
Trump executive order takes steps to protect domestic hackers from blowback

The Trump administration announced Friday it is amending “problematic elements” of two landmark cybersecurity executive orders — though the extent of the changes in many cases appears modest.

The modifications are part of a new executive order signed Friday by President Donald Trump. The full text of the EO was released Friday afternoon, and the Trump administration first outlined details of the order in a White House fact sheet.

The fact sheet says the new order takes aim at two previous EOs focused on cybersecurity — one signed by former President Joe Biden in January just before leaving office, and one by former President Barack Obama in 2015.

The order outlines a potentially weighty change: the new EO would change the Obama-era order — which allows for sanctions on individuals behind cyberattacks on U.S. critical infrastructure — by limiting it “only to foreign malicious actors” and clarifying “that sanctions do not apply to election-related activities.”

While the fact sheet on the EO points to limiting sanctions against those interfering in U.S. elections, the text does not mention this, clarifying that only “foreign persons” can be targeted by sanctions for attacking critical infrastructure.

It is unclear if foreign hackers engaging in efforts to undermine U.S. elections, such as Russia, could therefore be exempt from possible U.S. sanctions.

Spokespersons for both the White House and the National Security Council did not immediately respond to requests for further comment on the executive order.

One key element of the Biden executive order was creating a pathway for the federal government to issue more digital identity documents for public benefits, such as mobile driver's licenses. It also outlined various measures to help the state and federal governments put these processes into effect.

The new order revoked this portion of the Biden document, with the fact sheet describing this effort as a “mandate for U.S. government-issued digital IDs for illegal aliens that would have facilitated entitlement fraud and other abuse.”

Some cybersecurity experts on Friday criticized the order as undermining the nation’s cybersecurity.

“The fixation on revoking digital ID mandates is prioritizing questionable immigration benefits over proven cybersecurity benefits,” said Mark Montgomery, senior director of the Foundation for Defense of Democracies’ Center on Cyber and Technology Innovation.

The order includes several less controversial directives on artificial intelligence, quantum computing and secure software development.

It directs the Pentagon, Homeland Security Department and the Office of the Director of National Intelligence to work with the White House on developing standards for tracking, mitigating, and responding to vulnerabilities in AI systems.

It also directs the NSA and the OMB to issue new encryption requirements that federal agencies must meet by 2030, in preparation for the arrival of more quantum computers.

The order puts a heavier burden on the Commerce Department and its National Institute of Standards and Technology than on other agencies in terms of requirements to oversee. NIST has been among the federal agencies to face workforce cuts in recent months.

It directs NIST to establish a consortium with industry to develop guidance on the implementation of the agency’s secure software development practices; to update its guidance on how to update and deploy fixes for security bugs; and to produce a “preliminary update” to its secure software development framework.

Montgomery, the FDD expert, said that NIST will face “challenges” in overseeing the new order due to the budget cuts.

The fact sheet also says the new EO will “refocus” government efforts on AI and cybersecurity toward “identifying and managing vulnerabilities, rather than censorship.” It is unclear what censorship the language is referring to, though Republicans have criticized federal efforts to combat disinformation online related to election security.
