Trump 2.0: What cybersecurity shifts lie ahead?

Cybersecurity and cyber defense challenges don’t go away with the change of administrations. A new Trump administration is likely to reject aspects of the Biden administration’s cyber strategies, while continuing others.

In March 2023, the Biden administration released its National Cybersecurity Strategy, which came in the wake of a series of significant cyber intrusions and ransomware attacks, including SolarWinds, Microsoft Exchange, Colonial Pipeline, and JBS Foods. To push the United States toward a more cyber-secure future, the Biden strategy aimed to produce two “fundamental shifts.” The first sought to “rebalance the responsibility to defend cyberspace by shifting the burden for cybersecurity” onto “organizations that are most capable and best-positioned to reduce risks for all of us.” The second looked to “realign incentives to favor long-term investments,” balancing between the need to “defen[d] ourselves against urgent threats today” while “simultaneously strategically planning for and investing in a resilient future.”

In furtherance of these desired shifts, the strategy’s five pillars (defend critical infrastructure, disrupt and dismantle threat actors, shape market forces to drive security and resilience, invest in a resilient future, and forge international partnerships to pursue shared goals) outline a range of strategic objectives. These include integrating federal cybersecurity centers, modernizing federal defenses, integrating federal disruption activities of cyber threat actors, and increasing the speed and scale of intelligence sharing and victim notification.

While the federal government is responsible for achieving many of these strategic objectives, the private sector is expected to step up and address the vulnerability of U.S. technology. As Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly explained a month before the strategy was released, “incentives for developing and selling technology have eclipsed customer safety in importance … [and] the cybersecurity burden falls disproportionately on consumers and small organizations, which are often least aware of the threat and least capable of protecting themselves.”

To this end, the Biden strategy embraced the need for greater regulation of the private sector. For example, strategic objectives under the “defend critical infrastructure” pillar include establishing mandatory cybersecurity requirements to support national security and public safety as “the lack of mandatory requirements has resulted in inadequate and inconsistent outcomes.” Strategic objectives under the “shape market forces to drive security and resilience” pillar include holding stewards of data accountable, which is a call for privacy-focused legislation incorporating standards and guidelines developed by the National Institute of Standards and Technology.

But the strategy’s boldest and most controversial strategic objective involved the creation of legislation to hold software companies liable “when they fail to live up to the duty of care they owe consumers, businesses, or critical infrastructure providers.” Once dubbed the “third rail of cybersecurity,” this strategic objective was always a longer-term goal needing congressional action and thus one of the more aspirational aspects of the Biden strategy.

At this juncture, it’s fair to say that Trump 2.0 is likely to reject those aspects of any strategy that entails more regulation of the private sector.

Cybersecurity is a bipartisan issue

When anticipating radical shifts in policy that could take place under a new Trump administration, some have noted cybersecurity is a bipartisan issue. Indeed, the Biden strategy “continue[d] momentum” on many priorities, including “collaborative defense of the digital ecosystem,” found in the 2018 National Cyber Strategy issued under the first Trump administration.

As it stands, U.S. cybersecurity law is a “patchwork quilt” of state and federal regulations, with instances of duplicative or contradictory rules and requirements. This characteristic of the regulatory environment can negatively impact cybersecurity, as cybersecurity teams are forced “to prioritize compliance over security, ultimately lacking in a consistent approach to security.” Insofar as two goals of the new Trump administration are to create government efficiency and a more favorable environment for industry, it could set about harmonizing the existing regulatory landscape, which, as Brandon Pugh of the R Street Institute explains, is no small feat.

Such harmonization is, in fact, a strategic objective found in the Biden National Cybersecurity Strategy. Harmonization won’t obviate the need for new regulatory actions or enforcement, but regulatory harmonization is both a constructive and bipartisan place to start.

A different aspect of cyber strategy and defense we can expect to continue in the next Trump administration concerns U.S. efforts to counter malicious foreign cyber operations that target the U.S. outside of traditional armed conflict. The 2018 Department of Defense (DoD) Cyber Strategy issued under the first Trump administration outlined the contours of a modern defense strategy, which includes “defending forward.” Defending forward is a term of art for a particular form of forward defense where the DoD engages in out-of-network cyber operations. It represents one element of DoD’s shift from restraint to a more “proactive defensive and competitive security posture in cyberspace.”

