this plan improve cybersecurity across U.S. critical infrastructure and how
00:27:28 could the plan help harmonize current cybersecurity regulations?
00:27:32 Well, I think that this plan is going to go a long way towards all of those things.
00:27:37 The national infrastructure protection plan was last updated in 2013.
00:27:41 It is desperately needed.
00:27:43 The world has changed so much in the last 11 years, both in terms of technology, how
00:27:48 it's used, as well as the threat we face on a daily basis.
00:27:51 And I think that the national cyber strategies approach of building up from a risk management
00:27:57 plan that starts at the sectors, very sector specific, makes them go out, understand what
00:28:02 does their threat landscape look like, which then all come in to ONCD, or excuse me, to
00:28:08 DHS, which then inform the development of the national plan, which is then submitted
00:28:13 to the White House, is a very important first step for understanding what it is that we're
00:28:18 facing and what we need to have out there so that we can ensure that individual sectors
00:28:24 have the customized cybersecurity standards that they need, in addition to the national
00:28:29 framework that's developed.
00:28:31 And as they have the customized cybersecurity infrastructure that they need, you're also
00:28:34 able to identify things that they have in common.
00:28:37 And as we're talking about harmonizing efforts, right?
00:28:39 Absolutely.
00:28:40 Trying to make sure that the regulatory framework really is reflective of those specific needs.
00:28:47 Absolutely.
00:28:48 I think the way I think of it right now is we don't yet understand what we don't know.
00:28:51 And until that work is done, and as these efforts, as Mr. Leiserson has been describing,
00:28:56 that's all going to start to come together, and we're going to start to understand the
00:28:59 landscape a lot better.
00:29:00 And that's what's going to enable the really positive developments like the framework,
00:29:04 the customized specialties within sectors, as well as the commonalities that the sectors
00:29:09 share, as you mentioned.
00:29:11 Okay.
00:29:12 Thank you.
00:29:13 One more question to you again, Mr. Hinchman.
00:29:14 There are important reporting requirements for companies that are targeted by a cyberattack.
00:29:19 For example, some companies need to inform, must inform the Department of Homeland Security
00:29:24 about cyberattacks on critical infrastructure.
00:29:27 These reporting requirements provide the federal government with important information to prevent
00:29:31 cyberattacks on other companies.
00:29:34 One way to improve reporting requirements is to streamline them across state and federal
00:29:38 levels, which will help ensure that companies are aware of and able to fulfill their obligations.
00:29:43 How is the federal government coordinating the efforts of various federal agencies to
00:29:47 streamline reporting requirements for cyberattacks?
00:29:51 I think I would argue that that effort is very much in its infancy.
00:29:55 I think the press that you see every day about the SEC rule that came out last year with
00:30:01 CISA's notice of proposed rulemaking has a lot of people very concerned about just what
00:30:06 you mentioned, that there isn't that harmonization that's happening yet.
00:30:10 A lot of small businesses are very scared that these reporting requirements will crush
00:30:14 them under administrative burden.
00:30:16 And so I think that there's some work still to be done to make sure that we're imposing
00:30:21 the right requirements on the right organizations with the right threshold of burden.
00:30:25 There's going to be a burden.
00:30:26 We can't get around that.
00:30:27 But I think there needs to be sensitivity to what that burden is to different size organizations.
00:30:32 Thank you very much.
00:30:33 Thank you, Mr. Chair.
00:30:36 Thank you, Senator Hessen.
00:30:37 Mr. Reicherson, this next question will be for you.
00:30:40 In July of 2023, the Office of the National Cyber Director released a request for information
00:30:47 on cybersecurity regulatory harmonization.
00:30:51 The main theme of a lack of coordination amongst regulators, particularly independent regulatory
00:30:56 agencies such as the Securities and Exchange Commission, the Federal Communications Commission,
00:31:01 the Federal Trade Commission, certainly stands out to me.
00:31:06 So my question for you is, how is the ONCD incorporating the feedback from the RFI into
00:31:12 their work?
00:31:14 Thank you, Mr. Chairman.
00:31:15 We are very much -- the reason that we put out the RFI in the first place is absolutely
00:31:21 that we rely on the input from all of our partners, both in the private sector and in
00:31:26 the interagency, to inform our work.
00:31:29 There are a couple of things that I think really stood out to us in terms of the RFI
00:31:34 and have crystallized how we're approaching our regulatory harmonization and reciprocity
00:31:39 work going forward.
00:31:41 One element in particular is the fact that reciprocity, which we had theorized should
00:31:47 probably be part of the solution, was really highlighted in the RFI respondents as something
00:31:52 that is absolutely critical to our getting this right.
00:31:58 The focus on the compliance burden really points to the fact that, yes, you want a harmonized
00:32:03 baseline because that gives you the simplicity, the clarity of understanding what specifically
00:32:09 it is that you need to do.
00:32:11 But you need the reciprocity to ensure that that also translates into less compliance
00:32:16 costs.
