What Europe and the world can expect while Trump is in power.
Editor’s Note: The following text is a slightly revised version of a talk given by the author at the May 2025 V2 Security Conference in Copenhagen.
My theme today is to try and answer the question: “What do we expect from the Trump administration with respect to cybersecurity and data privacy in the next four years?” The “A” answer of course is that nobody really knows. Trump is exceedingly unpredictable—the more so with respect to issue areas where he really has no preconceived and settled notion. Unlike, say, tariffs, it seems likely that Trump has given little thought to cybersecurity or data privacy—and thus his reactions are likely to be off the cuff. But that would be a short analysis, and you deserve more. So let’s dive in.
My deeper analysis starts by providing a broad context for U.S.-EU cybersecurity and data privacy engagement today. I then turn to specific predictions about Trump’s expected actions in the areas of cybersecurity and data privacy. I conclude with some thoughts on how these actions will impact the EU and how the EU member states ought to consider responding.
Context
Geopolitics
Our consideration of Trump’s policies arises in the context of a particularly dangerous time in the world. Existing conflicts in Ukraine and Gaza are matched by potential conflicts over Taiwan and Kashmir. It is reasonably safe to say that the potential for state-on-state violence is at the highest level it has been since 9/11 and its aftermath or, possibly, since the Berlin Wall fell.
At the same time, the United States is systematically diminishing its ability to collect and analyze information on a global scale. Funding and staffing cuts at the Central Intelligence Agency, the National Security Agency (NSA), and the Department of State all portend less data on which to base decisions—as does a seeming rise in the reluctance of our traditional allies to share information with the U.S.
This is fundamentally scary—a more dangerous world about which we know less is a formula for disaster.
Further to the current geopolitical context, and more narrowly, Trump has taken an interest in changing the economic dynamic of the world, with a particular focus on China. It is no exaggeration to say that he is escalating economic conflict with that nation. Unfortunately, for the context of cybersecurity, the digital environment is the one area where China has peer capabilities with the United States. Their digital products (such as TikTok) are quite good, and their malicious capabilities are excellent (see, for example, Solar Wind). With funding and resource cuts to American digital defenses, Trump is ramping up the level of conflict with an adversary at the same time he is diminishing our technical response capability. Again: a fundamentally scary step in the wrong direction.
U.S.-EU Cyber Cooperation
Another context to consider as background is the nature of U.S.-EU cyber cooperation for the past 20 years. Here the context is more positive. It is fair to say that, on larger issues of security, the U.S. and the EU have been closely aligned. We routinely share threat and vulnerability information—both on the governmental level and at the enterprise-to-enterprise level. We share a common framework for assessing security. And, despite several hiccups along the way, we have continued robust transatlantic data flows, both for commercial purposes and for shared intelligence analysis.
This is not to say that the relationship is without friction. We can identify two significant rub points of strategic disagreement. One is that the EU is significantly more regulatory in its approach to the digital environment. The recent 700 million euro fines issued against Meta and Apple under the Digital Markets Act would never have happened in the U.S. The second is a long-standing disagreement over privacy issues—by and large, the EU sees privacy as a fundamental right while the U.S. sees privacy as an operational value in service of other values. These differences have not caused a disruption of our overall general cooperation. But any description of the context for the next four years would be incomplete if it did not acknowledge their salience.
Trump
The context for predicting the next four years must include a nod to the direction of President Trump himself. I had wanted to make a joke about Greenland for my visit to Denmark, but I realized that the issue simply was not in any way funny.
Greenland is, however, a good metaphor for Trump more generally. He is, as I said, unpredictable. He is also, as the Greenland saga demonstrates, fundamentally transactional. Trump’s question is always “what’s in it for the U.S.? What’s in it for me?” Trump places no value on the commonality of interests with allies in the same way that U.S.-EU relations have proceeded for the past 80 years. It really is a radical change in the overall mentality of the leadership of the U.S. government.
Cybersecurity Changes Ahead
With that context in mind, we can turn to the topic at hand: What changes should we expect in cybersecurity in the next 4 years? [And note, I’m talking only about Trump-specific changes. There are numerous changes related to, for example, artificial intelligence (AI) and quantum computing that we could discuss, but they are not my topic here.]
