Infosec was literally the last item in Trump's policy plan, yet major changes are likely on his watch


Feature The Trump administration came to office this week without a detailed information security policy, but analysis of cabinet nominees’ public remarks and expert comments suggests it will make significant changes in the field.

The returned President certainly can’t afford to ignore cybersecurity, given the USA’s critical infrastructure appears vulnerable to attack after China’s Typhoon snoops utterly owned US telecoms infrastructure.

Ransomware remains rampant and is a favorite tool of adversaries including North Korea. Other foes continue to place misinformation online in the hope of influencing American opinion.

At home, debate continues to bubble about the best approach to securing businesses, which complain that existing infosec rules and incident reporting regulations vary between jurisdictions, can involve multiple agencies, and also overlap.

How to hold the tech industry accountable when it drops the ball, in terms of security, is another ongoing debate, with some calling for voluntary guidelines that incentivize secure development practices, while others want mandated security standards that make tech companies liable for flaws in their products.

Infosec was Trump’s last campaign priority

The Republican Party’s 2024 election platform document [PDF] mentions infosec just once, in the last paragraph of a 16-page manifesto, as follows:

None of the executive orders Trump had issued at the time of writing include more detailed information security policies.

But on its first day in office, the administration made two notable security-related changes.

One was to terminate all memberships of advisory committees that report to the Department of Homeland Security (DHS). That impacts infosec because DHS is the parent agency of the Cybersecurity and Infrastructure Security Agency (CISA), which in turn is home to the Cyber Safety Review Board (CSRB) – an org tasked with investigating major cybersecurity incidents.


CSRB is currently investigating the Salt Typhoon attacks on telcos but now appears to lack personnel to finish the job.

The board’s past work includes a scathing report that found Microsoft responsible for a "cascade of security failures" that allowed Chinese spies to break into senior US officials' email accounts.

US Senator Ron Wyden (D-OR) criticized the decision to terminate membership of DHS advisory committees.

"This is a massive gift to the Chinese spies who targeted top political figures," Wyden opined on Bluesky. "Killing the board that pressured Microsoft to up its cybersecurity looks for all the world like payback for Microsoft's million dollar gift to Donald Trump's inaugural committee."

The other big change was to revoke President Biden’s order on AI safety.

But at the time of writing, the executive order on cybersecurity signed by President Joe Biden just days before Trump's inauguration remains in place. That order requires software companies that sell to the government to submit proof to CISA that they are following secure software development practices.

The executive order also covers a slew of other topics including securing federal communications networks against foreign snoops, issuing tougher sanctions for ransomware gangs, and better securing AI while also using this technology to boost America's cyber defense capabilities.

Regulatory reduction plans

Whether Biden’s order will survive is unknown, but on the 2024 campaign trail Trump promised, if elected, to pursue the "most aggressive regulatory reduction" in American history. The Biden order is 17 pages long and contains over 9,000 words. Perhaps Trump’s team will find some of them impose onerous requirements.

In terms of cybersecurity regulations aimed at businesses, the Trump administration is expected to pursue a market-based approach and prefer voluntary security standards. A push for more harmonization of rules around incident reporting and baseline practices is also anticipated.

Infosec expert Davis Hake told The Register he thinks change will come to reporting rules.

Hake is now senior director of law firm Venable’s cybersecurity services, and previously served as manager of cyber operations at DHS and director on the US National Security Council where he led the cyber incident response team for federal IT networks.

"Companies are looking at the number of different ways they have to report on data breaches, and folks have asked whether the SEC could reexamine some of the requirements they have," Hake said, adding that discussions among lawmakers are ongoing about harmonizing the security incident reporting process.

"Across partisan lines everyone has agreed that cyber incidents are material to a company's financial well-being," he said. "But is the SEC reporting timeline unreasonably short? Is the SEC the right one to collect the technical data? What do those requirements look like? Those details could all be up for examination as this next administration looks for areas to reduce the regulatory burden."

CISA’s new mission

Another expected change will see CISA’s mission altered.

The agency was formed under the first Trump administration, but became a target after its then-director and Trump appointee Chris Krebs spoke out against the president's baseless allegations that electoral fraud cost him the 2020 presidential election.

Trump famously fired Krebs with a tweet shortly after.

Under its Biden-appointed director Jen Easterly, CISA worked to counter election-security disinformation, which provoked heavy criticism from some Republicans including Trump's pick to lead the Department of Homeland Security, which as we said oversees CISA.

