One of the many challenges facing the new administration is how to defend critical corporate and government networks from a complex and evolving array of cyber threats. During the Biden Administration, cybersecurity policy was increasingly defined by regulatory mandates, enforced compliance and mandatory incident reporting. President Trump has an opportunity to reshape national cybersecurity policy to more effectively secure the digital infrastructure driving our modern economy.
The administration kicked off this process by issuing an executive order that mandates a comprehensive review of all pending and recently finalized regulations. The order requires agencies to halt the issuance of new rules, withdraw those pending publication, and consider delaying the effective date of recently published rules. This review can serve as the launching point for a wider change in America’s approach to cybersecurity for the better.
We have reached a point where a maze of regulations is often duplicative, sometimes contradictory, and always costly and time-consuming to implement. The regulations are issued by well-meaning regulators for a specific purpose without accounting for pre-existing regulations and how those affect companies. Each new regulation increases costs and strains resources, without demonstrably improving security.
Sometimes regulations are issued without proper legal authority. For example, in 2023 the EPA issued cybersecurity requirements for public water systems that were stayed by a federal appellate court after states and water-industry associations challenged the agency’s authority to issue them; the EPA then withdrew the requirements rather than defend them.
Other times, agencies issue regulations that exceed congressional intent. One such example is the implementation of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). This law created a requirement for specific critical infrastructure companies to report severe cyber incidents to the Cybersecurity and Infrastructure Security Agency and authorized CISA to create implementing regulations.
Instead of being narrowly targeted consistent with the clear legislative intent, however, the proposed regulations released by CISA would affect more than 316,000 organizations, including 310,000 resource-constrained “small entities.” This is on top of three dozen federal regulations and numerous state, local and international reporting requirements already in place. The regulatory overreach was so egregious that the legislation’s authors expressed concern.
These regulations are being developed even as a Government Accountability Office report found that CISA needs more staff and more technology to effectively manage the reporting requirements it has proposed. This and other cybersecurity regulations may face significant judicial and administrative hurdles, stall, or require substantial revision.
In addition, the landmark decision in Loper Bright upended the government’s ability to impose regulations without specific congressionally designated authority. By ending the Chevron deference doctrine — where courts deferred to regulatory agencies’ interpretations of ambiguous laws — the ruling further opens the door to challenges against existing regulations across all industries and compels regulators and policymakers to rethink their approaches to policy adoption and implementation.
A new approach should recognize that cybersecurity poses an economic challenge — it is often far more expensive to defend against attacks than to launch them. Companies face a threat landscape that ranges from nation-state adversaries to organized cybercriminal groups, while grappling with limited resources, time, personnel and funding.
Unwieldy and overreaching regulations exacerbate this security challenge by diverting resources from important security operations to compliance for uncertain benefits. In some organizations, regulatory compliance consumes more staffing and funding than actual cybersecurity and risk management efforts. A regulatory approach can also foster adversarial relationships between government and industry, creating a culture of fear and mistrust that detracts from collaborative problem-solving.
The laborious, years-long process of creating or updating regulations cannot keep pace with rapidly evolving technology and cyber threats. Threat actors build new tools and devise new attack techniques far faster than regulators can propose security practices to defend against them. Rather than improving security outcomes, regulations force defenders to focus on reporting and compliance instead of securing their networks.
The barrage of recent cybersecurity regulations has forced a misallocation of these limited resources. We must pivot from a “check the box” regulatory and compliance approach to a risk-informed approach that focuses on providing companies the threat intelligence they need to decide how to allocate their limited resources most effectively.