Fewer Resources
Systematically, the U.S. will invest significantly less in cybersecurity at the federal level. The Department of Government Efficiency’s push to shrink the federal government is likely to have broad ramifications for the country’s cyber defenses.
The Cybersecurity and Infrastructure Security Agency (CISA) is the lead federal agency for working to protect critical American cyber infrastructure operated by the civilian government and the private sector. Already, the Trump administration has cut contracts and attempted to jettison probationary CISA employees. A more recent round of cuts is likely to affect every single part of the agency. To take but one example, in early March, CISA cut more than $10 million in funding to two critical cybersecurity intelligence-sharing programs that helped detect and deter cyberattacks and that alerted state and local governments about them. One program was dedicated to election security (a well-known bête noire for Trump), and the other to broader government assets, including electrical grids.
Likewise, to cite another example, the innovative Cyber Safety Review Board—based on the National Transportation Safety Board, which investigates transportation accidents—was created by the Biden administration to extract critical lessons from major breaches. It was dismantled soon after Trump took office, literally in the middle of several significant investigations.
The inevitable result is a diminution of defensive capability. Part of that will come from a brain drain as multiple senior CISA leaders have left. Another part of it will come from self-editing of analysis as CISA employees see that any divergence from the company line will result in adverse action (most notably, of course, the ongoing investigation of former CISA leader, Chris Krebs, for having the temerity to say, truthfully, that the 2020 election was not stolen). Without CISA in the lead, states and private enterprises will be left to fend increasingly for themselves.
It used to be that cybersecurity was a bipartisan priority. Apparently no longer. Rep. Bennie Thompson (D-Miss.), the ranking member on House Homeland Security, was scathing in his review of the cuts to CISA, calling them “unpopular and politically foolish.” He went on to say (correctly in my view) that “[e]viscerating CISA’s workforce is not only illegal, it tells our adversaries that it’s open season on our networks and infrastructure. It’s idiotic, irrational, and puts us all at risk.” His Republican counterpart Rep. Mark Green (R-Tenn.) disagreed, saying that Trump was “right to take steps to refocus CISA on its core mission—combating urgent cyber threats to our government networks and ensuring the resilience of critical U.S. infrastructure.”
Less Data Collected/Shared Domestically
Not only will resources generally be fewer; as a result, less data will be collected and, likely, less data will be shared domestically.
To begin, it is not even clear that the legal foundations for domestic public-private information sharing will retain vitality. The Cybersecurity and Information Sharing Act of 2015 (also confusingly sometimes abbreviated CISA and distinguished from the agency by using “CISA 2015”) is set to expire this fall. Though recent congressional hearings have emphasized its value and portend reauthorization, I think it’s up in the air as to whether it will be renewed and, if so, with what changes. CISA 2015 is the foundational cornerstone of cybersecurity threat and vulnerability information sharing in the U.S., so that revision is critical and currently indeterminate. I have no doubt that the information sharing and analysis centers will continue but there is a significant question about their future value and funding levels. And, of course, any reduction in information sharing will have a direct impact on the perceived value of public/private partnerships more generally.
Already it is clear that the threat intelligence from the federal government that many private-sector organizations have relied upon has decreased significantly in volume. Even worse, the reliability of that information is now being questioned. As one example, the administration’s changing political approach to Russia’s role in cyber threats means many private-sector companies are searching for other sources of information to understand risk and identify best options to protect themselves. Many in the private sector are revisiting their understanding of what it means for the U.S. to be “trusted partners” and how best to protect their organizations in light of that revision.
Less Research on Cybersecurity Issues
There will also be less basic research on cybersecurity issues. The funding cuts will hit academic institutions even harder than they will the federal government, if that is possible. More to the point, the capriciousness of the defunding will disrupt research agendas everywhere.
Perhaps even worse, though, is the climate of fear that Trump has created in academia. No sensible researchers will collaborate internationally in the same way that they have in the past—to the detriment of all involved. We can also foresee a shortfall in trained personnel—currently the graduate cohort in cybersecurity in the U.S. is approximately 60 percent foreign. That is surely going to decrease—without a commensurate increase in American training.
