National cyber director calls for streamlined security regulations

Dive Brief:

• The U.S. must take collective action to address “unacceptable” cybersecurity risks to the country, National Cyber Director Harry Coker Jr. said in a speech at Columbia University’s Conference on Cyber Regulation and Harmonization in New York City. Coker called for federal authorities to work together with critical infrastructure providers, private sector companies and other stakeholders. 
• Cybersecurity threats like the China state-linked Volt Typhoon present unacceptable risks to the U.S., Coker said, and more investments are required to build long term cyber resilience. As part of that strategy, companies need to ensure that cybersecurity is as much of a focus as quarterly profits. 
• At the same time, Coker called for the government to streamline its regulations and harmonize compliance demands for the benefit of the private sector and critical infrastructure providers. This could allow CISOs and other security leaders to spend more time mitigating their own organizational cyber risk, he said.

Dive Insight:

Coker’s speech highlights a key concern for the Biden administration as it winds down its final months in office and moves into a new phase of implementing its national cybersecurity strategy. 

The U.S. is facing a major threat to critical infrastructure — sophisticated state-linked hackers have targeted the telecom industry in recent months — while other industries like energy, water utilities and other sectors face a combination of threats from nation states and criminal ransomware groups. 

“None of this is to ascribe malice to critical infrastructure owners and operators,” Coker said. “I’ve never met anyone who wants to get hacked or held ransom.”

Federal authorities have pushed tech manufacturers to adopt secure by design practices and bolster the security of their code, as many of these recent attacks on critical systems have exploited misconfigured IT systems and vulnerabilities in security tools.

Federal agencies have begun rolling out sector-specific regulations to set minimum security standards and are trying to leverage the government’s IT spending power to ensure widely used tools have security built into their product design. Their aim, among others, is to reduce the burden on under-resourced users.