Cyber Insurance , Governance & Risk Management , Standards, Regulations & Compliance

Lawmakers Weigh Laws Proposed in Biden's Cyber Strategy

Don't 'Overregulate,' GOP Subcommittee Chairwoman Tells White House Official
Lawmakers Weigh Laws Proposed in Biden's Cyber Strategy
Kemba Walden, acting national cyber director, addresses the subcommittee. (Source: U.S. House of Representatives)

Members of a U.S. House subcommittee got their first look at the Biden administration's new national cybersecurity strategy and quizzed the White House cybersecurity director on the timeline, proposed regulations and incentives for private businesses.

See Also: Cyber Insurance Assessment Readiness Checklist

The cybersecurity strategy, released March 2, focuses on five major areas: protecting critical infrastructure, disrupting threat actors, improving resilience, investing in cutting-edge technology and enhancing international partnerships. Among the provisions are mandatory requirements for critical infrastructure and new regulations to hold software developers responsible for poor practices.

The House Subcommittee on Cybersecurity, Information Technology, and Government Innovation on Thursday got a breakdown from Kemba Walden, acting national cyber director. Oversight Subcommittee Chairwoman Nancy Mace expressed support for the strategy but said she wants to know more about the implementation.

"We don't want China to eat our lunch or Russia or Iran or any of that," the South Carolina Republican said, "but from God's lips to my ears, you said you didn't want to overregulate."

"Who's going to coordinate the cybersecurity regulatory regime and then also de-conflict when that's necessary?" she asked.

Walden replied that the administration is already working through the Office of Management and Budget to ensure "regulatory harmonization."

"We will think through precisely what are the gaps, what are the regulations, what are the authorities that exist now that we're underutilizing for regulatory purposes of cybersecurity?" Walden said. "How do we fill any gaps that might exist? But most importantly, you and I agree that we need to harmonize so that we make sure that we incentivize investment in cybersecurity requirements and not compliance, which some sectors are doing right now."

"I feel that we're moving like a bullet train in this space. There is a sense of urgency here."
– Kemba Walden, acting U.S. national cyber director

Walden added that "cyberspace is a global commons. It's a public good. So the United States government has a responsibility and a duty to make sure that it's safe."

"One of those opportunities is raising baseline cybersecurity requirements across all critical infrastructure sectors, and there are many ways to do it," Walden said. "But as we do that, we need to make sure that no one particular sector is overregulated so that we encourage investment in raising baseline cybersecurity requirements rather than investing in compliance."

Asked by lawmakers about the timeline, Walden didn’t provide a schedule but pointed out that all top administrators in the federal government are charged with implementing zero trust and submitting a plan for compliance.

"I feel that we're moving like a bullet train in this space. There is a sense of urgency here," Walden said. "We want to get it right, though. So we have all of the departments and agencies working with us."

Cyber Liability for Software Makers

Rep. Gerry Connolly said the government must address the current "patchwork of cyber regulations” and that software companies that fail to meet best practices should be held liable for breaches caused by software bugs. One major political question overshadowing the Biden strategy is whether Congress will support it with new legislation to regulate these companies. Connolly, a Virginia Democrat, said Congress must support it.

"If we do not hold bad actors or actors more focused on sales than security accountable, we disadvantage responsible companies that take time to follow these best practices, and we increase systematic risk for our constituents," Connolly said. "Congress must provide the funding and clarify the authorities needed to ensure its success."

Rep. William Timmons pointed out that the private sector is one of the main targets of cybercriminals, and he questioned a plan for a national cybersecurity insurance backstop to help cover losses. "Do you think that the federal government has a role in backstopping those businesses and assuming they're doing everything possible to avoid an attack?" asked the South Carolina Republican.

"That is indeed one of the tools that we are considering," Walden said. "So, a cyber insurance backstop - think of it as flood insurance, for example, in order to make sure that for cybersecurity, small and medium businesses don't bear the full cost of the cybersecurity breach, while we're also working on making sure that the systems are resilient."

About the Author

Cal Harrison

Cal Harrison

Editorial Director, ISMG

Harrison helps ISMG readers gain new perspectives on the latest cybersecurity trends, research and emerging insights. A 30-year veteran writer and editor, he has served as an award-winning print and online journalist, mass communication professor and senior digital content strategist for DXC Technology, where he led thought leadership, case studies and the Threat Intelligence Report for the Fortune 500 firm's global security, cloud and IT infrastructure practices.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.