What Trump’s Whirlwind First Few Weeks Mean for Cyber Risk
Table Of Contents:
Less than a month of the new Trump administration must feel like a year to cyber risk professionals. The president has worked at incredible speed, issuing a flurry of executive orders that have had an unprecedented impact on national security and risk preparedness.
One thing underpins many of the new government’s measures, says Herbert Lin, Senior Research Scholar at Stanford University’s Center for International Security and Cooperation. He is surprised by the Trump administration’s aggressively anti-Biden stance. “He just wants to get rid of everything that ever had a touch of Biden in it,” he says, calling the level of aggression “unprecedented”.
This approach is dangerous, warns Lin, who served on President Obama’s Commission on Enhancing National Cybersecurity in 2016. He suggests that it could remove people focused on clear and present threats.
The new administration terminated all memberships across the Department of Homeland Security’s advisory committees in its early days. These include the Cyber Security Review Board (CSRB), a Biden-era initiative tasked with analyzing major cyber incidents and recommending measures to strengthen digital defenses. The CSRB was perhaps most famous for hauling Microsoft over the coals following attack group Storm-0558’s acquisition of internal signing keys from the company.
Concerns Over Data Exchange
President Trump’s White House also removed three Democrat-affiliated members of the Privacy and Civil Liberties Oversight Board (PCLOB), which helped review the Transatlantic Data Privacy Framework (TADPF).
TADPF is the latest iteration in an ongoing effort to normalize data exchange between the US and the EU. Accepted by the EU in 2023, it replaced the EU-U.S. Privacy Shield, which the EU Court of Justice struck down over concerns about US surveillance practices.
NOYB, the Austrian nonprofit headed by lawyer Max Schrems, warned that removing the three Democrats made it impossible for the board to achieve quorum. This effectively disables the PCLOB until new appointees can be found.
“We’ve called it decapitated at this point,” said Cody Venzke, Senior Policy Counsel, Surveillance, Privacy, and Technology at the American Civil Liberties Union. A key component of the TADPF was the ability for EU citizens to challenge the US government’s interception and use of their communications and data. The board oversaw the Data Protection Review Court, which led these efforts.
“It’s not clear if PCLOB is going to be able to engage in the certifications required by the data privacy framework,” Venzke warned. “That’s going to raise serious questions on both sides of the Atlantic about the state of cross-border data flows.”
The Department of Government Efficiency
Perhaps one of the most impactful executive orders was the one creating the Department of Government Efficiency (DOGE). When Trump came into office, the world was already aware of his plans to appoint Elon Musk as a government efficiency czar, but the ensuing events stunned commentators.
Musk’s department quickly gained control over the computing systems at multiple federal agencies, with the consent of agency heads newly appointed by Trump and confirmed by a Republican-controlled Senate.
One of the first agencies on DOGE’s list was the Treasury, which controls the processing of government funds. Another was the Federal Aviation Authority. New Transportation Secretary Sean Duffy explained that DOGE’s team of twenty-somethings were preparing to “plugin to help upgrade our aviation system”. Systems at the Department of Energy and Department of Labor were similarly accessed.
Security guru Bruce Schneier has been dismayed by DOGE’s actions. “There’s a national security risk here,” he says. “It’s about their tactics of having people without security clearances move data from secure computers to insecure computers and all the things that make this data more vulnerable. Their tactics are dangerous for society.”
In an essay on the issue, Schneier highlights three security implications of these actions. The first is external actors’ ability to alter everyday system operations (such as withholding funds). The second is data exposure, which extends beyond millions of Americans’ PII to architecture information on some of America’s most sensitive computer systems. Finally, those operators can modify the systems themselves in unaccountable ways.
A Seismic AI Shakeup
Cybersecurity operations were not the only area where Trump U-turned on the former administration’s policies. Three days after his inauguration, he also signed the Removing Barriers to American Leadership in Artificial Intelligence Executive Order. This order effectively replaced Biden’s own October 2023 order on Safe, Secure, and Trustworthy Development and Use of AI, which Trump rescinded.
This worries Venzke, who suggests a hands-off approach to AI could leave a fast-moving car careering down the road with no one at the wheel.
“This administration is full steam ahead with AI, and that raises deep concerns that with no guardrails, we’re going to harm people where AI is being used,” he warns, adding that this could include who gets put on watch lists and who receives governmental benefits. “All without any of the rudimentary safeguards that the Biden administration was beginning to lay down.”
The new administration certainly has its foot firmly on the gas pedal. However, when it comes to cyber risk, at least some notable commentators worry that it is going dangerously fast in the wrong direction.
