Expectations and Priorities: Cyber Policy Predictions Under a Second Trump Administration

Introduction

With the incoming Trump administration, changes to the United States’ cyber policy and priorities can be expected. While speculation remains around who will be nominated for the top cyber positions within the federal government, looking at potential nominees, particularly at likely returning experts, can lend some perspective on what policy priorities may emerge. Additionally, drawing on cyber policy and directives from the first Trump administration can help shed light on what direction the incoming administration will take. Below are themes that are likely to guide the next administration’s cyber strategy.

Workforce

During Trump’s first administration, cyber workforce development was a top priority, as evidenced by the 2018 National Cyber Strategy and the Executive Order on America’s Cybersecurity Workforce. Many of the names floating around for different cyber positions are staunch supporters of cyber workforce development who backed these initiatives in the last Trump administration, like former National Director of the US Cyber Challenge Karen Evans and former Principal Assistant Secretary for the Office of Cybersecurity, Energy Security and Emergency Response (CESAR) Sean Plankey. It’s likely that many of the names seemingly up for consideration will prioritize the cyber workforce regardless of which position they are appointed.

While the Biden administration continued to prioritize cyber workforce development following Trump’s first administration, the potential cyber nominees may indicate a shift in strategy–specifically to a heightened focus on operational technology (OT) cybersecurity workforce development. During Trump’s first presidency, CESAR expanded CyberStrike, a training program to secure industrial control systems (ICS), from 15 training events to 150. Additionally, CESAR created the OT Defender fellowship in 2020 to provide OT security managers training on various cyber threats in the energy sector, creating “a pipeline from OT engineers to OT cyber professionals” as described by Plankey, who is cited as a major catalyst for its creation. With the potential return of Plankey and other OT cybersecurity advocates like Lucien Niemeyer, who previously served in the Office of Management and Budget, Brian Harrell, who served as Assistant Secretary for Infrastructure Protection at DHS, and Matt Hayden, who served as Assistant Secretary for Cyber, Infrastructure, Risk, and Resilience Policy at DHS, one can expect a bolstering of existing OT cyber workforce programs and the development of new initiatives. 

CISA and ONCD 

Since standing up the Cybersecurity and Infrastructure Security Agency (CISA) in 2018, Trump and many of his allies have become steadfast critics of the agency. Complaints stem from accusations that the organization oversteps its bounds by engaging in campaigns to prevent mis- and disinformation, which the next administration is likely to roll back. Potential cyber nominees, such as Harrell; Dr. Mike Klipstein, the former Director of International Cybersecurity Policy for the National Security Council (NSC); and Nick Andersen, the former Principal Deputy Assistant Secretary for CESAR, suggested a narrowing of CISA’s scope in the next administration. Notably, Andersen criticized the organization for growing too large too fast and becoming a dumping ground for any cyber-related problem, calling for a streamlining and reduction of responsibilities for the organization. While not without his own criticisms of the agency, Hayden previously spoke about the need for proper funding for CISA to ensure that it can effectively carry out White House cyber mandates, remaining skeptical that CISA’s role would be completely negated. Across the various names currently in the running, there is a consensus that changes need to and will be made to CISA in the next administration.

While the next Trump administration is likely to reduce CISA’s responsibilities, another agency is positioned to gain additional roles. Harrell, Klipstein, and Joshua Steinman, previously a Senior Policy Director on the NSC, have all expressed that the Office of the National Cyber Director (ONCD) should play a leading role in harmonizing cyber measures across the federal government, relieving CISA of some of its current responsibilities. While in regards to workforce development, Evans has also noted ONCD’s prime position to coordinate efforts across agencies. These views suggest that ONCD may play a greater role in harmonizing and leading cyber policy under the incoming administration, reforming CISA’s mandate to focus its efforts on incident response, critical infrastructure, and supply chain security. Notably, lead Democrats previously expressed support around granting ONCD a leading role in harmonization efforts, foreshadowing a potential bipartisan effort. 