Public examples of defending forward are limited, but a 2019 Washington Post story describes how the U.S. military disrupted the Internet Research Agency’s internet access as part of broader U.S. government efforts to prevent Russia from meddling in the 2018 midterm elections. As the story indicates, another element of U.S. Cyber Command’s campaign to protect the midterm elections allegedly involved the targeting of trolls and hackers who worked for the GRU, the Russian military intelligence agency. In this effort, U.S. operatives used emails, pop-ups, texts, and direct messages to convey to these Russians that their true identities were known, and that they should not interfere in the affairs of other nations. The Washington Post also reported that, in October of 2020, U.S. Cyber Command “mounted an operation to temporarily disrupt what has been described as the world’s largest botnet,” Trickbot, which officials considered “one of the top threats to the 2020 election.”

DoD’s 2023 Cyber Strategy, which supersedes the 2018 DoD Cyber Strategy, indicates that DoD will “continue to defend forward by disrupting the activities of malicious cyber actors and degrading their supporting ecosystems.” Moreover, it acknowledges that, since 2018, DoD “has executed a number of such cyberspace operations under this policy … notably in the defense of U.S. elections” and has learned lessons from prior defend forward operations that “inform our pursuit of new capabilities and shape our approach to risk management.”

Whether or not a new Trump administration issues new cyber strategies, we can expect defend forward operations to continue in the ever-evolving threat environment where adversaries use cyber capabilities to seek political, economic, and military advantage over the United States.

The Salt Typhoon telecom hack

Like the beginning of the Biden administration, where national security officials had to contend with the SolarWinds intrusion, the new Trump administration must respond to the security failures that led to the telecom hack by Salt Typhoon, a Chinese hacking group. Senator Mark Warner (D-Va.), a former telecom venture capitalist, called the intrusion the “worst telecom hack in our nation’s history.” In a press briefing on December 4, Deputy National Security Advisor Anne Neuberger indicated that at least eight U.S. telecommunications carriers were hacked and that Chinese actors have not been fully removed “from these networks,” so there is a “risk of ongoing compromises of U.S. calls.”

How the intrusion happened and how exactly hackers were able to obtain “a nearly complete list of phone numbers” subject to wiretapping by the Justice Department, and get “so deep in the system that they could actually listen in to some conversations and read some unencrypted text messages,” is not publicly known. Limited public reporting and analysis suggests that a combination of factors and security failures could be at play, including Chinese hackers exploiting vulnerabilities in wiretapping capabilities built into networks that enable lawful access by law enforcement agencies. Senior CISA and FBI officials told reporters that while they couldn’t say it “was not the initial vector in every single case,” the “‘forensic analysis for the two victims … indicated that the actors were on other parts of their network … before pivoting’ to the wiretap portal.” Following a closed briefing by executive branch officials given to the Senate, Senator Rick Scott (R-Fla.) “expressed frustration,” indicating that “[t]hey have not told us why they didn’t catch it; what they could have done to prevent it.”

One way or another, a rigorous examination and explanation should occur. The Cyber Safety Review Board (CSRB), an advisory board established via Executive Order 14028, pursuant to authorities granted under the Homeland Security Act of 2002 (see 6 U.S.C. 451), is tasked with “review[ing] and assess[ing] significant cyber incidents and mak[ing] concrete recommendations that would drive improvements within the private and public sectors.” The current CSRB has indicated that it intends to examine the Salt Typhoon telecom hack. During the Biden administration, the CSRB issued a number of reports, including one focusing on the summer 2023 Microsoft Exchange Online Intrusion. The CSRB found that the intrusion was “preventable and should never have occurred.” In response, Microsoft Vice Chair and President Brad Smith indicated that the company was “taking action to address every one of the CSRB’s recommendations applicable to Microsoft.” A new Trump administration would be wise to maintain and support the work of the CSRB.

While Trump 2.0 is unlikely to continue all elements of the Biden administration’s cyber strategies, the Salt Typhoon telecom hack is but one example of the serious cyber threats and challenges that persist across administrations.
