Nearly a year after Donald Trump’s return to the White House, a report is warning of the devastating consequences of his budget cuts, the elimination of 200,000 jobs within U.S. government agencies, and the effects of the longest shutdown in U.S. history. Some also see it as a windfall for the private sector.

Is there real cause for alarm? According to the annual report of CSC 2.0, the organization that succeeded the Cyberspace Solarium Commission (a bipartisan U.S. body created in 2019), the United States is falling behind in cybersecurity. “The most significant challenges are the result of staff reductions of more than 30% at CISA (the U.S. cyber defense agency) and at the National Security Agency (2,000 people),” Mark Montgomery, a retired U.S. Navy rear admiral and executive director of the CSC, confirms to INCYBER.org. “The threat is growing rather than receding, and these staff reductions introduce risk. This year’s assessment clearly shows that technology is evolving faster than federal efforts to secure it. Our nation’s ability to protect itself and its allies against cyber threats is stagnating and, in several areas, declining.”

Artificial intelligence

According to documents consulted by the Reuters news agency, the Trump administration is preparing to entrust private companies with ensuring its cybersecurity. Due to a lack of budget, many strategic positions within the NSA remain vacant, limiting coordination and response to threats such as those posed by the Chinese hacking group Volt Typhoon. “Attacks of this kind against U.S. critical infrastructure constitute an aggressive effort to conduct ‘operational preparation of the battlefield’ and endanger U.S. national security,” says Mark Montgomery. At the same time, the threat is growing exponentially with the rise of artificial intelligence. In its annual report on digital threats published last October, Microsoft identified more than 200 cases of foreign actors using AI to generate false online content—more than double compared with 2024 and ten times more than in 2023.

New requirements

“Many operational functions responsible for monitoring threats and responding to incidents remain in place,” notes Tony Anscombe, tempering that assessment. Based in San Francisco, California, he is chief security evangelist for the Slovak cybersecurity company ESET. “They were deemed essential and were not affected by the recent shutdowns. The U.S. government continues to rapidly modernize its use of information technology, including cybersecurity. This includes the introduction of new requirements, such as the CMMC (Cybersecurity Maturity Model Certification) rule, which requires more than 80,000 suppliers in the defense sector to comply with strict cybersecurity controls defined by NIST.”

Global transformation

While this policy shift targets external companies, similar changes are also being imposed on federal agencies, such as the new Cyber Risk Management Construct that applies to the Department of Defense. This evolution in practices is also reflected in operational decisions taken by CISA, for example Directive BOD 25-01, which addresses secure practices for cloud services. “While progress has recently been slowed by the shutdown of public services, the determination to accelerate global transformation through policies and concrete measures does not appear to have waned,” says Mr. Anscombe confidently.

Commercial opportunities

Not everyone necessarily views this increased involvement of the private sector within U.S. federal agencies negatively. Kamel Ferchouche, CEO of the French cybersecurity software publisher Evertrust (which recently raised €10 million from the U.S. fund Elephant, ed.), believes that Donald Trump’s strategy could create new commercial opportunities by expanding the missions of companies traditionally confined to defense. “There are real consolidation movements in the United States to create behemoths,” he observes. “Palo Alto, for example, has just acquired the American-Israeli company CyberArk for $25 billion. They still have significant resources, but they are in the process of rationalizing and limiting the number of players, unlike Europe, where it’s teeming—there are many startups and a lot of innovation, but it’s hard to grow very large.”

Expanding the talent pool

The publication of the details of this new strategic plan developed by the Trump administration is imminent. “It’s a form of privatization and delegation,” summarizes Mr. Ferchouche, “but it will be exclusively American solutions that secure the governmental sphere—they are very protectionist. It’s impossible for a foreign player to access these markets.” In this context, the CSC 2.0 report puts forward several proposals, such as strengthening the powers of the national cyber director (a position created in 2020), which, according to the study, “still does not have the authority and interagency relationships necessary to enforce decisions across the government.” It also proposes restoring the budgets and staffing levels cut at CISA. Finally, the report suggests expanding the cybersecurity talent pool and improving retention. In this regard, the authors note that the Trump administration’s rollback on diversity, equity, and inclusion has significantly reduced the labor pool.