00:32:17 The other thing that I think I'll highlight is the amount of focus on supply chain risk
00:32:22 management and the fact that for a number of companies, they are right now trying to
00:32:27 figure out how do they manage risk in their supply chains, cyber risk that can come because
00:32:33 there are either connections back into their networks or the fact that a disruption in
00:32:37 their supply chain could materially impact their business.
00:32:40 And having a harmonized framework would also help them do their own internal risk management
00:32:47 processes, which I will admit was not something that we were really thinking through at the
00:32:52 outset.
00:32:53 And now we look and say, well, this actually could be a catalyst for businesses, too.
00:32:57 You may have regulation that actually helps them manage their own business risk by being
00:33:01 able to look and say, oh, these folks have met the baseline standards.
00:33:06 That helps us understand what their posture is for our own internal business focus supply
00:33:11 chain risk management.
00:33:14 Mr. Hitchman, in your testimony, you highlighted that the federal government should adopt model
00:33:20 definitions and consider setting minimum cybersecurity requirements.
00:33:26 So how do conflicting definitions and requirements contribute to the difficulties in overall
00:33:32 compliance?
00:33:34 Anytime that an organization is subject to multiple -- the word of art is regime, reporting
00:33:40 regime, you run into compliance burdens.
00:33:43 And we've done work in the financial sector where CISOs from financial services firms
00:33:49 who have reported, their folks spend 30 to 40 percent of their time on compliance rather
00:33:54 than focusing on cybersecurity.
00:33:56 And it gets back to the point I'd initially made about duplication overlap, that when
00:34:00 you have multiple reporting regimes with multiple requirements that are not alike, you spend
00:34:05 a lot of time doing paperwork rather than focusing on your job, because you need to
00:34:10 meet the requirements of both of these frameworks that you're subject to.
00:34:14 A single overarching framework, which is then customized as appropriate within sector, ideally
00:34:19 would remove a lot of that burden, so that there is a single point of reference that
00:34:23 everyone starts from when thinking about cybersecurity in their organizations, and that includes
00:34:28 reporting requirements, anything else.
00:34:30 And when we talk about reporting requirement, there's a whole framework beyond that, you
00:34:34 know, identification management, protection of data, response, recovery.
00:34:41 And so I think it's really important that people be able to go to one place, know where
00:34:46 that starts, and then figure out what they're required to do from there, so that you can
00:34:51 streamline those compliance requirements.
00:34:53 There will always be some compliance burden, as I mentioned a moment ago, but we can do
00:34:57 a lot to streamline that and minimize it.
00:34:59 Yeah, very good.
00:35:00 Mr. Reicherson, to what extent has disharmonization of cyber regulations and compliance mechanisms
00:35:07 actually impacted the ability of companies to compete internationally?
00:35:13 Thank you, Mr. Chairman.
00:35:14 That has absolutely been something that we have heard, because -- for a number of reasons,
00:35:21 I would say.
00:35:22 So, first and foremost, it can mean that companies need to invest in multiple systems.
00:35:26 So you are basically forcing them to duplicate some of their information and communications
00:35:31 technology spend, because they are subject to disharmonious regulatory regimes.
00:35:39 And when that is the case, if they're competing against a company in, say, Europe that is
00:35:46 only operating under an EU framework, they will be at a competitive disadvantage.
00:35:53 I think that that really points to part of what we are hoping to get out of this effort
00:35:58 if we have a strong federal framework for baseline cybersecurity requirements that is
00:36:05 developed by all of the relevant parties in the interagency, including the independent
00:36:09 regulatory commissions.
00:36:11 That actually is very helpful for us in digital trade negotiations, in other export of American
00:36:19 businesses, because we can then go forth and say, hey, now we're looking for mutual recognition
00:36:23 with our international partners, and we can give folks an understanding of what exactly
00:36:28 that means, because we have a single framework to point to.
00:36:32 Whereas right now, when you look at mutual recognition, it's often challenging, because
00:36:36 we're pointing back to what we're doing that is a kind of hodgepodge of different regulatory
00:36:43 requirements.
00:36:44 Thank you.
00:36:45 Thank you.
00:36:46 Senator Lankford, you're recognized for your questions.
00:36:49 For my 19 minutes of questions.
00:36:51 For your 19 minutes.
00:36:52 Yeah, that's all I see.
00:36:53 Senator Rosen's here.
00:36:54 She'll want you to be brief.
00:36:55 Yeah, it'll be a little more brief than that.
00:36:57 Thank you both.
00:36:58 Thanks for the information and the background on it.
00:37:00 I apologize I've had to run in and out through this hearing as well.
00:37:06 You gave a stat earlier that I want to be able to drill down a little bit on it.
00:37:10 You gave a stat that one of the business organizations said they spend 30 to 50 percent of their
00:37:13 time not on security, but on compliance.
00:37:18 So let's drill down on that a little bit.
00:37:20 Do they give you information or do you have a sense of what that compliance is that could
00:37:25 not be done so they could spend more time on security?
