While a largely voluntary approach to critical infrastructure cybersecurity has led to some improvements, a general lack of mandatory requirements has too often resulted in inconsistent and insufficient protections against cyber intrusions. Recognizing this, the White House unveiled a National Cyber Strategy that calls for comprehensive regulations explicitly focused on bolstering the security and resilience of the cyber ecosystem.
We support this outlook and urge industry stakeholders to embrace the opportunity to collaborate on a security upgrade the nation needs while working to ensure the government does not overstep.
As the former General Counsel of the Office of Management and Budget, I recognize the major shift in the government’s approach to regulations that the National Cybersecurity Strategy represents. In my experience working with industry and government, ensuring the right mix of regulations and incentives is in place can significantly bolster the effectiveness of organizations’ security efforts.
Although many organizations have taken actions to meaningfully improve their cybersecurity, others do not have defenses that are commensurate with the risks we all face from cybercriminals and adversary nations.
When the consequences of disruption or breach affect large portions of the population or economy, we must err on the side of strengthening future resilience. As the National Strategy contends, this should mean requiring security where security is not currently required.
There are a number of ways regulation can support national security and public safety by enhancing cooperation with the private sector, putting more responsibility on companies to implement ‘security by design,’ improving the cyber workforce, and strengthening global efforts to improve cyber hygiene. The National Strategy has the opportunity to build momentum around alignment on cybersecurity requirements with our international partners.
However, any security requirements must be outcome-oriented and flexible. Regulations must account for the fact that not every critical infrastructure sector can be treated the same — water services will be different from healthcare — while prioritizing consistency on baseline security expectations. Regulations can do more harm than good if they are overly burdensome, complex, or not tailored to account for sectoral differences.
Given the urgent need for collaboration between government and industry to promote cybersecurity, we are particularly supportive of the administration’s commitment to implementing Coordinated Vulnerability Disclosure (CVD). The National Cybersecurity Strategy prioritizes updating cybersecurity programs with processes to accept, analyze, and respond to reports of vulnerabilities. Organizations that incorporate vulnerability disclosure programs will be better equipped to uncover cybersecurity flaws in their systems so that they can apply patches and implement mitigations efficiently.
With the publication of the new National Cybersecurity Strategy, I hope to see industry engage positively in a new push to strengthen national resilience. It’s the beginning of a long process, and it will not be without challenge. Still, as our society and economy continue their digital transformation, ensuring strong cybersecurity is the right path for our infrastructure, our nation, and our future.
Ilona Cohen is the former General Counsel of the White House Office of Management and Budget and the current Chief Legal and Policy Officer of HackerOne.