To harmonize cyber regulations, researchers and the government must first understand disharmonies and their causes.
If a large U.S. company suffers a data breach, losing a substantial amount of sensitive or personal data, to whom must it report and when?
The answer is anything but straightforward. Most individual states require reports within 60 days, but others range from 90 days to a single day. Some federal agencies require reports in three days, others four. There are 13 separate forms and 10 websites in use by the federal government for incident reporting, according to the federal Cyber Incident Reporting Council, and “of the 22 Federal agencies with current cyber incident reporting requirements, only three recognize or accept another agency’s form.” If the company is a bank, it turns out “eight Federal agencies currently have reporting requirements applicable to the financial services sector.”
This disharmony drives duplication without advancing security. Some large firms “may spend up to 40% of their cybersecurity budget submitting regulatory compliance reports” while other bank security executives “report spending 30 percent to upwards of 50 percent of their time on regulatory compliance.”
There appears to be widespread agreement on the need to fix these issues. When the White House’s Office of the National Cyber Director (ONCD) asked about the impact of the lack of harmonization, the answers were consistent. As the Business Roundtable summarized, “Duplicative, conflicting, or unnecessary regulations require companies to devote more resources to fulfilling technical compliance requirements without improving cybersecurity outcomes.”
But if everyone wants harmony, why does the government keep producing disharmony? Moreover, are all forms of disharmony inherently bad, or might some be beneficial?
Our analysis finds there are eight drivers of disharmony, as shown in Table 1. Five are inward facing, rooted in the internal processes of individual regulating agencies (rather than external risks or opportunities). Inward-facing drivers tend to be particularly arbitrary, “harming cybersecurity outcomes while increasing compliance costs through additional administrative burden,” as reported by ONCD. Paradoxically, they may be easier to solve. Because they result from internal bureaucratic processes, each regulator could, in theory, unilaterally eliminate the disharmonies.
Another three drivers are outward facing, that is, dealing with the environment external to individual regulators. For example, a regulator might tailor different rules to different companies within a sector to address unique risks. While this is still a disharmony, such outward-facing drivers can be helpful, reducing cyber risk. However, when they are duplicative or unnecessary, outward-facing drivers can be harder to solve because they require coordination or consensus instead of unilateral action.
Table 1: Drivers of Disharmony in Cyber Regulations

| Inward Facing (Internal to a Regulator) | Outward Facing (External to a Regulator) |
| --- | --- |
| Unique authorities and public policy purposes | Sector- and company-specific tailoring of regulations |
| Precedents to other regulations or bureaucratic processes | Evolving risk profiles due to shifts in geopolitics or technology |
| Uneven distribution of expertise and information | Lack of centralized governance and frameworks |
| Desire for sovereignty or organizational autonomy | |
| Bureaucratic inertia and particularities | |
Inward-Facing Drivers of Disharmony
The five inward-facing drivers of disharmony typically arise from bureaucratic idiosyncrasies and irrationalities. They tend to be more problematic than the external drivers.
Unique authorities and public policy purposes
Incident reporting, as summarized above, is one of the best examples of unique authorities and public policy purposes driving disharmony. Because each U.S. regulatory agency has been authorized by law to mandate reports to advance its mission and public policy, there are now “45 requirements across 22 agencies” to report cyber incidents, according to a report by the federal Cyber Incident Reporting Council. There is a wide range of “differences in the definitions of reportable cyber incidents; the timelines and triggers for when reports must be made; the content of reports; and how the reports are submitted to relevant agencies.”
Some public policy demands very short reporting timelines. When a Russian ransomware group disrupted Colonial Pipeline, for example, the Department of Homeland Security (including the Transportation Security Administration [TSA] and the Cybersecurity and Infrastructure Security Agency [CISA]) needed to know immediately, to assess the potential impact on public health and safety and to enhance situational awareness across critical infrastructure sectors.
The timelines are far more relaxed for assessing the effectiveness of security controls or developing actuarial data for insurance and reinsurance. Rather than hours or days, that information can usually trickle in over weeks and months. These differing timelines produce disharmony.
The most important U.S. reporting legislation, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), forces very short reporting deadlines—just 72 hours—not just for immediate crises to “assess potential impact of cyber incidents” affecting the nation’s infrastructure but also for reports for which there is no rush, such as “assess[ing] the effectiveness of security controls.”
Different internal precedents and processes
Inconsistencies also arise when regulators rely on different internal precedents and processes. Whereas the previous driver related to legal authorities and mission, these internal precedents rely on the culture or existing processes of a regulator.