00:37:29 Absolutely, Senator, and thanks very much for that question.
00:37:32 So that 30 to 50 percent number is for chief information security officers in their time.
00:37:39 That was in response to our RFI last year.
00:37:41 More recent testimony actually that was given in April before the Committee on Homeland
00:37:46 Security said that when you look at the CISO's teams' time, sometimes it's up to 70 percent.
00:37:52 So 70 percent of the human capital that in this case, this is the financial services
00:37:57 sector that had done this survey, 70 percent of their team's time were spent on compliance
00:38:02 activities.
00:38:03 And the concern that I think we have is not that there shouldn't be requirements.
00:38:08 There absolutely must be.
00:38:10 The financial services system, for instance, is absolutely vital to our economy, to our
00:38:14 national security.
00:38:16 However, when you have time spent on developing reports, on responding to examiners' questions,
00:38:25 not in a standardized, harmonized way, that is a challenge.
00:38:30 And a further challenge is if another regulator then comes in after you have just finished
00:38:34 an examination with the first, the second regulator comes in and says, hey, yes, you
00:38:41 have all of these reports that you've developed for the first, but we have a different opinion
00:38:47 with respect to risk.
00:38:48 And the chairman had asked earlier about why cybersecurity is particularly amenable to
00:38:53 harmonization.
00:38:54 And the reason is the risk that we're talking about here is the same.
00:38:58 It is the same information systems.
00:39:01 So that's really one of the challenges that we see out there and why we believe the approach
00:39:05 here is so important.
00:39:07 So what is the right percentage of time, do you think, to be able to do compliance?
00:39:11 Because they're going to have to do some, you're right, but 70 percent is clearly not
00:39:14 the right number on this to try to get it down to that level.
00:39:17 It's going to be just a ballpark.
00:39:18 I get that.
00:39:19 Yeah, I am more of a cybersecurity guy, Senator, than a compliance guy, but I'd be happy to
00:39:26 take that back and get some sense.
00:39:27 But 70 percent is not correct.
00:39:29 It's not correct.
00:39:30 I met with some folks that were in rural health care yesterday and nursing homes and skilled
00:39:35 nursing.
00:39:37 They're frustrated because their compliance requirements continue.
00:39:40 They're adding additional nurses, not to see patients, but to fill out forms that are now
00:39:44 being requested by CMS.
00:39:47 It's the same issue here.
00:39:49 They don't have the same issue of multiple regulators.
00:39:51 They just have increased amount of compliance to be able to fill out forms.
00:39:55 And when you take nurses away from patients to be able to fill out forms, you've got more
00:39:59 forms but not more care.
00:40:02 We have the same situation, my fear is, in that I know we have duplication, but we also
00:40:07 have increased requirements to be able to do some of these completed forms to be able
00:40:11 to turn in for someone to be able to put in a drawer so that later if there's a problem,
00:40:15 they can show, yes, here's your problem.
00:40:17 You didn't fill out this form correctly, rather than helping them with compliance.
00:40:20 That's my perspective on that, but that's one I'd be able to push on.
00:40:23 I need to ask, though, why OMB doesn't already have the authority to do this.
00:40:28 So obviously there's a lot of authority that OMB has to be able to coordinate against all
00:40:33 agencies.
00:40:34 What is unique about this legislation that gives authority that OMB doesn't have right
00:40:37 now?
00:40:38 Senator, thanks very much for that question.
00:40:41 And I will say a couple of things.
00:40:42 First of all, we are lockstep with OIRA, the Office of Information and Regulatory Affairs,
00:40:48 at OMB.
00:40:49 We work very closely with them.
00:40:52 Part of the challenge that they have is they do not have a gold standard that they can
00:40:55 point to when it comes to executive branch regulators and say, this is not harmonized
00:41:01 with something.
00:41:02 Right?
00:41:03 The challenge right now is you can come to a regulator and say, this doesn't look like
00:41:06 other regulations, but there isn't a policy that says this is what good baseline cybersecurity
00:41:12 requirements cross-sectorally for enterprise IT looks like.
00:41:16 That's part of what we're trying to solve.
00:41:18 The other challenge, though, is the independent regulatory commissions, which we do not have
00:41:23 the authority, neither OMB nor the Office of the National Cyber Director, to bring to
00:41:27 the table to help design that framework.
00:41:29 And from our standpoint, it needs to be an inclusive process.
00:41:32 We need to hear from everyone in order to design something effectively.
00:41:36 And that is something that, from the administration's perspective, not just ONCD's, the administration
00:41:42 supports the approach that Chairman Peters has laid out.
00:41:45 Okay.
00:41:46 I'm going to defer the time and actually be done earlier rather than later.
00:41:50 That's shocking.
00:41:51 I'm sorry, everybody.
00:41:52 I know everyone's shocking on this.
00:41:53 But Chairman Peters, this is an area we need to work on, the independent agencies, not
00:41:59 just in this area, but in a broader area.
