Is the government’s cyber policy moving from partnership to command-and-control?


Cybersecurity in the private sector has long been a matter of collaboration. Companies and sectors worked with government to establish risk management approaches to what companies would ultimately decide to do. Our next guest believes that statements coming from the administration signal a move to cyber regulations, mandates and oversight. Attorney Megan Brown, a partner at Wiley Rein, talked about it on the Federal Drive with Tom Temin.

Tom Temin
You did a stint in the Justice Department. So you kind of know these tea leaves, don’t you, when you hear these different communications coming around?

Megan Brown
Yeah, I think you can read a lot into the tone and tenor of what’s coming out of both the White House, but also the federal agencies, both executive branch and independent.

Tom Temin
All right, give us some examples of what you’re hearing, and then we’ll get into what it might be leading to?

Megan Brown
Well, I think a lot of people are waiting, for example, for the White House to release the National Cybersecurity Strategy, which is expected imminently. Recently, some administration officials were characterizing that strategy and used language that certainly suggests more of a regulatory push. I think that one of the words that folks liked to use was sort of reallocate the burdens of cybersecurity from smaller players to larger players. And I think across federal agencies, you’re seeing just such a flurry of activity, that we’re definitely headed down this path in many forms.

Tom Temin
Right. You mentioned too, the Federal Communications Commission, for example, is proposing a significant update to something called the customer proprietary network information breach reporting rules.

Megan Brown
Yes, well done on the unpacking the acronym: CPNI. The rules are a bit dated, and they’re proposing some substantial updates, I think they’re going to get a lot of feedback on the scope of those updates, in terms of the kinds of things they want to do, the kinds of data they want to regulate, and how those rules are going to sit with other federal rules regarding incident management, such as is being developed by the Department of Homeland Security right now.

Tom Temin
All right, yeah. And so even more, perhaps serious you cite in your essay, Securities and Exchange Commission and Federal Trade Commission, both of which have been kind of turned into activist organizations seemingly beyond their traditional swim lanes of what it is they’re supposed to regulate.

Megan Brown
I think I’ll take them sort of separately. The Federal Trade Commission has been really active on data security and cybersecurity for a long time. But it has been using enforcement actions and kind of case by case telling people you know, this is unreasonable. That was unreasonable. Now, they’re moving to rules, like very specific tangible rules. So that’s a big change for them. But they’re not new to the security space. What’s particularly interesting about the Securities and Exchange Commission is they really are stepping into some new terrain that I think they’re gonna find quite challenging, and their regulated entities are going to find it quite challenging to deal with them as a regulator in this space. I don’t think it’s a good move for that agency.

Tom Temin
Interestingly, so do you feel that like industry could produce lawsuits? I mean, I read somewhere where on an unrelated to cybersecurity rule that the FTC is contemplating, the Chamber of Commerce says it’ll take them to court, if it gets to that?

Megan Brown
It’s an interesting question. I don’t know what the appetite is to sue federal agencies over security related rules. There’s a lot of things an association would have to consider, as it’s thinking about that. But yeah, you’re right. The U.S. Chamber on, I think you have in mind there, the Federal Trade Commission’s noncompete regulations, which are pretty dramatic, in terms of what the agency is trying to do there. And I think everyone expects that to be subject to judicial challenge.

Tom Temin
And finally, on the federal acquisition itself, the front there for federal contractors. There are lots of rules coming from the Federal Acquisition Council. And once things are in the [Federal Acquisition Regulations (FAR)], they tend to stay there.

Megan Brown
Yes. Another of our favorite acronyms here at Wiley. Yeah, I think there’s a lot of breath being held across Washington for what those rules are actually going to look like when the council releases them. But yes, there’s a lot of rules that already exist. And I think some challenges that companies may have, if the rules get too prescriptive, there are a lot of standards that already exist for, say, the Defense contractors and lots of others. But I think that’s an area in particular, where we’re urging the federal government to really try and closely harmonize so that you don’t have a very different approach in the procurement space than you do elsewhere. It’s just this multiplying. That is so, so worrisome.

Tom Temin
We’re speaking with Attorney Megan Brown, she’s a partner at Wiley Rein. And so what then do you think the landscape will look like once whatever agencies are driving at, whatever the administration is driving at. Because that’s got to be the unifying force behind all of these separate measures happening in all the regulatory agencies, I’m guessing. What do you think we’re going to end up with?

Megan Brown
I fear we’re going to end up with a real onerous patchwork of lots of different things that companies are going to have to go through, many checklists of things that they’ll have to do for different agencies and different types of data. But I am cautiously optimistic that the Cyber Incident Reporting Council that Congress set up, which is headed at DHS, they have an opportunity to really shine a light on this Balkanization, this fragmentation, they’re supposed to do a report to Congress soon, that identifies areas of overlap. They have a real opportunity there. And I think the folks working on that report are very thoughtful, and they get this, what the private sector is worried about.

Tom Temin
Interesting. And in the meantime, what should companies be doing? Should they prepare for this kind of regime or should they participate in the rulemaking? I mean, what’s your advice?

Megan Brown
I would say yes to both of those things. One, they should be trying to read the tea leaves of what the government has been saying about substantive cybersecurity. The Department of Homeland Security, for example, has put out these cybersecurity performance goals under a President Biden executive order; that is a good place to look to see what your regulators are probably going to want to see from you, even though they’re not mandatory right now. There’s lots of other places to look to sort of jack up your actual cybersecurity readiness. As far as participating in some of these proceedings, of course, my answer is going to be yes. A thousand times yes. File comments, talk to the regulators, talk to Congress, who I expect to have a busy cyber docket in the new Congress as well. And I think these messages need to get to the policymakers about limiting the burdens and really focusing on what is going to actually make a difference to cybersecurity and not just new regulations.

Tom Temin
And what is your sense of the impetus behind this drive toward more command and control type of regulation of cyber? Because the status of the number of incidents and the number of losses seems to be fairly steady state? Or is that the problem, that it’s not going down?

Megan Brown
That’s an interesting question. I think we saw an uptick in concern from the White House, for example, after the Ukraine-Russia issue. That was sort of a kick in the butt for a lot of people to say, Oh, we’re worried about cyber in a specific way. But I think more generally, there’s probably just a difference in philosophy, a regulatory philosophy difference between, say, this administration and the previous administration. But also, I think we’re kind of maturing as a regulatory body. And some folks are saying there’s enough consensus on things to move forward with some sort of baselines. And if you’re from the perspective of, you don’t love trusting only, you want to trust but verify, that I think could be the next logical step. I don’t think a lot of these regulatory mandates make a lot of sense. But I understand the feeling of certain parts of government that they need to have better eyes on what’s actually happening.

Tom Temin
So in some sense, DoD is way ahead of the civilian side of government, with its still-nascent CMMC program and some of the other requirements on the Defense side. We could see those becoming requirements on the civilian side.

Megan Brown
I mean, I’ve always thought that what the DoD does tends to lead or be adopted by other civilian agencies. But I think the jury is still out on the effectiveness of CMMC and a lot of what they’re doing. And so I think, from my perspective, I’d love to see a bit of a pause on some of this push, and maybe some data gathering about what has worked, what information sharing has gone on. How have these programs actually rolled out? Learn some lessons before just jumping to expand them across the civilian agency space.

 

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
