To say that the actions of the Trump administration are having an impact on cybersecurity is an understatement.
Executive orders are an important and useful tool that have been used by many presidents for the good of the country – and sometimes for other ends – and some recent executive orders have been aimed at establishing and improving the cybersecurity of the country.
Meanwhile, others have, to put it lightly, the opposite impact.
First, let’s talk about two of the older executive orders from the previous administration. Then, let’s look at what has happened in the first month of the new presidency and what we might expect moving forward.
BLUF - Bottom Line Up Front
BLUF - Bottom Line Up FrontPresident Biden focused on improving cybersecurity through executive orders 14028 and 14144, which established new frameworks and standards. However, President Trump reversed many regulatory and AI safety measures, potentially weakening cybersecurity efforts. His administration dismantled agencies like the CSRB and implemented a regulatory freeze, affecting ongoing policies. The creation of Elon Musk’s "Department of Government Efficiency" raised concerns about data security protocols and qualifications of involved personnel, posing risks to government systems.
Biden’s Executive Orders
President Biden issued two executive orders during his term in office that were aimed at cybersecurity.
The first of the two was Executive Order 14028, Improving the Nation’s Cybersecurity. This order can (for now) be found in the Federal Register if you’re interested in the full text.
This is considered a landmark executive order in the world of modern cybersecurity. It overhauled the face of our infrastructure and mandated that NIST develop a new cybersecurity framework aimed at helping organizations in the federal contractor space maintain security to fight against supply line attacks and other avenues of compromise.
The order, from 2021, has been well-implemented and resulted in a lot of work from NIST, as well as the publication of new standards, including the eventual development of CMMC 2.0.
As with many reasonable executive orders, the language used in the order is not a precise list of goals but rather directives meant to guide the people who can make ground-level decisions and build frameworks. It lays out timelines and milestones but leaves it up to other departments to determine what those mean and how they are best implemented.
Though the order set a high bar, NIST – and consequently, the government agencies and contractors beholden to it – complied, and we’ve broadly seen higher cybersecurity standards taking root since.
The second relevant executive order Biden issued during his presidency came right at the end of his term. It’s Executive Order 14144, Strengthening and Promoting Innovation in the Nation’s Cybersecurity. In some ways, this is meant to build on the foundation laid by his previous order and the years of development since. In other ways, it was a sort of last-gasp directive meant to stem the damage that was likely coming mere days later.
EO 14144 built upon the foundation laid by EO 14028. It asks the Federal Acquisition Regulation to update contracts for risk management, requires software providers to provide machine-readable development attestations and validation for them, and sets a high bar for the verification of security. It also helped to centralize validation and record-keeping with the Cybersecurity and Infrastructure Security Agency, CISA, which has been fraught since its inception.
Other elements of EO 14144 include a directive to use more end-to-end encryption, support and enable encrypted DNS protocols for government agencies, and support TLS version 1.3 or a successor version by 2030. Overall, it has a lot of technical wins for updating outdated or inconsistent government security.
It’s unclear how much of this will actually take effect in the next four years.
Trump’s Executive Orders
Where to even begin?
Throughout his entire term, President Biden signed 160 executive orders.
In the first 30 days of his second term, President Trump has signed 66 executive orders. This is more than most presidents average in an entire year (the record being held by Jimmy Carter, at an average of 80 per year).
One of the first of these was a sweeping rescission of dozens of past executive orders or their components, though it did pass over Biden’s two cybersecurity orders.
It’s already hard enough to keep track of everything being changed in the government, but this level of immediate change is unprecedented. Moreover, it’s not the only changes that may have an impact on our government’s cybersecurity. Elon Musk’s independent DOGE committee… well, we’ll get to that in a bit.
The good news – for cybersecurity, if not for the country, which isn’t a discussion we want to have on this blog – is that most of these executive orders are not focused on cybersecurity directly. The bad news is that many of them have impacts or secondary effects that can affect government security.
Ostensibly, many of the orders that impact government cybersecurity have the good of the country at heart. In practice, many of them are disbanding regulatory agencies, defunding enforcement agencies, and shifting some of the responsibility to the private sector.
Rather than comb through every executive order individually, let’s look at some of the key points that have come up throughout them in various forms.
Disbanding or Defunding Regulatory Agencies
A common talking point from the American right is that the government oversteps its bounds and that regulations are too common and too oppressive. “Cutting the red tape” is a typical refrain.
Some of the orders issued by the Trump administration in 2025 are dismantling many different regulatory agencies or hampering their ability to enforce their regulations. This can be seen everywhere, from OSHA being forced to remove publications based on a word list to more directly impactful-to-cybersecurity orders.
One of the biggest changes is the dissolution of the CSRB, the Cyber Safety Review Board. This board, part of CISA and under the purview of the Department of Homeland Security, was established in 2022 as part of Biden’s EO 14028.
Note: This is the kind of thing we mean when we say that Biden’s executive orders weren’t directly rescinded but have been targeted in other ways.