00:42:01 My perspective, and I'm not going to force GAO to be able to make a comment about this,
00:42:06 my perspective on this, there are independent agencies that feel like they're independent
00:42:10 from everybody.
00:42:12 They're not independent from everybody.
00:42:14 They still need additional oversight.
00:42:15 They still need to be able to go through the OIRA review.
00:42:18 There's still some boundaries that need to be there when they're creating new regs, that
00:42:23 they're not a completely independent fourth branch of government, that they do need to
00:42:27 have some kind of oversight.
00:42:29 This is something I think we need to look at not only in this area, but in a broader
00:42:32 area in the days ahead and the authority this committee has.
00:42:37 Well, I agree with you.
00:42:38 But this is, I think, a very meaningful step.
00:42:41 It'll set an example of how we got to bring them together in a key area.
00:42:45 But I'm with you all the way, Senator, on that.
00:42:48 Senator Rosen, you're recognized for your questions early.
00:42:50 Well, thank you.
00:42:51 And I'm going to say, as a former software developer, systems analyst, I can tell you
00:42:56 IT modernization can improve, really help with compliance issues.
00:43:01 It can streamline the process.
00:43:02 And it can remove those duplicative reporting, because it can see what you're doing.
00:43:07 You shouldn't have to say, put this in this form.
00:43:11 It should populate in all the forms, just like we use when we use our phone.
00:43:16 And so I think there's a lot of things that can happen concurrently, not necessarily consecutively.
00:43:21 There's a lot of ways that we can work on this.
00:43:23 And I look forward to working on that as well.
00:43:25 But I'm going to talk about cyber incident trends.
00:43:29 Because implementing these federal cybersecurity regulations, they really create large data
00:43:35 sets of cyber incidents and information about the state of private sector cybersecurity.
00:43:41 And so when this data is analyzed, like I said, I'm a former analyst and software developer,
00:43:46 the aggregated data, it can bolster the resilience of both the public and private sectors by
00:43:53 identifying widespread vulnerabilities, malicious cyber campaigns, emerging threats, et cetera.
00:44:00 It can also be used in other ways against people as well, because you can de-aggregate
00:44:07 the data in some cases.
00:44:09 So we have to be mindful of that.
00:44:11 But here, how are agencies collaborating, Mr. Lierson, to leverage the cyber incident
00:44:17 data to identify these trends and help us move forward faster to target the entities?
00:44:27 Thank you, Senator, very much for that question.
00:44:30 As a former programmer myself, it is absolutely something that is of interest to us in conversations
00:44:35 that we've been having as we work to implement the committee or the legislation that this
00:44:40 committee pushed forward, the Cyber Incident Reporting for Critical Infrastructure Act,
00:44:45 to ensure that we are seeing exactly those gains in terms of an understanding of the
00:44:51 cyber landscape.
00:44:52 One of the things that I remember General Alexander said from the beginning of his time
00:44:57 at NSA as the director of NSA was we need a common operating picture of what's going
00:45:01 on in cyberspace.
00:45:03 CERCIA allows us to get there, but only if we are properly positioned to do the appropriate
00:45:08 data analytics once we get there.
00:45:10 And I have had conversations with DHS's new Office of Statistics, Homeland Security Statistics,
00:45:16 which has a cybersecurity program, about looking at exactly this challenge.
00:45:21 And I think it is one that as we move towards CERCIA implementation in September 2025, we
00:45:26 absolutely need to take advantage of what we can from the broader analytics landscape.
00:45:31 It's also something we at ONCD, in partnership with CISA and the Department of Treasury's
00:45:37 Federal Insurance Office, are working on for cyber insurance data as well, because the
00:45:42 insurers see a lot of these trends too.
00:45:45 I think it's important that we share some of the data in smart ways so we're not in
00:45:50 the silos where maybe the insurance company, insurance data sees one thing and some other
00:45:55 ways, electric companies see another, whatever that is, and you're missing these common threads,
00:46:00 as you know if you're working as a programmer as well.
00:46:04 And speaking of working as programmers, there's a workforce shortage, we know it, especially
00:46:10 in the private sector.
00:46:11 And there's currently nearly 470,000 cybersecurity jobs open in the United States, of course
00:46:17 across the tech industry, even more.
00:46:20 But compounding this challenge, cybersecurity teams, like I said, which is what James was
00:46:25 saying, they really are spending too much time on compliance.
00:46:30 And so if you want to add anything else about what he said, about how we use our staff in
00:46:37 smart ways, how we use artificial intelligence, how we create better, easier reporting, and
00:46:43 how do we populate data across to avoid those duplicative efforts.
00:46:46 If there's any last thing you want to say about that, I would like that, and then what
00:46:52 additional support you might need from us to help you do that.
00:46:57 Thank you, Senator, for that question.
00:47:00 It is a topic, the cyber workforce issue is one that all of us at the Office of the National
00:47:05 Cyber Director are passionate about, and implementing the national cyber workforce and education
00:47:09 strategy.
