Frank Cilluffo
Director, McCrary Institute for Cyber and Critical Infrastructure Security, Auburn University
Christopher D. Roberti
Senior Vice President for Cyber, Space, and National Security Policy, U.S. Chamber of Commerce

Published

May 14, 2026


At a time when cyber threats to American critical infrastructure are intensifying, the current regulatory environment undercuts the ability of cyber defenders to focus on security. That is the costly reality facing thousands of companies navigating overlapping federal cybersecurity requirements, each with different forms, different deadlines, and often the same questions asked in different ways.

A survey of global security leaders by cybersecurity company CrowdStrike found that 78% of organizations experienced ransomware last year and 93% lost data regardless of whether or not they paid a ransom associated with a cyberattack. The onslaught against companies, large and small, is real and relentless, and cyber criminals are only the beginning of the story.

More concerning is the threat posed by sophisticated nation-state actors: Consider the various campaigns attributed to China-based operators that target American and allied telecommunications, power, water, IT systems, and more. Collectively referred to as "the Typhoons," each of these campaigns proves that companies must urgently protect their systems, data, and intellectual property.

So, what is the best course forward?

We can say with certainty that it is not more of the same: Dozens of federal agencies issuing well-intentioned but, in practice, duplicative and conflicting rules—and/or guidance—that have become a hindrance to the intra-government collaboration necessary to protect American cyberspace.

At best, companies are spending precious resources demonstrating compliance rather than strengthening security; at worst, some are left without a clear, consistent understanding of what good security requires. Taken together, the lack of clarity and an overemphasis on procedural form rather than security outcomes and substance put businesses, their customers, and our nation’s critical infrastructure at risk.

Companies and their security leaders desperately want to secure their systems and are doing their best on an uneven playing field.

Imagine being a bank or a credit union. You’re regulated by the Federal Deposit Insurance Corporation (FDIC), the Consumer Financial Protection Bureau (CFPB), the Office of the Comptroller of the Currency (OCC), the Department of the Treasury, the Securities and Exchange Commission (SEC), state regulators, and more. Each agency has a different and valuable purpose: Ensuring the health of the financial system, protecting the interests of banking customers, ensuring shareholders understand if a breach occurs, and so on. Each agency cares if there was a breach. Each agency cares about the security of that company.

But when an incident occurs, you’re responding to different sets of questions, completing different forms, with different deadlines, and talking with several agencies all about the same issue.

If you’re a multinational company, you may be dealing with hundreds, if not thousands, of regulatory schemes around the world.

A study by the White House Office of the National Cyber Director (ONCD) last June revealed that across industries, compliance demands often outweigh time and resources devoted to improving security. CISOs in financial services spend 30-50% of their time on compliance—not hardening systems, but reporting their current status.

The simple truth is this: That’s not just inefficient—it sets us back. We cannot continue with a system in which security professionals are being pulled away from securing and defending systems, responding to attacks, and executing a quick recovery in their wake.

This reality, of course, is not news to security professionals. That is why the McCrary Institute and the U.S. Chamber of Commerce have partnered to launch a task force of cyber experts aimed at informing what a federal effort to streamline cyber rules can and should look like.

We are heartened to see that this issue is also a priority for the Trump administration. The President’s Cyber Strategy for America lays out the President's intention to promote common-sense regulation.

National Cyber Director Sean Cairncross and his team appreciate the urgency of reducing compliance burdens, addressing liability, and aligning with regulators in the U.S. and abroad. This is encouraging.

Right now, the Administration is also working through the details of implementing the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). If implemented smartly, this legislation has the potential to serve as a center of gravity to help align the interests and needs of government and the private sector.

So, what next? We must get CIRCIA right so companies can report once and leave it to government agencies to share among themselves. Next, it is critical that we identify regulatory overlap and duplication, supply common language and requirements to federal partners, ensure reciprocity where appropriate, share information across government agencies, and work with industry partners to ensure that regulations serve their purpose without overly burdening the regulated.

The choice is stark: We can continue forcing our best cybersecurity minds to fill out forms while adversaries breach our systems, or we can streamline these regulations, as the President has done with success in other policy domains, let America's cyber defenders do what they do best, and execute on what the President has identified as a priority action across government—defend America.

About the authors

Frank Cilluffo

Frank J. Cilluffo is the Director of the McCrary Institute for Cyber and Critical Infrastructure Security at Auburn University and host of the weekly Cyber Focus podcast.

Christopher D. Roberti

Christopher D. Roberti is senior vice president for Cyber, Space, and National Security Policy at the U.S. Chamber of Commerce.