Overview
In early 2022, anticipating an increase in hostile cyber operations related to Russia’s invasion of Ukraine, the Cybersecurity and Infrastructure Security Agency (CISA) launched its Shields Up initiative—a call on organizations across the private sector to “adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets.” To support this call, CISA implemented a number of programs aimed at assisting the private sector’s cybersecurity posture by raising cyber threat awareness and “offer[ing] guidance and resources for individuals, organizations, and leadership to enhance online security.” And while CISA has never been responsible for, or authorized to provide, direct, operational cybersecurity services to the private sector—that imperative and responsibility lie with businesses and private actors—it has played an increasingly important role in connecting “stakeholders in industry and government to each other and to resources, analyses, and tools to help them build their own cyber, communications, and physical security and resilience . . . .”
Despite these efforts, cyber risks continue trending in the wrong direction. For example, ransomware attacks, some state-sponsored, have grown in frequency and sophistication each year. Still, through the Joint Cyber Defense Collaborative, the Shields Up and related Shields Ready campaigns, and other efforts, CISA has played an important role in helping private businesses improve their cybersecurity and in driving down risk in the face of these persistent and ever-increasing cyber threats.
The Trump Administration’s Cybersecurity Strategy
However, the continued viability of CISA’s programs, and the Federal government’s commitment to defensive cyber operations more generally, have come into question. As the Trump administration determines its strategic approach to cybersecurity, it is far from certain that businesses can continue to count on the same level of CISA support. If initial signals are any indication, continuing to invest in defensive cyber capacity does not seem to be at the top of the Trump agenda.
There should be little doubt that the Trump administration will place greater emphasis on offensive cyber operations as a cornerstone of its approach. As early as January this year, incoming National Security Adviser Mike Waltz stated, “We need to start going on offense and start imposing . . . higher costs and consequences” on cyber threat actors because years of “trying to play better and better defense when it comes to cyber” was not getting the job done. More recently, Alexei Bulazel, the senior director for cyber on the National Security Council, telegraphed in remarks at the annual RSA Conference that the Administration will work to “destigmatize” offensive cyber operations, making them an “arrow in the quiver” of its efforts to counter hostile state and non-state cyber threats. This should come as little surprise, as it would build on legal and policy shifts during the first Trump presidency toward more timely and flexible offensive options.
Offensive, counter-cyber operations should play a more prominent role in the Federal government’s cyber strategy—just not an exclusive one. There is little to suggest that the Administration will abandon defensive efforts wholesale, but to the extent that budget and personnel decisions reflect policy, there are some concerning initial signs.
First, CISA did not come through the DOGE cuts unscathed. According to some reports, upwards of 1,000 personnel, including many in key senior positions, have left the agency as a result, and a number of key sub-elements, like the Cyber Safety Review Board and the Multi-State Information Sharing and Analysis Center, have been shuttered. Second, the Trump administration proposed a $491 million (17 percent) cut to CISA’s budget. And while the House has so far pushed back, the cut is still set at a not insignificant $135 million.
Next Steps for the Private Sector: Lean In on Defensive Cybersecurity
Where this will all land, and the level of defensive cyber effort the Trump administration will provide, remains uncertain. What is clear is that, in the face of cyber threats of increasing frequency and sophistication, and the possibility that a move to a more offensive posture might trigger some level of escalation, whatever degree of cybersecurity support the government provides will not be enough. The private sector, especially businesses of all sizes, will have to lean farther forward to secure their networks and data than at any time in the past. This will require prioritized investments and adoption of a 24/7 operational security mindset.
The enemy of good security is complacency. Relying on static, legacy approaches and “check-list” mindsets is a recipe for failure. To succeed against the increasingly dynamic cyber threat landscape takes intense, proactive preparation to understand and prioritize risk, make sound, risk-based security investments, build organizational and mission resilience, and develop effective incident response plans.
All of this starts with awareness—both of an organization’s attack surface, i.e., understanding its key assets, IT architecture, supply chains, and personnel posture, and of current and evolving cyber threat trends and challenges.
For example, notwithstanding the year-over-year growth of known IT vulnerabilities subject to malware exploitation, humans remain the primary vector for a cyber breach. Some of these failures are unwitting, which speaks to the need for effective security policies, training, and monitoring of employee compliance. Others are deliberate, requiring good insider threat programs, starting with rigorous hiring due diligence. It is now well documented that North Korea has exploited the increase in remote work and lax hiring practices to place potentially thousands of cyber operatives with US companies to generate revenue for its weapons programs and to position for insider exploitation.
Supply chain attacks, ransomware-as-a-service, voice phishing (vishing), deepfakes, business email compromise, and Internet of Things and cloud computing attacks are just a few of the areas where threats are on the rise. And across the spectrum of malicious cyber operations, attackers are using artificial intelligence (AI) to increase the sophistication and impact of their operations.
Successfully navigating this threat space is not easy, but failure is. More than ever, raising the shields up higher is a business imperative. Organizations need a proactive, strategic combination of technology solutions, training, insider-threat management, security and data policies, and resilience planning. No two organizations are alike, requiring tailored approaches that must account for and ensure compliance with a complex legal and regulatory environment. Steptoe offers unique experience and in-depth cyber expertise to help companies confront these challenges and build and sustain successful cybersecurity programs.