Almost a year into the second Trump administration, public sector leaders and cybersecurity experts say budget cuts and gutting of federal agencies are weakening critical lines of government communication to help companies prepare and respond to cyberattacks, even as AI threats are rising.
The most recent assessment of cybersecurity, based on the goals set forward by the bipartisan U.S. Cyberspace Solarium Commission, found that the U.S. was slipping in its progress toward 82 goals to create a strong cyber defense. “We were surprised and disappointed,” said Ret. Admiral Mark Montgomery, the executive director of Cybersolarium.org. The goals include things like reducing complex regulations on critical infrastructure companies, adding to cyber capacity in the FBI and within intelligence agencies, and improving K-12 cybersecurity education.
Montgomery said the primary causes of the slip in cyber readiness are cuts at the Cybersecurity and Infrastructure Agency, as well as earlier DOGE efforts carving a wide swath through the State Department, the National Science Foundation, National Institute of Standards and Technology and the U.S. Department of Commerce.
Meanwhile, a law that enabled companies to share information about cybersecurity without antitrust or liability concerns lapsed on Sept. 30.
The assessment of the Cyberspace Solarium Commission, now part of the Foundation for Defense of Democracies, came despite public commitments by the Trump administration to cyber defense improvements, which the White House outlined in a June executive order framing its approach as “sustaining select efforts to strengthen the nation’s cybersecurity.”
“Under the leadership of President Trump and Secretary Noem [Department of Homeland Security Secretary Krisit Noem], CISA is steadfastly fulfilling its core mission by demonstrating daily operational collaboration, accelerating intelligence sharing, and strengthening our defense of cybersecurity and critical infrastructure across the nation,” wrote a CISA spokeswoman in an emailed statement.
“I agree that we have more pessimistic view of government cybersecurity efforts over the past eight months, as opposed to the administration’s self assessment,” said Montgomery.
A less proactive federal government when it comes to cybersecurity is concerning based on the recent history of rising nation-state linked attacks. On Thursday, the Congressional Budget Office was targeted in a hack, reportedly by a foreign nation-state actor, according to the Washington Post.
Some cybersecurity actions are also stalled in Congress. For instance, the Trump administration’s nominee for head of CISA, Sean Plankey, has yet to be confirmed since summer hearings.
The upshot, according to national security experts, is a federal government that is less active than it should be in cybersecurity efforts across the country.
“We’re shifting responsibility for primary coordination of cybersecurity to states and industry while simultaneously gutting the resources that would help them do that. Federal grant funding for state and local cybersecurity and critical partnerships has been slashed, while the Cybersecurity Information Sharing Act protection expired in October,” wrote Carole House, former National Security Council Special Advisor and CEO of Penumbra Strategies in a message. “We’re handing off coordination (to industry) while kicking away the ladder,” she added.
Experts are also concerned about a rule that would have made big tech companies responsible for developing safer software for businesses and consumers, which has been stripped of its enforcement mechanism. The result, according to experts’ assessments, is that Americans and the U.S. economy are less safe from cyberattacks than a year ago.
Nor are military agencies necessarily picking up the slack. “I’ve been very concerned about the top leadership at Cyber Command and the (National Security Agency) being vacant for eight months. That translates to inertia and lack of direction,” said U.S. Rep. Don Bacon, a Republican from the second district of Nebraska who is not running for re-election, in an emailed statement. “Further, this Administration has been significantly cutting the budget and personnel for CISA, which is out on the front lines to defend our private sector and infrastructure from cyberattack.”
‘Death by a thousand papercuts’
Montgomery cited the 2023 discovery of Volt Typhoon, a cyber attacker from the People’s Republic of China that had infiltrated critical infrastructure companies such as those operating in telecoms, water, transportation and energy, as an example of what is happening while the federal government retreats. Volt Typhoon could have been “operational preparation of the battlefield,” said Montgomery. When it was discovered, CISA issued recommendations of patches and steps that private companies should take. But not all of the infiltrations have been detected; and meanwhile, there are probably new attacks happening now. But the mechanisms for sharing that information have been gutted by the administration’s cuts and the political gridlock in Washington, D.C.
