Much attention has been paid to the incoming administration’s stated intentions to roll back regulations, as well as its criticism of certain cybersecurity and artificial intelligence (AI) policies adopted by the Biden administration. A more comprehensive review of policy statements and past actions suggests that the Trump administration will support strong cybersecurity defenses and best practices, as well as practices that encourage the responsible and trustworthy development and adoption of AI.
The First Months
The new administration immediately put a hold on pending regulations, as is typical. In both the first Trump administration and the Biden administration, the new White House Chief of Staff issued a memo on Inauguration Day to the heads of executive departments and agencies to immediately freeze any new or pending regulations to allow review by the new administration. President Trump also signed a large number of executive orders on his first day in office, though only one addressed AI or cybersecurity in a material way (see below).
We expect that many members of Congress will reintroduce cybersecurity and AI legislation from the previous session, and new legislation on these hot issues will be introduced for the first time.
Based on precedent, it is possible that Congress will use the Congressional Review Act to reject regulations that have already been enacted by federal agencies. The law, enacted in 1996, has only been used to overturn a total of 20 rules, with 16 of those actions taking place early in the first Trump administration with a Republican majority in both chambers of Congress. To take effect, the Congressional Review Act requires Congress to introduce a joint resolution within 60 Congressional session days of its receipt of the regulation, so only relatively recent regulations are subject to the law.
Cybersecurity Policy and Regulations
CISA
Republican lawmakers and incoming administration officials have criticized the Cybersecurity and Infrastructure Security Agency (CISA). However, these criticisms of CISA are largely not related to cybersecurity, but rather to its perceived expansion beyond its core mission of protecting federal and critical infrastructure to address issues such as disinformation. The Republican Party Platform emphasized a commitment to “use all tools of National Power to protect our Nation’s Critical Infrastructure and Industrial Base from malicious cyber actors. This will be a National Priority, and we will both raise the Security Standards for our Critical Systems and Networks and defend them against bad actors.” We expect the new administration to refocus CISA on cyber protection and to scale back or defund disinformation initiatives, but not to dismantle CISA.
CIRCIA
CISA is finalizing regulations to implement the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), enacted in 2022. The proposed rule requires a wide range of businesses in critical infrastructure sectors to report covered cyber incidents and ransomware payments to CISA. Many of the public comments, including those submitted by members of Congress who had sponsored the original legislation, argued that the draft regulations went beyond the intention of Congress by applying the rule to too many entities, requiring too many cyber incidents to be reported, and not providing enough reciprocity with similar cyber incident reporting regulations. Expect members of Congress to closely review and scrutinize the nature and scope of the final regulations.
Cybersecurity Executive Orders
The Biden administration released its second executive order on cybersecurity in its final week in office. The order focused on improving the United States’ defenses against the escalating threats from foreign adversaries, particularly the People’s Republic of China (PRC).
The new administration will certainly review all executive orders issued by the prior administration and consider whether to repeal them entirely, repeal them and replace them with its own executive orders, or take no action. Given the scope of the order and the new administration’s focus on cyber defense and countering the malicious activities of national adversaries, particularly China, a full repeal without replacement in the short term may be unlikely. It is worth recalling that the first Trump administration issued its own executive order on cybersecurity on its last day in office, which the Biden administration did not repeal.
Coordinated Vulnerability Disclosure Practices
Coordinated vulnerability disclosure practices, including the implementation of Vulnerability Disclosure Policies and the use of bug bounties by federal agencies, have been supported by both the Trump and Biden administrations, are well established in federal agencies, and are unlikely to be rolled back. Russell Vought, who has been nominated to return to his prior role as Director of the Office of Management and Budget (OMB), directed federal agencies to implement such programs in a 2020 memo. These practices also enjoy bipartisan support in Congress, which is actively working to pass legislation to require the adoption of Vulnerability Disclosure Policies by federal contractors.
Artificial Intelligence
Both President Trump and President Biden issued executive orders related to AI. President Biden’s order directed over 50 federal entities to take more than 100 specific actions to implement its guidance in areas including safety and security, consumer protection, worker support, and consideration of AI bias and civil rights. Proposed rules resulting from the order include those proposed by the Department of Commerce that would require mandatory reporting to the federal government by leading AI developers and cloud providers. Republicans raised concerns about the order’s reliance on the 1950 Defense Production Act for its authority to require such disclosures, as well as the order’s impact on free speech and innovation and its focus on addressing bias and discrimination. The Trump administration repealed President Biden’s executive order on AI on its first day in office, honoring a commitment made during the campaign. In doing so, President Trump issued his own order to remove barriers to American innovation and “to sustain and enhance America’s dominance in AI to promote human flourishing, economic competitiveness, and national security.”
While the Trump administration is expected to take a lighter regulatory approach to AI, its past approach through executive order has recognized the importance of regulatory guidance, technical standards, and transparency and trustworthiness to realizing the benefits of AI innovation. As OMB Director, Vought issued guidance to federal agencies for the regulation of AI applications, writing that “agencies should continue to promote advancements in technology and innovation, while protecting American technology, economic and national security, privacy, civil liberties, and other American values, including the principles of freedom, human rights, the rule of law, and respect for intellectual property.” The memo emphasized the importance of public trust in AI and the validation of AI systems while encouraging agencies to “be mindful of any potential safety and security risks and vulnerabilities.”
Congressional action on artificial intelligence has been limited to date, with the executive branch stepping in to shape government policy and practices related to AI use and regulation. However, Congress and the states have shown a willingness to take this issue up in the coming legislative term.
Focus Areas for HackerOne and Our Partners
HackerOne’s policy team continues to advocate for the enactment of legislation and regulation that enhances cybersecurity defenses and promotes the responsible adoption and use of AI. This advocacy will continue across administrations and Congresses. Regardless of how the regulatory environment evolves, companies should continue to proactively identify and manage vulnerabilities in their own systems and AI models to protect their assets and maintain the trust of the public, their customers, and investors.