Lawmakers Weigh Laws Proposed in Biden's Cyber StrategyDon't 'Overregulate,' GOP Subcommittee Chairwoman Tells White House Official
Members of a U.S. House subcommittee got their first look at the Biden administration's new national cybersecurity strategy and quizzed the White House cybersecurity director on the timeline, proposed regulations and incentives for private businesses.
The cybersecurity strategy, released March 2, focuses on five major areas: protecting critical infrastructure, disrupting threat actors, improving resilience, investing in cutting-edge technology and enhancing international partnerships. Among the provisions are mandatory requirements for critical infrastructure and new regulations to hold software developers responsible for poor practices.
The House Subcommittee on Cybersecurity, Information Technology, and Government Innovation on Thursday got a breakdown from Kemba Walden, acting national cyber director. Oversight Subcommittee Chairwoman Nancy Mace expressed support for the strategy but said she wants to know more about the implementation.
"We don't want China to eat our lunch or Russia or Iran or any of that," the South Carolina Republican said, "but from God's lips to my ears, you said you didn't want to overregulate."
"Who's going to coordinate the cybersecurity regulatory regime and then also de-conflict when that's necessary?" she asked.
Walden replied that the administration is already working through the Office of Management and Budget to ensure "regulatory harmonization."
"We will think through precisely what are the gaps, what are the regulations, what are the authorities that exist now that we're underutilizing for regulatory purposes of cybersecurity?" Walden said. "How do we fill any gaps that might exist? But most importantly, you and I agree that we need to harmonize so that we make sure that we incentivize investment in cybersecurity requirements and not compliance, which some sectors are doing right now."
"I feel that we're moving like a bullet train in this space. There is a sense of urgency here."
– Kemba Walden, acting U.S. national cyber director
Walden added that "cyberspace is a global commons. It's a public good. So the United States government has a responsibility and a duty to make sure that it's safe."
"One of those opportunities is raising baseline cybersecurity requirements across all critical infrastructure sectors, and there are many ways to do it," Walden said. "But as we do that, we need to make sure that no one particular sector is overregulated so that we encourage investment in raising baseline cybersecurity requirements rather than investing in compliance."
Asked by lawmakers about the timeline, Walden didn’t provide a schedule but pointed out that all top administrators in the federal government are charged with implementing zero trust and submitting a plan for compliance.
"I feel that we're moving like a bullet train in this space. There is a sense of urgency here," Walden said. "We want to get it right, though. So we have all of the departments and agencies working with us."
Cyber Liability for Software Makers
Rep. Gerry Connolly said the government must address the current "patchwork of cyber regulations” and that software companies that fail to meet best practices should be held liable for breaches caused by software bugs. One major political question overshadowing the Biden strategy is whether Congress will support it with new legislation to regulate these companies. Connolly, a Virginia Democrat, said Congress must support it.
"If we do not hold bad actors or actors more focused on sales than security accountable, we disadvantage responsible companies that take time to follow these best practices, and we increase systematic risk for our constituents," Connolly said. "Congress must provide the funding and clarify the authorities needed to ensure its success."
Rep. William Timmons pointed out that the private sector is one of the main targets of cybercriminals, and he questioned a plan for a national cybersecurity insurance backstop to help cover losses. "Do you think that the federal government has a role in backstopping those businesses and assuming they're doing everything possible to avoid an attack?" asked the South Carolina Republican.
"That is indeed one of the tools that we are considering," Walden said. "So, a cyber insurance backstop - think of it as flood insurance, for example, in order to make sure that for cybersecurity, small and medium businesses don't bear the full cost of the cybersecurity breach, while we're also working on making sure that the systems are resilient."