(Editor’s Note: This is the next installment of our series, “Tech Policy under Trump 2.0.” Read the first article in the series here.)

By the time this analysis is published, or by the time you read it, President Donald Trump may have withdrawn or modified the Jan. 16 “Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity” and other cybersecurity policies issued under the Biden Administration. Enacted in the final days of the Biden administration, Executive Order (EO) 14114 aims to strengthen the federal government’s cybersecurity policies by requiring–rather than simply encouraging–government vendors, cloud providers, and contractors to meet certain cybersecurity requirements.

The wide-reaching cybersecurity EO, which covers everything from the federal government’s cybersecurity practices to AI-powered cyber defenses, represents a culmination of the Biden administration’s efforts to address longstanding, fundamental vulnerabilities in digital infrastructure – vulnerabilities that high-profile security breaches of U.S. critical infrastructure, including by China-sponsored hacking groups Volt Typhoon and Salt Typhoon, highlight. The EO builds on the Biden administration’s previous policies linking cybersecurity and data security to national security, including its May 2021 Executive Order 14028, implementation of the March 2022 Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), March 2023 National Cybersecurity Strategy, and use of federal authorities to promote security in defense contracting, information and communications technology, and access to Americans’ sensitive personal data.

The latest cybersecurity EO leans heavily on procurement authority, sanctions issued under the International Emergency Economic Powers Act (IEEPA), mandatory agency practices, and non-binding standard-setting. Several new requirements for federal contracts will have spillover effects that may benefit the private sector, such as incentivizing secure products and services and enhancing their visibility in the marketplace. Overall, the order reflects an emphasis on: (1) moving beyond cybersecurity policies that merely encourage reporting and cooperation and (2) shifting responsibility for security upstream from consumers to producers and providers of software, cloud services, and other components of the cyber ecosystem.

The Trump administration may leave the EO in place, withdraw it, consider modifications during the implementation periods it sets forth, or pause it for a more comprehensive review of security policy. Whatever approach the new administration takes, cybersecurity is largely a bipartisan issue, and the new EO – along with the rest of the Biden administration’s cybersecurity strategy – pulls together assessments of important problems, proposes potential mitigations, and increases public awareness of critical cybersecurity threats and better practices.

Broadening the Scope of Potential Sanctions

Sanctions against cyber threat actors located abroad represent a critical policy tool for strengthening U.S. cybersecurity.  Isolating threat actors from financial and other support raises costs on adversaries and makes it more difficult for them to operate.  Section 9 of the EO amends the Obama-era Executive Order 13694, which authorized sanctions against malicious cyber actors under narrower criteria, to authorize sanctions on individuals engaged in malicious cyber activity such as:

  • Activities related to gaining or attempting to gain unauthorized access to a computer of the United States or a U.S. person, U.S. ally or partner, or a citizen, national, or entity organized under the laws of a U.S. ally or partner
  • Providing material assistance to malicious cyber activities enumerated in the EO
  • Targeting critical infrastructure
  • Compromising the integrity of computers or information they contain
  • Disrupting the availability of computers or information they contain
  • Causing misappropriation of funds, confidential information, or personal identifiers
  • Tampering with, altering, or causing misappropriation of information to interfere with or undermine election processes or institutions
  • Ransomware attacks affecting the confidentiality, integrity, or availability of computers or information they contain

These categories are broad and potentially could include any cybercrime with a foreign nexus that is “reasonably likely to result in,” or has “materially contributed to,” a threat to U.S. national security, foreign policy, economic health, or financial stability.  This enhanced sanctions authority is significant because it increases the ability of the United States to cut off malicious cyber actors’ resources. It also could increase risk for ransomware victims, security researchers, and other private-sector actors who deal with cyber criminals, who risk violating sanctions if they pay designated individuals or organizations.

Other Key Provisions

On the defensive side, the EO also aims to address longstanding vulnerabilities in digital infrastructure. Exploitation of these weaknesses has grown increasingly dangerous as dependencies increase through greater connectivity and as adversaries’ capabilities advance. Whether or not the Trump administration implements each of these provisions, the EO provides an essential, if partial, catalog of risks and mitigations that are useful for government actors, private-sector entities, and security professionals to understand the evolving cyber threat landscape.

Promoting Software Security

The EO recognizes the need for security not only in the development of software, but also in the delivery of software and application of patches. Section 2 leverages federal purchasing power by directing agencies to develop software security standards and incorporate those standards into the Federal Acquisition Regulation (FAR). It also requires federal government vendors to attest to the security of their development practices. The Cybersecurity and Infrastructure Security Agency (CISA) will validate security attestations. The National Cyber Director will publish results of CISA’s validation, so non-government customers will also benefit from CISA’s validation process. Vendors whose attestations fail validation may be referred to the Department of Justice.

Promoting Cloud Security

Increased reliance on cloud-based services offers potential security benefits, but consumers of cloud-based services can expose themselves to substantial security risk if they do not carefully adjust settings such as access controls and permissions.  CrowdStrike, for example, has noted that “[c]loud misconfigurations — the gaps, errors and vulnerabilities that occur when security settings are poorly chosen or neglected entirely — provide adversaries with an easy path to infiltrate the cloud” and “clear the path for adversaries to move quickly” during a breach.

