Recent executive actions and agency restructures mark a significant change in federal cybersecurity strategy, raising questions about national resilience and private-sector preparedness.
It’s not often that you see a government intentionally dismantle reasonable advances that have been made by a predecessor, but the Trump executive branch is filled with surprises. It doesn’t just seem to have halted activities in several cybersecurity areas at precisely the time when it needs to hit the accelerator; in some cases, it’s moving as quickly as possible in reverse.
Nowhere is this clearer than in the latest report from the Cyber Solarium Commission (CSC) – or rather the CSC 2.0. The Commission was originally established as part of the 2019 Defense Authorization Act to develop a strategic approach to defences against significant cybersecurity attacks on the U.S. After it was sunsetted in 2021, it was resurrected as a non-profit effort housed in the Center on Cyber and Technology Innovation (CCTI) at the Foundation for the Defense of Democracies (FDD).
The fifth annual report from the CSC shows that the U.S. has materially regressed in its cybersecurity stance. Last year’s report showed that it had implemented 48% of the CSC’s cybersecurity recommendations. This year, implementation has dropped from 48% to 35%. Nearly a quarter of the recommendations counted as fully implemented in 2024 lost that status following sweeping changes by the current administration.
One of the five areas that the report recommends the country address to get back on track is the workforce crisis at CISA. The Trump administration slashed CISA’s workforce by one-third earlier this year, cutting it from 3,300 to 2,200 people.
Moving Fast and Breaking Things on Purpose
The Trump administration has moved so quickly with its changes that it’s difficult to keep up, but here are some key ones. Upon his inauguration, the President’s team terminated all memberships on DHS advisory committees, which effectively killed the Cyber Safety Review Board that had been investigating the Salt Typhoon attacks.
Then, in April, Trump fired the head of U.S. Cyber Command, Timothy D. Haugh, following pressure from far-right activist Laura Loomer.
Even bigger changes came in June with Trump’s executive order “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144,” which walked back many Biden-era cybersecurity measures.
This EO slashed AI security policies, eliminated secure software attestation requirements for federal software suppliers (including software bills of materials, or SBOMs), and stymied a push to adopt digital identity for federal benefits. It justified the latter by claiming that it “risked widespread abuse by enabling illegal immigrants to improperly access public benefits”.
Cyber diplomacy (a key strategic pillar under the Biden administration) also took a hit. In July the State Department effectively killed the three-year-old Cyber Diplomacy Bureau (CDP), firing key staff including five of the eight people working on bilateral and regional affairs, and reassigning its acting head. According to reports, the department will pull the CDP apart and move pieces of it to different wings of the agency. The new government also paused a January 2025 FCC IoT security law.
Trump has hit funding for election governance and anti-disinformation initiatives especially hard. The administration cut funding for the Election Infrastructure Information Sharing and Analysis Center (EI-ISAC), and an executive order called “Restoring Freedom of Speech and Ending Federal Censorship” cut funding for research on foreign malign influence.
The administration also shut down the FBI’s Foreign Influence Task Force and the Global Engagement Center, which focused on fighting anti-American information campaigns. It no longer lets states use federal funds to purchase services from the Multi-State Information Sharing and Analysis Center (MS-ISAC), and has cut funding to that initiative on the premise that it censors free speech.
AG Pam Bondi also deprioritized enforcement of the Foreign Agents Registration Act (FARA) and dismantled the Justice Department’s Foreign Influence Task Force and the National Security Division’s Corporate Enforcement Unit. That paves the way for foreign hack-and-leak operations and troll farms. And the DoJ abandoned Project KleptoCapture, a Biden-era initiative to seize the assets of Russian oligarchs that might be used to fund foreign influence campaigns.
These measures have diminished the government’s ability to help private sector organizations at the time when they need it most. In April, Check Point Software recorded a 47% rise in cyber-attacks for Q1 2025, reaching an average of 1,925 weekly attacks per organisation, along with a 126% rise in ransomware attacks. CrowdStrike recorded a rise of up to 300% in Chinese attacks on targeted industries.
ISO 27001 as a Resilience Baseline
Planning for resilience is especially important in the light of the government’s U-turn on some cybersecurity policies. The absence of government guidance makes it even more important that companies follow accepted norms.
In some cases that will mean following the spirit of stronger government regulations that have since been walked back. Standards such as ISO 27001 are also useful aids for companies that want a robust grounding in good information security practices. In particular, ISO 27001:2022 defines Annex A control 5.29 – Information Security During Disruption, which covers maintaining information security through periods of disruption.
For any of this to work, however, business leaders must buy in and be accountable for structured information security measures. It’s up to them to put the proper structure in place to prepare for, respond to, and mitigate disruption. It might not yet be appropriate to say “no one is coming to save you”, but if there was ever a time to raise the drawbridge, now would be it.