The newly minted National Cybersecurity Strategy has drawn both proponents and critics of its regulatory approach.
The anticipated impact of federal cybersecurity regulation on industry.
Yesterday's release of the US National Cybersecurity Strategy will affect industry through new regulations that are yet to be implemented. Some praise the strategy for establishing a national baseline for cybersecurity, while others view the regulations as troublesome.
Industry executives see potential positives stemming from the addition of federal cyber regulations.
“This is a bold agenda and step in the right direction for creating a safer digital future for all,” says Corey Thomas, CEO and Chairman at Rapid7, who praises the clarity of a federally standardized approach. “We live in a world today where every company, government, and non-profit is becoming a software provider in an effort to better serve their customers and constituents. Many of these organizations are still maturing their ability to develop software and services securely. Clear national standards will be a significant step in the right direction.”
The Washington Post shared that former White House homeland security official Tom Bossert commended the strategy for taking into account the effects and costs to industry of implementing new regulations, and noted that how well the standards work will depend on how they are written. A lack of detail can also leave the door open to future intergovernmental collaboration without a need for immediate action, former Defense Department official Jonathan Reiber told the outlet. Fran Rosch, ForgeRock’s Chief Executive, sees the regulations as a solid foundation to build on, saying “I believe that Federal oversight will help improve the baseline for our country as a whole. It isn’t uncommon for the government to enforce new regulations to ensure public safety and national security. Software shouldn’t be any different.” Lauren Van Wazer, Vice President of Global Public Policy at Akamai, corroborates this idea, noting that “The devil will really be in the details of implementation. The success of items, such as increased regulation for software and cloud providers and the shift of security liability to software and service providers, will be set by how the administration determines regulatory safe harbors. If these shifts are not done thoughtfully, this could adversely impact the potential for innovation in the dynamic online environment. We look forward to hearing from and working with the government moving forward.”
Sean Tufts, OT/IoT practice director at Optiv, praises federal involvement as a necessity, welcoming the strategy as a starting point:
“In the public sphere, electric utilities and oil/chemical companies have binding cyber regulations. This is helpful but isolated to these industries. CISA defines 16 total industries as critical, but the majority have no defined OT cyber regulations. Our food and beverage production, transportation systems, manufacturing firms and many others need formal guidance and regulation in the same vein. We welcome this support and look forward to further Federal involvement to encourage investment in people, process and technology for all critical industries.”
“Today’s release of the Biden-Harris Administration’s National Cybersecurity Strategy is a much-needed and welcome step towards building a bigger, more inclusive and effective U.S. cybersecurity workforce,” said Clar Rosso, CEO of (ISC)2, praising the strategy’s commitment to diversity, equity, and inclusion. “The strategy recognizes that organizations are trying to hire from too small a talent pool. We welcome that diversity is recognized as a valuable investment that expands the pool, bolsters the nation’s ability to manage and mitigate incidents, develop new skills to protect our digital future and underpin the next generation of cybersecurity research and development.”
Some find more harm than help in additional government-implemented regulations.
An opinion piece on CSO Online details some holes in the argument for software liability regulation, namely the difficulty of defining the standard for regulations and what level of security is “good enough,” as well as the problems with strict blanket cybersecurity requirements for devices and systems. The article notes the impracticality of stringent requirements, both in price and usability, because they add hidden costs and because specific security features cannot be used on certain products and devices. “With the new policy, the onus is now on technology companies to mitigate cyber risks and as a result, they are forced to take a hard look at their security programs to ensure they are meeting these new standards and guidelines. That said, they must also look beyond their current approaches to discover new ones that will strengthen their cybersecurity frameworks even further,” says Camellia Chan, CEO and Co-Founder of Flexxon. “This adds another level of pressure that security professionals already experience as cyberattacks continue to grow in volume and complexity.”
The Record reported yesterday that House Homeland Security Committee Chairman Mark Green and Cybersecurity Subcommittee Chairman Andrew Garbarino, while praising some aspects of the strategy, noted that the increased regulations run counter to the government-private sector harmony promised by the Cyber Incident Reporting for Critical Infrastructure Act of 2022. The lawmakers assert that streamlining the cybersecurity standards already in place should take priority over additional red tape.
Cody Cornell, Co-Founder & Chief Strategy Officer at Swimlane, discusses the potential problems with a framework that has no enforcement if sectors are not properly defined:
“The need to defend critical infrastructure was top of mind for many in 2022, with both the Colonial Pipeline ransomware attack and multiple attacks on water treatment facilities that continue to reinforce the need for improved protection and resiliency from both state-sponsored actors and individual attackers alike. The White House is calling for new regulation that is not only for critical infrastructure, but sector-specific regulatory frameworks. While the idea of sector-specific frameworks is a good one, these frameworks are not one size fits all and have specific guidance and controls that can be very beneficial. There is a lot of work to be done on defining the sectors, the frameworks, getting buy-in and providing guidance on not just implementation, but how they will be measured and enforced, because a framework with no enforcement is entirely voluntary and runs contrary to the goal of rebalancing the responsibility of defending cyberspace. As we’ve seen as an industry, getting a standard built, especially a collaborative one, can be extremely time-consuming, and the ability for it to become watered down and lack the teeth to drive change is always a risk in the development and refinement process.”