Greater Confrontation With China
As I already alluded to briefly, Trump’s broader geopolitical goals are likely to create greater cyber confrontation with China. Escalating U.S.-China trade tensions are likely to fuel a surge in Beijing-backed cyber espionage. U.S. companies and government agencies were already grappling with an unprecedented wave of hacking activity linked to the Chinese government. New tariff threats could intensify the pressure of Chinese cyber activity.
As a collateral effect, cybercriminals are likely to exploit the confusion around tariffs with phishing campaigns and other scams. There will be more “fuzz” in the domain—and everyone will take advantage of that.
Meanwhile, we can anticipate that the U.S. will “start going on offense” in cyberspace against China. The firing of Gen. Timothy Haugh—former director of the NSA—is, I think, a prelude to detaching the military command from NSA. Once detached, this administration will likely unleash U.S. Cyber Command’s operatives for more offensive cyber strikes against foreign adversaries notwithstanding the risk to the country’s own espionage efforts.
Broader Economic Context
The broader economic context of Trump’s worldview will have some direct cybersecurity impacts. The administration has an overall deregulatory impulse. This impulse means there will be no regulation of cryptocurrency, for example, with a resulting increase in use, both lawful and criminal. Likewise any direct cybersecurity regulation (like, say, the imposition of liability for code) is dead. It may be that the lack of federal regulation leads to greater state regulation in this space—a development which will be increasingly burdensome for private-sector organizations.
Meanwhile, Trump’s love of tariffs will also impact cybersecurity. I predict tariffs will be extended to digital goods, like outsourced service systems. The tariffs will also, predictably, disrupt the global supply chains for hardware components.
In sum, the next four years will see a significant disruption in the U.S. cybersecurity posture—almost all of it in a bad way. It is hard (almost impossible) to see any positive signs.
Data Privacy Changes Ahead
The same, sadly, is true for data privacy in the United States, though perhaps the prospects are not quite so grim. Here are a few likely results:
First, and most obviously, there will not be a federal privacy law enacted. Though we have been chasing a General Data Protection Regulation equivalent for years (and came close under Biden), all prospects for a law appear, to me, to be dead.
Second, I anticipate a significant pull-back on privacy in the privacy-security debate. The most notable signal of this is the firing of Democratic appointees to the Privacy and Civil Liberties Oversight Board. If ultimately successful (the firing is in litigation), Trump will, no doubt, either appoint members who are more like-minded or fail to make any appointments at all, disabling the board. I do not foresee any greater solicitude for the other parts of the Data Privacy Framework (DPF)—like the court and the Federal Trade Commission (FTC).
We will also see more broadly a pull-back on regulatory impulses at the regulatory agencies—the FTC, the Consumer Financial Protection Bureau, the Securities and Exchange Commission and others both generally (as I already noted) and as to privacy in particular. Here, too, the firing of the Democratic FTC appointees is a harbinger of a change in perspective on privacy.
Unlike cybersecurity, in data privacy there are some small grounds for optimism. State activity, as in California, has already been significant in areas of privacy and regulation. It will only increase as the federal government steps back (unless, of course, federal preemption laws are passed—like the proposal to ban AI regulation by the states for the next 10 years). My own prediction is that for the next four years, the locus of transatlantic privacy discussions will be on the Sacramento-Brussels axis.
In a related vein, I think that greater political activism and protests against Trump may have the silver lining of sparking the development of more privacy protective technologies and more consciousness around data collection and use issues. One small personal example: Many of my colleagues and I have moved our conversations to Signal.
Impacts on Europe
So how will all of this impact Europe? In many significant ways. Here are a few:
As a general matter, there will be less transatlantic data sharing. This change will be a reflection of U.S.-EU economic tensions as well as ongoing disagreements about national security issues such as Ukraine and NATO. This will lead the U.S. to pull back, especially on government-level threat and intelligence sharing.
The lack of cross-Atlantic information sharing may well soon be reciprocal. From an overarching national security perspective, EU governments will likely have concerns around access to and management of classified information, even at the lowest classification levels in the U.S. After Signalgate, our international partners may perceive the same lack of priority when securing sensitive information, intelligence sharing, and asset protection for their own systems, resulting in a reluctance to share some information.
There will also be less operational cooperation. Over the past several years, one of the success stories has been how joint operations have successfully been managed in the cyber domain. This includes both coordinated cyber defensive efforts (for example, in Ukraine) and coordinated law enforcement efforts against criminal ransomware gangs and other transnational criminal organizations. With the increasing closeness of U.S. interests to those of Russia (or at least the perception thereof), I am certain that EU authorities will pull back on these cooperative efforts.
