- CISA’s future uncertain amid disinformation efforts
- National security focus to be balanced with deregulation
President-elect Donald Trump’s new administration will inherit a more complex cyber threat landscape than in its first term, raising questions about whether it will continue Biden-era security initiatives.
Trump will have to grapple with a steady rise in both the pace and scale of cyber attacks from foreign adversaries and criminals, growing system vulnerabilities, and generative AI’s emerging impact. But his campaign’s dual priorities—reducing regulation while strengthening national security—create uncertainty around cybersecurity policy, said Michael Daniel, from the Cyber Threat Alliance.
Caught in the middle is the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency, created during Trump’s first term to focus on the country’s 16 most critical infrastructure sectors, including water, energy, and election systems. Some Republicans targeted the agency over its attempts to prevent disinformation during this year’s election campaign.
Those dynamics will create “interesting tensions” within the administration over “which of these varying philosophies and approaches is going to dominate at any sort of given time,” said Daniel.
CISA’s CIRCIA
CISA has yet to finalize rules proposed in April that would require critical infrastructure entities to report “substantial” cyber incidents and ransomware payments.
The rulemaking, required under the 2022 Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), elicited pushback from both industry and lawmakers. Comments for the proposal were due in July, and the agency hasn’t signaled its next steps.
The new Trump “administration will still seek to have some oversight and some regulation” on critical infrastructure, said Michelle A. Reed, partner at Paul Hastings. But “whether they go about it the same way that DHS has done it so far, I think, is probably a different scenario.”
While CISA focuses on critical infrastructure, it’s drawn fire from Republicans, including Trump, for its efforts to tackle election misinformation on social media platforms. Project 2025, a policy playbook written by Trump allies at the Heritage Foundation before the election, recommended moving CISA under the US Transportation Department. It’s not clear how such a shift would affect CISA’s authority or budget.
CISA Director Jen Easterly said she’ll step down on Inauguration Day, Jan. 20, a common move among politically appointed agency leaders. Trump hasn’t yet named his pick to lead the agency, but fired Easterly’s predecessor Christopher Krebs, a Republican, in 2020 after he rejected Trump’s claims of widespread voter fraud.
Despite the pent-up hostility toward the agency’s recent efforts, CISA has been central to efforts to strengthen critical infrastructure, and cutting those moves off could prove short-sighted, said Aaron Charfoos, partner at Paul Hastings.
“That has some significant implications, because right now, CISA was coming up with some cybersecurity guidelines and notification guidelines for critical industry,” Charfoos said. “So where that ultimately goes from there, I do think, is a question.”
Industry Focus
The Biden administration’s cyber efforts have been heavily industry-specific, with proposed rules targeting vital infrastructure sectors, like water and transportation.
The TSA published a Notice of Proposed Rulemaking on Nov. 6 that would mandate cyber risk and reporting requirements for certain surface-service operators. Like CISA’s proposal, the 300-page rulemaking received industry and Republican criticism at a Nov. 19 hearing. Comments for the rule are due Feb. 5.
Earlier this summer, the Federal Aviation Administration issued its own proposed rules seeking to establish uniform design standards to address cybersecurity threats against airplanes, engines, and propeller systems. The cybersecurity regulations were framed as minor updates. The comment period ended in October.
The US Environmental Protection Agency in 2023 launched its own effort to boost the cybersecurity posture of public water facilities, releasing a memorandum stressing the need for states to assess cybersecurity risk at drinking water systems. A May alert from the EPA found over 70% of systems inspected since September 2023 violated the Safe Drinking Water Act’s requirements to develop risk assessments and emergency response plans.
A federal appeals court suspended the memorandum after a group of conservative-led states said the agency had overstepped its authority, and the EPA withdrew it.
The Trump campaign has given few hints as to its position on some of these proposed regulations. But its stance against potential agency overreach and administrative burdens signals a dampening of federal agencies’ influence over cybersecurity.
Oversight by public-facing regulatory agencies like the Federal Trade Commission and US Securities and Exchange Commission, for example, could be called into question.
“We will expect enforcement to be focused more on areas of high risk, national security, things like that, and regulation to be focused on that,” said Brenda Sharton, global chair of Dechert’s Cyber, Privacy and AI Practice. There will be less appetite for action “on consumer harm, which this administration has been very focused on through the FTC and SEC,” she said.
“Frankly, that will be a very welcome change for American companies in the cybersecurity space,” she added.
But rolling back aggressive enforcement efforts could remove key incentives for companies and reduce organizations’ appetite to push forward on their cyber efforts.
“For many of our clients, those SEC disclosures, particularly on the 10-K side, were driving internal changes in terms of the way that they governed cybersecurity risk within the company,” Charfoos said.
Nevertheless, some companies are breathing a sigh of relief in light of potential reduced enforcement, especially from agencies that had started targeting individual executives at companies.
The SEC’s case against SolarWinds, for example, which alleged the software provider misled investors about its cybersecurity practices and the significance of a major data breach disclosed in 2020 that spilled into the US government, targeted several executives.
“We’re getting a lot of questions about that, a lot of questions about how aggressive the SEC will be in a Trump administration, because, obviously, they’ve been jumping into cyber security in a very significant way,” said Edward McNicholas, who leads Ropes & Gray’s global data, privacy & cybersecurity practice.