This opinion piece is part of Access Partnership’s ‘A Digital Manifesto’ initiative, which recommends a framework to develop US global leadership on digital policy for the first 100 days of the Trump administration.
In the shadow of escalating digital threats, the US finds itself at a critical juncture in its cybersecurity approach. Despite the political handover from Biden to Trump, there’s a surprising thread of continuity emerging in how America plans to defend its digital borders.
Last October’s devastating ransomware attack on Change Healthcare, which disrupted medical payments and patient data access for thousands of healthcare providers nationwide, serves as the latest reminder of what’s at stake. The incident, which cost UnitedHealth Group over USD 872 million in recovery efforts, demonstrates why cybersecurity transcends partisan politics.
The Inheritance of Digital Defence
When Donald Trump reclaimed the Oval Office this January, cybersecurity experts wondered what his approach might be. Interestingly, one of Biden’s final acts – an executive order establishing a National Cybersecurity Strategy – remains intact under Trump. This isn’t actually that surprising when you look closer.
Four days before the second inauguration of President Donald Trump, his predecessor, President Joe Biden, issued an executive order to create a national cybersecurity strategy across federal agencies, private businesses, and critical infrastructure sectors. During his first term, President Trump laid significant groundwork in this arena. He elevated the US Cyber Command to a unified structure and issued the first national cybersecurity strategy in 15 years. These weren’t small steps – they represented a fundamental reshaping of how America approaches digital defence.
Over the years, the US has built on this foundation, establishing the Cyber Safety Review Board to study foreign threats and passing the Cyber Incident Reporting for Critical Infrastructure Act in 2022. This law requires critical infrastructure providers to report substantial breaches within 72 hours of discovery – a timeframe that feels both impossibly short to businesses and dangerously long to security experts.
Critical Infrastructure: America’s Digital Achilles’ Heel
The focus on critical infrastructure isn’t just bureaucratic box-checking. Water systems, power grids, healthcare networks – these aren’t just services, they’re the arteries of American life. And they’re increasingly vulnerable.
The 2021 Colonial Pipeline attack provided a sobering demonstration of this vulnerability. When hackers struck the pipeline operator with ransomware, it triggered fuel shortages across the East Coast and required a USD 4.4 million ransom payment (though the FBI later recovered much of it). The incident showed how quickly a cyber-attack can translate into physical-world consequences.
But protecting them has proven difficult. When federal officials tried to mandate security audits for water utilities, state officials pushed back. Local utility managers complained they lacked both resources and expertise to implement federal security mandates. It highlighted a persistent tension: standardised protection versus local control. Different states and local governments might implement different levels of investment or practices to critical infrastructure, which would amplify the challenge.
This is where the Trump administration faces its trickiest balancing act. The Republican platform explicitly states they will ‘use all tools of National Power to protect our Nation’s Critical Infrastructure and Industrial Base from malicious cyber actors.’ But how do you reconcile that with the administration’s preference for deregulation?
One approach might be standardisation without heavy-handed regulation – creating clear security baselines while giving businesses flexibility in implementation. As Tricia McLaughlin from the Department of Homeland Security (DHS) recently noted, the Cybersecurity and Infrastructure Security Agency (CISA) needs to ‘refocus on its mission’ – suggesting a more streamlined approach may be coming, although the first line of focus is set to be on election security.
The Geopolitical Chess Game
Cybersecurity isn’t just about defence – it’s become an offensive weapon in the modern geopolitical arsenal. During Trump’s first term, he signed National Security Presidential Memorandum 13 (NSM-13), which streamlined the Defence Department’s authority to conduct offensive cyber operations.
This aggressive posture isn’t likely to diminish. Cyber aggression has become entwined with nearly every military and political conflict worldwide. Russia’s digital attacks on Ukraine’s power grid in 2015 and 2016 served as a wake-up call. By temporarily cutting electricity to hundreds of thousands of Ukrainians, they demonstrated how cyber warfare could directly impact civilian populations.
The conflict has since then intensified. Microsoft’s Digital Defence Report documented over 300 distinct Russian cyber operations against Ukraine and its allies since the physical invasion began. These attacks have targeted everything from government agencies to transportation networks, media outlets, and critical infrastructure.
Working with allies will be crucial, though the specifics remain murky. The US cannot secure the digital world alone, yet coordination requires trust – something that’s been in fluctuating supply in international relations lately.
Business Impact: Security vs. Profitability
For American businesses, particularly those in critical infrastructure sectors, the coming years will require careful navigation. The final version of the rules stemming from the Cyber Incident Reporting for Critical Infrastructure Act isn’t due until later this year.
The stakes are enormous. IBM’s Cost of a Data Breach Report 2024 found that the average cost of a breach for US companies has reached USD 9.36 million – more than double the global average. For critical infrastructure organisations, the costliest industry breaches remain within the healthcare and financial services sectors.
Many conservative commentators felt CISA overstepped with its initially proposed rules. The US Chamber of Commerce has argued that the reporting requirements would create ‘substantial new compliance burdens’ without necessarily improving security outcomes.
Given Trump’s business background, the final version might be substantially pared down – but unlikely eliminated completely, given the genuine threats.
The ideal scenario would be a workable middle ground – enough regulation to ensure basic protections without suffocating innovation or profitability. It’s a delicate balance, but current signals suggest this is the target.
The Road Ahead
What’s clear is that cybersecurity remains a rare area of bipartisan concern. The appointment of a new CISA director signals change, but not abandonment of the agency’s core mission. The Cyber Safety Review Board is being ‘reconstituted’ rather than dissolved – suggesting a fresh approach rather than elimination.
As digital threats evolve, so too must America’s response. The continuity we’re seeing doesn’t mean stagnation – it reflects the reality that regardless of who sits in the White House, the digital frontier requires constant vigilance and adaptation.
For everyday Americans, these policy shifts might seem abstract, but their impact is increasingly personal. When MGM Resorts was hit with ransomware in September 2023, it wasn’t just a corporate problem – hotel guests were locked out of rooms, reservation systems collapsed, and even casino floors went dark.
For businesses, citizens, and government agencies alike, the message is clear: cybersecurity isn’t optional. However, how we achieve it remains up for debate – a debate that, much like the threats themselves, shows no signs of disappearing anytime soon.
Access Partnership helps businesses navigate the evolving cybersecurity landscape through expert analysis and strategic guidance. We work with policymakers and industry leaders to shape effective cybersecurity policies, ensuring clients can adapt to new regulations while maintaining security and growth. To learn more about how our expertise can support your organisation, contact Abhineet Kaul at [email protected].
