The National Security Implications of New Rules of the Road for Cyber
Updated: Jul 8, 2022
EXPERT PERSPECTIVE — The Cyber Initiatives Group (powered by The Cipher Brief) filed national security-related comments in support of the SEC’s proposed rules regarding Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies this week. The official filing is below.
Commenters, led by former National Security Agency General Counsel Glenn Gerstell, include Kelly Bissell, Global Security Services Lead, Microsoft Corporation; The Hon. Sue Gordon, former Principal Deputy Director of National Intelligence; Matt Hayden, former Assistant Secretary of Homeland Security for Cyber, Infrastructure, Risk and Resilience; Gen. Michael Hayden (Ret.), former Director of the Central Intelligence Agency and the National Security Agency; Hon. S. Leslie Ireland, former Assistant Secretary of the Treasury for Intelligence and Analysis; Richard H. Ledgett, Jr., former Deputy Director, National Security Agency; RADM Mark Montgomery (Ret.), former Executive Director, Cyberspace Solarium Commission; and Debora Plunkett, former Director of the Information Assurance Directorate of the National Security Agency.
File Number S7-09-22 – Comments on Proposed Rule
The undersigned submit these comments in support of the objectives of the rules regarding Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies proposed by the Commission on March 9, 2022 (the “Proposed Rules”).
The undersigned are Principals of the Cyber Initiatives Group, a committee formed and sponsored by The Cipher Brief, a private media organization that engages with the private sector in the United States to promote awareness of cybersecurity and national security matters. Many of us currently have direct involvement in cyber matters in the private sector and have significant experience in both policy and operational aspects of cybersecurity; many of us have served at the highest levels of our nation’s armed forces or intelligence community, while others have leading roles at the nation’s most significant cybersecurity firms and technology providers. (We are writing in our individual capacities and the affiliations noted below are merely for identification purposes.)
Our purpose in submitting these comments is to support the objectives of the Proposed Rule, to advise the Commission that in our opinion national security concerns are a valid and significant rationale for the rulemaking, and to underscore that the Proposed Rule has the potential to benefit not only investors and registrants but also, and in our view more importantly, our national security. In doing so, we are not commenting on the scope, regulatory burden, or other technical aspects of the Proposed Rule – as others can more appropriately address those details. We are, however, in a position to comment on the national security ramifications of a better cybersecurity posture for public companies.
As the Commission notes in its Background Statement accompanying the Proposed Rule, “[l]arge scale cybersecurity attacks can have systemic effects on the economy as a whole, including serious effects on critical infrastructure and national security.”
All of the undersigned are familiar with the technical sophistication of our cyber adversaries and believe that this will continue to increase, imposing greater risks to our nation. In that regard, we note that the Annual Threat Assessment of the U.S. Intelligence Community (dated February 7, 2022) cited cyber-malevolence from four nation-state adversaries – China, Russia, Iran and North Korea – as top-ranked threats. Unfortunately, as the adversarial threat increases, so too has our vulnerability, as we increasingly rely on digital technology throughout all aspects of our commercial, governmental and personal lives. The advent of the internet of things, and the vast amounts of data that are being generated, stored, and used by 5G telecom technology, artificial intelligence and potentially quantum computing (to name just a few developments), will create additional attractive targets for malicious cyberactivity, thus increasing the risk to our nation’s infrastructure, businesses and citizens. Much of this technology is owned and operated by public companies. These vulnerabilities can directly affect our national security.
We believe that the goals