Channel: Cyber agencies urge organizations to collaborate to stop fast flux DNS attacks | CSO Online

Project 2025 could escalate US cybersecurity risks, endanger more Americans


The Heritage Foundation’s nearly 1,000-page Project 2025 report is what the conservative DC-based think tank hails as a game plan for Donald Trump to follow in running the US government if he wins in November.

Among the thirty-four authors of the document, more than half are appointees and staff from his government, and six are cabinet secretaries from his former administration. All told, more than 140 workers in the Trump administration reportedly had a hand in the Project 2025 report.

“It’s no secret that many people in Trump’s orbit were intimately involved with Project 2025,” Lawrence Norden, senior director of elections and government at the Brennan Center for Justice, tells CSO. Given that neither the Trump campaign nor the GOP has put forth any specific plans on cybersecurity, Project 2025 is the sole articulation of how a Trump administration might plan to address cybersecurity issues.

Project 2025 contains numerous cybersecurity recommendations spanning major departments and agencies, but experts say its proposal to dissolve the Cybersecurity and Infrastructure Security Agency (CISA) represents the most significant and dangerous departure from the US government’s existing approach to cybersecurity.

Another red flag, experts say, is a recommendation to move the Office of the National Cyber Director (ONCD) to the National Security Council (NSC), and to require NSC employees to submit to something akin to a political loyalty test, injecting partisan politics into cybersecurity policy, which has long been a nonpartisan issue among lawmakers and policy professionals.

Dismantling CISA is a ‘disastrous’ idea

In a section attributed to Ken Cuccinelli, who served as Deputy Secretary of Homeland Security under Trump, Project 2025 recommends wholesale dismantling of the Department of Homeland Security (DHS) because, the report argues, it has not gelled into “One DHS.”

The report recommends putting a host of current DHS offices, including US Customs and Border Protection (CBP), Immigration and Customs Enforcement (ICE), US Citizenship and Immigration Services (USCIS), the Department of Health and Human Services (HHS) Office of Refugee Resettlement (ORR), and the Department of Justice (DOJ) Executive Office for Immigration Review (EOIR) and Office of Immigration Litigation (OIL), into a standalone border and immigration agency at the Cabinet level.

It also lays out plans for moving other parts of DHS to other agencies and dividing the US Secret Service (USSS) into two parts, with the protective element moved to the DOJ and the financial enforcement element moved to the Department of the Treasury.

Amid this reshuffling, Project 2025 recommends dismantling CISA and putting it in the Department of Transportation. In breaking up CISA, Project 2025 says that the Chemical Facility Anti-Terrorism Standards (CFATS) roles should be moved to FEMA, and its school security functions should be transferred to state homeland security offices. The report states that CISA should refrain from duplicating cybersecurity functions done elsewhere at the Department of Defense, FBI, National Security Agency, and US Secret Service.

“I think [dismantling CISA] would be disastrous,” Michael Daniel, CEO of the Cyber Threat Alliance and former Special Assistant to President Obama and Cybersecurity Coordinator on the National Security Council Staff, tells CSO. “Reasonable people can disagree about how effective CISA has been, but we have labored for literally decades to create an effective cyber defense organization in the US government. And we are finally getting there with CISA. To make radical changes to that organization now just makes no sense to me whatsoever.”

Daniel says that eliminating CISA would be a significant threat to US national security. “I think it would significantly increase the cyber risk to the United States. It would put us at a huge disadvantage. It would dramatically undermine the cybersecurity of our critical infrastructure, putting many more Americans at risk of financial loss, and eventually even [become] a threat to public health and safety.”

Chris Painter, former US government official and cybersecurity specialist at the State Department, concurs. “I don’t think that makes any sense at all,” he tells CSO. “CISA and its predecessor at DHS certainly had growing pains, to be sure, but it’s beginning to hit its stride. It’s important to have that agency there as a civilian component of working to protect critical infrastructure, working hand in glove with other federal agencies, including State, DOJ, DOD, and others.”

Norden says, “I am very concerned that this proposal, if the government enacted it, would leave us, not just our election infrastructure, but all other infrastructure, whether it’s nuclear or chemical facilities or our water, vulnerable to cyberattacks that are only going to get more sophisticated in the coming years. Frankly, it’s the wrong time to suggest diluting this agency’s strength.”

Norden is particularly concerned given that US elections are highly prized targets for foreign adversaries. “This document misunderstands where CISA is so helpful in the cybersecurity space and also, frankly, in the physical security space for elections. Our elections have been under attack. There have also been physical threats to our election infrastructure. And a critical part of what [CISA] does is provide physical security for our election infrastructure. And that’s important as well. And this document completely misses that.”

