Cybersecurity takes a big hit in new Trump executive order
Provisions on secure software, quantum–resistant crypto, and more are scrapped.
Cybersecurity practitioners are voicing concerns over a recent executive order issued by the White House that guts requirements for: securing software the government uses, punishing people who compromise sensitive networks, preparing new encryption schemes that will withstand attacks from quantum computers, and other existing controls.
The executive order (EO), issued on June 6, reverses several key cybersecurity orders put in place by President Joe Biden, some as recently as a few days before his term ended in January. A statement that accompanied Donald Trump’s EO said the Biden directives “attempted to sneak problematic and distracting issues into cybersecurity policy” and amounted to “political football.”
Pro-business, anti-regulation
Specific orders Trump dropped or relaxed included ones mandating (1) federal agencies and contractors adopt products with quantum-safe encryption as they become available in the marketplace, (2) a stringent Secure Software Development Framework (SSDF) for software and services used by federal agencies and contractors, (3) the adoption of phishing-resistant regimens such as the WebAuthn standard for logging into networks used by contractors and agencies, (4) the implementation new tools for securing Internet routing through the Border Gateway Protocol, and (5) the encouragement of digital forms of identity.
In many respects, executive orders are at least as much performative displays as they are a vehicle for creating sound policy. Biden’s cybersecurity directives were mostly in this second camp.
The provisions regarding the secure software development framework, for instance, was born out of the devastating consequences of the SolarWinds supply chain attack of 2020. During the event, hackers linked to the Russian government breached the network of a widely used cloud service, SolarWinds. The hackers went on to push a malicious update that distributed a backdoor to more than 18,000 customers, many of whom were contractors and agencies of the federal government.
The departments of Commerce, Treasury, Homeland Security and the National Institutes of Health were all compromised. A large roster of private companies—among them Microsoft, Intel, Cisco, Deloitte, FireEye, and CrowdStrike—were also breached.
In response, a Biden EO required the Cybersecurity and Infrastructure Security Agency to establish a “common form” for self-attestation that organizations selling critical software to the federal government were complying with the provisions in the SSDF. The attestation had come from a company officer.
Trump’s EO removes that requirement and instead directs National Institute for Standards and Technology (NIST) to create a reference security implementation for the SSDF with no further attestation requirement. The new implementation will supplant SP 800-218, the government’s existing SSDF reference implementation, although the Trump EO calls for the new guidelines to be informed by it.
Critics said the change will allow government contractors to skirt directives that would require them to proactively fix the types of security vulnerabilities that enabled the SolarWinds compromise.
“That will allow folks to checkbox their way through ‘we copied the implementation’ without actually following the spirit of the security controls in SP 800-218,” Jake Williams, a former hacker for the National Security Agency who is now VP of research and development for cybersecurity firm Hunter Strategy, said in an interview. “Very few organizations actually comply with the provisions in SP 800-218 because they put some onerous security requirements on development environments, which are usually [like the] Wild West.”
The Trump EO also rolls back requirements that federal agencies adopt products that use encryption schemes that aren’t vulnerable to quantum computer attacks. Biden put these requirements in place in an attempt to jump-start the implementation of new quantum-resistant algorithms under development by NIST.
“What we basically ended up with is less firm direction and less guidance where we already didn’t have much,” said Alex Sharpe, who has 30 years of experience in cybersecurity governance. He and other industry experts caution that the transition to quantum-resistant algorithms will be among the biggest technological challenges the government and private industry have ever undertaken. That, in turn, creates friction and resistance to the job of overhauling entire software stacks, databases, and other existing infrastructure that will be necessary.
“Now that the enforcement mechanism was taken off, there are going to be a lot of organizations that are less likely to deal with that,” he said.
Trump also scrapped instructions for the departments of State and Commerce to encourage key foreign allies and overseas industries to adopt NIST’s PQC algorithms.
Other changes mandated by the EO include:
- Barring the Treasury Department from sanctioning people in the US who are involved in cyberattacks on US infrastructure. The accompanying White House statement said the change would prevent “misuse against domestic political opponents.”
- Lifting language that declared Border Gateway Protocol, the primary means for routing traffic on the Internet, is “vulnerable to attack.” Also dropped are existing requirements that the Commerce Department, working with NIST, publish guidance on implementing “operationally viable BGP security methods” such as Resource Public Key Infrastructure and creating Route Origin Authorizations for government networks and contracted service providers. These defenses are designed to prevent the types of BGP attacks and mishaps that have hijacked IP addresses belonging to banks and other critical infrastructure.
- Abandoning the Biden administration’s plans to encourage the use of digital identity documents. The White House statement said implementing digital IDs “risked widespread abuse by enabling illegal immigrants to improperly access public benefits.”
“I think it’s very pro-business, anti-regulation,” Williams said of the overall thrust of the new EO. Besides weakening SSDF requirements, he said: “Striking the BPG security messaging is a gift to ISPs, who know this is a problem but also know it will be expensive for them to fix.”
Sharpe said that most of the deleted requirements “made a lot of sense.” Referring to Trump, he added: “He talks about the burden of compliance. What about the burden of noncompliance?”
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at here on Mastodon and here on Bluesky. Contact him on Signal at DanArs.82.