And, further, as suggested in my discussion of data privacy, I see grave risks to the DPF. Several of Trump’s actions have disabled or diminished privacy oversight that was integral to the adoption of the DPF. My lack of confidence in Trump’s commitment to privacy is part of the reason why I resigned as special advocate to the Data Protection Review Court. Indeed, Trump’s lack of commitment is so great that the DPF may collapse of its own accord—but if it does not, then his actions have substantially increased the likelihood that Schrems III will, once again, result in the European Court of Justice annulling a transatlantic privacy agreement. Microsoft’s recent announcement that it would offshore some of its data holdings in Europe is just one example of the impact that this trend will have.
So what does this mean for Europe going forward? It means that you’re on your own. As Trump’s press secretary said recently: “The President has always maintained that Europe always needs to do more.” Here are some ways in which I think Europe can and should modify its course of action in the cyber domain:
- The U.S. is unlikely to be a good source of standards going forward. Reduced resources at the National Institute of Standards and Technology (NIST), for example, mean that the NIST Cybersecurity Framework won’t be updated in a timely manner, degrading the reliability of vulnerability assessment. The EU should consider adopting a new standard, either one of its own or perhaps a joint one with the Cyber Assessment Framework used in the U.K.
- Less data from the U.S. doesn’t mean that the EU won’t need data. But it does mean that the U.S. is no longer a reliable source (witness the near-death of MITRE’s Common Vulnerabilities and Exposures database). That in turn suggests that the EU should consider greater reliance on domestic data sources, such as the European Union Agency for Cybersecurity, and should consider enhancing its data collection capabilities.
These changes won’t come cheap. The EU will need to increase its resource investment substantially—in terms of both money and personnel. The EU needs its own sources of intelligence and independent response capabilities. And, if you will accept the advice of a friend, the EU needs to also reconsider and reduce the regulatory burdens it imposes on digital innovation. We all have stories about how difficult it is to deploy new technology in the EU and how many divergent reporting and certification requirements there are.
While I am not saying that the EU should mimic the U.S. anti-regulatory posture completely, this might be a propitious time to reconsider the current state of affairs. If you play your cards right, EU regulations can play an increasingly dominant role in shaping the cybersecurity landscape. The EU is already a key player in setting standards for data protection and privacy. You can move into cybersecurity, if you are sufficiently accommodating to innovation.
Of course, with opportunity comes risk in the form of greater vulnerability. One consequence of American rapprochement with Russia is likely to be a diversion effect. Russian cyber gangs directed by Vladimir Putin away from American targets will refocus their attention on the EU. And the target is attractive. Amsterdam is already home to one of the world’s best payment processors (Adyen) and may emerge as a hub for EU-based companies. As the “Buy EU” sentiment grows, European firms are likely to expand commercially, creating a potential bright spot in the tech sector. And a bigger target. Denmark’s strategic position in the technology sector makes it a particularly likely target for such activities.
What About the Future?
Will this situation last? In some ways this kind of disruption comes about every four years as American administrations change. And it is crucial to avoid broad generalizations about the “ignorance” of the American people. Instead, the issue lies with our leadership, which fails to understand our international interests and devalues the expertise of the nation.
And so, once Trump is out of office, one can hope his successor doesn’t perpetuate the same style of leadership, potentially creating an even more polarized environment.
But, to me, that is too optimistic—this transition seems more fundamental. When, for example, the vice president begins his term by coming to Munich and lecturing the EU about free speech and how you spend money, a sea change in perception has become reality. I fear that 80 years of cooperation generally and 20 years of cyber cooperation have been fractured, perhaps permanently. That is not an optimistic scenario, but you asked me for my opinion and that is the unvarnished version of it.
– Paul Rosenzweig is the founder of Red Branch Consulting PLLC, a homeland security consulting company. He formerly served as a senior advisor to The Chertoff Group and deputy assistant secretary for policy in the Department of Homeland Security. He is a professorial lecturer in law at George Washington University, a senior fellow in the Tech, Law & Security program at American University, and a board member of the Journal of National Security Law and Policy. Published courtesy of Lawfare.