Private sector representatives emphasized the importance of streamlining cybersecurity regulations and improving information sharing efforts between the government and industry during a recent hearing before the House Committee on Homeland Security’s Subcommittee on Cybersecurity and Infrastructure Protection. 

Although the hearing was intended to determine whether the plethora of cybersecurity regulations and reporting requirements is helping or harming the ability to secure the nation’s systems and critical infrastructure, it was clear that industry continues to play an important role not only in the formulation of the cybersecurity regulatory regime, but also in putting it into practice. Consequently, it is critical for lines of communication between industry and government to remain open, as collaboration between the two is essential to ensuring security.

During the hearing, witnesses, including Ari Schwartz, Coordinator for the Cybersecurity Coalition, considered potential improvements for sharing cyber threat intelligence and other incident-related information with the government. These include potentially reauthorizing the Cybersecurity Information Sharing Act of 2015 (CISA 2015), revising the final Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) rule, and reinstating the recently disbanded Critical Infrastructure Partnership Advisory Council (CIPAC).

These are critical levers for ensuring that information is shared bi-directionally in a productive, meaningful way, with the end goal of improving the cybersecurity posture of the U.S. The country is facing long-term, persistent campaigns from nation-state actors, which require a coordinated approach to, and consistent application and enforcement of, joint information sharing efforts between the public and private sectors.

Additional operational collaboration within agencies and between sectors is also critical. These partnerships offer another tool to ensure defenders are looking at a more complete threat picture and taking advantage of all the capabilities of private sector organizations and government agencies – including law enforcement – to thwart bad actors.

Another consideration raised during the hearing was the potential increased use of offensive cyber operations against our greatest threats, most notably the People's Republic of China (PRC), which has been prioritized by the Administration following targeted campaigns against telecommunications companies. Previous efforts have been made to deputize companies to “hack back” following a cyber attack, and this debate will evolve in the coming months as policymakers consider how, and to what degree, private sector entities should be taking counteroffensive cybersecurity measures into their own hands.

With respect to some immediate actions the federal government could take to enhance cyber defense – in particular, information sharing and incident reporting efforts – Schwartz highlighted the increasing global demand for cybersecurity regulation. He noted that U.S. regulations are often overseen by sector-specific agencies that may lack expertise in cybersecurity. This can complicate harmonization efforts, particularly as new cross-sector and international regulations emerge. Schwartz offered several recommendations for the Subcommittee to consider:

  • Engage with critical infrastructure sectors: The Cybersecurity and Infrastructure Security Agency (CISA) should engage more actively with Sector Coordinating Councils and the Council of Information Sharing and Analysis Centers (ISACs) through an ex-parte process, as intended by Congress.
  • Streamline reporting requirements: CISA should clarify and refine reporting requirements to avoid duplication and reduce unnecessary reporting burdens. Schwartz described the fragmented state of incident reporting, which has become increasingly difficult to manage due to overlapping and duplicative requirements. These varying requirements create confusion and inefficiency.
  • Collaborate with federal and international partners: Work closely with the Office of Management and Budget (OMB), other federal agencies, state and local agencies, and international partners to harmonize and streamline incident reporting processes.
  • Revise CIRCIA: Issue a revised version of the proposed rule addressing industry concerns before finalizing it, ensuring that it aligns with Congress's goals and enables effective stakeholder feedback. Schwartz argued that the proposed rules did not meet the goal of harmonization.
  • Reauthorize CISA 2015: Support the reauthorization of the Cybersecurity Information Sharing Act of 2015. Schwartz argued that this act facilitates the sharing of cyber threat information with liability protections, advocating for streamlining cybersecurity regulations to make it easier for organizations to implement effective cybersecurity measures.

Schwartz, and others, also suggested reinstating the recently disbanded Critical Infrastructure Partnership Advisory Council (CIPAC). These types of government-run organizations enable industry to participate in meaningful conversations with government officials making policy decisions regarding the cybersecurity community.

In particular, CIPAC enabled critical infrastructure owners and operators to provide feedback and support cybersecurity resilience efforts across sectors. This goes beyond sharing cyber threat information and reporting incidents to the government. It enabled a public-private sector partnership model that facilitates ongoing discourse, allowing real-time feedback and exchanges between a variety of cybersecurity stakeholders.

Now more than ever, it’s about collaboration, as the term “public-private sector partnership” has evolved. Sharing cyber threat information and reporting incidents to the government is just one of many mechanisms available. Industry needs to be thoughtful in how it approaches and deploys these tools, ensuring the removal of extraneous, time-consuming, compliance-driven reporting requirements from breach victims and sharing information in a purposeful, meaningful, contextual way.

While these types of activities won’t solve all our cybersecurity challenges, they certainly contribute to a more cohesive community with a shared interest and mission: ensuring the security, safety, and resilience of our critical infrastructure.

Stacy O’Mara & Grace O’Neill