00:47:10 I mean, I got into cyber policy personally because as a programmer, I did not get trained
00:47:16 on secure software development whatsoever.
00:47:18 And I was in public policy classes and listening to my compatriots say, hey, we have all these
00:47:24 concerns about cybersecurity.
00:47:25 And I looked at them and I was like, I think I'm the problem.
00:47:30 So it is absolutely a challenge that we see.
00:47:33 I think a lot of the work that we're doing on regulatory harmonization and reciprocity,
00:47:38 I would say, is focused on actually reducing the demand side.
00:47:41 As Senator Lankford mentioned, I think we're really interested in saying we want our cybersecurity
00:47:46 personnel focused not on delivering reports to multiple regulators, but instead focused
00:47:52 on how are we going to actually secure systems.
00:47:57 So there's a lot of gains that we can see in terms of reduction on the demand side.
00:48:01 That's still not going to deal with those 470,000 open jobs.
00:48:05 The things that we're focused on right now at ONCD in particular are broadening pathways
00:48:11 and removing barriers.
00:48:12 I had mentioned earlier that we are doing a lot of work to ensure that skills-based
00:48:17 hiring for the federal government is the way we look at things going forward.
00:48:22 We're also looking to do that in contracts.
00:48:24 That has been a major focus of ours, is to say there should not be requirements in federal
00:48:30 contracts if you're going to provide IT support to the federal government that you need to
00:48:35 have any particular degree.
00:48:37 And that is a great way from our perspective to broaden the base that needs to come in.
00:48:41 Well, you know, in addition to expanding the private sector workforce, we know we have
00:48:46 to implement the National Cybersecurity Strategy.
00:48:51 Like I said, adding trained personnel to so many agencies.
00:48:54 Everybody needs it.
00:48:55 And so last Congress, I was proud to lead with Chairman Peters the Federal Rotational
00:49:00 Cybersecurity Workforce Program to help federal agencies better enhance their cyber workforce.
00:49:06 And so, Mr. Hinchman, which agencies that are required to oversee the implementation
00:49:11 of federal cybersecurity regulations themselves face significant cyber personnel shortages
00:49:17 or training deficiencies?
00:49:19 And what do you think we can help with?
00:49:21 How do you think we can help with that?
00:49:24 That's a big unknown right now, Senator.
00:49:26 I do lead our IT and cyber workforce work at GAO.
00:49:29 I will be doing the GAO mandate that's in your bill that was passed.
00:49:33 That's due I think at the end of next year, after the program's had a time to get up and
00:49:38 operate for a bit.
00:49:39 One of the things that the federal government really struggles with is not understanding
00:49:42 what our cyber workforce looks like within federal agencies.
00:49:46 We have a job that we're doing under our broad FISMA mandate for this committee that is looking
00:49:51 at five of the largest consumers of cyber workforce and trying to understand how they're
00:49:56 managing their workforce across the department at the department level.
00:50:01 And we're finding that, you know, in terms of the general practices that need to be applied,
00:50:05 there's work that needs to be done.
00:50:07 I think there is also a job we're doing for Chairman Green and House Homeland Security
00:50:11 looking at the cost of the federal cyber workforce.
00:50:14 And that's going to be looking at all 24 CFO Act agencies and comparing that cost versus
00:50:19 how much is spent on cyber as a service when you hire contractors to do your cyber security,
00:50:25 as well as looking for initiatives that different agencies have to try to get federal cyber
00:50:31 workers into the workforce for us.
00:50:33 But overall, the government is really just now starting to try to understand what the
00:50:38 federal cyber workforce looks like.
00:50:40 So it's hard to answer where those holes are.
00:50:43 I'm looking forward to this work.
00:50:45 It's exciting.
00:50:46 I think it's going to be a body of work that's going to add a lot of value to this conversation
00:50:49 the government's having because there's a lot that we need to be doing better to fill
00:50:53 those cyber workforce gaps.
00:50:55 Well, if I had my way, I would be down in every elementary school teaching all the fun
00:51:01 things about robotics and computing and STEM and logic, things I carry with me every single
00:51:07 day and show young folks the path forward and what a great, exciting careers they are
00:51:15 and hopefully get them early and they get the bug, no pun intended, for software.
00:51:20 But that would be my hope to really invest in that, in our young folks and bringing them
00:51:25 along.
00:51:26 Thank you, Chairman.
00:51:27 Thank you, Senator Rosen.
00:51:28 We appreciate your passion for that.
00:51:29 Thank you so much.
00:51:30 Senator Blumenthal, you're recognized for your questions.
00:51:33 Thank you very much, Mr. Chairman.
00:51:35 Thank you both for your work.
00:51:39 I think we're all becoming more and more aware of the need for standard setting and rules
00:51:45 in this area of cyber.
00:51:52 I think the general public is becoming more aware of it as well as we see the effects
00:51:57 of ransomware throughout our economy and our society.
