
White House Limits Cyber Sanctions, Cuts Digital ID Mandates and Refocuses AI Rules
President Donald Trump signed Friday an executive order reframing U.S. cybersecurity policy, eliminating what the Republican White House described as “problematic elements” inherited from Democratic administrations.
The new order strikes a push for digital identity documents made by then-President Joe Biden in one of his last acts as commander in chief (see: Final Biden Cybersecurity Order Will Face Political Hurdles).
It reaches back into the presidency of Barack Obama to strike policy in effect since 2015 allowing sanctions against “any person” engaged in foreign-directed hacking operations. The new policy is that only a “foreign person” can be sanctioned.
A White House fact sheet says the order limits cyber sanctions strictly to foreign malicious actors to prevent “misuse against domestic political opponents” and criticizes the Biden administration for “micromanaging technical cybersecurity decisions better handled at the department and agency level.”
The announcement – which also says “cybersecurity is too important to be reduced to a mere political football” – comes just days after the White House proposed deep budget and staffing cuts at CISA, a move analysts and former officials warn could seriously weaken federal cyber defenses (see: ‘There Will Be Pain’: CISA Cuts Spark Bipartisan Concerns).
The Trump order removes a Biden requirement that would have required software developers to submit attestations validating their use of secure software development practices that were outlined in a 2021 executive order. The Trump order says the government will lean on voluntary secure software development guidance developed by a consortium established by the National Cybersecurity Center of Excellence with industry.
In one change that imposes a deadline rather than lifting it, the order directs the Cybersecurity and Infrastructure Security Agency to establish by Dec. 1, 2025, a list of product categories that widely support post-quantum cryptography. Experts say a transition to post-quantum cryptography should begin immediately to head off “harvest now, decrypt later” attacks, in which foreign powers save intercepted encrypted communications for later decryption by a quantum computer. Most experts anticipate that a “cryptanalytically relevant quantum computer” – as it is known – will come online in the first years of the coming decade. The Biden administration in 2024 estimated the cost through 2035 for transitioning key federal systems to post-quantum encryption will be at least $7.1 billion (see: US NIST Formalizes 3 Post-Quantum Algorithms).
The order places new emphasis on artificial intelligence software flaws within interagency coordination for vulnerability management, “including through incident tracking, response, and reporting, and by sharing indicators of compromise for AI systems.”
It gives the Trump administration's stamp of approval to a cybersecurity labeling program for Internet of Things devices launched by the Democratic-controlled Federal Communications Commission during its last month in power. Federal agencies, the order says, should start within a year to buy only IoT devices that carry a U.S. Cyber Trust Mark (see: White House Launches US Cyber Trust Mark for IoT Devices).