Insights from Joy Ditto: Predicting Cyber Policy in the New Trump Administration

This is a contribution from policy expert Joy Ditto, Founder and CEO of Joy Ditto Consulting. With extensive experience in U.S. government, critical infrastructure, and the electric industries, Joy shares insights on what the new administration might mean for securing critical infrastructure in the new year.

In the frenetic aftermath of the November elections as pundits (lovers and haters), D.C. insiders, critical infrastructure industries and many others parse through what will happen in the second Trump Administration on…insert issue…it feels like anything but peace on earth. Amidst all this hullaballoo is good news – deep breath.  That is, we have recent history from which we can draw some conclusions. On the issue of cybersecurity, I will even venture to say that the new Trump Administration will share many things in common with the current Administration, with some shifts in emphasis and a general posture of streamlining agency action. Let me explain.  

Since the mid-2000s when cybersecurity became a matter of serious policy discussion – not quite 20 years ago – there have been four presidents, two Republican and two Democrat.  From my perspective as a D.C.-based representative of the electric sector, the federal posture on cybersecurity has not whipsawed back-and-forth like it has with other prominent policy issues such as climate change or border protection. Instead, the general attitude has been similar, both amongst these presidents and, often, on Capitol Hill, regardless of party.  That attitude can be characterized as “this issue is a serious threat to our national defense and critical infrastructure (CI) sectors and we have to figure out ways to address it,” through a combination of offensive tactics (government driven, such as engaging in cyber warfare, banning imports of key products from certain nation-states, sanctioning, etc.) and defensive strategies, which, from a policy perspective include creating incentives, offering trainings and collaborative exercises, enhancing private sector situational awareness of the threat, mandating regulatory regimes, working with national labs to create or pilot solutions,  and encouraging collaboration including through public private partnerships -- or a combination of all the above.  

As the sophistication of cyber warfare has evolved as our understanding of the issue has also evolved, the basic policy choices have not changed demonstrably. The main area of policy difference does not always play out along party lines – that area, I would argue, is whether the federal government should encourage/incentivize (voluntary) versus regulate (mandatory) in this arena. Typically, we would see Republicans fall closer to the incentive side of the spectrum and Democrats toward the regulatory side. Not so with cyber.  The lines blur heavily, for example, with many conservative Republicans unopposed to certain regulations related to cybersecurity. Several major cybersecurity incidents over the last 20 years, including the Colonial Pipeline ransomware attack and the Orion Solar Winds’ hack, have also informed policy makers’ responses.

As I’ve been alluding to above, cybersecurity policy is a combination of congressionally authorized and presidentially directed action, so there will be back-and-forth on the issue beyond the Executive Branch. It is also extremely important to understand what can be done via Executive Action and what must be blessed by Congress. With all this context, following are some predictions:

1. Bipartisan action will continue on cyber in Congress.  No roll-backs of the NERC/FERC regime for electric utilities will occur, as that would require congressional action and there is no real appetite to revisit.
2. FERC may not be as aggressive as it has been recently in directing NERC to act on certain cyber and physical security standards. However, it is also possible to see an effort by some at FERC to either directly or indirectly attempt to address distribution utilities’ cybersecurity under a federal umbrella.
3. Momentum is likely to stall regarding discussions of a NERC-like regime for the oil & gas sectors.  The likely Secretary of Energy comes from an oil & gas background, and these sectors have never been fans of the electric sector regime.
4. Emphasis from the new Administration and Congress on China – across the board, but specifically on cybersecurity.  While there has been an ambient level of interest and emphasis in the current Administration, the level of scrutiny is likely to heat up.
5. Potential slow-down of implementation of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA).  As I have noted previously, this law, while bipartisan, has ambiguities that have been left unresolved so far in the implementation process and that impacted CI sectors will see an opportunity to revisit.
6. Executive action to streamline agency jurisdictions, including those with cybersecurity roles. The hyper-discussed temporary agency known as the Department of Government Efficiency (DOGE), to be headed by Elon Musk and Vivek Ramaswamy, is unlikely to prioritize cybersecurity out of the gate as an area for that agency’s scrutiny, but certainly the White House’s leadership could direct overlapping agencies to figure out where there are unnecessary inefficiencies, unclear roles and responsibilities, overlapping roles, mission creep, and gaps in authority that could impact security. This could result in an updated National Infrastructure Policy Plan (NIPP) and associated presidential policy directives, among other things. Congress may have more explicit plans to consolidate, including eliminating or reducing departments in agencies such as DHS’s CISA – a devoted libertarian, Senator Rand Paul (R-KY) will head up the Senate Homeland Security and Government Affairs Committee.
7. The tenderness of the geopolitical environment could impact policy at any time. In the U.S., we often react to a crisis to force action on difficult issues, but the push to have government take on a more proactive role, even if to become more efficient, may provide opportunities for even greater CI/government collaboration and even CI-to-CI cross-collaboration.
8. The conundrum that the previous Trump Administration was not able to solve is how to suss out the “bad” software that’s embedded in our CI – it previously proposed “ripping and replacing” such software in the electric sector as has the current Biden administration.  Whether or not that is the policy direction, I cannot predict, but it is an issue lacking resolution.
9. The race for the U.S. to win on quantum computing will speed up.

With all this said, as of this writing, we do know who some of the leaders are likely to be in the new Administration – a few I already mentioned above. Included in the list of agencies charged, in whole or in part, with cybersecurity, are the Department of Homeland Security (DHS), especially via the subagency the Cybersecurity & Infrastructure Security Agency (CISA), the White House’s National Security Council, the Department of Defense’s Cyber Command, and individual Sector Risk Management Agencies. Also included are the career bureaucrats in these agencies as well as in our foreign intelligence agencies (Central Intelligence Agency, National Security Agency, Defense Intelligence Agency, etc.) and the owners and operators of critical infrastructures who have a key role in maintaining cybersecurity and collaborating with the federal government to do so.

Regardless of who these individuals are, cybersecurity policy has historically been bipartisan and is likely to continue to be approached in that same manner.  However, we don’t yet know many of the key individual leaders for some of these agencies and subagencies, especially for those likely to be the most focused on cybersecurity, such as CISA. And it is not yet known how much time the new Congress will dedicate to cyber, though tangential issues like AI, machine learning and geopolitics will all be on their radars. Below are a few of the people tapped to be nominated to date that will have a roll in the United States cybersecurity posture and policy:

DHS: Gov. Kristi Noem of South Dakota was tapped by the incoming administration, pending official nomination and Senate confirmation, to lead the Department of Homeland Security.  It is expected that much of her time and focus will be pulled to immigration and border security, likely leaving cybersecurity to a yet unnamed undersecretary and the yet unnamed director of CISA.

Director of National Intelligence (DNI or ODNI): Former U.S. Representative Tulsi Gabbard was tapped by the incoming administration, pending official nomination and Senate confirmation, as the director of national intelligence. Though she has never had a direct role in our intelligence community, she has served as a policy maker on the House Armed Services, Foreign Affairs and Homeland Security committees and was an officer in the U.S. Army National Guard for 17 years, including being deployed in Iraq, and continues to serve in the U.S. Army Reserve as a Lieutenant Colonel.

FBI: Kashyap “Kash” Patel was tapped by the incoming administration, pending official nomination and Senate confirmation, to serve as director of the Federal Bureau of Investigations (FBI). He has experience with government as a lawyer and former Chief of Staff to the then Acting Secretary of Defense Christopher Miller. Much of his background has been focused on counterterrorism.  However, the FBI has a significant role in cybersecurity issues - like data breaches, ransomware and cyber criminals, especially when both victim and perpetrator are U.S. based - though they are often in more of a supporting role to other agencies.

For more insights from Joy, we encourage you to check out www.joydittoconsulting.com.