For example, in 2023, the Securities and Exchange Commission (SEC) adopted a four-business-day disclosure timeline for public companies, running from the point at which the company determines an incident to be material. Unlike CIRCIA’s 72-hour deadline, which Congress fixed in statute, the SEC’s timeline was the commission’s own choice; it could have picked any deadline. But four business days is the SEC’s existing timeline for disclosing any kind of material event, so the SEC naturally stood by that internal precedent, even though other financial regulators mandate shorter reporting timelines.
Uneven distribution of expertise and information between regulatory agencies
There is also an uneven distribution of expertise and information between regulatory agencies. Some companies are regulated by the Department of Defense, which has access to classified threat information—driving particular requirements. Some of those same companies might also be regulated by the Federal Aviation Administration, which lacks that classified information, leading to looser requirements.
When CISA reviews reports submitted by banks under CIRCIA, it will have far fewer experts to understand the impact than finance-sector regulators whose only job it is to understand that sector. Those regulators, with on-site supervisors at the large banks, will also have access to extensive, nonpublic information that they usually cannot share with other government parties.
Sovereignty and organizational autonomy
State data-breach notification laws—which differ widely—provide insight into sovereignty and organizational autonomy as a driver. Each state is sovereign and can insist on unique, unharmonized rules. New Jersey’s breach notification law, for example, requires notification to state police prior to notifying consumers, while Virginia mandates simultaneous notification to the state attorney general and consumers.
When customers’ sensitive personal health information has been stolen, different states have mandated a wide range of notification time frames, from 90 days to a single day, according to data from the Cooperative Exchange, The National Clearinghouse Association. These differences are not tied to different authorities or missions, as each state has the same broad purpose to protect citizens’ data. Each is doing so—uncoordinated with one another—because there is no reason not to.
Bureaucratic inertia and particularities
As Jim Dempsey has explained in Lawfare, regulators have developed different security controls for ostensibly similar purposes. These differences seem to arise entirely from idiosyncratic or arbitrary choices made by each regulator rather than from careful tailoring to each sector.
For example, Dempsey found that CISA’s Cybersecurity Performance Goals (CPGs) “have a section on supply chain risk, a topic not covered at all” in TSA’s directive on pipeline security, while the TSA directive “has controls not mentioned in the CPGs, such as the capability to monitor or block connections from known or suspected malicious command-and-control servers.”
Banks are subject to cybersecurity audits from multiple regulators. Despite the regulators being concerned about nearly identical risks, banks find “only 30 percent of exam documentation can be reused due to slight differences in exam scope and cadence between different regulators,” which increases costs as “repackaging exam responses to account for modest variations in exam scope consumes significant staff resources and leaves less time for core security activities.” In such cases, the regulation depends not on external risk, specific authorities, or existing precedent, but simply on the particular people and processes involved.
Outward-Facing Drivers
Other drivers of disharmony are external to the regulators. These can sometimes be beneficial—reducing high-level risks at reasonable cost and without duplication—when they are tailored to specific risks and not merely arbitrary. These issues are related to the previously mentioned “unique authorities and public policy purposes” but relate to the external environment, not the internal factors of each regulator.
Sector- and company-specific tailoring
Most obviously, the need for sector- and company-specific tailoring will lead to differences in regulations. Facing many similar threats, banks are heavily regulated for cybersecurity while casinos are not. When sectors and companies are treated differently, there are opportunities for disharmony and inconsistency. That does not mean these regulations are arbitrary or need to be eliminated.
Any particular regulation, such as mandatory reporting of an incident within 72 hours, may be too rapid for some sectors and companies but too delayed for others. Some sectors are just more used to dealing with regulations (compare, say, bulk electricity versus water and wastewater) or have more resources to deal with them (such as rich Wall Street banks), requiring different regulations.
Individual companies can also require tailored rules. Systemically Important Financial Market Utilities and Global Systemically Important Banks are deemed so critical to the economy by regulators as to require substantial additional requirements. The same concept underpins CISA’s work on Systemically Important Entities.
Tailoring regulations for sector specificity is generally beneficial but does impose costs for companies that operate across different sectors, each with its own set of rules. Defense contractors “are often subjected to multiple incongruent cyber requirements across a multitude of varying cyber frameworks,” while companies in the aviation industry could be subject to 11 different incident reporting requirements.
