Nearly a year into the second Trump administration, public sector leaders and cybersecurity experts say that despite the growing threat of AI, budget cuts and dismantling of federal agencies are weakening the government’s critical lines of communication that help businesses prepare for and respond to cyberattacks.
The latest assessment of cybersecurity, based on goals set by the bipartisan U.S. Cyberspace Solarium Commission, found that the United States is lagging in progress toward 82 goals to build strong cyber defenses. “We were surprised and disappointed,” Rhett said. Admiral Mark Montgomery, Executive Director of Cybersolarium.org. Goals include reducing regulatory complexity for critical infrastructure companies, strengthening cyber capabilities within the FBI and intelligence agencies, and improving cybersecurity education in K-12 schools.
Montgomery said the lack of cyber preparedness is largely due to cuts to the Cybersecurity and Infrastructure Agency, as well as early DOGE efforts across a wide range of agencies, including the State Department, National Science Foundation, National Institute of Standards and Technology, and the U.S. Department of Commerce.
Meanwhile, a law that allows companies to share cybersecurity information without antitrust or legal liability concerns expired on September 30th.
The Cyberspace Solarium Commission’s assessment, now part of the Foundation for Defense of Democracies, comes despite the Trump administration’s pledge to improve cyberdefenses, an approach outlined by the White House in a June executive order that “continues selected efforts to strengthen the nation’s cybersecurity.”
“Under the leadership of President Trump and Secretary Noem (Department of Homeland Security Secretary Chrisit Noem), CISA continues to deliver on its core mission by demonstrating daily operational cooperation, accelerating information sharing, and strengthening the cybersecurity and defense of critical infrastructure across the country,” a CISA spokesperson said in an emailed statement.
“We agree that we have a more pessimistic view of the government’s cybersecurity efforts over the past eight months, as opposed to the government’s self-assessment,” Montgomery said.
Given the recent history of increased nation-state-linked attacks, it is concerning that the federal government is not being too proactive when it comes to cybersecurity. The Congressional Budget Office was reportedly the target of a hack by foreign nation-state actors on Thursday, according to the Washington Post.
Some cybersecurity measures are also stalled in Congress. For example, the Trump administration’s nominee to head CISA, Sean Plunky, has not been confirmed since his summer hearing.
As a result, national security experts say, the federal government is less aggressive than it should be in addressing cybersecurity across the country.
“We are shifting responsibility for primary cybersecurity coordination to states and industry while simultaneously depleting the resources to support it. Federal funding for state and local cybersecurity and critical partnerships has been cut, and Cybersecurity Information Sharing Act protections expired in October,” Carol House, former National Security Council special adviser and CEO of Penumbra Strategies, said in a message. “We are handing over adjustments (to industry) as we take the ladder off,” she added.
Experts also worry that big tech companies have been stripped of enforcement mechanisms for rules that would hold them accountable for developing more secure software for businesses and consumers. As a result, the American people and the American economy are less secure from cyberattacks than they were a year ago, experts say.
Furthermore, military institutions are not necessarily regaining leeway. “I am extremely concerned that the top leadership positions at Cyber Command and the National Security Agency have been vacant for eight months, leading to inertia and a lack of direction,” Republican Rep. Don Bacon, from Nebraska’s 2nd Congressional District, who is not running for re-election, said in an emailed statement. “Furthermore, the current administration is drastically reducing the budget and staffing of CISA, which is on the front lines protecting the private sector and infrastructure from cyberattacks.”
“Death by a thousand paper cuts”
Montgomery cited the discovery in 2023 of the People’s Republic of China cyberattacker Bolt Typhoon, which was infiltrating critical infrastructure companies such as telecommunications, water, transportation, and energy, as an example of what is happening while the federal government retreats. The Bolt Typhoon may have been a “battlefield operational readiness,” Montgomery said. When this issue was discovered, CISA recommended patches and actions for private companies to take. However, not all intrusions were detected. On the other hand, new attacks are probably still happening. But the mechanisms for sharing that information have been destroyed by government budget cuts and political gridlock in Washington, D.C.
