Obama- and Biden-era cybersecurity rules will no longer be used to punish Americans and U.S. firms who engage in malicious cyber activities, nor used to deter election meddling, among other changes ordered up by President Trump on Friday.
Trump’s order, the latest of his second-term cybersecurity mandates, rolls back an order that the State and Treasury departments have used to financially punish people who supported attacks that harmed U.S. national security.
The late-Friday order “limits the application of cyber sanctions only to foreign malicious actors” and prevents “misuse against domestic political opponents and clarifying that sanctions do not apply to election-related activities,” according to an press release.
The provision reflects longstanding claims by Trump and his allies that cyber and surveillance authorities were politicized to target his inner circle, particularly in the wake of election-related enforcement and disinformation crackdowns that some on the right called tools to silence domestic political actors.
Trump’s cyber order also strikes and amends various parts of Biden’s January cyber order, considered by many to be a kitchen-sink directive built on lessons learned throughout Biden’s time in the White House. Nextgov/FCW previously reported that Trump White House staff would review parts of Biden’s order and scrap parts of it they didn’t like.
One major change removes a mandate for U.S. government agencies to ramp up use of digital ID technologies, with the fact sheet arguing they would be used by “illegal aliens” and would have “facilitated entitlement fraud and other abuse.” That digital ID provision was first reported by Nextgov/FCW.
The order keeps a directive on protecting internet traffic routes, though it strips out Biden-era language about why this matters — namely, risks like border gateway hijacking.
On the flip-side, the order directs the Commerce Department to work with private industry and improve how software is built and secured starting in August.
It also works to prepare the U.S. for post-quantum cryptography, where quantum computers would be able to crack modern-day encryption standards. It directs the NSA and the Office of Management and Budget to issue government agency standards for PQC by December so that tougher security protections are in place by 2030.
Trump’s directive also focuses on AI vulnerabilities. By November, federal defense, intelligence and homeland security agencies must begin treating AI software flaws like any other cybersecurity risk and must track, report and share indicators of compromise as part of their existing incident response systems.
“Proper AI development is a tool for predictive defense, threat detection at scale and securing the rapidly growing ecosystem of machine identities, but we must also ensure we secure the AI itself,” Kevin Bocek, CyberArk’s SVP of Innovation, said in a statement to Nextgov/FCW.
And within a year, the government must launch a pilot program to test a new “rules-as-code” approach to cybersecurity policy. NIST, CISA and OMB will begin rewriting some of their cybersecurity guidance in machine-readable formats, with the aim of allowing computers to interpret and apply the rules.
The order also mirrors a prior effort launched under Biden. By January 2027, any smart devices the government buys will need to carry a “Cyber Trust Mark” label showing they meet baseline security standards. That labeling scheme was largely overseen by the Federal Communications Commission.
“The continued focus on cybersecurity and resilience as a critical priority for the administration, and recognition of the imminent threat landscape is encouraging,” Amit Elazari, the CEO of OpenPolicy, a Washington, D.C.-based policy intelligence firm, said in a text message to Nextgov/FCW. “Specifically the directives on software supply chain, the use of AI for cybersecurity and the bolstering of AI security as well as bolstering IoT security posture and PQC remediation — all represent a critical policy focus on emerging, significantly expanded, attack vectors.”
Read the full article here