
The Trump administration recently issued a cybersecurity Executive Order. While it contains some potentially questionable (cyber sanctions not applying to election-related activities) and agenda-motivated directives (immigration-focused mandates and calling out "problematic elements" from the Biden and Obama administrations), there are a number of key points, including:
- The Order directs the Federal government to advance secure software development.
- The Order directs department and agency level actions on post-quantum cryptography to ensure protection against threats that may leverage next generation compute architectures.
- The Order directs adoption of the latest encryption protocols.
- It refocuses artificial intelligence (AI) cybersecurity efforts towards identifying and managing vulnerabilities, "rather than censorship."
- The Order directs technical measures to promulgate cybersecurity policy, including machine readable policy standards and formal trust designations for “Internet of Things” as a way to ensure that Americans can know that their personal and home devices meet basic security engineering principles.
Tim Miller, field CTO of Dataminr, offered the following response:
"This Executive Order (EO) marks a critical recalibration of our national cybersecurity strategy, emphasizing tangible technical measures and proactive defense against foreign threats. The focus on secure software development and deploying AI to identify and manage vulnerabilities, in particular, demonstrates a clear understanding of the evolving threat landscape.
"However, let's be clear: automation isn't about replacing humans; it's about empowering them. It's about 'tech with people,' not 'tech over people,' with AI empowering humans to see the invisible and predict the unpredictable. This EO is a mandate to enhance secure technology practices, but we can't underestimate the value of the human element in this equation. AI empowers security teams to have visibility and context into security threats, so that they can ultimately make the critical judgment calls that machines simply can't.
"This EO is a decisive move to strengthen our digital borders/devices and protect critical infrastructure, all while reinforcing that a pragmatic, technically-driven approach, powered by human ingenuity, is our most effective defense."
AuditBoard CISO Richard Marcus also shared some thoughts:
"The executive order’s “rules-as-code” pilot program could introduce a new era for public sector compliance. As OMB, NIST, and CISA transform cybersecurity policies into machine-readable code, there is massive transformative potential, setting the stage for genuinely automated governance, risk, and compliance operations within federal agencies. This shift could bring clarity, consistency, and accelerated enforcement to compliance (which has always been a manual headache and subject to human error), enabling agencies to quickly adapt to the cyber threat landscape while freeing critical resources from tedious GRC practices.
"Implementing a policy-as-code framework is a step toward automation and efficiency, but it comes with significant risks that must be carefully managed: translating nuanced policy into precise code, implementing mass-scale data and policy validation, and balancing policy automation with human input. By carefully addressing these factors, the pilot could move beyond a theoretical exercise and establish a new benchmark for efficient cybersecurity policy enforcement."