Businesses around the world must presently comply with numerous cybersecurity regulations, most of which are neither harmonized within a single country nor between like-minded countries.
Harmonization involves aligning regulations and requirements across different agencies (and sometimes across governments) to ensure consistency, drive policy toward common outcomes, and avoid duplicative or conflicting rules and requirements.
The US government has identified harmonization as a major objective; the Office of the National Cyber Director’s Summary of the 2023 Cybersecurity Regulatory Harmonization Request for Information found that regulatory harmonization would help “to achieve better cybersecurity outcomes while lowering costs to businesses and their customers,” which explains why harmonization was one of the priorities in the US National Cybersecurity Strategy. Those documents recognize that harmonizing cybersecurity regulations benefits companies, their customers (including government agencies), and the resilience of the entire digital ecosystem – it’s a win-win-win.
The benefits of harmonizing cybersecurity requirements are numerous and include:
- Improving cybersecurity by reducing complexity and cost of compliance (allowing companies to allocate resources toward security activities).
- Promoting innovation by reducing how much companies compete on their ability to efficiently comply with numerous cybersecurity regulations and increasing how much they compete on their ability to provide more effective and secure products.
- Growing the economy and delivering for citizens by removing barriers to entry for innovative companies and guaranteeing customers and government agencies access to best-of-breed solutions.
- Delivering secure government services by improving procurement processes and focusing resources on agencies’ core missions.
Despite these and other benefits, cybersecurity regulation harmonization faces challenges. The first (and obvious) challenge is that there are numerous regulations that need to be harmonized. The congressionally mandated Department of Homeland Security (DHS) Report to Congress on Harmonization of Cyber Incident Reporting to the Federal Government (CIRC Report) identified 52 in-effect or proposed cyber incident reporting requirements alone.
The second challenge is that government agencies are simply not motivated or incentivized to harmonize their cybersecurity regulations. Agencies tend to focus on their specific needs rather than aligning their cybersecurity interests. Consolidating needs across government can ensure that cybersecurity systems and the entire IT ecosystem are updated more quickly and to contemporary practices.
To overcome these challenges, Congress should consider the following actions:
- Establish an expert commission to drive harmonization of cybersecurity regulations. This commission would be composed of government regulators and industry experts with a mandate to drive harmonization of all cybersecurity regulations, including cybersecurity incident reporting. We recognize that the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) tasked the Computer Incident Response Center (CIRC) with writing a report on cyber incident reporting, but the first step toward harmonizing cybersecurity regulations is tasking that harmonization to a single entity.
- Direct this commission to deliver a comprehensive report to Congress, building on the CIRC report, that identifies all existing and proposed cybersecurity regulations along with specific recommendations on how regulators should harmonize them.
- Begin harmonizing cybersecurity regulations across relevant agencies pursuant to the Commission’s recommendations, or require agencies to report to Congress on why they are declining to do so.
- Leverage aggressive and effective oversight: Congress should use the Commission’s recommendations and the regulators’ responses to drive regulators to harmonize their cybersecurity regulations through aggressive and effective oversight.
Combining these actions and engagement with like-minded allies to harmonize cybersecurity laws and policies across borders will make these efforts even more impactful. For this reason, Congress and the Administration should ensure that our diplomatic engagements prioritize harmonization of cybersecurity regulations between governments.
Harmonizing cybersecurity requirements is an ideal issue for the US Government, like-minded allies, and industry to work together to achieve because it is a win-win-win. It’s time to start singing from the same song sheet.