Johnson Seeks Bipartisan Cybersecurity Solution as ITI CEO Calls Hearing 'First Step'
Senate Homeland Security Committee Chairman Ron Johnson, R-Wis., told us he will seek a bipartisan answer to reduce duplicative and conflicting cybersecurity regulations and empower a central agency or individual to oversee that coordination with the private sector. "We've got to consolidate our efforts," he said after a Wednesday hearing on the issue. Representatives from the health, financial, state and technology sectors said businesses and agencies face multiple regulators and redundant efforts to ensure cybersecurity compliance or sometimes are unsure whom to go to for guidance.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
"There's got to be somebody in charge to harmonize and integrate so we don't have ... these conflicting standards and this 40 percent burden," said Johnson, citing "pretty powerful testimony" from Christopher Feeney, president of BITS, the technology policy division of the Financial Services Roundtable. Feeney told lawmakers a chief information officer of a member firm estimated that 40 percent of his group's time was spent deciphering cybersecurity regulations rather than focusing on protecting systems.
Johnson was inclined to consolidate cybersecurity coordination within the Department of Homeland Security's National Cybersecurity and Communications Integration Center (NCCIC), but he said it could also be under the federal CIO or some other entity. Ranking member Claire McCaskill, D-Mo., told Johnson that their committee should let the Trump administration know the members are "anxious" to nominate and empower an individual to identify conflicting regulations or coordinate different agencies.
Information Technology Industry Council President Dean Garfield told us after testifying that ITI, which represents 60 companies including Amazon, Apple, Facebook, Google and Microsoft, doesn't have a "strong view" on which agency or individual should be in charge of the coordination, but it should be empowered with close contact with the White House. "Whether it's DHS or the [federal] CIO, we'll live with whatever is defined as long as they're an agency that has some experience working closely with the private sector," he said.
Garfield testified that three executive orders have been issued over the past five years focused on driving cybersecurity coordination, but it hasn't occurred. He pointed to EO 13718 (Commission on Enhancing National Cybersecurity) and EO 13636 (Improving Critical Infrastructure Cybersecurity) issued by the Obama administration and EO 13800 (Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure) issued by the Trump administration last month. Garfield said creation of a "center point" should be built around driving the strategy, which is the National Institute of Standards and Technology's Cybersecurity Framework.
Daniel Nutkis, CEO of the nonprofit Health Information Trust (HITrust) Alliance that helps healthcare organizations safeguard data and manage risk, provided one example of the redundancy. HITrust, he said, is an information sharing and analysis organization with NCCIC and provides industry data to the center regarding cyberthreats. But he was "surprised" to learn about a recent Department of Health and Human Services effort to create an NCCIC equivalent called the Healthcare Cybersecurity and Communications Integration Center (HCCIC). It takes a "significant level of effort" to engage in cyber information sharing with organizations and the government, he said. In response to a question from McCaskill, he said he found out about the HCCIC through the media and was unclear how much value it would provide, and HITrust is only working with NCCIC.
Garfield told us the hearing was an "important first step" and there should be follow-up. "There is talk by the administration," he said, "in doing a convening, and I think Congress should be a part of that. It is clear to me from today's hearing that a solution is within reach."