Regulatory Harm or Harmonization? Examining the Opportunity to Improve the Cyber Regulatory Regime
Cybersecurity and Infrastructure Protection
2025-03-11
Summary
This meeting of the Committee on Homeland Security convened to assess the efficacy of the federal cyber regulatory regime and identify opportunities for harmonization across the federal government, particularly focusing on the challenges faced by critical infrastructure operators and the implementation of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). Speakers highlighted the urgent need to streamline duplicative reporting requirements and foster stronger public-private partnerships to enhance national cybersecurity.
Themes
Challenges with the Current Cyber Regulatory Regime
The current federal cyber regulatory landscape is characterized by its cumbersome, duplicative, and complex nature, imposing significant burdens on critical infrastructure owners and operators. With over 50 regulations at the federal level alone, companies spend considerable time and resources on compliance tasks rather than on actual security improvements. This fragmentation leads to misalignment, confusion, and can consume up to 70% of cybersecurity resources. A prime example of problematic rulemaking is the Securities and Exchange Commission's (SEC) requirement for cyber incident disclosure within four business days, which speakers argued could harm national security by revealing vulnerabilities to adversaries before they are patched [01:20:22] [01:20:32].
Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Implementation
There is bipartisan concern that the proposed CIRCIA rule deviates significantly from congressional intent by having an overly broad scope for "covered entities" and "covered incidents". Stakeholders emphasized the need for CISA to meaningfully incorporate industry feedback, urging the withdrawal and reissuance of the proposed rule or, at minimum, establishing an "ex parte" process for transparent engagement. Without proper refinement, the rule risks overwhelming CISA with an unmanageable volume of reports and burdening critical infrastructure operators, potentially doing "more harm than good" [00:55:41].
Cybersecurity Information Sharing Act (CISA) of 2015 Reauthorization
The Cybersecurity Information Sharing Act of 2015, set to expire in September 2025, is considered foundational for public-private collaboration in cybersecurity. Its protections, including liability and antitrust exemptions for sharing cyber threat information, have fostered increased collaboration across sectors [01:06:37]. Speakers warned that the expiration of this Act would significantly undermine national security by impeding critical information sharing and forcing companies to reorganize established processes [01:08:07].
Role of the Critical Infrastructure Partnership Advisory Committee (CIPAC)
The recent disbandment of the Critical Infrastructure Partnership Advisory Committee (CIPAC) by the Department of Homeland Security raised significant concerns among speakers [01:21:56-01:22:06]. CIPAC was lauded as a vital framework for effective industry-government partnership, providing protected dialogue and facilitating information sharing for a wide range of hazards, not just cyber threats [01:23:52] [01:24:09]. Speakers clarified that CIPAC is distinct from a typical advisory committee and that its termination jeopardizes a successful, long-standing mechanism for collaboration [01:24:41] [01:24:49] [01:24:57].
Offensive Cyber Capabilities and Active Defense
A debate emerged regarding the need for offensive cyber capabilities, particularly given the increasing frequency and sophistication of cyberattacks. While the private sector expressed hesitancy to engage in offensive operations, preferring to focus on defense and resilience, there was an acknowledgment that the current defensive posture alone is insufficient to deter nation-state actors. Speakers suggested a need for strong government-led offensive capabilities to create consequences for attackers, and proposed exploring models for enhanced operational collaboration or deputizing third-party contractors under strict government oversight [01:31:16] [01:32:55].
Tone of the Meeting
The meeting conveyed an urgent, bipartisan, and collaborative tone, reflecting widespread concern over escalating cyber threats [00:23:09]. There was clear frustration with the existing fragmented cyber regulatory landscape and a strong consensus on the need for streamlining and harmonization to refocus industry efforts on security rather than compliance. Speakers emphasized the critical importance of effective public-private partnerships and the need for high-level government leadership, such as from the White House or the Office of the National Cyber Director, to drive these necessary reforms [01:43:48].