With less than a week left before the November presidential election, the world is on edge as the potential outcome could signal key changes in U.S. cyber policy.
While the contrast in the two major presidential candidates is stark, there is a hope that no matter the outcome, U.S. national policy on cybersecurity will maintain a level of stability far beyond those in other areas of government.
“First and foremost, I think both potential administrations will take cybersecurity, and the need to protect our critical infrastructures in cyberspace, very seriously,” said Mark Montgomery, executive director of CSC 2.0 and senior director at the Center for Cyber and Technology Innovation at the Foundation for the Defense of Democracies.
There is a broad consensus on the need for robust cyber protections and more resilient infrastructure, but the respective presidential candidates are likely to divert from each other on the role of government in enforcing security policy and the willingness to engage international partners to cooperate on key policy objectives.
“I think from my perspective, the broader issue is more about the overall tone and approach the administrations would take,” said Michael Daniel, president and CEO of the Cyber Threat Alliance.
The U.S. Chamber of Commerce said it expects a continuance of current cybersecurity policies no matter which presidential candidate wins in November. The group has pushed back against key regulatory issues in a number of areas, including Securities and Exchange Commission’s enforcement of cyber disclosure rules.
Chamber officials remain optimistic about a consensus on ways to address cyber resilience while reducing a growing regulatory burden on industry leaders.
“Among other things, we’d urge the next administration to partner with critical infrastructure to develop a constructive cyber incident reporting program,” Matthew Eggers, VP, cybersecurity policy of the Cyber, Intelligence and Security Division of the U.S. Chamber of Commerce, said via email. “Policymakers, including lawmakers, should also advance cybersecurity regulatory harmonization legislation”
Established track records
Each of the major presidential candidates have track records supporting efforts in the cybersecurity space.
Former President Donald Trump signed an executive order in 2017 focused on modernizing IT infrastructure at federal agencies. That same year, Trump also elevated the U.S. Cyber Command to a unified structure, increasing the nation’s deterrence capabilities.
In 2018, Trump signed the first national cybersecurity strategy in 15 years. The document led to more aggressive attribution policies, which called out rogue nations engaged in malicious activity. It also pushed for a more aggressive response to attacks, including the use of offensive capabilities.
Overshadowing much of his prior accomplishments, Trump fired former Cybersecurity and Infrastructure Security Agency Director Chris Krebs in the aftermath of the 2020 presidential election. Krebs publicly confirmed the November election was secure, which contradicted extensive claims of election fraud by the Trump campaign.
Vice President Kamala Harris also has experience dealing with data security and privacy issues, as cybersecurity was a major part of her portfolio as attorney general of California. In 2011, Harris launched an eCrime unit, created to prosecute identity theft and cyber intrusion.
The following year, Harris launched a Privacy Enforcement and Protection Unit, which had the authority to file civil charges to enforce violations of state and federal law.
After Harris took office under the Biden administration, one of her first major international initiatives was meeting President Emmanuel Macron of France to offer U.S. support for the Paris Call for Trust and Security in Cyberspace.
The agreement was considered an important step to help establish international norms in cyberspace and help unite countries against malicious nation-state affiliated cyber threats.
During a November 2021 press conference in Paris, Harris stressed the U.S needed to work with other nations to hold bad actors accountable when they abuse technology to weaken democracies. Harris said a growing number of nations were in agreement that such activity should be publicly attributed.
“We must call it out – to use a colloquial – when we see it,” Harris said. “And then we must do something about it, and that is the point about accountability.”
Historic threats to supply chain
Following the 2020 Sunburst supply chain attack and the 2021 ransomware attack against Colonial Pipeline, the Biden administration has taken significant steps to push for U.S. cyber resilience.
A May report from the Office of the National Cyber Director showed the U.S. has made significant progress in its effort to enhance the nation’s cyber resilience in the years since those attacks.
The U.S., alongside international law enforcement and intelligence partners, is working to identify and disrupt malicious cyber activity. The FBI has worked to intercept criminal ransomware operations and claw back proceeds to victims.