“The only way you’re going to detect this is with assistance from the government,” said Montgomery. “There are tell-tale signs that can be shared.”
In the springtime, cybersecurity experts began referring to the situation as “death by a thousand papercuts.”
Because critical infrastructure in the United States is owned and managed by companies large and small across the company, the cybersecurity defense system that had evolved under the past few administrations was complex and relied on public-private partnerships. The weakening of the public sector support for cybersecurity is throwing more responsibility onto companies.
Among many other reductions, the Trump administration disbanded an entity called the CIPAC, which enabled sharing of information between the federal government and the owners of parts of critical infrastructure, ranging from water systems to finance companies to electric grid operators to hospitals. Because it was disbanded, many industrial councils, including the one that pulled companies in the defense industrial base together to share information, are not operating as they were before. Montgomery said he believed companies were exchanging information, but not as freely or in as coordinated a way.
The responses across industries have been haphazard. For instance, the E-ISAC, a cybersecurity information sharing council for the electric industry, is operating, but others, including the elections infrastructure council, have been defunded.
“The biggest regression is not technology, it is coordination,” said Evan Reiser, CEO of Abnormal AI, who said by email that he agreed with the concern from public sector leaders. “Signals are trapped in silos across agencies and vendors. Without real-time sharing of high-quality telemetry, defenders fight blind,” he said.
AI makes retreat on cyber defense more dangerous
Meanwhile, the threat is changing and growing exponentially because of artificial intelligence, said Kaitlin Betancourt, a partner at law firm Goodwin who focuses on cybersecurity law and compliance, and AI strategy and governance. “I think the cybersecurity risks that we’re being presented with right now have gone sharply up. Any cutting back of resources is the opposite direction of where we need to be,” she said.
Cybercriminals are embedding AI throughout their operations, from victim profiling, to automated service delivery and creating false identities. In one case in late summer, generative AI company Anthropic said criminals used its Claude chatbot to attack 17 different organizations with psychologically targeted, industry-specific extortion threats ranging from $75,000 to $500,000. The company said it was able to stop the attack.
Most cyberattacks come through legacy systems, such as email and spreadsheets, used by humans who fall prey to increasingly sophisticated lures. The Biden administration put in place a new measure requiring large software companies to attest to CISA that they had secure software. Those that failed would be referred to the attorney general for enforcement.
In June, Trump issued an executive order amending Obama and Biden executive orders on cybersecurity. The Trump order kept the requirements for attestation — meaning software companies need to report and show that they developed their software in a safe fashion. But the order also removed language that encouraged the national cyber director to refer attestations that fail validation to the attorney general for action as appropriate. In February, the Justice Department had brought an enforcement action against a software company related to compliance with cybersecurity standards.
“Trump’s order retains an emphasis on software supply chain cybersecurity. It retains much of the Biden administration’s framework but scales back prescriptive directives and enforcement mechanisms, particularly those related to secure software development “attestations,” Betancourt and her colleagues wrote.
Cybercriminals generally aim to steal data or shut down systems in extortion schemes. In some cases, they are simply criminals; in other cases, the criminals are affiliated with nation-states, such as China, North Korea or Iran, whose missions are to damage the U.S. or fund their own operations. For instance, in February, hackers sponsored by North Korea stole approximately $1.5 billion in ethereum from the Binance cryptocurrency exchange, which has no official headquarters. Officials suspect the money will be laundered and used for the North Korean missile program.
In other cases, the attackers, especially those affiliated with geopolitical foes, may simply be undermining the economy of the United States without triggering a conventional war. And, of course, in the cat-and-mouse game, the United States can be waging its own instructions and cyberattacks on other countries’ systems. Officials from the Trump administration have spoken publicly about beefing up offensive capabilities, though it’s not clear how. Meanwhile, experts say both offense and defense are necessary – with the latter relying heavily on the private sector to spend in an informed way to protect their systems.
“I think we can recover from this,” Montgomery said. “But you can’t continue to cut.”
