
Why OIRA Needs to Coordinate Federal Cyber Security Regulation


Two quick facts about American industry's resilience against cyber-attack: (1) our critical infrastructure is inadequately protected, and (2) federal regulation will be required to fix the problem; reliance on market forces alone will not be sufficient, irrespective of whether or not Sony Pictures survives. Although regulation is needed, it needs to be coordinated and, above all, cost-effective.

Which agency is in charge of regulating cybersecurity? Right now, it's a free-for-all, with agencies staking out turf and claims of authority. The Federal Trade Commission (FTC), which has no specific critical infrastructure protection responsibilities under either Presidential Policy Directive 21 (PPD-21) or the President's Executive Order 13636 on improving cybersecurity, is among the most aggressive agencies in asserting regulatory authority.

One example of multiple agencies attempting to regulate the same thing is consumers' secure use of their own health data. The FTC, the FDA and the Department of Health and Human Services' Office of the National Coordinator for Health Information Technology (ONC) are all attempting to regulate mobile health apps. Unfortunately, when regulators compete, industry, innovation and consumers lose.

Federal regulation of private sector cybersecurity is well underway on an ad hoc basis, often using litigation, the crudest and most inefficient of regulatory mechanisms.

The result is uncertainty, more uncertainty and a salivating plaintiff's bar.

Cybersecurity regulation by the Executive Branch agencies needs to be developed with transparent coordination and clear division of responsibilities across agencies. Moreover, the regulatory coordinating process should also involve state regulators and our major trading partners. In short, there is a need for the White House's Office of Information and Regulatory Affairs (OIRA) to coordinate federal cybersecurity regulations.

OIRA, part of the Office of Management and Budget (OMB), has been described as the "cockpit of the regulatory state"; it is the regulator of federal regulatory agencies.

OIRA is responsible for reviewing and, if necessary, stopping federal regulations before they are promulgated. OIRA's primary sources of authority include Executive Order 12866, the Paperwork Reduction Act and the Data Quality Act.

Although OIRA does not currently review the regulations of independent agencies such as the FCC and the FTC, the President clearly has the authority to direct OIRA to review the regulations of all agencies, and such review is supported by former OIRA officials.

OIRA has been given cybersecurity-specific regulatory duties. OIRA's EO 13636 responsibilities, however, are retrospective rather than forward-looking. The Order charges OIRA with reviewing reports, due two years after publication of the final Framework, from federal regulators of critical infrastructure companies that are "subject to ineffective, conflicting, or excessively burdensome cybersecurity requirements."

We need regulations that work correctly when they're imposed, not ones that need to be fixed years later, after they've done damage.

In order to (1) fulfill its regulatory review duty under EO 12866 "to enhance planning and coordination with respect to both new and existing regulations" and (2) assist the President in achieving our country's cybersecurity goals, including the Comprehensive National Cybersecurity Initiative's Initiative #11, "Define the Federal role for extending cybersecurity into critical infrastructure domains," OIRA should employ its existing toolset, including the regulatory calendar and rigorous benefit-cost analysis, to prevent conflicting, shifting, superfluous or otherwise poorly planned and designed critical infrastructure protection regulations.

OIRA should also consider creating a task force of select industry officials along with state regulators, representatives of major trading partners and regulatory process specialists to provide advice on how to implement a regulatory coordinating process.

The financial industry is taking the lead in seeking coherent, coordinated and efficient regulation as is the retail industry. It's up to OIRA to take the next step.

By Bruce Levinson, SVP, Regulatory Intervention - Center for Regulatory Effectiveness

Related topics: Cyberattack, Law, Policy & Regulation, Telecom