Though there's still work to be done, federal authorities have made progress toward improving the security of software, promoting the adoption of secure by design and default principles.
As mandated by President Biden’s 2021 Executive Order, federal agencies are transitioning towards zero-trust security, an architecture that assumes all users are potential adversaries that must be properly authenticated before they are allowed to access a computer system.
The U.S. has also begun rolling out sector-specific changes to make critical infrastructure more resilient from attack. Initial efforts focused on water infrastructure, healthcare facilities and agriculture.
However, state officials successfully blocked efforts to require audits for water utilities and industry officials decried what they saw as excessive overreach to micromanage overburdened, community-based utilities that lacked the resources or expertise to carry out federal security mandates.
A presidential transition report from Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security outlined a series of priority measures the next administration should take to improve the nation’s cyber resilience.
Among those, Frank Cilluffo, director of the McCrary Institute, highlighted three high-priority recommendations:
- Conduct a comprehensive review of federal rules on cybersecurity and incident reporting.
- Develop a true level of cyberspace deterrence, which will impose consequences on cyber adversaries.
- Address the need to fill hundreds of thousands of job openings in the nation’s cybersecurity workforce.
“Regardless of who wins in November, cybersecurity must be a top priority,” Cilluffo said via email.
CISA under partisan fire
Among the most partisan discussions taking place leading up to the November election is the future role of CISA
CISA has come under fire from numerous GOP officials for its prior efforts to combat misinformation. A 2023 House report said that CISA’s work exceeded the agency’s statutory duties and led to calls to scale back the agency’s authority.
Project 2025, a presidential transition blueprint from the conservative Heritage Foundation, calls for significant changes at CISA, in part due to concerns over the agency’s role in combating misinformation.
Project 2025 wants the president to pursue legislation that would dismantle the entire Department of Homeland Security, and among other proposed moves, shift CISA to operate under the Department of Transportation.
Cybersecurity functions that are considered duplicative would be moved to other agencies, including the Department of Defense, the FBI, National Security Agency and U.S. Secret Service.
The role of Congress will be a critical factor in how the nation moves forward on cybersecurity, according to industry analysts.
The recent court ruling on the Chevron doctrine also means that courts will no longer cede regulatory action to executive branch expertise, but look to Congress on how to interpret the intent of federal oversight rules.
“The need to sync up both ends of Pennsylvania Avenue will take on even greater importance in the days ahead,” Cilluffo said.
A priority issue of the current administration is how to create some type of liability framework that would hold companies accountable for the security of their software.
“I am not claiming this is going to be easy by any stretch of the imagination,” Daniel said. “This is going to require government action, probably congressional action to really get at the problem, because otherwise the incentives are going to stay misaligned.”
Bipartisan cooperation
Congress has demonstrated its ability to deliver bipartisan legislation related to cyber risk in recent years.
“There is undeniable bipartisan agreement that cyber risks are rising and Congress passing the CIRCIA act is evidence of that,” Katell Thielemann, distinguished VP analyst at Gartner, said via email.
President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act into law in 2022. The law requires covered critical infrastructure providers to report substantial cyber breaches or attacks to CISA within 72 hours of discovery.
While Moody’s Ratings agrees that cyber policy has been bipartisan in many respects, there are key policy differences that could lead to important changes.
U.S. relationships with foreign allies will play a key role in combating global ransomware and state-linked adversaries. The U.S. has faced years of malicious activity threat groups linked to Russia and China, and increased threat activity linked to Iran.
A Harris administration is likely to maintain robust support for the Ukraine war effort following Russia's 2022 invasion. Malicious cyber activity has been a major component of the war, with state-linked hackers targeting critical infrastructure in the West.
Iran has been hostile to the Biden-Harris administration and linked to physical threats against the Trump administration.
Threat groups linked to the Islamic Revolutionary Guard Corps have ramped up attacks against critical infrastructure in the U.S. and Israel since the outbreak of the war in Gaza, and the U.S. and U.K. have seen increased threat activity targeting water.
Threat activity from state actors linked to China is expected to continue no matter who takes office, as geopolitical tensions over the future of Taiwan’s status continue.