Columbia SIPA Co-Hosts First Annual Cyber Regulation and Harmonization Conference
Columbia SIPA and the state of New York co-hosted the inaugural Cyber Regulation and Harmonization Conference on Nov. 13, gathering experts and leaders for two days of in-depth discussions. The convening, which will become an annual event, was organized by SIPA senior research scholar Jason Healey and co-sponsored by Columbia Engineering, the Data Science Institute at Columbia, and SIPA’s Institute of Global Politics (IGP).
Healey noted that the conference marked the “last time many from the Biden administration will be together” to discuss the role the government should play in mitigating cyber risk, a topic he said has “a lot of research left to be done.”
The proceedings focused on creating opportunities to harmonize often duplicative and byzantine cybersecurity compliance standards across different industries. During a panel on cyber harmonization, Microsoft senior cybersecurity strategist Monica Ruiz explained how an “increase in scale and sophistication of malicious attackers” has led to an increasingly fragmented regulatory space as different governments respond at differing speeds.
For example, the required timeframe for organizations and entities to report a cybersecurity incident differs from state to state in the US and from country to country globally, ranging from 24 hours to several days to no reporting requirements at all. Such variations can be challenging, especially for multinational corporations, as it can be unclear which jurisdiction’s requirements take precedence.
Cybersecurity isn’t just about physical infrastructure but human infrastructure as well, noted Secretary Hillary Rodham Clinton, chair of the IGP Faculty Advisory Board, in her Spotlight Interview with New York Governor Kathy Hochul. Hochul highlighted the creation of the Joint Security Operations Task Force and the Empire AI consortium, as well as the state’s securing of the nation’s largest supercomputer in Buffalo, which she said will use AI for the public good. Hochul also discussed ways to protect children from online threats and addictive algorithms, emphasizing the need for mental health support in schools and national regulation.
During a panel discussion, Colin Ahern, chief cyber officer for the State of New York, Chris Hetner, senior advisor for the National Association of Corporate Directors, and Nick Leiserson, assistant national cyber director for White House Cyber Policy and Programs, addressed the present and future of cyber regulation. Their conversation, moderated by adjunct professor Evan Wolff, included the potential regulatory impacts of the Supreme Court’s decision to roll back its “Chevron doctrine” and emphasized the importance of bipartisan support for and long-term investment in cybersecurity. “Cyber is one of the vanishingly small truly bipartisan issues, so I hope that [trend] continues,” Ahern said.
The relationship between regulation and national security framed a fireside chat between SIPA Dean Keren Yarhi-Milo and Anne Neuberger MIA ’05, ’05BUS, Deputy National Security Advisor for Cyber and Emerging Technology. When asked what the incoming Trump administration should prioritize in its first 100 days, Neuberger cited China, ransomware actors, and artificial intelligence (AI). She called Russia-based ransomware groups the “most disruptive adversary we face today,” stressing the necessity of continuing the Biden administration’s work to implement minimum cybersecurity requirements across critical infrastructure.
National Cyber Director Harry Coker delivered the keynote address, calling for streamlining regulations and bipartisan legislation to create a structure for regulatory harmonization. “To live in the world envisioned in our National Cybersecurity Strategy, we must take collective action – individuals, governments, allies, civil society and the private sector,” he said.
Hetner, a former cybersecurity advisor to the US Securities and Exchange Commission Chairman, highlighted a common complaint: time spent on compliance represents financial resources that companies could spend elsewhere. Harmonization would also yield national security benefits, Ruiz said: “better alignment allows for easier tracking and sharing of incidents.”
“That is a clear opportunity,” said Art Lindo, deputy director for policy in supervision and regulation at the Federal Reserve Board, of harmonization.
While overlapping cybersecurity regulations can present challenges, speakers across the conference’s panels made clear that the motivation to introduce and maintain security standards comes from a compelling societal need.
“The attack surface has grown,” said Alexander Evans, professor at the London School of Economics; targets now include critical sectors such as healthcare and energy infrastructure. With “multiple levels of losses likely to occur in the near-term,” said Lindo, the priority should be identifying who is best positioned “to mitigate or reduce those risks.”
Just this past year, Change Healthcare, a large healthcare payments processor, and Kaiser Permanente were subject to cyberattacks that exposed more than 100 million individuals’ data, including Social Security numbers and medical information. These incidents and others were the topic of a dedicated panel on cyber regulation for the healthcare sector.
Cyber attacks can similarly weaponize the critical infrastructure citizens depend on every day in the United States. “The Colonial Pipeline attack was a watershed event,” said Harry Krejsa, director of studies at the Carnegie Mellon Institute for Strategy, while moderating a panel on cyber regulation for the energy transition. The attack prompted concerns that a foreign adversary could clandestinely “pre-position destructive capabilities in the US energy ecosystem.” The intensity of these threats has prompted US regulators to act at the state and federal levels. Working with the private sector to develop effective cyber regulatory policy has also been a federal priority. Kemba Walden, president of Paladin Global Institute and former acting National Cyber Director for the Biden administration, said that executive orders during the Obama administration “made clear it is US policy to be in partnership with the private sector” in efforts to bolster cybersecurity according to the specific needs of each industry. Since then, the Trump and Biden administrations have each issued executive orders articulating the same private-public partnership principles.
The benefits of harmonization, coupled with the expansion of the cyber threat, may explain the bipartisan push on Capitol Hill to pass regulatory harmonization legislation. US Senator Gary Peters [D-MI] introduced the Streamlining Federal Cybersecurity Regulations Act alongside Senator James Lankford [R-OK] to do just that.
According to Emily Ferguson, a member of Peters’ staff, the “demand for a congressional solution is strong and will only continue to grow.” Ahern, quoting Hochul, remarked, “We can either succeed together or fail separately, right?”