Norden also thinks that the cybersecurity functions of other agencies cited in the report can’t pick up what CISA does. “Project 2025 misunderstands the role of CISA in the ecosystem,” he says. “The FBI is a law enforcement agency. CISA is there to help jurisdictions build resilience, defend against cyberattacks, help them detect when cyberattacks happen, and inform the field of what they are seeing so that election officials can build more resilient systems and be prepared. That’s totally different than the role of an agency like the FBI, which is to investigate and eventually build a case to prosecute.”

CISA’s disinformation work is the primary spur

Project 2025’s primary motivation for dismantling CISA appears to be the agency’s work during the past two presidential campaigns to tackle misinformation and disinformation efforts by US adversaries.

“Of the utmost urgency is immediately ending CISA’s counter-mis/disinformation efforts. The federal government cannot be the arbiter of truth,” the report states. “The Cybersecurity and Infrastructure Security Agency (CISA) is a DHS component that the Left has weaponized to censor speech and affect elections at the expense of securing the cyber domain and critical infrastructure, which are threatened daily. A conservative Administration should return CISA to its statutory and important but narrow mission.”

Regarding this, Painter says, “It sounds more like a vendetta than a rational argument because CISA’s capability and focus are largely on computer security.”

Daniel says this reasoning is far too thin to justify scuttling CISA’s cybersecurity portfolio. “We face a lot of adversaries who are out to cause harm to a lot of Americans,” Daniel says. “They range from cyber criminals to nation-states. If anything, we need to be increasing our investment in cybersecurity and increasing our capability in this space.”

Moreover, most experts believe the dangers of misinformation and disinformation warrant CISA, as a protector of election security and integrity, taking on the task of identifying it. “I do think the truth is important,” Norden says. “CISA played a very small role in forwarding flags from election officials that they identified as false information to the social media companies.”

Norden highlights the most recent Supreme Court decision in Murthy v Missouri, in which the court ruled that CISA and the Centers for Disease Control’s communications to social media companies regarding false information did not violate the First Amendment and did not pressure the companies to do anything. He adds that in a recent survey conducted by the Brennan Center, 85% of election officials say it is beneficial for CISA to dispel false information about elections by promoting facts about election administration and technology.

Establishing a national security litmus test

Another Project 2025 recommendation is to move the White House’s Office of the National Cyber Director (ONCD), created in 2021, and the Homeland Security Council, created in 2001, to the National Security Council. Although this move is not as controversial as dismantling CISA, experts say it comes with dangerous directives.

Project 2025 states that following these moves, “the NSC should be properly resourced with sufficient policy professionals, and the National Security Advisor [NSA] should prioritize staffing the vast majority of NSC directorates with aligned political appointees and trusted career officials. For instance, the NSA should return all nonessential detailees to their home agencies on their first day in office so that the new administration can proceed efficiently without the personnel land mines left by the previous stewards and as soon as possible should replace all essential detailees with staff aligned to the new President’s priorities.”

“I presume what they mean is they’re assuming that anybody who is there, regardless of whether they’re a career civil servant or what the source of them is, is clearly a plant left behind by the previous administration that will do nothing but undermine the current administration, which again has no basis in reality of how it works,” Daniel says.

He adds, “If you denuded the National Security Council of all the people who know how to actually make it run, you would essentially collapse it, and you would have no capability to manage that national security process. So, it makes no sense in terms of a practical measure.”

Daniel says the ONCD and the NSC serve two different functions. “The NSC is really an inward-facing policy office that is designed to coordinate across the US government. It was never really designed to interact with the private sector and have the level of engagement with the private sector that the National Cyber Director’s Office is designed to do.”

Painter points out that the NSC is primarily made up of career employees and not political appointees. “When you go to the NSC, just like when you’re a career person, generally your loyalty is to make sure that the policy is carried out. And so, if someone at the NSC can’t do that, then they don’t stay. So [the kind of litmus test proposed by Project 2025] is weird. They want to get rid of a lot of career employees and have a huge, much larger percentage of political appointees,” he says.

The way Painter views it, Project 2025 aims to turn cybersecurity into a political issue, running counter to the past three decades when cybersecurity has mostly been considered a nonpartisan issue.

“Cybersecurity has traditionally been largely a nonpartisan issue, with senior officials and career employees dedicated to the mission of protecting our networks and responding to growing threats, and it should remain that way,” he says.