00:52:04 Just last February, as you well know, a ransomware group launched an attack on Change Healthcare,
00:52:11 one of our nation's largest online healthcare claims and payments processors.
00:52:17 We're still seeing the effects of it in Connecticut and I think probably around the country.
00:52:23 Russia, China, Iran, and other foreign adversaries are targeting our critical infrastructure
00:52:29 and probing for vulnerabilities for even more catastrophic attacks.
00:52:37 Again, very recently, just this past Monday, the head of our Cyber Command, General Hao,
00:52:43 expressed his fears that China is, to use his word, pre-positioning itself in our critical
00:52:50 infrastructure.
00:52:51 Essentially, it's creating beachheads in case there is greater conflict between our countries.
00:52:57 It's a really scary set of developments.
00:53:02 We've already seen the immense cost and disruption of attacks, not only Change Healthcare, but
00:53:09 Colonial Pipeline, Maersk, other major companies.
00:53:15 We've been warned we need to treat this crisis like a national emergency.
00:53:21 We need to give it the urgency that Americans should feel as a nation, in effect, under
00:53:30 attack.
00:53:32 We should be ramping up our efforts to make sure that Russia and China can't keep exploiting
00:53:37 this critical infrastructure.
00:53:40 My question to both of you is, where are we falling behind on setting cybersecurity rules
00:53:47 that counter these efforts by Russia and China, that set the bar higher so that we are more
00:53:58 invulnerable to their creating havoc?
00:54:02 Senator, that is a very good point and I really appreciate the question.
00:54:11 Let me do a little bit of framing, I think, and then I'll talk about some of the specific
00:54:15 sectors and what we're up to, and then why we think that regulatory harmonization will
00:54:19 help.
00:54:20 On the framing side, I think we at the Office of the National Cyber Director could not agree
00:54:24 more that this is something that the American people need to understand and know about.
00:54:29 I have heard my boss, the National Cyber Director, Harry Kokir, Jr., say he was so grateful for
00:54:35 the opportunity to testify in January in front of the House about the Volt Typhoon activity.
00:54:41 This is People's Liberation Army and the People's Republic of China targeting our critical infrastructure
00:54:46 for exactly, as General Hawks suggested, pre-positioning, and the fact that that is putting America
00:54:52 at unacceptable risk.
00:54:53 It is unacceptable risk and we need to take action as a government to address that risk.
00:54:59 One of the ways to do so is to put in place baseline cybersecurity requirements.
00:55:04 I think what you've seen this administration do, leading on in particular, is the transportation
00:55:09 sector where we have emergency directives from the Transportation Security Administration.
00:55:14 Those are turning into a notice of proposed rulemaking to solidify the significant gains
00:55:20 that we've seen there.
00:55:22 There was an executive order that the President signed out earlier this year giving the Coast
00:55:27 Guard additional authorities in the maritime sector.
00:55:29 I think one of the areas that we're most interested in right now is seeing what we can do in the
00:55:33 water and wastewater system sector where there are still significant deficiencies and work
00:55:41 that we need to do.
00:55:42 I think foundational to our approach at ONCD is knowing that we need to see better cybersecurity
00:55:48 outcomes if we have a framework and we can say across sectors, "Here's how you should
00:55:54 be approaching securing your enterprise IT systems," which are what the adversaries are
00:56:00 targeting to get that initial access to set those beachheads.
00:56:04 We will see better cybersecurity outcomes.
00:56:06 In fact, you will be able to invest more in cybersecurity instead of in compliance.
00:56:12 We will actually see better cybersecurity outcomes with a harmonized baseline.
00:56:17 That is why we are so focused on this at ONCD.
00:56:21 We are a cyber office.
00:56:23 Our concern is cybersecurity outcomes.
00:56:25 When we see the amount of time and effort that's being spent on compliance from duplicative
00:56:30 regulations, that's not helping us get cybersecurity outcomes and we need to have better ones.
00:56:36 Thank you.
00:56:37 Mr. Hinchman.
00:56:39 I would echo Mr. Leiserson's comments.
00:56:43 The single cybersecurity framework is the important starting point.
00:56:47 I don't have much to add that he didn't say.
00:56:49 I also think that Congress will need to consider expanding regulatory authority for some agencies
00:56:53 in charge.
00:56:55 As I mentioned in my oral comments, that the private and public sector have to work together
00:57:00 in critical infrastructure.
00:57:01 In many cases, we can't compel private organizations to do certain things absent regulatory authority.
00:57:08 That does not mean that we should be passing wholesale power out there, but very targeted
00:57:13 specific.
00:57:14 A number of different plans have been put forward by the administration talking about
00:57:18 the need for those agencies to approach Congress with specific proposals for what they need
00:57:24 to increase that.
00:57:25 I think to echo the water and wastewater thought, I have a review looking at cybersecurity in
00:57:30 the water and wastewater sector that we're doing for two subcommittees on house homeland
00:57:35 security and that's exactly the problem they ran into.
