Inside Cybersecurity

January 27, 2023

Daily News

Ex-CISA official Kolasky cites end to ‘purely voluntary’ cyber approach; attorney Brown sees accelerating shift to regulation

By Charlie Mitchell / January 18, 2023

Former CISA senior official Bob Kolasky says more mandatory cyber requirements are coming for critical infrastructure operators, while prominent cybersecurity attorney Megan Brown warns that “the tide appears to be turning” away from a voluntary partnership model in federal cyber policy.

Kolasky wrote a piece on Jan. 13 for the risk managers association GARP on expectations for 2023 and regulatory requirements aimed at critical infrastructure operators.

“It has become clear that policymakers are not going to accept a purely voluntary approach to industry cybersecurity and are going to continue to look for ways to place more requirements on companies, especially those that own and operate critical infrastructure,” Kolasky wrote.

“[I]ncreasing requirements only works if the requirements make sense, can be linked to measurable outcomes, and are dynamic to emerging threats. This is a high bar to clear -- it requires collaboration between industry and government in implementation and focus on security outcomes rather than compliance costs,” according to Kolasky, who led CISA’s National Risk Management Center.

Kolasky said, “In 2023, we’ll see these administrative details fleshed out and a better sense of whether cyber requirements can be effectively designed and implemented.”

In addition, he wrote, “In 2023, initial federal requirements for software bill of materials and software development processes will come to fruition, which will drive the marketplace and innovation in tooling. It remains to be seen if additional transparency will significantly reduce software supply chain risk, but it is certainly a necessary step.”

Separately, Brown writes that federal officials have embarked on “a more aggressive” regulatory approach that will involve new requirements and increased liability.

“Policymakers are emphasizing new expectations, regulations, and mandates. Just a few examples illustrate how the government is moving away from ‘soft law’ standards and best practices in cyber and toward substantial new obligations with enforcement risk and penalties,” Brown, a partner at the Wiley Rein law firm, said in a Jan. 13 blog post.

She pointed to comments from senior officials at CISA and the Office of the National Cyber Director, along with regulatory initiatives at the Transportation Security Administration, FCC, SEC, FTC, and the Federal Acquisition Regulatory Council affecting a wide swath of the U.S. economy.

“States are getting in on the act as well,” Brown noted. “New York’s Department of Financial Services is amending its cybersecurity requirements for financial services companies to require specific technical controls, corporate governance procedures, and other cybersecurity risk management practices.”

Brown cited remarks from Deputy National Cyber Director for Technology and Ecosystem Camille Stewart Gloster at the recent Consumer Electronics Show that the upcoming national cyber strategy “would look to reallocate the burdens of cybersecurity from smaller organizations to larger and more capable companies. Such a reallocation likely can only be accomplished through regulation and mandates. The tone of the forthcoming strategy will be instructive, and we expect it to pick up on themes previewed across the Executive branch,” Brown said.

“For years, federal cyber policy has been based on successful public-private partnerships, collaboration, and the promotion of voluntary standards that can be tailored to sector and organization-specific risk and needs. That is poised to change as federal agencies ramp up regulatory proceedings, and the White House considers a more aggressive approach to the private sector,” Brown wrote.

“All told,” she said, “private sector organizations should prepare themselves for an array of new obligations in 2023 and beyond. We recommend that private organizations of all sizes factor this changing landscape into their regulatory and cyber risk management frameworks. While some mandates are not yet final or effective, their contours are becoming clear, so companies can make informed adjustments to their programs and plans.”

Brown said, “The private sector also should consider how best to work with regulators and Congress to limit burdens and avoid overly prescriptive approaches. Regulators and policymakers may not fully appreciate the burdens of fragmented requirements, or how difficult it may be to certify to the use of particular tools across an entire diverse enterprise. Participating in rulemakings and related proceedings is vital to give agencies solid information on which to base pragmatic policies.”

Wiley associates Lauren Johnson and Joshua Waldman contributed to the post. -- Charlie Mitchell (cmitchell@iwpnews.com)