Businesses prepare to update their cybersecurity playbooks for the Trump era amid increasing threats

Experts expect less focus on cyber mandates and new regulations, and more on cutting bureaucratic red tape for industry and business.

The new administration hasn’t said much about its plans for combating the growing array of cyber threats facing Americans, but experts expect President Donald Trump to focus less on new regulation and more on cutting bureaucratic cyber red tape for industry and business.

The approach would mark a notable shift from the Biden administration’s regulation-driven approach to cybersecurity.

“I would be surprised if the Trump administration would embrace new categories of liability,” said Brandon Pugh, policy director for R Street Institute’s Cybersecurity and Emerging Threats team. Instead, Pugh reckons, the new administration might “look to other market forces that could get to the same outcomes.”

That seemed all the more likely on Friday, during South Dakota Gov. Kristi Noem’s nomination hearing for Secretary of Homeland Security.

“I fully acknowledge that people in Washington D.C. do not have all of the answers, and therefore, I will leverage private-public partnerships, I’ll advance cutting edge, state of the art technologies to protect our nation’s digital landscape,” Noem said in her opening statement, referring to a “comprehensive whole-of-government approach to cybersecurity.” 

A challenging time

The Trump administration arrives at a time when increasing tensions with China resulted in state-backed hackers infiltrating U.S. telecommunication firms and burrowing into critical networks. Those incidents, along with high-profile criminal cyber attacks and outages, have highlighted the fragile digital ecosystem that holds together day-to-day life — as well as the chain of interconnected businesses and infrastructure at the center of the challenge.

One of the biggest shifts during President Joe Biden’s administration was the change in focus from voluntary partnerships with the private sector to pushing for mandated minimum cybersecurity standards. Biden’s cybersecurity officials believed that voluntary rules had failed, pointing to multiple critical infrastructure sectors, like energy, water, and healthcare, which have become favorite extortion targets of criminal ransomware gangs.

Biden’s push for basic cybersecurity standards for all critical infrastructure sectors is unlikely to be pursued under the new administration. However, businesses should expect the new administration to continue streamlining existing mandates within various federal entities and state governments, said R Street Institute’s Pugh. Part of Biden’s goal in harmonizing cyber mandates was to remove duplicative requirements from different federal agencies in order to reduce the resource burdens for digital defenders. The incoming administration is expected to continue that trend.

But just how far incoming Trump officials follow Biden’s path on broader cyber policy remains unclear, particularly when it comes to the flurry of technology and national security-related executive orders signed by Biden over the last week or so. The Trump transition team did not hold any cybersecurity-focused talks with the outgoing team at the National Security Council, said Anne Neuberger, deputy national security advisor for cyber and emerging technology, during a call with reporters on January 15.

“To the best of my knowledge, the new cyber team has not been named. So while we’ve had broader national security discussions it is unclear who will lead this work for the Trump administration,” Neuberger said.

Additionally, the Trump transition team has yet to make any official nominations for the top cyber positions such as the National Cyber Director, the director of the Cybersecurity and Infrastructure Security Agency (CISA), and the State Ambassador at Large for Cyberspace and Digital Policy, leaving some experts worried.

More freedom, more threats

The incoming administration’s expected business-friendly policies around technology like cryptocurrency and artificial intelligence could also change the cyber threat landscape. New technologies and fast innovations could also accompany a change in risk, said Munish Walther-Puri, former director of cyber risk at New York City Cyber Command. As businesses adopt quickly changing technologies in an effort to keep pace with innovation, new vulnerabilities could be exploited by bad actors faster than defenders can apply protections. Walther-Puri said that executives should be prepared for increased innovation in their sectors to be accompanied by a change in risk as well.

A shift in the regulatory framework — from the government overseeing security through regulatory policies to removing policies — would also require more action by the private sector. “There is going to be a serious shift in the balance of private sector expectations with national security,” Walther-Puri said.

Business leaders should look at their own sector and see how responsibilities are divided between the public and federal and expect the shift to move towards the private sector, he noted.

But experts don’t think that the new administration will start from scratch either.

“The understanding of the importance of cyber and the importance of critical infrastructure security is bipartisan, so I think you are not going to see massive swings or massive changes in policy,” said Annie Fixler, director of the center on cyber technology at the Foundation for the Defense of Democracies. “I do think you will see changes in color.”

One example may be the cyber reporting mandate. CISA is expected to finalize reporting for critical infrastructure sectors in late 2025. The rule would require critical infrastructure sectors to report major breaches within 72 hours and ransomware payments within 24 hours.

But the Securities and Exchange Commission’s own cyber reporting mandate, which requires companies to report breaches within four days and has been blasted by the private sector, might not survive the Trump administration. What’s more, Trump reportedly called for the elimination of 10 regulations for each new mandate issued, but what that means for cybersecurity is still unclear.

CISA itself may be in danger of seeing reduced funding or responsibilities. Since its inception during the Trump administration, the cyber agency has taken on more authorities to protect federal and critical infrastructure networks. However, as election interference became a hot topic on the right, the agency drew increased scrutiny from Republican lawmakers.

Noem told lawmakers on Friday that the agency has “gotten far off-mission” in combating mis- and dis-information. If she is confirmed, she said, CISA will be “smaller, more nimble” and will work to “hunt and to help harden our nation’s critical infrastructure.”

In a blog on Wednesday, CISA Director Jen Easterly pointed to the agency’s Secure by Design push as a key point of deterrence against Chinese hackers. The abundance of vulnerable products “made it easy” for hackers to dive into sensitive networks, she cautioned. 

Easterly told Fortune at an event in Washington, D.C. last week that she hopes Congress plays a part in continuing a software liability regime and harmonizing cybersecurity policies.

“You want people focused on risk reduction, not compliance,” Easterly told Fortune. “So, at the end of the day I hope that they pick up the baton.”
