Key Takeaways
- Cyber threats to U.S. critical infrastructure are growing, yet overlapping federal rules force defenders to spend more time on paperwork than on actual security.
- A CrowdStrike survey shows 78% of organizations faced ransomware last year and 93% lost data, underscoring the real, relentless nature of attacks.
- Sophisticated nation‑state campaigns—collectively called “the Typhoons”—target telecom, power, water, IT systems and other vital sectors, demanding urgent protection.
- Regulatory fragmentation (multiple agencies, forms, deadlines) diverts 30‑50% of CISOs’ time in financial services to compliance rather than hardening defenses.
- Streamlining rules—exemplified by smart implementation of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)—can let cyber professionals focus on defending systems while still meeting government oversight needs.
The Growing Threat Landscape
At a time when cyber threats to American critical infrastructure are intensifying, the current regulatory environment undercuts the ability of cyber defenders to focus on security. Adversaries are becoming more sophisticated, and the volume of attacks is rising, yet defenders are often bogged down by administrative demands that distract from active defense and recovery efforts.
Evidence from the Field: Ransomware and Data Loss
A survey of global security leaders by cybersecurity company CrowdStrike found that 78% of organizations experienced ransomware last year and that 93% lost data whether or not they paid the ransom demanded in the attack. These figures illustrate that the onslaught against companies, large and small, is real and relentless, and that paying a ransom neither guarantees data recovery nor prevents further harm.
Nation‑State Campaigns: The “Typhoons”
More concerning is the threat posed by sophisticated nation‑state actors. Consider the various campaigns attributed to China‑based operators that target American and allied telecommunications, power, water, IT systems, and more. These campaigns, collectively referred to as “the Typhoons,” each demonstrate that companies must urgently protect their systems, data, and intellectual property, because these adversaries seek strategic advantage rather than mere financial gain.
Regulatory Fragmentation Hinders Defense
What we can say with certainty is that the answer is not more of the same: dozens of federal agencies issuing well‑intentioned but, in practice, duplicative and conflicting rules and guidance that have become a hindrance to the intra‑government collaboration necessary to protect American cyberspace. The patchwork of requirements creates confusion and forces firms to juggle multiple, often contradictory, obligations.
Compliance Over Security: Wasted Resources
At best, companies are spending precious resources demonstrating compliance rather than strengthening security; at worst, some are left without a clear, consistent understanding of what good security requires. Taken together, the lack of clarity and an overemphasis on procedural form rather than security outcomes and substance puts businesses, their customers, and our nation’s critical infrastructure at risk.
A Financial‑Services Example
Imagine being a bank or a credit union. You’re regulated by the Federal Deposit Insurance Corporation (FDIC), Consumer Financial Protection Bureau (CFPB), the Office of the Comptroller of the Currency (OCC), the Department of the Treasury, the Securities and Exchange Commission (SEC), state regulators, and more. Each agency has a different and valuable purpose—ensuring the health of the financial system, protecting banking customers, informing shareholders of breaches—but when an incident occurs, you must answer different sets of questions, complete different forms, meet different deadlines, and talk with several agencies about the same issue.
The Burden of Incident Reporting
If you’re a multinational company, you may be dealing with hundreds, if not thousands, of regulatory schemes around the world. This multiplicative effect amplifies the compliance load, forcing security teams to allocate disproportionate effort to reporting rather than to threat hunting, patch management, or resilience building.
Data on Compliance Time Consumption
A study by the White House Office of the National Cyber Director (ONCD) last June revealed that across industries, compliance demands often outweigh time and resources devoted to improving security. CISOs in financial services spend 30‑50% of their time on compliance—not hardening systems, but reporting their current status. This diversion directly reduces the capacity to defend against active threats.
Impact on Security Professionals
The simple truth is this: that’s not just inefficient—it sets us back. We cannot continue a system in which security professionals are pulled from securing and defending systems, responding to attacks, and executing a quick recovery in their wake. The talent shortage in cybersecurity is exacerbated when skilled staff are relegated to paperwork instead of frontline defense.
Industry‑Led Efforts to Streamline Rules
This reality, of course, is not news to security professionals. That is why the McCrary Institute and the U.S. Chamber of Commerce have partnered to launch a task force of cyber experts aimed at informing what a federal effort to streamline cyber rules can and should look like. Their work seeks to identify duplicative requirements, propose common language, and create a framework that balances oversight with operational effectiveness.
Administrative Recognition and the Cyber Strategy
We are heartened to see that this issue is also a priority for the Trump administration. The President’s Cyber Strategy for America lays out the President’s intention to promote common-sense regulation. National Cyber Director Sean Cairncross and his team appreciate the urgency of reducing compliance burdens, addressing liability, and aligning with regulators in the U.S. and abroad. This signals a willingness to act on the problem identified by industry experts.
Opportunity Presented by CIRCIA
Right now, the Administration is also working through the details of implementing the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). If implemented smartly, this legislation has the potential to serve as a center of gravity to help align the interests and needs of government and the private sector. A single, standardized reporting mechanism could eliminate the need for multiple, duplicative filings after an incident.
Next Steps: Streamlining and Collaboration
So, what next? We must get CIRCIA right so companies can report once and leave it to government agencies to share among themselves. Next, it is critical that we identify regulatory overlap and duplication, supply common language and requirements to federal partners, ensure reciprocity where appropriate, share information across government agencies, and work with industry partners to ensure that regulations serve their purpose without overly burdening the regulated.
The Choice Ahead
The choice is stark: we can continue forcing our best cybersecurity minds to fill out forms while adversaries breach our systems, or we can streamline these regulations, as the President has done with success in other policy domains, let America’s cyber defenders do what they do best, and execute on what the President has identified as a priority action across government: defend America. By reducing unnecessary paperwork and fostering inter‑agency coordination, we can reclaim the focus and resources needed to protect the nation’s critical infrastructure.