Cybersecurity policy experts on Trump’s second term: Your guess is as good as mine

Trump’s second term is likely to be anything but predictable, at least in terms of federal cybersecurity initiatives.

The prevailing mood on the inbound Trump administration’s possible impact on Biden-era cybersecurity reforms? Uncertainty.

Trump rode to office on promises to roll back or slash countless regulations. Yet how far that will extend into the cybersecurity arena is unclear, given the huge variety of actors affected, the number of key roles still unfilled, and the perception that Trump’s stance on cybersecurity regulations is malleable, experts told IT Brew.

First things first—is CISA gonna be OK?

It’s hardly a secret that the Cybersecurity and Infrastructure Security Agency (CISA) had a rocky honeymoon with Trump.

Trump “terminated” its founding director Chris Krebs, after Krebs accurately contested claims of fraud during the 2020 elections. CISA’s current administrator, Jen Easterly, has announced she will resign, effective Inauguration Day.

“Unless the Constitution is just thrown out the window, this will be Trump’s last election,” Stephanie K. Pell, a fellow in governance studies at the Brookings Institution and senior editor at Lawfare, told IT Brew—so maybe Trump will swallow those past grievances.

However, CISA’s rocky time with Trump has evolved into larger arguments from congressional Republicans over the extent of the agency’s mandate and its interpretations of its authority.

For example, a 2022 law, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), created obligations for critical infrastructure entities to report cyber incidents to CISA, but delegated many decisions to the agency—such as who’s subject to compulsory compliance. CISA’s current plan specifies over 300,000 entities across 16 critical infrastructure sectors. Industry groups have pushed for a more limited scope.

On the other hand, Trump signed the law creating CISA in the first place and portrays himself as a security hawk (particularly when it comes to China).

“The incoming administration, no matter how business-friendly and innovation-friendly it is, it’s still going to be very concerned with that intersection of cybersecurity and national security,” Michael Bahar, legal partner and co-lead of global cybersecurity and congressional investigations at Eversheds Sutherland, told IT Brew.

CISA’s mission mainly involves partnership building and facilitating threat intelligence sharing, Pell said: “Presumably, those would be the kinds of things that a Trump administration wouldn’t be against.”

A recent Supreme Court ruling throwing out Chevron deference has also opened the door for potential legal challenges to CISA’s interpretation of CIRCIA—although no case has materialized yet.

Biden-era reforms may be more vulnerable, though

Arcane federal rulemaking processes do mean Trump’s appointees will face obstacles peeling back reforms already in motion, according to Pell.

“Will they start out day one trying to identify every single rule-making process in existence?” Pell said. “I’m more comfortable saying we’re not going to see a new rush of regulatory efforts.”

Pell noted some nominees like proposed Federal Communications Commission chairman Brendan Carr have pledged to continue cybersecurity reforms. (Carr, for example, said he’d put “all hands on-deck” after receiving classified briefings on the extent of the Salt Typhoon crisis.)

Easterly long stated she did not want to transform CISA into a regulatory agency, and under her tenure the agency largely focused on public–private partnerships and voluntary initiatives. Near the end of her term, she noted market forces are moving in the wrong direction on nationwide vulnerabilities.

Rules and regulations with compulsory compliance—such as Securities and Exchange Commission rules requiring many publicly traded companies to disclose material cyberattacks—may fare differently.

“That’s one that will at least get rolled back, because the current version is very aggressive,” Bahar predicted.

The SEC rule has received major pushback from Republicans and lobbying groups like the Chamber of Commerce. Andy Lunsford, the CEO of breach management software developer BreachRX, told Cybersecurity Dive via email that the number of reports filed so far indicates corporate compliance is “incredibly low.”

Executive orders on cybersecurity primarily target federal agencies, so some experts believe they may be more likely to survive the Trump transition.

Legislative opening?

One area where Bahar sees the potential for advancement is federal data privacy law, as roughly 10 states either have their own laws or are working on them. California’s law, for example, is almost as strict in some respects as the European Union’s sweeping General Data Protection Regulation (GDPR).

Data privacy laws inherently have a huge effect on cybersecurity because they specify the conditions and terms under which both public and private entities can collect and store sensitive data.

Circumstances are actually ripe for federal legislators to finally pass a data privacy law, Bahar said, because creating one set of standards that pre-empts stricter state ones is a “very business-friendly approach.”

Lawrence Gentilello, the CEO of consumer data removal firm Optery, said he anticipates more of the status quo.

“Every year or two people get really excited that there’s going to be a federal privacy law, and that still hasn’t happened,” Gentilello told IT Brew.
