
Why OIRA Needs to Coordinate Federal Cyber Security Regulation

Two quick facts about American industry’s resilience against cyber-attack: (1) our critical infrastructure is inadequately protected, and (2) federal regulation will be required to fix the problem; reliance on market forces alone will not be sufficient, irrespective of whether or not Sony Pictures survives. Although regulation is needed, it must be coordinated and, above all, cost-effective.

Which agency is in charge of regulating cybersecurity? Right now, it’s a free-for-all, with agencies staking out turf and claims of authority. The Federal Trade Commission (FTC), which does not have specific critical infrastructure protection responsibilities under either Presidential Policy Directive 21 (PPD-21) or the President’s Executive Order 13636 on improving cybersecurity, is among the most aggressive of agencies in asserting regulatory authority.

One example of multiple agencies attempting to regulate the same thing is consumers’ secure use of their own health data. The FTC, the FDA and the Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) are all attempting to regulate mobile health apps. Unfortunately, when regulators compete, industry, innovation and consumers lose.

Federal regulation of private sector cybersecurity is well underway on an ad hoc basis, often through litigation, the crudest and most inefficient of regulatory mechanisms.

The result is uncertainty, more uncertainty and a salivating plaintiffs’ bar.

Cybersecurity regulation by the Executive Branch agencies needs to be developed with transparent coordination and clear division of responsibilities across agencies. Moreover, the regulatory coordinating process should also involve state regulators and our major trading partners. In short, there is a need for the White House’s Office of Information and Regulatory Affairs (OIRA) to coordinate federal cybersecurity regulations.

OIRA, part of the Office of Management and Budget (OMB), has been described as the “cockpit of the regulatory state” and is the regulator of federal regulatory agencies.

OIRA is responsible for reviewing and, if necessary, stopping federal regulations before they are promulgated. OIRA’s primary sources of authority include Executive Order 12866, the Paperwork Reduction Act and the Data Quality Act.

Although OIRA does not currently review the regulations of independent agencies such as the FCC and the FTC, the President clearly has the authority to direct OIRA to review the regulations of all agencies, and such review is supported by former OIRA officials.

OIRA has been given cybersecurity-specific regulatory duties. OIRA’s EO 13636 responsibilities, however, are retrospective rather than forward-looking. The Order charges OIRA with reviewing reports, due two years after publication of the final Framework, from federal regulators of critical infrastructure companies which are “subject to ineffective, conflicting, or excessively burdensome cybersecurity requirements.”

We need regulations that work correctly when they’re imposed, not ones that need to be fixed years later, after they’ve done damage.

In order to (1) fulfill its regulatory review duty under EO 12866 “to enhance planning and coordination with respect to both new and existing regulations” and (2) assist the President in achieving our country’s cybersecurity goals, including the Comprehensive National Cybersecurity Initiative’s Initiative #11, “Define the Federal role for extending cybersecurity into critical infrastructure domains,” OIRA should employ its existing toolset, including the regulatory calendar and rigorous benefit-cost analysis, to prevent conflicting, shifting, superfluous or otherwise poorly planned and designed critical infrastructure protection regulations.

OIRA should also consider creating a task force of select industry officials along with state regulators, representatives of major trading partners and regulatory process specialists to provide advice on how to implement a regulatory coordinating process.

The financial industry is taking the lead in seeking coherent, coordinated and efficient regulation as is the retail industry. It’s up to OIRA to take the next step.
