
Trump Executive Order may create new security challenges
The U.S. government today exercises so much influence over cybersecurity that even the smallest change in policy can now have a profound impact. An executive order issued by President Trump is no exception, especially when it concerns rules requiring Federal agencies to start testing phishing-resistant authentication technologies and the adoption of both digital identities and post-quantum cryptography (PQC).
Specifically, the administration is reversing a previous executive order issued by former president Joe Biden that called for more aggressive adoption of more robust authentication technologies and digital identities to both improve cybersecurity and reduce fraud. The Trump administration, however, given the current focus on enforcing immigration policies, is concerned digital identities might be used by illegal aliens to gain access to benefits they are not entitled to receive.
The second major shift eliminated a Biden order that required Federal agencies to start using quantum-resistant encryption “as soon as practicable” in addition to requiring vendors to use PQC when technologically possible. The Trump administration also eliminated instructions for the departments of State and Commerce to encourage key foreign allies and overseas industries to adopt post-quantum cryptography algorithms defined by the National Institute of Standards and Technology (NIST).
A third shift concerns securing software supply chains. Previously, any vendor selling software to the federal government had to attest to the security of the software by submitting documentation showing they were following best DevSecOps practices. Now the U.S. government via NIST will only provide guidance, rather than requiring vendors to provide an actual report.
Additionally, provisions that required the Cybersecurity and Infrastructure Security Agency (CISA) to verify attestations provided by vendors, required the Office of the National Cyber Director (ONCD) to publish the results of those reviews and encouraged ONCD to refer companies whose attestations fail a review to the Justice Department “for action as appropriate” have been eliminated.
The Trump administration also eliminated rules that required NIST to issue guidance identifying minimum cybersecurity practices based on a review of globally accepted standards that required vendors to follow those practices.
The fact sheet provided by the Trump administration said the previous Biden order imposed “unproven and burdensome software accounting processes that prioritized compliance checklists over genuine security investments” and micromanaged “technical cybersecurity decisions better handled at the department and agency level, where budget tradeoffs and innovative solutions can be more effectively evaluated and implemented.”
The Trump administration is also narrowing the scope of a previous order pertaining to artificial intelligence (AI) security. The Trump order now requires Federal agencies to track vulnerabilities in AI systems, integrate them into incident response pipelines and limit data sharing to only what is feasible under security and confidentiality constraints. Previously, Federal agencies shared that information with other countries allied with the U.S.
The Trump administration is modifying a previous order issued by President Obama nearly 10 years ago. Now sanctions cannot be applied to any election-related activities and can be applied only to foreign malicious actors, to prevent misuse against domestic political opponents.
Finally, the executive order also cut language from a previous executive order that directed the Office of Management and Budget (OMB) to advise agencies on addressing risks related to IT vendor concentration.
Regardless of which political direction any cybersecurity professional might lean, the one thing everyone can agree on is that the U.S. Federal government sets an example for others to follow. As such, changes that rely more on suggestions than on requirements are going to make achieving and maintaining cybersecurity that much more challenging.
