Congress Presses on Cyber Readiness as Threats Outpace Policy

A recent congressional hearing focused on whether the current federal cyber posture, particularly CISA’s capacity and coordination model, is keeping up with increasingly aggressive and persistent nation-state activity. The conversation skipped over baseline definitions and instead drilled into execution gaps: reduced staffing, fragmented authorities, and the loss of structured public-private engagement mechanisms that had previously enabled more consistent coordination with industry.

Witnesses from telecom, IT, and national security backgrounds described a growing disconnect between how quickly infrastructure is scaling, across hyperscale data centers, cloud environments, and space-based systems, and how slowly policy and coordination models are adapting.

There was broad agreement that adversary access is becoming more persistent and better positioned, but less agreement on how to translate that into stronger operational resilience.

Several pointed out that recent rollbacks in collaboration frameworks are occurring at the same time dependencies are increasing, raising questions about whether the current model can keep pace without reinvestment and clearer alignment across agencies.

Why It Matters: The hearing confirmed a gap most CISOs are already managing in practice: defensive capacity is not keeping pace with adversary capability or the complexity of modern infrastructure. As dependencies expand across cloud, data centers, telecom, and space systems, exposure becomes more interconnected and harder to segment. At the same time, less consistent federal coordination and fewer structured engagement channels increase the burden on internal teams to fill visibility and response gaps. Without stronger alignment, clearer authority, and sustained investment, existing weaknesses, particularly around supply chain visibility, shared intelligence, and systemic dependencies, are likely to compound rather than improve.

• Capacity Constraints Are Undermining Coordination: Witnesses pointed to the loss of roughly a third of CISA’s workforce and the dismantling of mechanisms like the Critical Infrastructure Partnership Advisory Council (CIPAC/CPAC) as directly impacting day-to-day coordination. Industry participants noted that without these structures, information sharing has slowed or stalled, and legal protections for collaboration have become less clear, leaving some joint efforts effectively paused.

• Infrastructure Scope Is Outpacing Policy Boundaries: Multiple witnesses argued that hyperscale data centers, cloud platforms, and space systems are no longer just subsets of existing sectors. There were explicit calls to designate data centers and space as standalone critical infrastructure sectors, citing their economic weight, concentration risk, and role in AI, defense, and grid operations.

• Threat Activity Continues to Deepen in Persistence and Access: The Salt Typhoon intrusion was cited as a case where attackers maintained long-term access to U.S. telecom networks, including sensitive communications, without detection for extended periods.

• Supply Chain Risk Is Still Largely Unresolved: Discussion went beyond foreign hardware bans to highlight practical challenges: limited visibility into multi-tier suppliers, inconsistent standards across agencies (FCC, Commerce, DHS), and the reality that even U.S.-made systems (e.g., routers) have been exploited. Witnesses called for more coherent policy and better intelligence sharing on identified risks.

• Critical Dependencies Remain Exposed at Scale: Subsea cables were described as carrying ~95% of global data traffic and largely undefended against physical disruption. Similarly, space systems, now underpinning GPS, financial timing, and communications, are expanding rapidly without a unified security framework. Both were framed as high-impact targets with outsized downstream consequences if disrupted.

Go Deeper ->