“The only way to find out is with government assistance,” Montgomery said. “There are clear signs that we can share.”
In the spring, cybersecurity experts began calling the situation “death by a thousand paper cuts.”
Because America’s critical infrastructure is owned and managed across the board by companies large and small, the cybersecurity defense systems that have evolved under the past several administrations have been complex and dependent on public-private partnerships. Weaker public sector support for cybersecurity places more responsibility on businesses.
Among many other cuts, the Trump administration dissolved an organization called CIPAC. This allows information to be shared between the federal government and owners of some critical infrastructure, from water systems to financial companies, power grid operators, and hospitals. Because of its dissolution, many industrial councils no longer function as they once did, including the Industrial Council, which brought together companies in the defense industrial base to share information. Montgomery said he believes companies are exchanging information, but not as freely or in a coordinated way.
The industry-wide response has been haphazard. For example, E-ISAC, the cybersecurity information sharing council for the electrical industry, remains operational, while other organizations, such as the Election Infrastructure Council, have been defunded.
“The biggest setback is not the technology; it’s the adjustment,” Abnormal AI CEO Evan Reiser said in an email, echoing public sector leaders’ concerns. “Signals are locked in silos between agencies and vendors. Without real-time sharing of high-quality telemetry, defenders are fighting blind,” he said.
AI makes retreating in cyber defense more risky
Meanwhile, threats are rapidly changing and growing due to artificial intelligence, said Caitlin Betancourt, a partner at law firm Goodwin who focuses on cybersecurity law and compliance and AI strategy and governance. “I think the cybersecurity risks we face now are increasing exponentially, and the reduction in resources is the opposite direction of where we should be going,” she said.
Cybercriminals are incorporating AI across their operations, from victim profiling to automated service delivery to creating false identities. In one incident late summer, generative AI company Anthropic said criminals used its Claude chatbot to attack 17 different organizations with psychologically targeted, industry-specific extortion threats ranging from $75,000 to $500,000. The company announced that it was able to thwart the attack.
Most cyberattacks are carried out via traditional systems such as email and spreadsheets, used by humans who fall prey to increasingly sophisticated temptations. The Biden administration has introduced new measures requiring major software companies to certify to CISA that they have secure software. Those that fail will be referred to the attorney general for enforcement.
In June, President Trump issued an executive order amending President Obama and President Biden’s executive orders on cybersecurity. President Trump’s order maintained the certification requirement. This means that software companies must report and demonstrate that they have developed their software in a secure manner. However, the order also removed language encouraging the National Cyber Director to refer certificates that fail verification to the Attorney General as appropriate. In February, the Department of Justice brought enforcement action against software companies related to compliance with cybersecurity standards.
“President Trump’s order continues to focus on software supply chain cybersecurity. While the order retains much of the Biden administration’s framework, it scales back prescriptive directives and enforcement mechanisms, particularly related to the “certification” of secure software development, Betancourt and colleagues wrote.
Cybercriminals usually aim to steal data or shut down systems in extortion schemes. In some cases, they are just criminals. In other cases, criminals are affiliated with nation-states such as China, North Korea, and Iran, whose mission is to harm the United States or fund their own activities. For example, in February, North Korean-backed hackers stole about $1.5 billion in Ethereum from Binance, a cryptocurrency exchange with no official headquarters. Officials suspect the money is laundered and used for North Korea’s missile program.
In other cases, attackers, particularly those associated with geopolitical adversaries, may simply undermine the U.S. economy without triggering a conventional war. And, of course, in a cat-and-mouse game, the United States could issue its own orders or launch cyberattacks on other countries’ systems. Trump administration officials have talked publicly about increasing attack capabilities, but it is unclear how. Meanwhile, experts say both offense and defense are needed, and the latter relies heavily on the private sector spending in an informed way to protect systems.
“I think we can bounce back from this,” Montgomery said. “But you can’t keep cutting.”
