The headline item of the new Trump administration cybersecurity executive order is its rollbacks of programs previously established by Biden and Obama, but it also contains interesting developments in the areas of AI and quantum-ready cryptography standards.
The order reflects both ongoing political tensions and necessary cybersecurity realities, ranging from discouraging adoption of mobile driver’s licenses to reframing AI and automation defense approaches to address new developments. Critics will find much that seems purely political, but some of the developments in cyber defense areas are those broadly welcomed by the security community.
Cybersecurity executive order’s terms reflect shifting priorities for federal agencies
The revocations from the orders of prior administrations essentially amount to limitations on sanctions related to hacking and a rejection of federal support for digital ID rollout. The new elements are generally more constructive, though not without points of contention among stakeholders.
Secure-by-design software development and federal agency handling of vulnerability identification and patching will get a boost from the National Institute of Standards and Technology (NIST), who are tasked with creating new guidance in each of these areas. The Pentagon, DHS and the Office of the Director of National Intelligence have additionally been tasked with developing new standards for identifying and mitigating vulnerabilities in AI systems.
Outside of the repeals of prior executive orders, AI is the element that receives the most attention. Federal agencies will shoulder increased responsibilities in tracking vulnerabilities in the AI systems they use, but are also more limited in what data they can share with private industry partners and other outside parties.
Quantum-resistant cryptography standards are also a major point of focus of the cybersecurity executive order. A new list of quantum-safe product categories will be available by the end of 2025, courtesy of CISA and NIST, and there is now formal order to have the TLS 1.3 protocol (or a superior successor) in place by 2030.
Political elements of the Trump cybersecurity executive order
The more attention-grabbing aspect of the cybersecurity executive order is the targeting of the orders of two prior administrations, both of which he had very antagonistic relationships with.
The Obama Order 13694 was issued in April 2015 and expanded the ability to sanction foreign threat actors targeting US critical infrastructure, to include attempts to meddle in elections. The Trump administration appears to have peeled back the part about elections, but without expressly stating that a foreign hacker attempting election interference cannot be sanctioned. Instead, it says that the terms of the prior order no longer apply to sanctions on “election-related activities,” which leaves some room for interpretation.
The Biden order, issued in January of this year just three days before the inauguration, essentially ordered federal agencies to develop and foster support for states to adopt “digital driver’s license” programs that allow for identification via mobile phone. About a dozen states have some version of this concept in place and many are accepted by the TSA and other government agencies, though they are not yet generally widely used. The Trump cybersecurity executive order appears to be throwing cold water on this system out of belief that it will be a security hazard and abused by illegal immigrants to obtain benefits and legal permissions they should not otherwise have.
