Inside Cybersecurity

Former cyber officials see harmonization as key to future work under incoming administration

By Sara Friedman / November 1, 2024

Former officials with cyber responsibilities highlighted opportunities for an increased focus on harmonizing regulations under a new administration, identifying the role of the Office of the National Cyber Director and refining critical infrastructure policy across sectors as top priorities.

“The challenge with ONCD doing the harmonization is that ONCD has a great set of relationships with the non-independent regulators and the independent regulators see themselves as almost being outside that paradigm, and candidly they were designed to do just that,” Matt Hayden of General Dynamics Information Technology told Inside Cybersecurity.

Hayden said, “But when it comes to cyber, consistent regulatory frameworks for reporting and holding a baseline for cybersecurity standards, consistency is key. There’s not really a way to be overly aggressive with these independent entities but to find a way to get them to meet in the middle on what cyber regulation should be and to have those be consistent with traditional regulators that are already adding cyber to their existing frameworks.”

Matt Hayden, VP, General Dynamics Information Technology

Hayden was assistant secretary for cyber, infrastructure, risk and resilience policy at the Department of Homeland Security under the Trump administration.

ONCD has made cyber regulatory harmonization a top priority, releasing a request for information on harmonization in 2023 and backing legislation at a June 5 hearing to give ONCD authorities to convene federal agencies and independent regulators to work on a cross-sector framework for harmonization.

Senate Homeland Security Chairman Gary Peters (D-MI) and Sen. James Lankford (R-OK) introduced the bill on July 9, and it was approved in a 10-1 vote by the full committee at a July 31 business meeting.

Hayden noted, “There’s also a moment of pause on regulatory harmonization as a result of several judicial decisions that may require additional Hill language to kind of bolster some of the efforts.” He pointed specifically to the water sector and efforts at the Environmental Protection Agency.

“For example, there’s questions if a sector risk management agency that already does safety for a particular sector can add cyber to that without additional legislative language that’s very direct and empowers them to regulate that specific element, as we saw with contested language coming out of the water sector.”

The incoming administration will have to “up the game a bit” on these decisions “so it’s not just in the hands of regulatory agencies and bodies and the executive branch,” Hayden said. “There is a legislative branch to that as well which complicates the ability to perform on a timeline. So there’s going to be a lot of ‘let’s make sure we get this’ either in small parts that lead to a larger package and demonstrate that this is the way harmonization can work.”

Alternatively, Hayden said, there will be “a very large regulatory reform package that has to do with cyber amending a lot of statutes coming to the Hill that will need blessing from the executive branch on both sides.”

“So there is this larger looming challenge when it comes to regulatory reform that doesn’t say ONCD can’t do it, it just means that ONCD’s going to have a lot of complementing help and acknowledgement that they are truly quarterbacking this effort,” Hayden said.

Former CISA official Brian Harrell told Inside Cybersecurity, “Cybersecurity policies under a Trump 2.0 will likely focus on removing redundant regulations, adding capabilities, and mitigating current and future threats from China, AI, and quantum computing.”

Harrell said he expects a second Trump administration would have a “national security focus with a strong emphasis on protecting critical infrastructure, government networks, and key industries from cyber threats.”

Harrell was CISA’s first assistant director for infrastructure security under the Trump administration.

“CISA would likely play a pivotal role in a Republican administration's cybersecurity strategy. While CISA has been an easy target recently for Republicans due to their mis-dis-information campaign, a Trump Administration could award funding for CISA to develop more robust threat detection and response capabilities, enhanced coordination with state and local governments, and greater support for initiatives aimed at protecting Industrial Control Systems,” Harrell said.

CISA should be “focused on their ability to provide value and share information with the private sector,” Harrell said.

He added, “Lastly, ONCD will likely play an instrumental, almost exclusive, role in cyber harmonization given the monumental amount of cyber regulation impacting the private sector. Similar to last time, more regulation will be dismantled than introduced - and this is a good thing.”

Norma Krayem of Van Scoyoc Associates also weighed in on what to expect with harmonization under a Trump or Harris administration.

Krayem said, “The topic or concept of cyber regulatory harmonization is a top issue no matter who wins the White House. There are certain sectors that have overlapping and duplicative regulations. I would expect either administration that comes in would focus on harmonizing cybersecurity regulations for those that have that overlap, that duplication.”

“And I would also expect that either administration for the sectors that don’t have any cybersecurity mandates would move forward to promulgate regulations for those,” Krayem said.

Krayem is vice president and chair of Van Scoyoc Associates’ Cybersecurity, Privacy & Digital Innovation Practice Group and a former senior official at the departments of Commerce, Transportation and State.

Meanwhile, former CISA cyber leader Jeanette Manfra reflected on harmonization during an interview with Inside Cybersecurity on the future of the cyber-focused agency.

Manfra acknowledged the Biden administration’s work on harmonization and said, “I would encourage other administrations to dig deeply” to consider whether they are “creating an environment that is helpfully managing risk in a piecemeal approach or are we just creating a lot of toil and compliance work that isn’t necessarily achieving some of these security and reliability goals that everyone has for more systemic security and resilience.”

Manfra was CISA’s first assistant director for cyber and left the agency in 2019 to join Google Cloud as senior director of global risk and compliance. -- Sara Friedman (sfriedman@iwpnews.com)