CyberWire Daily — CISO Perspectives
Episode: The Existing State of Regulation
Host: Kim Jones (A), N2K Networks
Guest: Ben Yellen (B), Program Director for Public Policy and External Affairs at University of Maryland Center for Cyber Health and Hazard Strategies
Date: September 23, 2025
Episode Overview
This episode delves into the rapidly evolving landscape of cybersecurity regulation in the United States, focusing on the effects of new federal policies, the tension between risk-based and regulatory approaches, and the impact of dissolving advisory boards. Host Kim Jones engages public policy expert Ben Yellen in a candid, practical exploration of recent changes and what they mean for CISOs, businesses, and the broader ecosystem.
Key Discussion Points & Insights
1. Introduction: Changing Regulatory Climate & Rising Stakes
- The conversation opens with a review of the SEC’s July 2023 reporting requirements for publicly traded companies to disclose material cybersecurity incidents within four business days.
- Materiality is defined as information “a reasonable investor would consider important” (00:02).
- The SEC's investigation into the SolarWinds breach, including criminal pursuit of a CISO (Tim Brown), set the tone for stricter enforcement and rising anxiety among industry leaders.
- Notably, a majority of incident filings did not actually declare material impact (only 14% as of Feb 2025).
- The episode highlights increased bureaucracy and decreased practical input due to the dissolution of advisory bodies like the Cyber Safety Review Board (CSRB) (00:02-05:00).
2. Meet the Guest: Ben Yellen
- Ben introduces himself as co-host of the Caveat podcast and explains his academic and public policy role at University of Maryland focused on cybersecurity and AI policy, including teaching courses on national security and electronic surveillance law (05:04-06:43).
- Quote: “We’ve had an increasing focus in recent months on state level policy related to artificial intelligence.” – Ben Yellen (05:58)
- Kim Jones enthusiastically endorses Ben's Caveat podcast (05:46).
3. Federal Regulation: Shifts, Freezes, and the Risk-Based Approach
- Ben describes the disruptive immediate aftermath of the administrative change in 2025, including layoffs at key agencies (CISA, NIST), regulatory freezes, and agency shutdowns (07:16).
- Quote: “We saw layoffs, for example, at CISA, we saw large scale layoffs. At NIST, we saw certain agencies pretty much shut down entirely.” – Ben Yellen (07:30)
- The administration’s regulatory posture is now characterized by fewer mandates and a greater emphasis on risk-based resilience, both in cybersecurity and emergency management (07:16-09:18).
- Quote: “…shift from mandates, so less of the focus on mandatory compliance and more around risk-based resilience.” – Ben Yellen (08:20)
4. AI Regulation: Biden vs. Trump Approaches
- Discussion of the shift in federal AI policy, contrasting Biden-era guiding principles (bias and equity) with the Trump focus on free-market competitiveness and deregulation.
- Both parties emphasize AI infrastructure, but differ markedly in their balance of innovation vs. protective guardrails (09:18-11:34).
- Quote: “Equity is kind of a word that's just not used in the Trump administration...” – Ben Yellen (10:44)
5. Risk-Based Approaches vs. Regulatory Mandates
- Kim argues that absolute security is a fallacy—risk management is always about trade-offs.
- Quote: “I can secure you absolutely, if you shutter your doors...But then again, you ain’t going to make no money.” – Kim Jones (12:09)
- Both speakers agree that relying exclusively on a risk-based approach is problematic, particularly regarding accountability.
- Ben explains downstream risks: using the Change Healthcare attack as an example to show how one event can cripple an entire sector (13:36).
- Quote: “When you look at the downstream effects of that attack, it doesn’t just affect the company...it starts to affect the providers...ambulances have to be deferred.” – Ben Yellen (14:01)
- Kim asserts that all regulation is by nature a bit reactive, constructed to address “known unknowns” after-the-fact, yet stresses the ongoing need for continuous risk analysis and adaptability (15:32-17:46).
- Quote: “If I am doing appropriate risk analysis...I should be able to react well.” – Kim Jones (16:46)
- Ben notes the slow pace of federal regulation, the balkanization of risk between agencies, and challenges small entities face in assessing risk; suggests hybrid models (e.g., EU AI Act’s risk tiering) could be a way forward (17:52-19:57).