Relying again on federal procurement authority, Section 3 of the EO directs agencies to “incentivize or require” cloud service providers (CSPs) who provide services to the federal government through the FedRAMP Marketplace to “produce baselines with specifications and recommendations for agency configuration of agency cloud-based systems in order to secure Federal data based on agency requirements.” In other words, CSPs selling to the federal government will have to provide instructions on how to set up and operate cloud-based services in a secure way. Those instructions will also benefit private-sector consumers, who may implement the recommended security settings and practices themselves.

Strengthening Encryption And Other Internet Building Blocks

The advent of quantum computing threatens to render traditional encryption methods ineffective. Without encryption, there can be no privacy or security of, or confidence in the integrity of, internet communications or commerce. Among other entities, the National Institute of Standards and Technology (NIST) has released quantum-resistant encryption tools. Section 4 requires federal agencies to adopt post-quantum cryptographic systems, with an eye toward boosting the market for such systems and broadening their visibility.

Section 4 further requires federal agencies to adopt practices that address traditional and persistent vulnerabilities of the internet.  Border Gateway Protocol (BGP), which routes internet traffic, is susceptible to hijacking by bad actors who misdirect internet communications to infrastructure they control.  Similarly, the Domain Name System (DNS), which translates website names into Internet Protocol (IP) addresses that allow internet routing, is notoriously vulnerable when not secured. The EO requires federal agencies to deploy secure versions of BGP and DNS, and to use encrypted communications systems. These steps not only secure the federal government, but also support secure products and services that can be made commercially available.

Providing Secure Digital Identity

Cybercrime at all levels often relies on bad actors falsely representing themselves as someone else. A centralized, secure, validated digital identification could help reduce fraud and false personation. On the other hand, a “National ID” managed by the federal government raises concerns about privacy and surveillance. Section 5 of the EO encourages adoption of digital identity documents in the context of public benefits programs in a manner that is accessible and that supports privacy, data minimization, and interoperability. It also calls for consideration of federal funding for mobile driver’s licenses and other secure digital means of identification.

The EO calls for agencies to implement digital identification in a manner that does not enable surveillance or tracking of the use or location of credentials; agencies may face an uphill battle in demonstrating that such surveillance or tracking is not possible for a particular technology.  The EO also mandates a pilot program that will alert users to identity-related fraud.

Advancing AI for Cyber Defense

The EO requires federal agencies to accelerate the development and deployment of AI for cybersecurity, noting that AI “has the potential to transform cyber defense by rapidly identifying new vulnerabilities, increasing the scale of threat detection techniques, and automating cyber defense.” Section 6 of the EO calls for the Secretary of Energy, in coordination with the Secretary of Defense and Secretary of Homeland Security, to launch a pilot program–working with private-sector critical infrastructure entities–on the use of AI to enhance cyber defenses of critical infrastructure in the energy sector. Section 6 further calls for the Department of Defense to establish a program to use AI in cyber defense and for agencies to prioritize AI research focusing on cybersecurity – both the use of AI to enhance security, and the security of AI systems themselves.

General Cybersecurity Practices

NIST recently updated its Cybersecurity Framework, which many organizations rely on as a tool to evaluate and improve cybersecurity. It generally does not prescribe how to achieve desired outcomes or what steps an entity should take, but instead describes desired outcomes. Section 7 of the EO directs NIST to “evaluate common cybersecurity practices and security control outcomes that are commonly used across industry sectors” as well as other security frameworks, and to publish guidance on “minimum cybersecurity practices.” Federal contractors will be required to follow those practices and the private sector will have access to NIST standards as well.

Section 7 of the EO also promotes adoption of the “United States Cyber Trust Mark” for Internet of Things (IoT) devices by requiring federal vendors of consumer IoT devices to use Trust Mark labeling, a program that verifies devices’ security.

What Comes Next

If the cybersecurity EO survives the presidential transition, many changes will not be visible to the public, because most of the mandates fall on federal agencies. Federal contractors and suppliers will have to meet the enhanced security standards that roll out. Businesses and consumers may find themselves more aware of cybersecurity issues in the products and services they use – and may find more secure products and services available. Civil libertarians will scrutinize the privacy impacts of state-sponsored digital identities. And, ideally, cybersecurity will improve overall as the policies, practices, technologies, and products outlined in the EO permeate the U.S. digital infrastructure.

Even if President Trump decides to withdraw, supersede, or modify the EO, it provides a useful set of goals, practices, and tools that governments, businesses, and civil society should adopt in a manner appropriate to their risk profile. The order also advances important concepts, such as security standards and requirements that take a more aggressive, affirmative approach and the shifting of security responsibility up the chain from consumers and end-users to those who develop and implement technology and software higher up the digital chain. The specific ideas and directives contained in the EO–and the Biden administration’s other cybersecurity policies–may not persist in their current form, but robust analysis of how best to protect cybersecurity and, by extension, critical infrastructure and national security, will remain central to U.S. policy.
