Global corporate CISOs urge world governments to harmonize cyber rules

The letter urges governments to use high-level forums to “focus on greater alignment of cybersecurity regulations.”

A letter jointly drafted by 45 chief information security officers (CISOs) of global corporations calls on world government leaders to take specific steps to streamline the cybersecurity regulations that businesses must follow.

The signatories include CISOs from tech giants, large banks, major hospital chains and healthcare firms. Companies represented include Amazon Web Services, LinkedIn, Honeywell, Colonial Pipeline, Marriott, Eli Lilly and Mastercard, as well as non-US firms such as Enbridge, Siemens, Swisscom and Danske Bank.

The letter was sent to members of the Group of Seven nations and the Organization for Economic Cooperation and Development (OECD). It urges governments to use such high-level forums to develop more consistent implementation of existing rules, more collaboration on future rules, faster threat-intelligence sharing and more corporate engagement in rule development.

Their letter notes that the OECD is uniquely positioned to help drive meaningful progress across key countries. By convening relevant stakeholders, analyzing regulatory impacts, and providing data-driven recommendations, the letter states, the OECD can serve as a key facilitator in ensuring cybersecurity regulations are effective and aligned across jurisdictions.

“Collaboration between international organizations, governments, and industry is essential to translating these efforts into impactful, real-world solutions,” they wrote.

CISO recommendations

Closer coordination of this kind, the CISOs contend, would ease the problems they detail in the letter: the difficulty of implementing consistent security measures across jurisdictions, the added complexity of juggling multiple time-sensitive incident response obligations, and reporting requirements that sometimes conflict with one another. All of this, they say, compounds what they call a "cybersecurity talent shortage."

The CISOs note that time spent producing duplicative reports and audits is time not spent on actual security work.

The CISO community called on governments to:

  • encourage high-level commitments from global policymakers to enhance regulatory alignment and promote a balanced approach to cybersecurity regulations;
  • facilitate international dialogue among regulators through established global platforms, including the OECD, ensuring diverse stakeholder participation;
  • explore mutual recognition agreements and other mechanisms that streamline compliance while raising the global cybersecurity baseline.

The CISOs also suggested specific ways to harmonize rules, from reciprocity agreements, to international standards, to expanded authorizations for third-party audits.

Trump and Congress

Earlier this year, President Donald Trump directed White House senior security advisers to draw up a national resilience plan to protect critical infrastructure. The move aims to shift more responsibilities to the state and local level, helping these local government entities prepare more effectively for cyber attacks and severe weather events.

Amid increased scrutiny from the White House, the Cybersecurity and Infrastructure Security Agency has been firming up plans to slash staffing and spending.

Under SEC rules adopted in 2023, public companies must disclose material cybersecurity incidents to the agency and describe their cybersecurity risk management, strategy and governance practices in their annual reports.

The rules have not been changed by the current administration, and enforcement activity in this area continues.

Last August, the Senate Homeland Security and Governmental Affairs Committee voted to advance a bill introduced by Senators James Lankford (R-OK) and Gary Peters (D-MI) to establish a comprehensive framework for streamlining cybersecurity regulations across the federal government.

The bill, which still awaits a floor vote, would address conflicting and contradictory cybersecurity compliance requirements by establishing an interagency Harmonization Committee at the Office of the National Cyber Director.

Blog from Microsoft

Microsoft referred to the CISO letter in its own, separate blog post. The company noted that there are many cybersecurity conferences, but “there is currently no dedicated forum that regularly convenes cybersecurity regulators and provides an opportunity to learn from each other and to engage with industry to ensure we achieve stronger cybersecurity.”

The blog post commends the joint CISO letter recommending that the OECD serve as a key facilitator in ensuring cybersecurity regulations are effective and aligned across jurisdictions. “Collaboration between international organizations, governments, and industry is essential to translating these efforts into impactful, real-world solutions,” the post states.

Salt Typhoon

One telling example of how pervasive, damaging and international cyber attacks have become is Salt Typhoon, the China-based hacking campaign that came to light last year.

The FBI is seeking information from the public about the damage it wreaked, issuing a Bureau notice this month, noting the hacks “resulted in the theft of call data logs, a limited number of private communications involving identified victims, and the copying of select information subject to court-ordered US law enforcement requests.”

Salt Typhoon compromised at least nine US telecom providers and dozens of others around the world.

Trump appointees have vowed to retaliate against China for the hacks, but the Department of Homeland Security review board that was investigating them had its members dismissed soon after Inauguration Day.