6. Offensive Operations and Legal Ambiguity
- Kim recounts Google's public move toward offensive cyber tactics and the escalating tit-for-tat responses from attackers (21:31-23:11).
- Both speakers grapple with the risks of "hacking back," including the danger of accidental collateral damage and legal uncertainties at the intersection of warfare and cybersecurity.
- Quote: “There’s always going to be risk in offensive operations. There’s always going to be the risk of escalation.” – Ben Yellen (23:11)
- The lack of international legal clarity creates dilemmas: when does defensive hacking cross the threshold into an act of war? (24:12–26:10)
- Quote: “It’s naturally a legal gray zone because it’s somewhere between what we would call espionage and what we would call warfare.” – Ben Yellen (26:10)
- The conversation veers into the blurred boundary between non-state actors (like Google) and traditional state actors, discussing terrorism definitions and domestic laws (27:05–28:16).
7. Advisory Boards, Institutional Knowledge, and Policy Gaps
- Kim and Ben lament the administration’s dismissal of all DHS advisory boards, including those crucial for cross-sector feedback (29:28).
- Quote: “In my mind, these committees...give a perspective that is outside of the potential federal echo chamber…” – Kim Jones (29:28)
- Ben illustrates the wider impact: mass loss of “institutional expertise for no real reason,” accidental purges of critical experts in other sectors (nuclear, weather, vaccine boards), and long-term consequences for policy quality (31:05–33:00).
- Quote: “I think we have lost a lot of institutional expertise for no real reason.” – Ben Yellen (31:05)
- With protections for these appointees weakened, Ben foresees stronger state and regional cooperation as potential mitigations (33:00–34:30).
8. Call to Action: Understanding and Participating in Administrative Law
- As a final takeaway, Ben urges listeners to educate themselves on how the federal regulatory process actually works, particularly the under-appreciated administrative law apparatus.
- Quote: “If you care about the regulatory state, learn how the process works...follow what happens within regulatory agencies.” – Ben Yellen (34:45)
- He emphasizes that real impact can be made through public comments and engagement, especially for smaller organizations.
Notable Quotes & Memorable Moments
- “It’s good at addressing risks that we already know exist, but it is not good at putting up guardrails around the entire industry to protect us from risks that do not exist.” – Ben Yellen (15:19)
- “Absolute security, by definition, is an oxymoron.” – Kim Jones (12:11)
- “Our government in the face of a cyber 9/11 would be nimble enough to make those changes. There could be a second Patriot Act…” – Ben Yellen (27:37)
- “If advisory committees are no longer recognized as having value, what is that going to do in terms of the impact of decisions regarding regulation…?” – Kim Jones (29:28)
Timestamps of Key Segments
- 00:02 — Intro; SEC rules, SolarWinds, advisory boards dissolved
- 05:04 — Ben Yellen’s background
- 07:16 — State of federal regulation post-administration change
- 09:18 — Contrasting Biden and Trump AI strategy
- 11:34 — Risk-based vs. regulatory approaches
- 13:36 — Downstream risks example: Change Healthcare attack
- 21:31 — Google’s offensive cyber stance and legal/policy aftermath
- 24:12 — Acts of war, international law, hacking back
- 29:28 — Value and loss of federal advisory committees
- 34:45 — Administrative law: how listeners can engage
Tone & Style
The episode is conversational, frank, and laden with industry-insider observations and wit. Both speakers blend wit with gravity, underscoring the high-stakes, nuanced trade-offs facing cybersecurity leaders.
Summary Takeaways
- The new federal administration has fundamentally shifted the cybersecurity regulatory landscape—favoring deregulation, risk-based resilience, and a free-market approach to AI.
- Key regulatory bodies have been disrupted by layoffs and dissolved committees, potentially leaving dangerous gaps in policy expertise.
- Risk-based frameworks offer flexibility but may lack necessary guardrails and can struggle with enforcement, especially for smaller organizations.
- The escalation towards offensive cyber tactics by private companies (e.g., Google) raises perilous, unresolved questions in international law and escalation risk.
- Listeners are encouraged to become literate in administrative law and engage in regulatory processes, using public comment opportunities to avoid ceding the field to industry giants and fringe voices.
For leaders charting strategy in turbulent regulatory waters, the episode offers grounded perspective, practical warnings, and a call for informed participation.