Cybersecurity and Critical Infrastructure: What to Expect Under Trump

Trump will take a largely deregulatory approach to tech, while aiming to aggressively pursue foreign cyber threat actors.

During his first term, Trump met with Microsoft CEO Satya Nadella and Amazon CEO Jeff Bezos during a technology roundtable at the White House.
Nicholas Kamm/AFP/TNS
In Brief:

  • A top federal cybersecurity agency has drawn criticism from congressional Republicans who want to slash its funding, but it’s unlikely to be abolished.

  • Trump will likely reduce regulations on tech companies and impose fewer cybersecurity requirements on organizations that provide vital services, while conducting more hacks against cyber adversaries.

  • The Biden administration is rushing to spend semiconductor industry subsidies before Trump takes office.

Donald Trump is returning to the Oval Office at a time when cybersecurity concerns are only growing more challenging. On his watch, the nation will face threats from international cyber crime gangs that hack hospitals, schools, cities and major companies. Cyber extortionists are constantly evolving their pressure techniques.

International tensions are also playing out in cyber space. China-backed hackers have been penetrating systems essential to U.S. life, including water systems and power grids. Some fear China could try to disrupt or destroy these systems, should geopolitical tensions rise.

As his administration responds to such threats, Trump isn’t expected to follow President Joe Biden’s playbook entirely. Biden often tried to use regulations to compel organizations in critical sectors to improve their cyber defenses. Trump will more likely seek to reduce regulations, trying to find ways to encourage voluntary improvements from the private sector. He may also put more emphasis on hacking adversaries’ IT infrastructure.

A considerable number of Republican lawmakers have also called for slashing the budget of the Cybersecurity and Infrastructure Security Agency (CISA). They believe it misstepped in past efforts to discourage the online spread of election-related disinformation. That agency does far more than call out disinformation, however. It also issues alerts about cyber threats and helps support state and local governments, as well as the private sector, in defending critical infrastructure.

Some experts believe the cyber agency could lose some of its authority but that there’s enough bipartisan support for its other work that Trump and the new Congress will refrain from eliminating it altogether.

Although the new administration’s plans in regard to technology policy in general are still evolving, here are some of the dynamics observers in the field expect to see emerging over the next four years:


CISA's website
Mohamed Ahmed Soliman/TNS

CISA’s Fate


One of CISA’s many responsibilities is election security. Some conservatives remain unhappy that the agency contacted social media companies about probable election-related disinformation on their platforms during the 2020 election. They charge that this amounted to CISA censoring free speech and unfairly targeting conservative voices. The agency denies these complaints but discontinued such activities prior to the 2022 election.

In September, more than 100 House Republicans made a failed effort to cut CISA’s funding heavily. Project 2025 — a transition document prepared by the Heritage Foundation and authored, in part, by new Trump appointees — calls for moving CISA into a different federal department and reassigning any duplicative cybersecurity work to other agencies.

Trump himself has had a mixed relationship with CISA. He signed the act that created it, then at the end of his first term famously fired Chris Krebs, then its director, for insisting the 2020 election was secure. Some lawmakers in 2021 sought to insulate the agency from presidential changes by giving the CISA director a five-year term but their bill failed.

Accusations against CISA could get a stronger voice when Kentucky Republican Rand Paul, a critic, becomes chair of the Senate Homeland Security and Governmental Affairs Committee. Despite the criticism it's attracted from some quarters, CISA will probably not be dismantled under Trump, thanks to the valuable — and less-controversial — work it does in other areas, including protecting critical infrastructure and election processes from cyber and physical attacks.

There’s also been both industry and bipartisan political support for CISA projects such as the Secure by Design initiative — which asks software developers to design their products with cybersecurity in mind — and the Joint Cyber Defense Collaborative, a public-private information sharing and collaboration project.

“I don’t think they’re going to get rid of CISA,” says Mark Montgomery, senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies. “I think even Rand Paul knows he can't get rid of CISA, although he's pissed at it.”

Trump and China President Xi Jinping
Jim Watson/Peter Klaunzer/TNS

International Concerns


Cybersecurity is an international question, with many ransomware criminals conducting attacks from overseas while operating out of safe harbor countries like Russia. And nation-states are a pressing threat, with China-backed hackers having penetrated U.S. water and power systems, perhaps readying to disrupt them should geopolitical tensions rise. China-linked actors also recently were found hacking deep into U.S. telecommunications networks, where they apparently spied on U.S. wiretapping and captured some communications from political figures.

The Trump administration may want to go on the offensive against such threats. Trump's first administration supported increasing efforts to hack foreign networks in order to combat adversary hackers and prepare to disable IT infrastructure in case of a future conflict.

A more aggressive approach might entail efforts to disrupt IT infrastructure used by cyber criminals in the countries harboring them, potentially imposing sanctions in response to China-backed hacks on U.S. critical infrastructure, and being more aggressive in efforts to arrest or prosecute cyber criminals, among other actions, says Michael Daniel, president and CEO of the nonprofit Cyber Threat Alliance.

The Trump administration will probably “call out Chinese misbehavior a little more,” Montgomery suggests, while continuing to help partner nations hunt malicious behavior lurking in their networks. But when it comes to working with other nations, Trump will probably be less interested in multilateral collaborations, Daniel says, and instead focus on one-on-one relationships with other countries.

The U.S. is also unlikely to ratify the United Nations Cybercrime Convention, he says, both because of its multilateral nature and objections from privacy, civil liberties and law enforcement groups.

