The U.S. government has made big strides over the past four years in the ongoing fight against the “scourge of ransomware,” as President Joe Biden described it.

At the start of his term, Biden and his administration were quick to declare ransomware a national security threat, unlocking new powers for the military and intelligence agencies. Since then, the United States has successfully disrupted ransomware infrastructure, clawed back millions in ransom payments, and targeted some of the most notorious ransomware operators with indictments and sanctions.

Despite the government’s onslaught of enforcement of late, the number of cyberattacks targeting U.S. organizations continues to rise, with 2024 set to be another record-breaking year for ransomware. This means when President-elect Donald Trump again takes office in January, he, too, will inherit a major ransomware problem.

While it’s difficult to predict what the next four years of cybersecurity policy could look like, the industry at large is bracing for change.

“It is hard to say what will happen with policy and regulation in the future as there are many layers, and players, involved in change,” Marcin Kleczynski, the chief executive at antimalware giant Malwarebytes, told TechCrunch. “However, I know that cyberattacks won’t stop, regardless of who is in office,” said Kleczynski, citing ransomware as a top concern.

A mixed-bag first term

From a cybersecurity point of view, Trump’s first term as president was a mixed bag. One of Trump’s first (albeit delayed) executive orders after taking office in 2017 required federal agencies to immediately assess their cybersecurity risks. Then, in 2018, the Trump administration unveiled the U.S. government’s first national cybersecurity strategy in more than a decade, leading to more aggressive “name-and-shame” attribution policies and the easing of rules to allow intelligence agencies to “hack-back” at adversaries with offensive cyberattacks. 

In late 2018, Congress passed a law founding CISA, a new federal cybersecurity agency tasked with protecting U.S. critical infrastructure. The Trump administration chose Chris Krebs as the agency’s first director, only for the then-president to summarily fire Krebs by tweet two years later for stating that the 2020 election — which Trump lost — was “the most secure in American history,” in contradiction of Trump’s false claims that the election was “rigged.”

While cybersecurity hasn’t featured heavily in Trump’s messaging since, the Republican National Committee, which backed Trump for office, said during the 2024 election cycle that an incoming Republican administration would “raise the security standards for our critical systems and networks.”

Expect a deluge of deregulation 

Trump’s push to slash federal budgets as part of his pledge to reduce government spending has sparked concerns that agencies may have fewer resources available for cybersecurity, potentially leaving federal networks more vulnerable to cyberattacks. 

This comes at a time when U.S. networks are already under attack from adversarial nations. Federal agencies have warned this year of the “broad and unrelenting threat” by China-backed hackers, most recently sounding the alarm over the successful infiltration of multiple U.S. telecom providers to access real-time call and text logs.

Project 2025, a detailed blueprint written by influential conservative think-tank The Heritage Foundation, which reportedly serves as a “wish-list” of proposals to be taken up during a second Trump term, also wants the president to pursue legislation that would dismantle the entire Department of Homeland Security and shift CISA to operate under the Department of Transportation. 

Lisa Sotto, partner at American law firm Hunton Andrews Kurth, told TechCrunch that deregulation will be an overarching theme of the Trump administration. 

“This could impact CISA’s role in shaping cybersecurity regulations for critical infrastructure, potentially leading to an emphasis on self-regulation,” said Sotto. 

Referring to new guidelines proposed by CISA in March that would require critical infrastructure companies to disclose breaches within three days beginning next year, Sotto said these so-called CIRCIA rules “may also be significantly revised to shrink the requirements around cyber incident reporting and related obligations.”

That could mean fewer required data breach notifications of ransomware incidents and ultimately less visibility into ransom payments, which security researchers have long cited as a problem.

Allan Liska, a ransomware expert and threat analyst at cybersecurity company Recorded Future, told TechCrunch in October that much of the hard work done by the United States over the last four years, including the creation of an international coalition of governments vowing not to pay a hacker’s ransom, could become an early casualty to wide-scale government deregulation.

“The global ransomware taskforce that President Biden set up has accelerated a lot of law enforcement activity because it’s opened up the exchange of information,” said Liska. “There’s a good chance that goes away, or at least that the U.S. is no longer part of that,” he said, also warning of a risk in increasing ransomware attacks with less intelligence sharing.

An eye toward more disruption?

With a scaled back focus on regulation, a second Trump term could pick up where it left off with offensive cyberattacks and employ a more aggressive approach in a bid to tackle the ransomware problem. 

Casey Ellis, founder of crowdsourced security platform Bugcrowd, says he expects to see a ramping up of U.S. offensive cyber capabilities, including an increased use of hacking-back.

“Trump has a history of supporting initiatives that pursue an outcome that deters enemies to U.S. sovereign security,” Ellis told TechCrunch.

“I’d expect this to include the use of offensive cyber capabilities, as well as ramping up the kind of ‘hack-back’ activities we’ve seen out of the partnership between FBI and DOJ over the past several years,” said Ellis, referring to the government’s disruption efforts against botnets, DDoS booter sites, and malware operations in recent years. “The kind of ransomware, initial access broker, cybercriminal infrastructure, and quasi-government operations previously targeted by the U.S. government would continue to be a focus.”