The Impact of the Trump Administration on Cyber Threats, Cyber Laws & Global Insecurity
As President-elect Donald Trump prepares to assume office for a second term, the number and complexity of cyberattacks targeting US organizations have continued to rise, with 2024 set to be another record-breaking year for ransomware attacks. Early indications, and the history from the first Trump Administration, suggest that the Trump Administration’s transition team is reimagining the approach to cyber policy and considering reorganization of the agencies tasked with cyber strategy, oversight and responsibilities.
The new administration is also expected to continue its hard line against China and countries considered “foreign adversaries”. This could lead to an expansion of limits on outbound transfers of data to China and other national security developments, and a corresponding response from nation-state actors involving increased and more sophisticated cyberattacks against private sector businesses. The anticipated changes could increase the challenges for businesses in the context of global geopolitics.
Cybersecurity Policies & Agencies
The first Trump Administration issued multiple executive orders and revoked many executive orders issued by its predecessor (Obama). As the second Trump Administration begins, it will be helpful to consider the potential impact on the Biden Administration’s multiple Executive Orders affecting cybersecurity:
- Executive Order on Improving the Nation’s Cybersecurity (14028)
- Executive Order on Protecting Americans’ Sensitive Data from Foreign Adversaries (2021)
- Executive Order implementing the EU-U.S. Data Privacy Framework (2022)
- Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern (14117)
These executive orders expanded on orders issued during Trump’s first term and activated hundreds of federal agencies to enact cyber rules and regulations. It will be important to remain attentive to whether or how the Trump Administration responds to these existing orders. For example, the executive orders relating to protecting Americans’ sensitive data from foreign adversaries have generally received broad bipartisan support, and continued implementation (if not expansion) would be consistent with the overarching policy of taking a hard line against China and other countries of concern.
Perhaps in contrast, the Trump Administration could scale back or change the scope and authority of key agencies and offices that lead cybersecurity efforts, including the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the National Cyber Director (ONCD), and the White House’s National Security Council (NSC). Such reorganization efforts could end up being relatively limited in scope, such as carving out any role for CISA in managing election integrity and disinformation, or could be more widespread and involve the reorganization of much of CISA into the Department of Transportation or other departments.
Other aspects of cybersecurity oversight would likely require more than just executive orders to amend. For example, CIRCIA is a federal law that goes into effect in October 2025 and will require US businesses that operate in “critical infrastructure” to report ransom payments to CISA within 24 hours and cyber incidents within 72 hours. If the Trump Administration were to seek and successfully pursue legislation to amend CIRCIA, there would be less information sharing to protect critical infrastructure from cyberattacks.
Future of Cyber Threats and China as Formidable Foreign Adversary
Other activities could increase geopolitical risks with China and other “countries of concern”. As in Trump’s first term, the Trump Administration could undertake offensive cyber measures like “hacking back” against foreign adversaries.
This aggressive strategy could put private sector businesses in the cross-hairs because 85% of US critical infrastructure is owned by the private sector. Earlier this year, CISA reported that People’s Republic of China (PRC) cyber actors are pre-positioning themselves on IT networks for disruptive or destructive cyberattacks against US critical infrastructure in the event of a major crisis or conflict with the United States. Eleven days before the election, Chinese-affiliated actors compromised and stole data from Trump and Vance’s mobile phones. These acts put China’s advanced cyber capabilities on the new Administration’s radar. A hard line against China could lead to retaliatory cyberattacks by China against businesses with ties to the US. Foreign adversaries often pursue private sector businesses in order to disrupt supply chains and critical infrastructure. One thing is clear: cybersecurity needs to be a prominent issue in international relations.
US State Activities
To the extent that US states perceive that the Federal government is not doing enough, state regulators and lawmakers, perhaps largely in blue states, could take greater action against private sector businesses to protect consumers. For example, California is adopting strict requirements on cybersecurity audits for businesses under the California Consumer Privacy Act, and many more states are actively regulating privacy and cybersecurity. Colorado has also adopted a significant AI law, which is likely to spur similar actions by other state legislatures and regulators. The resulting patchwork of state cybersecurity, privacy, and AI laws and regulations will remain a continued challenge for US businesses.
Cyber Readiness & Resilience for Businesses in 2025
Multinational businesses should consider several strategies to prepare for this rapidly changing cybersecurity environment:
- Monitor ongoing changes in cybersecurity laws and regulations in the United States and other jurisdictions that can impact business operations, such as expanded US restrictions on outbound data flows, data localization requirements, and obligations to conduct cybersecurity and other assessments.
- Develop a cyber governance program that self-regulates and documents steps taken to secure company systems, train the workforce, and memorialize processes.
- Update data maps and assets to reflect geographies and consider data localization and geographic access management for regions globally to anticipate more restrictions on data transfers.
- Join information sharing organizations specific to your sector to keep up to date on current threat trends and solutions.
- Update incident response plans and create playbooks for outages and longer-term disruptions to business in the event of attacks on US critical infrastructure, then tabletop those new plans.