Kristi Noem, Trump’s nominee for Homeland Security Secretary, last week used a confirmation hearing to indicate she would make cuts to CISA and described countering online foreign influence in US elections as "off mission." That disinformation-battling role is thus set to disappear from CISA's to-do list, and Easterly left her position as part of the changeover in administration.


In an earlier interview, Bambenek Consulting President John Bambenek told The Register he expects CISA to "end any role in countering disinformation/misinformation" under the new administration.

Trump wants the agency to "focus solely on protecting the civilian government networks, public-private partnerships and information sharing on emerging threats, and coordinating protection of the nation's critical infrastructure," he added. "I imagine much of this will be executed upon quickly."

Playing offense?

US officials have publicly stated that the nation possesses offensive cyber-weapons and in 2022 the then-US Cyber Command chief General Paul Nakasone revealed they were deployed to assist Ukraine.

Trump’s choice to serve as National Security Advisor, Michael Waltz, has called for a change in doctrine to one that will "impose costs on the other side," i.e. America carries out cyber offensives against adversaries that leave a tangible financial mark on a target.

Tom Kellermann, who served on the Commission on Cyber Security under Obama, and is now senior veep of strategy at Contrast Security, believes the administration will adopt Waltz’s position.

"The US has, frankly, played defense for too long," Kellermann told The Register, pointing to a Google-Mandiant report that found 97 zero-day vulnerabilities were exploited in 2023, compared to 62 zero-days in 2022, and the People's Republic of China remains the top state-backed exploiter of zero-day holes.

"I'm hoping that they actually do begin to conduct more offensive operations, particularly against rogue nation states that have actively conducted destructive attacks against our infrastructures," Kellermann said.


"Given how we played in the past, typically it's a disruption of their command and control infrastructure associated with previous compromises of Western infrastructure," he noted.

"But I think they should go further than that and conduct destructive attacks against various Chinese military assets, particularly destructive attacks against the PLA [People's Liberation Army] cyber resources and the front companies in China that are acting as proxies for cyber attacks."

He suggested deploying data-wiping malware, or NotPetya-style ransomware designed to destroy data and render systems unrecoverable, in response to China's "systemic onslaught" against US networks. "It should be a proportionate response against those entities. Given the actions that we've already seen, I don't think sanctions are sufficient any longer."

But before any such malware is used against China, Kellermann expects the Trump administration to put Iran in America's cyber crosshairs "because of how passionate Trump is about empowering Israel and punishing Iran."

These will be "systemic, disruptive cyber attacks from the US, should Iran not kiss the ring of Trump after the inauguration and release the hostages," he added.

Securing the government

Trump seems likely to persist with President Biden’s national cybersecurity policy and the Executive Order 14028 that directed federal agencies to adopt zero-trust architectures.

That plan built on an executive order that Trump enacted in 2017, titled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.”

"Cybersecurity is a non-partisan topic," said John Ackerly, CEO and co-founder of encryption business Virtru. "Everyone can agree we need to protect our country, our citizens, and critical infrastructure from digital threats posed by domestic and international cybercriminals."

Ackerly previously worked in the George W Bush White House as a tech advisor.

"In regards to policy in Trump's second term, I expect to see a continued maturation of zero trust initiatives with a steady focus on national security," Ackerly said. "The actions we've seen from China in the cyber realm have been monumental. The Salt Typhoon cyberattack is a prime example."

Ackerly also expects further collaboration between Washington and the private sector.

Threat-intelligence sharing efforts between public-private partnerships, public agencies, and the private sector were also a major focus for CISA under Easterly and the Biden administration. Under her leadership, CISA started the Joint Cyber Defense Collaborative (JCDC) public-private group, and convinced hundreds of companies to sign its secure-by-design pledge.

"I expect the incoming administration to embrace public-private sector collaboration, which is a boon for commercial businesses as well as government organizations," Ackerly said. "Efficiency is a clear priority under the new administration, and I think you may see that theme mirrored in commercial businesses."

Private sector players may also determine the administration’s policy regarding made-in-China social media service TikTok, which is considered a national security threat and was therefore made the subject of a law compelling its owners to divest it to a US-approved company or shut it down. Trump has ordered the law not be enforced for 75 days while his administration finds “the appropriate course forward in an orderly way that protects national security while avoiding an abrupt shutdown of a communications platform used by millions of Americans.”

His most recent thoughts on how to achieve that balance are for the US government to acquire half of TikTok and operate it as a joint venture with either a US company or its current owner ByteDance. ®
