One hard reality of cybersecurity is that the economics favor attackers. It is more costly to defend than it is to attack. As threat actors become more sophisticated and diverse, the cost to defend continues to grow. Defender resources — time, money, and people — are finite. As such, companies need to allocate them efficiently and effectively.
Unfortunately, the steady movement toward government-imposed cybersecurity regulations and enforcement actions poses a dilemma for many companies. Do they allocate resources to secure their environment or to ensure compliance with a multitude of government mandates and reporting rules?
The number of cybersecurity regulations imposed on industry is so voluminous that a core pillar of the Biden administration’s National Cybersecurity Strategy is to harmonize regulations. Yet government agencies continue to issue conflicting mandates that will divert resources from security to compliance.
One such example is the Federal Acquisition Regulations rule on Cyber Threat and Incident Reporting and Information Sharing, proposed by the U.S. Department of Defense, the General Services Administration, and NSA, which is estimated to impact upwards of 94,000 companies that contract with the federal government. This proposed rule alone is conservatively estimated to impose compliance costs of $1.52 billion annually on companies that service the federal government. The benefits, however, are less easy to quantify.
Advocates of mandatory reporting claim that it is necessary so that the government can have a better understanding of cyber threats, which will help them share information on how to defend against the threats.
Even if we accept this claim — that despite the collective resources of the NSA, Cyber Command, the CIA, the FBI, the U.S. Department of Homeland Security, and a nearly endless number of federal agencies, the government still does not have a sufficient understanding of the threat landscape — the proposed regulations will not achieve the purported goal. Instead, the government will be provided with a tsunami of information with seemingly no filter.
For example, the proposed FAR rule would require companies with government contracts, and their suppliers, to report on every anomaly observed on their network — which the proposed rule calls an incident that “may have occurred”— within eight hours (yes, eight hours) of it being noticed.
Companies investigate potential security incidents every day. Therefore the Cybersecurity and Infrastructure Security Agency could receive hundreds, potentially thousands, of reports each day on incidents that “may” have occurred. CISA will be quickly overrun with unverified and inaccurate information on security incidents that either didn’t occur or have no impact. The task of sorting through a mammoth amount of data will make it more difficult to provide actionable threat intelligence back to industry.
As such, at a minimum, the FAR regulations should limit mandatory incident reporting to consequential incidents such as those that impact government data or a contractor’s ability to perform its mission.
Other government agencies also are imposing regulations that likely will have a detrimental impact on security. The most high-profile of these is the SEC’s Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule, which creates another set of governance and reporting requirements for publicly traded companies. Under the SEC rules, publicly traded companies would have to publicly announce when they experience a cyber incident that has a “material impact.”
Under these regulations, companies must publicly disclose incidents and certain details even if doing so puts them or other companies at greater risk. For example, if a company is still remediating an attack, it faces the prospect of being attacked again by other actors who know that the company is already busy responding to the initial incident. Public information about a successful attack will undoubtedly be scrutinized and used by attackers.
Companies are anxiously awaiting the next round of regulation, due in March, when CISA issues its initial proposed regulations to implement CIRCIA. This law was passed in 2022 and requires companies to report incidents to CISA within 72 hours. Key areas of focus will be which companies will be required to report incidents and what type of incidents they will need to report.
These examples reflect only a sample of the regulations and mandates from just the federal government. States are developing their own set of cybersecurity requirements. This will make both security and compliance more difficult and costly.
Our nation faces a complex range of cyber threats. Nation-states are using their cyber armies to attack America’s critical infrastructure and government. They are actively stealing intellectual property and, according to the FBI, are lurking on networks waiting to pounce when the time is right. Unfortunately, the government’s response to this is to create a complex regulatory, compliance, and reporting environment that is both duplicative and contradictory.
It may not be realistic to begin the immediate rolling back of regulations and mandates. However, it is essential that the government collectively pause on issuing new cybersecurity regulations and mandates to focus on the much-needed regulatory harmonization.
Scott C. Algeier is Executive Director at IT-ISAC, a not for profit organization of companies dedicated to enhancing cybersecurity by sharing threat information.