FOR IMMEDIATE RELEASE
Chairmen Garbarino, Green Deliver Opening Statements in Hearing on Cyber Regulatory Harmonization
WASHINGTON—Today, Subcommittee on Cybersecurity and Infrastructure Protection Chairman Andrew Garbarino (R-NY) and House Committee on Homeland Security Chairman Mark E. Green, MD (R-TN) delivered the following opening statements in a hearing to examine opportunities to improve the cyber regulatory regime, including the role the Cybersecurity and Infrastructure Security Agency (CISA) should play in cyber regulatory harmonization moving forward.
Watch Chairman Green’s full opening statement.
As prepared for delivery:
Today’s hearing serves as a crucial opportunity to examine the effectiveness of the federal cyber bureaucracy. At a time when cyberattacks are growing more frequent and sophisticated, it is imperative that our regulatory process governing cyberspace is strengthened and harmonized. This will promote security and cooperation while minimizing cost and confusion.
Last May, this Subcommittee held a hearing focused on CIRCIA—the Cyber Incident Reporting for Critical Infrastructure Act of 2022. CIRCIA, among other things, directed CISA to create and implement regulations for cyber incident reporting across all 16 critical infrastructure sectors.
Although Congress passed CIRCIA nearly three years ago, widespread regulatory disharmony persists throughout the cyber incident reporting and response regime.
There are now at least 50 cyber incident reporting requirements in effect across the federal government. These regulations are often duplicative and complex, requiring private sector owners and operators to invest significant sums into regulatory compliance rather than security. This patchwork of conflicting and complex regulations places a significant burden on reporting entities.
Let’s be clear: improving our nation’s cyber regulatory regime will bolster our national security. Current cyber incident reporting regulations require too much of the private sector, drawing their attention away from securing their networks.
Federal regulations like the SEC’s public cyber disclosure rule clearly illustrate the urgent need for harmonization. This rule in particular is riddled with ambiguity and sets constrictive reporting timelines for organizations that experience cyber incidents.
Ambiguous and conflicting standards like the SEC rule are allowing compliance to take priority over security, leaving our critical infrastructure more vulnerable to subsequent attacks.
Injecting consistency and efficiency into the cyber regulatory regime is necessary to protect our nation from digital threats to our critical infrastructure. The security of our homeland depends on effective cooperation between the private and public sectors, and it is our duty to help remove any unnecessary barriers to collaboration.
Since CIRCIA is still in the rulemaking process until later this year, there is still time to ensure that regulatory effectiveness and harmonization are core features of our national cyber incident reporting requirements.
The CIRCIA final rule must not place an undue burden on private sector entities that are critical to our national cyber defense.
I want to thank our witnesses, Scott Aaronson from Edison Electric Institute, Heather Hogsett from Bank Policy Institute, Robert Mayer from USTelecom, and Ari Schwartz from the Cybersecurity Coalition for being here today.
Most of today’s panel previously testified during our CIRCIA hearing last May, each providing their invaluable insight to this Subcommittee.
It is a pleasure to have each of you join us again today. With President Trump in office, we have a unique opportunity to create a common-sense cyber regulatory structure that ensures compliance serves its purpose: to share actionable information with the federal government.
As nation-state threats rise, we must do all we can to ensure our cyber professionals can focus their precious time, attention, and resources on securing our networks and critical infrastructure. I look forward to working with you all as we pursue this shared objective.
###