McCook Reservoir, which is supposed to help prevent flooding and basement backups in a large swath of Chicago and the Cook County suburbs, in an aerial view on July 13, 2023.
McCook Reservoir in Illinois
(E. Jason Wambsgans/Chicago Tribune/TNS)

Protecting Critical Infrastructure


The impact of cyber attacks on critical infrastructure can be massive. Last summer’s ransomware attack on Change Healthcare, a health-care tech company, affected roughly a third of Americans. Separately, the Environmental Protection Agency warns that drinking water systems are falling seriously short of necessary cyber protections.

The Biden administration often looked to regulation to safeguard these and other critical infrastructure sectors. In the wake of the Change Healthcare attack, it announced plans to set minimum cybersecurity standards for hospitals. The EPA also tried, although unsuccessfully, to use its authority to require public water systems to assess their cybersecurity periodically. And the Biden administration responded to the 2021 ransomware attack on Colonial Pipeline, which caused gasoline panic buying in the Southeastern states that depleted many gas stations, by setting cybersecurity requirements for pipeline owners and operators.

As the incoming administration considers how best to defend health care, water and other critical infrastructure, it is more likely to seek to reduce regulations, not add to them. The Trump team is expected to emphasize private-sector collaboration and voluntary efforts, potentially including offering some incentives. 

The Cyber Incident Reporting for Critical Infrastructure Act, enacted in 2022, was designed to help the federal government better understand the cyber threats facing the nation and warn potential victims about threats more quickly. But the law is not expected to be implemented until 2026. In the meantime, CISA has been hammering out details for how to put it into action. The Trump administration will be looking to harmonize the 2022 law with other existing federal cyber incident reporting regulations, Montgomery says.

Some have questioned if South Dakota Gov. Kristi Noem, Trump’s pick to run the Department of Homeland Security, might push back on the State and Local Cybersecurity Grant Program. South Dakota was the only state that repeatedly declined to participate in it. The law is set to expire in 2025, after four years.

Many state government cyber leaders have said that four years’ worth of grants has been helpful but not enough money to meet their needs. They’re calling for a reliable, recurring stream of cybersecurity funds.

Full Republican control of Congress could lead to progress on data privacy legislation. That effort has been at a standstill due to arguments over issues such as whether a federal law would pre-empt existing state privacy laws or allow private right of action. California lawmakers have been strong opponents of any federal law superseding their strong state policy, and this dispute prompted former House Speaker Nancy Pelosi, a California Democrat, to frustrate an earlier attempt to pass a federal law. California’s Democrat-dominated delegation will have less influence now, however.

AI Safety


The Trump administration’s lighter approach to regulation will inform its approach to artificial intelligence, as well. A Biden executive order invoked the Defense Production Act to require tech companies to inform the federal government if they’re training advanced AI models that present a “serious risk” to national security, economic security or public health and safety, as well as to share safety test information. The order also called for efforts to combat algorithmic discrimination and for creating new standards and tools to test if AI systems were “safe, secure, and trustworthy” before they’re released to the public.

Trump’s campaign platform included a promise to repeal the order, characterizing its use of the Defense Production Act as government overreach.

Efforts to prevent unfairness and bias in AI systems are likely to be less of a priority for the Trump administration, says Daniel Castro, vice president of the Information Technology and Innovation Foundation, a tech think tank. Under Trump, the focus will shift to questions such as whether AI systems perform as advertised, or whether AI used in medical devices, transit systems or other areas will cause physical harm to users.

AI companies are facing threats of intellectual property theft, and often don’t realize the level of security they need to defend against both nation-state and non-nation-state actors, says Montgomery, of the Center on Cyber and Technology Innovation. He hopes the incoming administration reaches an agreement with companies on a minimum cyber and physical security standard for AI labs. “This administration is going to take a much more laissez-faire attitude, in general, to the AI labs, but I hope in the very specific area of security, they actually turn the screws more than what has happened so far,” Montgomery says. 

Trump is also reportedly weighing whether to appoint an AI czar. Such an official would be charged with coordinating federal policies on AI, guiding government use of the technology and helping the new Department of Government Efficiency use AI to find fraud and waste.

Implications for Tech Companies


Meanwhile, the fate of a major Biden-era effort to boost the domestic semiconductor industry is unclear. The 2022 bipartisan CHIPS and Science Act promised billions to incentivize U.S.-based semiconductor chip manufacturing, research and development. On Tuesday, Intel secured an $8 billion grant under the program.

Trump has criticized this law, arguing that his tariff plans would do more to shift production to the U.S. without requiring government spending. Most of the subsidies authorized by the CHIPS Act remain unspent, but the Biden administration intends to distribute “almost all” the money before Trump takes office, according to Commerce Secretary Gina Raimondo.

And, although many conservatives have criticized social media companies for alleged censorship, it’s unclear if the Trump administration would seek to roll back the legal protections that allow for content moderation. Section 230 of the Communications Decency Act shields online services from civil liability over user-created content they host. It also allows social media companies to make well-intentioned efforts to moderate user-posted content, including letting them take down posts they deem harassing, obscene or otherwise objectionable.

Some Republicans have sought to rewrite Section 230 to prevent what they view as social media platforms censoring conservative voices. However, Castro says that while companies are likely to take extra care to display neutrality in content moderation, the situation has changed. Trump and Elon Musk — a major Trump financial backer and co-leader of the new Department of Government Efficiency — both own social media platforms, potentially dampening desires for Section 230 repeal.
Jule Pattison-Gordon is a senior staff writer for Governing. She previously wrote for Government Technology, PYMNTS and The Bay State Banner and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.