Saturday, February 15, 2025

Cybersecurity Priorities for the New Administration

The recent disclosure of successful, highly complex intrusions into leading telecommunications providers, attributed to the actor dubbed Salt Typhoon, demonstrates the scale and sophistication of cyberattacks against our country in the digital realm. Nation-state actors dedicate substantial resources to attacking critical corporate and government networks. As these threats have grown, policymakers have responded by imposing cybersecurity regulatory mandates, enforced compliance and mandatory incident reporting. While issuing security mandates and regulations may seem like a sound approach, the unintended consequences risk making us less secure.

The regulatory approach neglects the core reality of the cybersecurity challenge: cybersecurity is an economic problem. Simply put, it is more expensive to defend than to attack. Time, people and money are limited resources in every industry, and they must be allocated across multiple business priorities and goals, not just cybersecurity.

To remain competitive and successful, organizations allocate resources for maximum effect. But regulations are having a crowding-out effect, diverting companies' limited resources from their best use, such as solving security challenges and defending their networks, to managing and keeping up with thousands of pages of regulations. As a result, it is not uncommon for larger security teams to have more people devoted to regulatory compliance than to actual cybersecurity.

The regulatory approach often requires industry to spend its limited resources for no clear benefit. As one example, in 2022 Congress passed a law directing the Cybersecurity and Infrastructure Security Agency (CISA) to develop regulations requiring certain critical infrastructure companies to report specified cyber incidents. This is on top of, according to CISA, more than three dozen existing federal regulations related to mandatory incident reporting, not counting state, local and international requirements. The proposed regulations that CISA developed were widely criticized, including by members of Congress, for their overly broad scale and scope.

Further, a report from the U.S. Government Accountability Office (GAO) found that CISA lacks the resources to manage the program. The GAO wrote that CISA "lacked sufficient technology and staff to effectively handle these cyber incident review requirements." So hundreds of thousands of companies are being asked to build compliance programs to submit incident reports that CISA cannot process or consume in a meaningful way. The answer is not to build more bureaucracy, but to reduce the regulatory burden and harmonize the requirements that do contribute to shared objectives and benefits.

Unreasonable or excessively burdensome regulations can also create adversarial relationships between government and industry, which, in a field like cybersecurity, harms both sides. The possibility of arbitrary or unpredictable scrutiny, where regulators with the benefit of hindsight can review and cherry-pick from complex internal deliberations, creates a culture of uncertainty and mistrust. This often forces Chief Information Security Officers (CISOs) and other executive technology leaders to spend precious hours with their legal teams limiting corporate and personal liability or preparing regulatory filings. That time would be better spent improving their cybersecurity resilience and posture.

President-elect Trump and the incoming Administration have an opportunity to course correct. 

First, they can order a pause on creating new cybersecurity regulations until there is a comprehensive review of all applicable rules to determine which actually contribute to positive security outcomes. There should also be a cost-benefit analysis that weighs the cost of implementing each mandate against the security benefit it delivers. While this review is under way, work to harmonize and streamline existing regulations should continue.

Second, the Administration can re-establish an effective partnership between industry and government. Private industry fends off attacks daily, and security professionals in industry have ideas on how to improve the nation's collective cybersecurity posture. These voices have been neglected in favor of "solutions" imposed by the government. Yes, building a partnership of equals between industry and government is not easy. But there is a long history of industry and government collaborating successfully toward a common goal. It has been done before and can be done again.

Third, a task force made up of industry, government and economists should be convened to develop economic incentives that help companies make enhanced cybersecurity investments. Companies manage risk at the enterprise level, yet they face attacks that can have national and economic security implications. There is a gap between the cost of defending against enterprise risk and the cost of defending against national security risk. This task force should look at how to close that gap.

Fourth, the Administration should consider building a joint industry-government cyber threat intelligence center to share timely, actionable threat intelligence across industry and government in near-real time. Without that ability, we will continue to fail to meaningfully improve our cybersecurity. One step toward such a center would be for CISA to designate analysts charged with building and maintaining relationships with the industry-specific Information Sharing and Analysis Centers (ISACs). ISACs facilitate threat intelligence sharing within and across critical infrastructure sectors. Despite being formed at the request of the government, they are vastly under-utilized by the government.

By integrating these capabilities with those of CISA and other cyber centers across the country, we can achieve a common operating picture among industry and government, sharing threat intelligence as broadly and quickly as possible with the critical industries defending against the ongoing cyberwar being waged by our adversaries. This is among the easiest and most cost-effective steps that can be taken to prevent, detect and respond to cyber threats.

A fifth area of focus is imposing consequences on our adversaries. Our law enforcement agencies have done yeoman's work in taking down criminal gangs, and important arrests have been made. However, most cyber-criminal actors live beyond the reach of U.S. law enforcement. Nation-state actors and cyber criminals continue to increase the size, scale and complexity of their attacks. These malicious actors are stealing vast amounts of intellectual property and personal data, extorting victims and compromising government and critical systems. They will stop only when the cost of continuing the attacks becomes too high.

The complex threats we face require a reconsideration of past approaches and priorities. The laborious, years-long process of creating or updating regulations cannot keep pace with the evolving threat environment. Network defenders must be free to adjust quickly to attackers' changing tactics rather than focusing on compliance with a myriad of regulations and mandates. The economics of cybersecurity require public policies that enable industry to make better use of its limited security resources.

Scott Algeier
Scott C. Algeier is the Founder, President and CEO of the cybersecurity consulting firm Conrad, Inc., Executive Director of the Information Technology – Information Sharing and Analysis Center (IT-ISAC), and Executive Director of the Food and Agriculture – Information Sharing and Analysis Center. He has spent the past twenty years at the intersection of cybersecurity policy and operations. Previously, Scott was Manager for Homeland Security at the U.S. Chamber of Commerce, where he coordinated the Chamber's critical infrastructure protection, cybersecurity and disaster management public policy initiatives. Scott earned his Master's degree in International Relations and European Studies from the University of Kent (England) and is an honors graduate of Gettysburg College.
