President Trump’s latest cybersecurity executive order addresses what he calls “problematic elements” that his predecessor put in place with his own EOs, particularly the last one he dropped in January four days before leaving the Oval Office.

Trump’s executive order, which was issued late last week and also addressed an area that President Obama focused on in one of his own orders issued in 2015, hits on a wide range of issues, from secure software development and post-quantum encryption to AI and Internet of Things (IoT) security, nation-state cybersecurity threats, collaboration between federal security agencies and private sector vendors, and the Border Gateway Protocol (BGP).

It touches on two of Trump’s high-profile issues, immigrants and election security – accusing President Biden of trying to “sneak problematic and distracting issues into cybersecurity policy” in the January EO – and directly names China, Russia, Iran, and North Korea as key nation-state adversaries that are threatening the U.S. government, critical infrastructure, and the private sector in the United States.

Trump EO Takes Aim at Biden, Obama Provisions for Identity, Sanctions, AI

“These campaigns disrupt the delivery of critical services across the Nation, cost billions of dollars, and undermine Americans’ security and privacy,” the EO says. “More must be done to improve the Nation’s cybersecurity against these threats.”

That said, it also leaves in place many of the provisions that the Biden Administration issued in its previous executive orders. That includes having CISA play a role in protecting federal civilian networks. In addition, it maintains much of what’s being done around BGP and encryption.

The new EO also comes against the backdrop of the Trump Administration’s continued slashing of the federal workforce and budgets, including those of CISA and other cybersecurity-focused agencies.

Digital Identity Provision Removed

Among the provisions it eliminates was one Biden had put in place to protect against cyberthreats and fraud by expanding the use of digital identities, including for public health benefits. A fact sheet for Trump’s EO said that the move of “introducing digital identity mandates … risked widespread abuse by enabling illegal immigrants to improperly access public benefits.”

The group Better Identity Coalition pushed back on Trump’s decision in a posting on X (formerly Twitter), saying that bad actors backed by China and North Korea had stolen billions of dollars from victims in the United States through identity-based attacks and that it was “disappointed” that the president struck out the provision, “especially given that this language had strong bipartisan support and was praised by cybersecurity and fraud experts.”

Another provision eliminated was one mandating software developers selling into the federal government attest to the security of the software by submitting documentation showing they were following secure development processes. Trump wants the National Institute of Standards and Technology (NIST) to provide guidance but not require reporting.

The fact sheet said that Biden’s order imposed “unproven and burdensome software accounting processes that prioritized compliance checklists over genuine security investments” and micromanaged “technical cybersecurity decisions better handled at the department and agency level, where budget tradeoffs and innovative solutions can be more effectively evaluated and implemented.”

Going Back a Decade

Reaching back 10 years, the new EO also changes President Obama’s order to enable sanctions on those launching attacks on U.S. critical infrastructure. Instead, Trump’s order limits such sanctions “only to foreign malicious actors, preventing misuse against domestic political opponents and clarifying that sanctions do not apply to election-related activities.”

For post-quantum cryptography, Trump is streamlining the steps federal agencies need to take in the coming years, including supporting TLS 1.3 or later versions of the protocol by 2030. He also is removing such mandates as the one requiring that the U.S. work with other governments and industry organizations in other countries.

A Change in the AI POV

Regarding AI, Trump narrowed what Biden had ordered, which had advocated broad collaboration with the private sector and academic researchers. Instead, in the president’s order, “AI is repositioned as a potential liability to be secured, not a universal defense engine,” Emil Sayegh, principal and CEO of B2B consultancy Profit Growth Insights and a contributor to Forbes, wrote for the news site.

“It requires agencies to track vulnerabilities in AI systems, integrate them into incident response pipelines and limit data sharing to only what is feasible under security and confidentiality constraints,” Sayegh wrote.

Overall, he added, Trump’s EO “not only modifies key elements of Biden’s January 2025 framework but also signals a broader realignment of federal cybersecurity priorities. It shifts focus away from federal digital identity initiatives and revises compliance-heavy software security mandates.”