00:57:39 This past fall, there was a much publicized snafu that EPA ran into trying to impose cybersecurity
00:57:45 requirements through sort of a backdoor because they didn't want to go through the onerous
00:57:49 rulemaking process.
00:57:52 They were met with a lot of resistance, a number of lawsuits, both from states and organizations,
00:57:57 and so they withdrew that requirement.
00:57:59 I think that there needs to be a different thinking about how we get the private sector
00:58:03 to come along with these requirements once they're in place.
00:58:07 Thank you.
00:58:08 Thank you both for your work and your answers to those questions.
00:58:12 Thank you, Mr. Chairman, for having this hearing.
00:58:15 There are a lot of multi-syllable words in the title to this hearing, harmonization,
00:58:20 cybersecurity, regulatory, but it really is a matter of national security and we need
00:58:26 to pay attention more vigorously than we have done.
00:58:31 Thank you both.
00:58:32 Thanks, Mr. Chairman.
00:58:33 Thank you, Senator Blumenthal.
00:58:34 A couple of final questions here for both of you.
00:58:39 Federal agencies, as you know very well, are not the only agencies that have cybersecurity
00:58:44 regulations.
00:58:45 State regulations, local cities, other localities across the nation have all sorts of requirements
00:58:52 for businesses that operate in their areas.
00:58:55 I'll give you a couple of examples.
00:58:56 For example, Massachusetts state law requires all persons who own or license personal information
00:59:02 about Massachusetts residents to develop, implement, and maintain a comprehensive information
00:59:06 security program.
00:59:08 The New York Department of Financial Services has also adopted a robust set of cybersecurity
00:59:13 rules with significant requirements for any company that provides a financial or credit
00:59:18 service within the state of New York.
00:59:21 I could just go on and on with that list.
00:59:24 Mr. Elisha, how is the federal government working to coordinate with state, local, tribal,
00:59:31 territorial governments all across the government landscape to harmonize these regulations?
00:59:40 Thank you, Mr. Chairman.
00:59:41 I will highlight a couple of points.
00:59:43 First of all, both the New York Department of Financial Services and the state of New
00:59:46 York responded to our RFI, our request for information.
00:59:51 One of the things that stood out to me was the fact that they really were asking for
00:59:55 federal leadership in this space.
00:59:57 DFS and the state said having strong federal guidelines, which a harmonized set of baseline
01:00:05 requirements would do, would help them significantly in terms of how they would model their work.
01:00:13 They have worked.
01:00:14 DFS has worked.
01:00:15 The Department of Financial Services has worked with federal regulators.
01:00:19 It is something that we're concerned about.
01:00:21 Again, like when we see duplicative requirements that are attempting to control the same risk,
01:00:25 whether they're at the state level, the federal level, or the international level, that gives
01:00:30 us pause.
01:00:31 But if we can get the federal house in order, if we can set a strong federal baseline requirement,
01:00:37 if we can lead, we do have strong confidence that both our state governments will look
01:00:45 at that as a gold standard and also start to move in that direction, and also our international
01:00:50 partners.
01:00:51 One of the things that the National Cyber Director, Harry Coker, Jr., has consistently
01:00:56 impressed upon me is in his conversations with international counterparts.
01:01:00 They bring up regulatory harmonization.
01:01:02 They ask, what is it that we're doing to help control risk to critical infrastructure?
01:01:07 And they say, gee, it would be great to see federal leadership here.
01:01:12 We need the United States to help us understand you have the most sophisticated tech sector.
01:01:17 You have the most reliance on technology.
01:01:20 If you can set a gold standard, that would help us.
01:01:23 That would give something for us to shoot for as well.
01:01:26 So I think it really is incumbent upon us in the federal government, partnering between
01:01:32 the administration and Congress, to set that standard.
01:01:37 And Mr. Hitchman, how does this contrasting federal, state, local regulations, how does
01:01:42 that impact businesses in our country?
01:01:44 Well, I think very similar to the problems we had with just sort of federal agencies,
01:01:50 it's the multiple requirements and who do you need to do and for what.
01:01:53 I think the examples you drew were great.
01:01:55 I live in Texas.
01:01:57 The Texas Department of Information Resources has an incident reporting rule that schools
01:02:01 are required to follow in a tech.
01:02:03 Well, the notice of proposal we're making also includes schools.
01:02:07 So now you're going to have schools that are trying to figure out how to do their local
01:02:11 reporting as well as the national reporting.
01:02:14 And these are organizations that traditionally do not have resources for this.
01:02:18 They're already undermanned.
01:02:19 IT is probably underfunded.
01:02:21 In a small district, you may have one person who does IT for the entire district, including
01:02:26 the cyber side.
01:02:28 And I don't know that that's sustainable.
01:02:30 And so I think we really need to think about how those state and local rules are impacted
01:02:38 by perhaps the federal leadership that's been called for so that they have more of a benchmark
01:02:43 to follow.
01:02:44 I think there's also things like privacy.
