Regulatory Harm or Harmonization? Examining the Opportunity to Improve the Cyber Regulatory Regime
Cybersecurity and Infrastructure Protection
2025-03-11
Source: Congress.gov
Transcript
Without objection, the chair may declare the committee in recess at any point. Without objection, the gentleman from New York, Ms. Clark, and the gentleman from Puerto Rico, Mr. Hernandez, are permitted to sit in the dais and ask questions of witnesses. The purpose of this hearing is to evaluate the effectiveness of the federal cyber regulatory regime and to identify opportunities to harmonize cyber regulations across the federal government. Specifically, we will examine the challenges that private sector owners and operators of critical infrastructure face while navigating the cyber regulatory regime, including the potential impact of the final CIRCIA rule if it does not meet congressional intent. I now recognize myself for an opening statement. Good morning. I'm honored to serve as chairman of this subcommittee again in the 119th Congress. Ranking Member Swalwell, it's great to serve alongside you for another term. I'd also like to welcome all of our members returning and the new ones that are here. I'm looking forward to working with all of you and to making this a productive Congress. As cyber threats to information technology and operational technology increase, we must work hard to ensure cybersecurity is front and center on Congress's agenda. Until we change our cybersecurity posture, we'll continue to see rogue nation state actors target our nation's critical infrastructure. In that spirit, I am pleased to begin this Congress with a bipartisan priority that is vital to our nation's security: regulatory harmonization. For too long, we have talked about the cumbersome nature of the cyber regulatory regime without seeing the changes necessary to solve it. In fact, the Biden administration tried to add more regulations on the sector, on sectors such as health care and water. While it is important for the federal government to work with those sectors that are not as cyber mature, more regulation is not the answer.
With over 50 regulations at the federal level alone, it is time to streamline requirements to ensure they promote useful, actionable, and reasonable information sharing within the timeframe requested. When organizations face their most vulnerable moment, they should only be thinking about one thing, securing their networks.
Hours of duplicative compliance tasks and hundreds of thousands of dollars invested to navigate the landscape must come to an end. With the beginning of the new administration, we have an opportunity to reset the regulatory regime once and for all. In 2022, Congress passed landmark legislation to streamline cyber incident reporting, the Cyber Incident Reporting for Critical Infrastructure Act of 2022, or CIRCIA. This directed CISA to develop regulations to set an acceptable standard for cyber incident reporting across all 16 critical infrastructure sectors. Unfortunately, as many of today's witnesses reinforced last year, the scope of the proposed CIRCIA rule went far beyond congressional intent. Knowing that the deadline for the final rule is approaching, we will dig into the value of CIRCIA and what the future of the rule should look like. This new administration presents an opportunity to get cyber incident reporting right. We should seize it. Beyond CIRCIA, different regulatory agencies have imposed rules that directly contradict congressional intent with CIRCIA. The Securities and Exchange Commission's rules on cybersecurity risk management, strategy, governance, and incident disclosure are a perfect example of how rulemaking should not be done, that is, without buy-in from their key stakeholders, industry, and Congress. As we strive for regulatory harmonization, collaboration across the public and private sector is vital. We cannot allow malicious cyber actors to get ahead of us because paperwork holds us back from effective cyber risk management, mitigation, and response. I look forward to hearing from our witnesses about the steps we can take to finally achieve regulatory harmonization. I now recognize the ranking member for an opening statement.
I thank the chairman, and I am excited to begin this new Congress again with the chairman. It's not a great place to be in the minority, but if you have a chairman like Mr. Garbarino on your subcommittee, it's a great place to get things done, and that's our mission here, is to get things done for the good of our constituents and the security of the people and companies we represent.
This first hearing is focused on a bipartisan priority: identifying opportunities to improve implementation of the Cyber Incident Reporting for Critical Infrastructure Act, CIRCIA, and the need to harmonize cyber regulations. Before I begin, though, I did want to take a moment to recognize and express my condolences to the family, friends, and constituents of Congressman Sylvester Turner, who passed away last week. He was a member of this subcommittee, and his passion for cybersecurity, whether it was as the mayor of one of America's largest cities in Houston, that was clear also as a member of Congress serving on a committee that works on that. And it was clear during his first two full committee hearings last month. And we'll miss the contributions that he made and would have made to this subcommittee. Turning to the subject of today's hearing, I agree that compliance costs can outweigh the security benefit of regulations when compliance with duplicative regulations cuts into investment in security.