Trump 2.0 Portends Big Shift in Cybersecurity Policies – Source: www.darkreading.com

Abaca Press via Alamy Stock Photo

Before it was subsumed by political commentary, the Cybersecurity and Infrastructure Security Agency (CISA) was a Trump accomplishment — signed into existence in 2018 during his first administration. But that was before accusations of dirty politics and free speech shenanigans turned CISA into a conservative pariah.

Now, CISA is facing an existential political clash with the incoming Trump administration, threatening to take much of the US federal government’s involvement in cybersecurity along with it. The result could potentially increase cyber-risk, but also open up business, investment, and innovation opportunities. A lot of things can be true at once.

CISA’s original mandate couldn’t have seemed more apolitical: coordinate defending US infrastructure against cyberattacks, and then help share critical information among US enterprises to increase the nation’s overall posture in the bargain. But then came the 2020 election, CISA’s efforts to combat what the agency deemed “misinformation,” and the subsequent conservative backlash.

Trump and the Politics of CISA

Chis Krebs, then the agency’s director, was very publicly fired just weeks after the 2020 election for rejecting claims of fraud from the Trump administration, and has remained a high-profile political player ever since. Krebs is a regular on the cable news circuit, and in July 2023, he confirmed to CNN that he was interviewed by special counsel Jack Smith in the investigation into Trump and the 2020 election. In the runup to the 2024 election, Krebs appeared on outlets including Face the Nation to once again push back on Trump campaign claims of election fraud.

His replacement, Jen Easterly, took a more low-key approach. Her accessibility, deep military ties, and cybersecurity expertise — sprinkled with a dash of aspirational cool-girl charm — made her a hit among the cyber rank-and-file. She also mostly stayed away from politics, leading the fledgling agency through a crucial four years. But that effort, however disciplined and well intentioned, hardly spared Easterly or CISA from widespread conservative ire. In January 2024, Easterly was even targeted at home in a swatting incident.

“I think Jen Easterly had a tremendous challenge solidifying the role of a very young agency, and one mired in allegations from Republican politicians,” cybersecurity expert Jake Williams tells Dark Reading. “Given those very real challenges, she did an outstanding job. I can only imagine what could have been with bipartisan support for CISA’s many missions.”

Following the 2024 election, Easterly said she will resign on Inauguration Day. But the agency is still at work, publishing a draft of an updated National Cyber Incident Response Plan for federal agencies and industry to work together during major cyber events, which is open for comments until January 2025.

That kind of coordination between CISA and the private sector was exactly what the agency was built to become under the Biden administration. It took a proactive role in developing cybersecurity standards, and offering cybersecurity grants to states to invest in their own cyber operations, led largely by the efforts of Easterly. During his administration, President Biden allocated billions to strengthen the US cybersecurity infrastructure, and signed a flurry of executive orders on everything from AI to zero trust in an effort to raise the country’s level of cyber preparedness.

Some of the agency’s notable accomplishments during the past four years included establishment of the joint cyber defense collaborative (JCDC) and the Known Exploited Vulnerabilities (KEV) program, according to Casey Ellis, Bugcrowd founder. Ellis also worked with CISA on the federal CEB vulnerability disclosure program, where CISA serves as a repository for researchers who discover flaws in government systems so they can be reported and mitigated more quickly.

There have been setbacks as well. While the KEV list has been credited with speeding up remediation, it can take months to make the list. Much of that new cyber infrastructure and rulemaking also came with regulation and compliance headaches that some criticized as a barrier to innovation, particularly by Congress. Others defended the agency’s moves as necessary to drive security investment.

“Under Jen Easterly, CISA’s proactive initiatives such as Secure by Design and faster reporting of attacks by companies were positive for both the sell and buy side of the cybersecurity industry,” says Jason Soroko, senior fellow at Sectigo. “What could be seen as regulatory burden was actually a positive call to arms to do the right thing.”

Accomplishments and accolades aside, Easterly and CISA haven’t been able to convince key conservatives like Sen. Rand Paul, who is about to chair the Senate Homeland Security and Governmental Affairs Committee, which oversees CISA, that the agency is doing any good. After acknowledging he probably won’t be able to eliminate CISA altogether, last month Paul vowed to inflict strict limits for actions he said the agency took to target conservative voices as part of its work in combatting foreign influence operations. At a minimum, CISA will likely be stripped of its mandate to investigate misinformation.

Williams also expects the agency will have a diminished role in overseeing election security, the very issue that catapulted the cyber agency into the national headlines in 2020.

Cybersecurity Opportunities Under Trump 2.0

A shrinking CISA footprint and the Trump administration’s expressed distaste for regulation and interest in opening government operations to more public-private partnerships mean there are going to be potential opportunities in the next few months for the private sector that hadn’t existed before.

“I expect we’ll see a more direct set of conversations around cyber offense and deterrence, especially as it relates to countering Russia, Iran, and in particular, China,” Ellis predicts. “This could include changes to the structure of [the National Security Agency] and Cyber Command, and the inclusion of the private sector in defend-forward and disruption operations.”

Beyond new opportunities to work with government, Ellis adds cybersecurity deregulation is on the way.

“In general, I think we can expect a more overt and domestically deregulated approach to cyberspace, reflecting the general policy approach of the Trump administration and a more open acknowledgement that Cold War 2 is already underway.”

The new administration also likely signals a change in federal enforcement of Securities and Exchange Commission (SEC) regulations against chief information security officers (CISOs), like what security executives from SolarWinds and Uber experienced, according to expert John Bambenek.

“Regulatory enforcement on companies will lessen, for instance, [and] it is doubtful CISOs will see any government attempts to make them liable for breaches,” Bambenek says. “I’m not sure any more antitrust action will commence against large tech companies either, which will fuel further consolidation of technology and security companies.”

There is cautious optimism this more hands-off approach from the Trump administration will include maintaining a basic role for the federal government in cybersecurity. It’s particularly necessary in terms of resources, according to Roselle Safran, the director of the White Office of the President security operations center under Barack Obama, and currently president of cybersecurity company KeyCaliber.

“While there are certainly plenty of other issues that appear to be top priorities for the next administration, it is my hope that cybersecurity will not be relegated to the back burner,” Safran says. “It’s important that there is recognition that cybersecurity needs significant and sustained resources.”

Trump takes office against the backdrop of unprecedented numbers of cyberattacks, the rise of artificial intelligence, and cyber-military conflicts across the globe. Keeping politics out of the conversation is the best way for CISA to continue its work beyond the next election, experts advise. However, that might be an impossible challenge.

“I’m concerned about some of the negative sentiment around CISA impacting progress that has been made since 2018,” Ellis adds. “However, I am cautiously optimistic that the priorities Trump had in mind when he formed the agency will see its overall defensive mission carry forward.”