01:02:46 States are increasingly passing privacy laws, which may be conflicting with guidance they're
01:02:50 getting from the federal level.
01:02:52 And so how does a business operating manage both of those?
01:02:57 Similar to how sort of patchwork of federal regulations have popped up is the patchwork
01:03:01 of federal -- excuse me, state laws pop up as well.
01:03:05 That all needs to be managed and sort of brought into a common framework so that folks know
01:03:10 who to -- who they're operating from and what the standards are.
01:03:13 >> Well, very good.
01:03:16 I want to thank both of our witnesses.
01:03:19 Thank you for being here today and sharing your thoughts today.
01:03:25 Congress and the entire federal government must work together to harmonize our country's
01:03:30 cybersecurity regulations.
01:03:31 And I think the testimony from both of you was very clear to that point.
01:03:37 And it's without question a critical step in protecting both our citizens as well as
01:03:41 our businesses from cyber threats.
01:03:43 So I look forward to continuing to work together with both of you and others to strengthen
01:03:50 cybersecurity standards and make sure that they are also coordinated, effective, and
01:03:55 efficient and give our industries the guidance that they need.
01:04:00 The record for this hearing will remain open for 15 days until 5 p.m. on June 20th of 2024
01:04:07 for the submission of statements and the questions for the record.
01:04:11 This hearing is now adjourned.
01:04:13 [GAVEL BANGS]
01:04:13 [BLANK_AUDIO]

Recommended

1:00
I
Up next
Robert De Niro stars as former president facing deadly cyber attack in Netflix’s Zero Day
The Independent
0:20
Watch: Passengers stranded on Christmas Eve as American Airlines grounds all flights
The Independent
0:57
Watch: Behind-the-scenes clip of Gavin and Stacey Christmas Special teases return
The Independent
3:44:29
House Rules Committee Debates Anti-ICC Bill After Arrest Warrants Issued Of Israel's Netanyahu
Forbes Breaking News
43:38
BREAKING NEWS: GOP Senators Tear Into Biden Over New Executive Order On Border Security And Asylum
Forbes Breaking News
3:53
Raul Ruiz Asked Point Blank: 'What's Your Position On Gain Of Function Research?'
Forbes Breaking News
3:56
Top Dem Defends 6-Foot Social Distancing After Bombshell Fauci Admission It 'Wasn't Based On Data'
Forbes Breaking News
0:33
AOC: 'Patently Unproductive' To Have Israel's Netanyahu Address Congress
Forbes Breaking News
14:50
Chuck Grassley Calls Out Hillary Clinton & Crossfire Hurricane In Response To Trump Guilty Verdict
Forbes Breaking News
14:38
'We Should've Been Honest': Brad Wenstrup Confronts Fauci Over His Handling Of COVID-19 Pandemic
Forbes Breaking News
2:26
JUST IN: Hunter Biden Arrives At Wilmington, Delaware, Federal Court For Hearing In His Gun Trial
Forbes Breaking News
31:46
BREAKING NEWS: Speaker Johnson, House GOP Leaders Rip 'Sham Trial' That Led To Trump Guilty Verdict
Forbes Breaking News
13:33
Bernie Sanders Slams 'Netanyahu And His Extremist Government' After Biden Announces Ceasefire Deal
Forbes Breaking News
7:08
BREAKING NEWS: Matt Gaetz Directly Confronts Merrick Garland About 'Lawfare Against Trump'
Forbes Breaking News
1:19
BREAKING NEWS: First Lady Dr. Jill Biden Arrives At Federal Court For Hunter Biden’s Gun Trial
Forbes Breaking News
4:01
'I Know Where You're Going': Fauci Grilled By GOP's Lawyer About Gain-Of-Function Research
Forbes Breaking News
31:31
WATCH: GOP Lawyer Spends Half An Hour Questioning Dr. Fauci About Vaccine Mandates, 6-Foot Rule
Forbes Breaking News
2:22
Dr. Fauci Asked Point Blank About How 6-Foot Social Distancing Rule Came About
Forbes Breaking News
1:10
Marjorie Taylor Greene Says Funding Government 'Does Not Matter' After Trump Guilty Verdict
Forbes Breaking News
1:07
VIRAL MOMENT: John Rose’s Son Steals The Show Making Funny Faces Behind Dad’s House Floor Speech
Forbes Breaking News
7:42
JUST IN: Senate Democrats Warn Of Threats To Reproductive Rights After Dobbs Decision
Forbes Breaking News
11:28
'Enormously Disappointed': Chrissy Houlahan Fires Back At Beth Van Duyne Over Abortion Amendment
Forbes Breaking News
1:19
JUST IN: Famed Sex Therapist, Dr. Ruth Westheimer, Dies At 96
Forbes Breaking News
4:05
Political Scientist Reveals Issues In Minnesota Under Gov. Tim Walz
Forbes Breaking News
7:25
‘SBA Has Failed To Substantially Produce Documents’: Beth Van Duyne Presses Offical On Delay
Forbes Breaking News