Offensive Cyber Activity and Cyber Force 

The first Trump administration authorized the National Security Presidential Memorandum (NSPM) 13, granting “well-defined” authorities to the DoD to conduct time-sensitive military operations in cyberspace, in effect streamlining the approval process. This policy was later revised by the Biden administration, in part due to other agencies’ concerns that the operations could have  wide-ranging impacts on human rights, diplomatic efforts, and private infrastructure. The revised policy granted limited approval power to the State Department. The next administration is likely to once again prioritize such streamlining efforts, which will only be bolstered by the appetite for a more offensive cyber posture from past and potentially returning Trump cyber experts, such as Andersen and Hayden. Speaking in an interview with Cipher Brief, Hayden argued that current deterrence measures are ineffective because malicious actors do not believe they will face any consequences. He elaborates, saying that the US possesses the tools and expertise to take on strategic deterrence and must begin to leverage capabilities like the US Cyber Command. 

Underlying this attitude is the increasing number of state-backed cyber attacks. President Trump returns to the White House during the “worst telecom hack in our nation’s history,” where People’s Republic of China (PRC)-linked group Salt Typhoon targeted the President-elect’s own phone. As the government remains trying to fully remove Salt Typhoon from telecom networks, this will undoubtedly influence any cyber strategy coming out of the next administration.

Alongside conversations of increased offensive cyber operations under the next administration, discussion is also stirring around the possible creation of an independent Cyber Force. In his previous term, President Trump stood up the Space Force, the first new US military branch in 73 years. When paired with the likely emphasis on offensive cyber operations in the next administration, some argue that the Space Force establishes a precedent, hinting that the President-elect may be more amenable to the creation of a Cyber Force. Those in favor of a Cyber Force argue this would allow for a more centralized management of US cyber capabilities, enabling more efficient responses as well as recruitment requirements tailored to the unique needs of cyber operations versus traditional military operations. Critics, however, argue it would only lead to further information siloing, reducing the military's effectiveness in the cyber domain. Trump himself has not spoken publicly about the matter.

Space 

As evidenced by the Space Force, the first Trump administration recognized the rising threats in space. The administration particularly recognized and prioritized the cyber-threat to space systems and the need to build resilience into current and future space systems, as outlined in the National Cyber Strategy. This administration also revived the National Space Council and pioneered Space Policy Directive 5, which outlined cybersecurity principles for space systems, and was the first policy document that called for encryption in space systems. Potential returning cyber expert Klipstein remains concerned about cybersecurity in space since his time in the White House, stating that “space is more the wild west than the internet is.” In an interview with podcast Resilient Cyber, Klipstein specifically advocated for a NIST standard to support Space Policy Directive 5. It is also notable that, following his first administration, President-elect Trump developed a close relationship with SpaceX founder, Elon Musk, which may lend him some influence in space policy directions. Overall, with an already strong portfolio when it comes to securing cyberspace in space, one can expect that the second Trump administration will continue to prioritize securing space systems.

AI and Cybersecurity 

Potential nominees for top cyber positions in the next administration have recognized the security enhancing capabilities of AI. Plankey, Hayden, and former Deputy Assistant of State for Cyber and International Communications and Information Policy at the State Department Rob Strayer have all spoken about the opportunities to strengthen cyber resilience utilizing AI. Strayer has gone as far as to say, “AI is the best tool defenders have to identify and prevent zero-day attacks and malware-free attacks because AI can defeat novel threats based on behavior cues rather than known signatures.” Hayden has spoken multiple times about the various applications of AI in enhancing cybersecurity, speaking about the potential in OT security and implementing zero-trust architecture, in identifying vulnerabilities, and in monitoring supply chain threats. One can expect that AI enabled and enhanced cybersecurity measures will continue to be integrated into government cyber security strategies. 

Conclusion

Only time will reveal how cyber policy will unfold under the incoming administration. However, while this certainly not an exhaustive list, this analysis hopes to provide prospective priorities grounded in potential nominees past engagements and cyber priorities demonstrated by the last Trump administration.