Geopolitical and technological changes
Geopolitical and technological changes also create disharmonies, especially when they occur rapidly. For example, after the full-scale Russian invasion of Ukraine, CISA worked with the Defense Department to identify the entities that might be most likely to come under attack. This did not lead to any additional security burdens, though it might in the future if—for example—China invades Taiwan.
As for technological changes, artificial intelligence seems likely to invite disharmonies, as it will disproportionately impact different sectors at different paces. Also, since “federal regulations in the US electricity sector focus on bulk distribution,” those rules will need to change as renewable energy becomes ever more important to the U.S. economy.
Lack of centralized governance mechanisms and frameworks
The last driver, a lack of centralized governance mechanisms and frameworks, is rarely as beneficial as the other outward-facing drivers. There are few top-down instruments to coordinate harmony between regulators, many of which are independent agencies. In the United States, the proposed Cybersecurity Regulation Harmonization Act would establish a Harmonization Committee, augmenting the existing Cybersecurity Forum for Independent and Executive Branch Regulators.
The European Union has faced similar regulatory challenges, as the Network and Information Security Directive (NIS 1) gave too much discretion to member states, leading to disharmonies. The revised NIS 2 accordingly introduced simplified definitions, a unified penalty regime, and common fines across the member states.
These disharmonies are magnified by a lack of cross-border coordination mechanisms, forcing multinational companies to institute costly compliance mechanisms that may not improve security.
However, there are some low-cost solutions. Common frameworks are an easily implementable tool to improve coordination and governance, including across borders. Many of the existing frameworks are at the level of individual cybersecurity controls. As Dempsey points out, these can have anywhere from 36 to nearly 1,200 separate controls, so improvements here can have a substantial impact. Other useful frameworks assess whether regulations are performance based or management based.
Recommendations and Conclusions
Congress and the executive branch—including independent regulatory agencies—must not only eliminate inconsistent regulations but also go after the source of the problem, tackling these drivers of disharmony. If not, then new, inconsistent rules will continue to proliferate, even as old ones are removed. Accordingly, we offer the following six recommendations.
First, congressional committees should review where legislation might be overly specific (such as mandating reporting within 72 hours, per CIRCIA) or not specific enough. This is especially important with the Supreme Court’s decision in Loper Bright, which puts “greater onus on Congress to write laws that clearly express its intent.”
Second, Microsoft, Google, the Bank Policy Institute, and other industry groups have stressed the need to designate a national entity charged with harmonizing regulations. It is essential to pass purposeful legislation, such as the Streamlining Federal Cybersecurity Regulations Act, to create an interagency Harmonization Committee, run by ONCD, with sufficient staffing and budget.
This committee must have real enforcement mechanisms to coordinate independent or recalcitrant agencies, as there may be far too many regulations, governed by far too many agencies (and congressional committees), for such a committee to succeed if it lacks teeth.
Third, regardless of the status of any legislation, ONCD should create a new office for regulatory matters and prepare a regulatory strategy for ultimate approval by the National Security Council and National Economic Council. Regulation is one of the most complex, and certainly the most politically sensitive, cybersecurity initiatives ever undertaken by the U.S. government. It deserves the special attention of a dedicated office and strategy, and approval at the highest levels of government.
Fourth, ONCD should expand efforts to develop regulatory frameworks. These frameworks should cover not just specific controls but also categories of regulations (such as performance based versus management based) and specific market failures. Regulatory harmony is far easier with management- and principles-based regulations, so the White House should be absolutely clear about what those regulations look like and how to craft them.
Fifth, ONCD should create, or task the National Institute of Standards and Technology or CISA to create, a centralized repository of risk profiles and document the labyrinth of different security controls. Google and MITRE are among those recommending such a step to facilitate reciprocity between regulators.
Sixth, Congress and ONCD should consider establishing one or more regulatory clearinghouses. A clearinghouse, perhaps at CISA “or by an independent third party on behalf of the federal government,” could operate as a central hub for all incident reports, forwarding the details to whichever agency requires them. Another clearinghouse, such as the White House’s Office of Information and Regulatory Affairs, might operate as a gatekeeper, reviewing any proposed regulations “to ensure they are consistent with cybersecurity regulatory harmonization objectives.”
***
Regulatory disharmonies are inevitable unless their root causes are addressed. Effective governance, smart regulations, and routine pruning are key to minimizing such disharmonies, which pose significant threats to cybersecurity.
– Jason Healey, Samuel Dab, Published courtesy of Lawfare.