Two quick facts about American industry’s resilience against cyber-attack, (1) our critical infrastructure is inadequately protected and (2) federal regulation will be required to fix the problem, reliance on market forces alone will not be sufficient irrespective of whether or not Sony Pictures survives. Although regulation is needed, it needs to be coordinated and, above all, cost-effective.

Which agency is charge of regulating cybersecurity? Right now, it’s a free for all with agencies staking out turf and claims of authority. The Federal Trade Commission (FTC) which does not have specific critical infrastructure protection responsibilities under either Presidential Policy Directive 21 (PPD-21) or the President’s Executive Order 13636 on improving cybersecurity, is among the most aggressive of agencies in asserting regulatory authority.

One example of multiple agencies attempting to regulate the same thing is secure consumer use of their health data. The FTC, the FDA and the Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) are all attempting to regulate mobile health aps. Unfortunately, when regulators compete, industry, innovation and consumers lose.

Federal regulation of private sector cybersecurity is well underway on an ad hoc basis, often using litigation, the crudest and most inefficient of regulatory mechanisms.

The result is uncertainty, more uncertainty and a salivating plaintiff’s bar.

Cybersecurity regulation by the Executive Branch agencies needs to be developed with transparent coordination and clear division of responsibilities across agencies. Moreover, the regulatory coordinating process should also involve state regulators and our major trading partners. In short, there is a need for the White House’s Office of Information and Regulatory Affairs (OIRA) to coordinate federal cybersecurity regulations.

OIRA, part of Office of Management and Budget (OMB), has been described as the “cockpit of the regulatory state” and is the regulator of federal regulatory agencies.

OIRA is responsible for reviewing and, if necessary, stopping federal regulations before they are promulgated. OIRA’s primary sources of authority include Executive Order 12866, the Paperwork Reduction Act and the Data Quality Act.

Although OIRA does not currently review the regulations of independent agencies such as the FCC and the FTC, the President clearly has the authority to direct OIRA review the regulations of all agencies and such review is supported by former OIRA officials.

OIRA has been given cybersecurity-specific regulatory duties. OIRA’s EO 13636 responsibilities, however, are of a retrospective rather than forward-looking basis. OIRA is charged by the Order with reviewing reports, two years after publication of the final Framework, from federal regulators of critical infrastructure companies which are “subject to ineffective, conflicting, or excessively burdensome cybersecurity requirements.”

We need regulations that work correctly when they’re imposed, not that need to be fixed years later after they’ve done damage.

In order to (1) fulfill its regulatory review duty under EO 12866 “to enhance planning and coordination with respect to both new and existing regulations” and (2) to assist the President in achieving our country’s cybersecurity goals, including the Comprehensive National Cybersecurity Initiative‘s Initiative #11, “Define the Federal role for extending cybersecurity into critical infrastructure domains,” OIRA should employ its existing toolset including the regulatory calendar and rigorous benefit-cost analysis to prevent conflicting, shifting, superfluous or otherwise poorly planned and designed critical infrastructure protection regulations.

OIRA should also consider creating a task force of select industry officials along with state regulators, representatives of major trading partners and regulatory process specialists to provide advice on how to implement a regulatory coordinating process.

The financial industry is taking the lead in seeking coherent, coordinated and efficient regulation as is the retail industry. It’s up to OIRA to take the next step.