The White House in Washington DC showing cybersecurity executive order

New Cybersecurity Executive Order Takes on Election Interference Sanctions, Encryption Standards and Disinformation Programs

A new and wide-ranging cybersecurity executive order from the Trump administration rolls back some Biden- and Obama-era directives and looks to steer government cyber defense efforts to “identifying and managing vulnerabilities, rather than censorship.” The order also further develops the roles of the National Institute of Standards and Technology (NIST), the National Security Agency (NSA) and the Office of Management and Budget (OMB) in implementing quantum-resistant encryption standards set to be in place by 2030.

Cybersecurity executive order takes particular aim at election interference, digital identity programs

The title of the cybersecurity executive order includes the two prior orders targeted for repeals: the Biden administration’s Order 14144 of January 2025, issued just days before the former president left office, and the Obama-era Order 13694 of April 2015. The older Obama order approved sanctions on individuals engaging in cyber attacks on US critical infrastructure, with the Trump administration narrowing its scope to only allow them to be placed on foreign malicious actors and not in the case of “election-related activities.” However, the text does not specifically state that sanctions cannot be levied in the event of foreign actors engaging in election interference.

The Biden executive order is amended to remove some of the digital identity document programs it founded, citing potential use of these IDs by illegal aliens to move about the country and access benefits. The Biden order had directed federal departments to develop guidance on mobile driver’s licenses and other phone-based IDs and to assist state governments in implementing these concepts, though the order did not have time to develop into anything too substantial before the Trump administration took the reins. About a dozen states have already rolled out mobile driver’s licenses, either fully or as a pilot program, and the Transportation Safety Administration (TSA) accepts most of these.

Less controversial elements look to shore up readiness and defenses

The repeals to the orders of prior administrations will no doubt be the most controversial elements and grab the most headlines, but the new cybersecurity executive order ranges well beyond this to address software security, AI priorities and the continued implementation of new encryption standards to counter the looming threat of quantum computing.

NIST finds itself facing an assortment of new work, ordered to produce guidance on the implementation of secure software development practices and measures for creating and deploying patches for discovered vulnerabilities. And the Pentagon, DHS and the Office of the Director of National Intelligence have been directed to develop new standards for identifying and addressing vulnerabilities in AI systems.

However, the Trump cybersecurity executive order also does scale back some of the security measures specified by the prior Biden order. It eliminates the requirement for mandatory attestations of software security compliance, and directs NIST to develop guidance in a model of a voluntary industry consortium rather than mandating DOJ-enforceable submissions.

The Trump cybersecurity executive order additionally reframes AI as a threat to be secured against, rather than promoting collaboration on defensive uses across government, industry and academia. The order mandates that federal agencies track vulnerabilities in AI systems and curtail data sharing with outside parties except when necessary and when security and confidentiality requirements can be set in place.

Though a number of the Trump cybersecurity executive order elements will likely be debated as to effectiveness and appropriateness, it does bring greater (and generally desired) clarity to the government’s roadmap for having quantum-resistant standards in place by the end of the decade. CISA and NSA have been ordered to produce a list of quantum-safe product categories by the end of this year, and the order mandates that the TLS 1.3 protocol must be in place by 2030. OMB will oversee the process for civilian agencies, while NSA tackles national security systems.

The order comes amidst some public antagonism by Trump toward CISA that dates back to the 2020 election. Trump fired former director Chris Krebs in November of that year, amidst accusations that the agency’s work on “disinformation” was meant to harm his re-election chances. In April of this year, Trump ordered Krebs’ security clearance revoked and asked the Justice Department to investigate him, which prompted his resignation from cybersecurity firm SentinelOne. Trump’s proposed budget for fiscal year 2026 has a long way to go through Congress, but in its present form would slash CISA’s budget by a total of 16.5% and eliminate some of its divisions entirely. DHS head Kristi Noem has echoed Trump in stating that CISA, which is a subordinate division of the department, has been too focused on “misinformation” and “disinformation” and needs to realign its operations to focus more on cyber defense. Trump nominee for CISA head, Sean Plankey, has also faced an uphill battle to appointment that has centered to a great degree on election security policies.

Kevin Bocek, CyberArk Senior Vice President of Innovation, notes that the AI security focus in the cybersecurity executive order is a fairly uncontroversial bright spot: “We are entering a new era of cybersecurity where AI and automation are everywhere, bringing with it new risks. Over the past few months, we’ve gained clearer insight into adversarial activity, particularly from China. As AI competition accelerates globally, we’re also seeing new attack areas emerge. It is affirming that the EO is serious about safe and secure AI, hopefully laying the foundation to critically address one of the most urgent and overlooked threats: machine identity sprawl. Machine identities, driven primarily by AI and cloud, now vastly outnumber human identities 82:1 within organizations – yet most organizations aren’t equipped to secure them. A recent survey we conducted found that 68% of organizations lack identity security controls for AI, and 75% of security professionals agree that their organizations prioritize business efficiencies over robust cybersecurity. The risks of not securing their identities are growing exponentially, and without clear federal guidance and accountability, this gap could become a major vulnerability in our national defense posture. I’m also bolstered by the EO’s directive around continuing secure software development and prioritizing detecting and managing vulnerabilities over censorship. Proper AI development is a tool for predictive defense, threat detection at scale, and securing the rapidly growing ecosystem of machine identities, but we must also ensure we secure the AI itself.

Steve Wilson, Chief AI and Product Officer at Exabeam, adds: “We strongly support the Biden-Trump executive order’s recognition that Artificial intelligence (AI) has the potential to transform cyber defense by rapidly identifying vulnerabilities, increasing the scale of threat detection techniques, and automating cyber defense. This is exactly right. We’re in an AI-vs-AI arms race in cybersecurity — not just with opportunistic hackers but with well-resourced nation-state actors who are weaponizing advanced generative and reasoning AI models. If we’re going to keep pace, our cyber defenses must be intelligent, adaptive, and fast. That requires major investments in AI. The move to ensure “existing datasets for cyber defense research have been made accessible to the broader academic research community” is also an important one. High-quality data is the fuel that powers AI. A nationally coordinated program to share cyber defense datasets — done securely and thoughtfully — is a necessary step toward building stronger, smarter AI systems for defense. We welcome this direction and hope to see it implemented with urgency and collaboration across the public and private sectors.”

Dave Gerry, CEO at Bugcrowd, takes a more pessimistic view of other elements: “This order walks away from important lessons. Rolling back secure by design software attestations and limiting sanctions to only foreign actors sends the wrong message at the wrong time. Those were put in place to reduce risk across the supply chain. Also, narrowing sanctions to only apply to foreign actors leaves a clear gap, especially when we’ve seen domestic enablers working in lockstep with foreign adversaries. The shift toward voluntary guidance sounds nice, however, in practice it often means slower adoption and fewer safeguards. It’s hard to see how this makes us safer. Cybersecurity should be a nonpartisan commitment to national resilience – not a political bargaining chip.”

 

Senior Correspondent at CPO Magazine