Source: Anna Moneymaker via Shutterstock
President-elect Donald Trump's return and his promised shift to a more insular foreign policy will likely result in a new set of cyber threats, fewer regulations for most industrial sectors, and possible business-friendly federal privacy legislation, cybersecurity and legal experts say.
The president-elect is moving quickly with nominations for cabinet officials and other high-level appointees. While he named South Dakota Gov. Kristi Noem to lead the Department of Homeland Security, Trump has not yet named a candidate for director of the Cybersecurity and Infrastructure Security Agency (CISA), which leads government cybersecurity efforts.
Overall, however, companies should expect far less emphasis on regulations and more focus on protecting critical infrastructure and technology companies, says Michael Bahar, co-lead of global cybersecurity and data privacy at Eversheds Sutherland, a global legal advisory firm.
"We are going to see — at the federal level — a deprioritization of cybersecurity regulations and cybersecurity enforcement," he says. "One really important exception is where cybersecurity intersects with trade policy and national security and technology. That's actually where you're going to see an increase of enforcement and at least a continuation of the regulatory environment."
Threats will likely shift depending on the changes in foreign policy initiated by the incoming Trump administration. Already, China has become a major concern for its cyber operations in the Asia Pacific, opposing US support for Taiwanese democracy and international opposition to China's claims to large areas of the South China Sea. Trump's stated support for Israeli settlers and for Russia's annexation of parts of Ukraine will also likely drive increasing cyber threats.
With the departure from the policy of the Biden administration, the incoming US government will spur different rivalries, says Lou Steinberg, founder and managing partner of CTM Insights
"As a new administration comes in — and there's a perception that maybe there's more support for Israel over Palestine, or more support for a deal with Russia, and maybe more toe-to-toe [tensions] with China — those will result in a different set of motivations, and so a different kind of response," Steinberg says. "We need to realign to the new kinds of threats that come from a new political landscape."
Administration — and Threats — to Focus on Critical Infrastructure
The GOP platform hosted on the Trump for President site already prioritizes the safety of critical infrastructure and the industrial base against cyber threats. But that remains the only mention of cyber in the entire document.
The president-elect's support for cybersecurity efforts shifted during his first term. In 2018, he signed the Cybersecurity and Infrastructure Security Agency Act, establishing the agency of the same name to lead efforts to protect critical infrastructure from cyberattack. Yet following his loss in the 2020 election, then President Trump criticized CISA's statement validating the security of the elections and fired then-Director Chris Krebs.
Still, the threat landscape has evolved since then, and in ways that align with the incoming Trump administration's priorities. Both China and Iran are considered larger threats, with a variety of officials pointing to China's effort to establish a network of digital beachheads for a future possible conflict as particularly dangerous.
President-elect Trump's pledge to set high tariffs on Chinese goods will likely increase tensions, and potentially lead to more significant attacks, causing China to shift its covert efforts to overt disruption, says Steinberg.
"If China thinks we're going to engage directly, their response could completely change," he says. "We're likely to see a sustained attack against critical infrastructure — so yes power, yes water, yes communications. We usually think of [distributed denial-of-service] attacks as last[ing] a couple of days, not months, but the point will be to degrade our ability to respond."
Meanwhile, Iran will likely ramp up efforts against US and Israeli targets, following the president-elect's deep support for Israel. Russia and Iran will likely continue to use disinformation against the US administration, but the approach may change, as both countries are focused on sowing discord, rather than supporting the agenda of one party over another.
Easing Regulations, but Will It Matter?
The deprioritization of cybersecurity regulations — and promised efforts to shrink the federal government — will likely lead to less enforcement of cyber regulations against businesses. Yet data-protection and privacy regulations will likely see a shake-up, as states look to bolster privacy and give their attorneys general the ability to pursue violators.
As a result, the US could see federal privacy legislation, says Bahar, who also co-leads Eversheds Sutherland's Congressional Investigations group.
"I think, at the state level, you're going to see an uptick — if that's even possible — of regulatory activity, in large part because there might be a perception that they need to step in to ... 'fill the void,'" he says. "It's actually likely you're going to get a federal privacy law — a very business-friendly federal privacy law — so that [companies do not have to deal with] that patchwork effect of state laws."
In the end, however, easing regulations may not result in less corporate focus on cybersecurity, because the latest cybercriminal attacks often threaten business operations, Steinberg says.
"We've seen more and more companies — even less regulated companies — start to worry about cyberattacks like ransomware," he says. "So do I think a decrease in the regulatory environment might lead to a decrease in cybersecurity investment? Yeah, a little, but probably not in the defense industry, probably not in financial services, and maybe not in healthcare."
With increasing global tensions come increasing dangers, Steinberg says, and most companies will likely not be able to justify cutting budgets in the face of an uncertain threat landscape.