The CSRB only existed for a couple of years, but it was viewed favorably by many in the cybersecurity world for its incisive and detailed investigations into the Log4Shell crisis, the Lapsus$ attack, and the Microsoft Exchange Online breach.
In fact, the CSRB was in the midst of investigating a currently ongoing cyberattack known as Salt Typhoon, a massive breach of American telecoms by Chinese state actors. As of this writing, Salt Typhoon is still ongoing, while Trump’s orders have systematically dismantled the government’s ability to respond to it.
CISA itself is also under fire. Under orders, the Department of Homeland Security terminated “all current memberships on advisory committees,” of which CISA is one such committee. They also terminated the CISA election security and counter-mis/disinformation efforts.
As far as misinformation is concerned, not only did the administration issue a directive to prohibit the government from “interfering with social media platforms’ content moderation decisions” – in other words, preventing the government from mandating that social networks police disinformation – they also launched investigations into past handling of misinformation. This is concerning for a number of reasons, though it’s less in the realm of cybersecurity and more in information control.
Do Something with Artificial Intelligence
AI is a strange force in the world today. It’s a catch-all term for a variety of technologies ranging from immensely useful machine learning algorithms to large language models and generative systems. All of the major tech players – Meta, Google, Microsoft, X, OpenAI – are pouring immense amounts of money into their AI systems in an effort to make this technology worthwhile and come out ahead.
One of President Biden’s executive orders surrounding AI was aimed at placing safety and security standards on the technology to avoid leaving it an unfettered black box tool. Biden’s administration acted quickly but viewed its own actions as still too slow for the development of the technology.
A big part of Biden’s order on AI was to force AI developers to implement safety protocols and provide proof of those protocols. These included things like labeling and watermarking AI output to help minimize AI-generated misinformation and provide a route for the validation of information.
Surprising no one, President Trump immediately took aim at this and revoked the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence Executive Order. This was part of his day one flurry of orders.
In its place, Trump issued the Removing Barriers to American Leadership in Artificial Intelligence order. This order states that AI systems must be free of ideological bias, directed the Office of Management and Budget to revise rules on federal agencies adopting AI systems, and established new roles such as the Special Advisor for AI and Crypto.
For our part, anything that removes barriers and restrictions on AI is potentially a bad thing, given that there have been numerous demonstrated attacks using AI systems that allow attackers access to confidential documents the system has access to. Moreover, since these AI systems are black boxes with very little in the way of security controls, there’s no effective way to stop these attacks.
It’s a rapidly evolving ecosystem with stakeholders close to the government, so it remains to be seen what impact the orders will have in the long term.
Questionable Commitment to Cybersecurity
We’ve already mentioned that the two key executive orders Biden issued for cybersecurity were left untouched by the Trump administration, at least as of this first month in office. However, things like cutting the committees and terminating employees involved put the lie to these efforts and undercut any commitment the administration claims to make.
After all, it’s easy to say you’re in favor of security, but if you fire the security company and leave the keys under the doormat, questions need to be asked.
Another order Trump has issued is the regulatory freeze. Now, a regulatory freeze isn’t uncommon (Biden’s administration also issued one when he entered office), but it does mean that any additional rules and implementations need to be postponed. Remember how the second executive order issued by Biden happened less than a week before the end of his term? Well, nothing in it can be implemented without direct approval for at least the next two months.
This freeze also impacts other regulations, including a Department of Justice rule on bulk US sensitive data, a prohibition on ICTS transactions involving foreign adversaries, and some AI-related regulations.
Don’t worry, though; they did approve of spending half a trillion dollars on AI infrastructure.
This is another example of the ongoing goal of privatizing government services and security. Proponents claim private businesses have more of an incentive to provide better or more effective services. Opponents point out that this has never actually been true in the history of the country. Maybe this time will be different.
The Dog(e)-Shaped Elephant in the Room
Another massively questionable problem is the implementation of the meme-named Department of Government Efficiency run by the unelected foreign national Elon Musk. This “department” (which is not a department, as departments need to be established by an act of Congress; it’s merely an advisory body) has been given largely unfettered access to a variety of US Government systems, including the Consumer Financial Protection Bureau, the Department of Defense, the Federal Emergency Management Agency, the Internal Revenue Service, the National Institutes of Health, and more.
The goal of these investigations has been to “audit” systems and budgets, analyze data, and seek out fraud and wasteful spending. Audit, here, is in scare quotes because it has seemed in practice to be a lot less like an audit and a lot more like casual, untrained hunt-and-peck reviews of systems no one involved is qualified to understand.
If you’re familiar at all with government security, you might have some questions, such as:
- Are the members of DOGE cleared to access sensitive government systems?
- Are proper Zero Trust authorizations being used in these investigations?
- Is the data being extracted, copied, or handled according to proper information control procedures?
- Is the data that has been released handled appropriately, or is it sensitive or confidential?
The answer to these and similar questions is a resounding “who even knows at this point.” Elon Musk’s crew of investigators are, in some cases, barely even out of high school, which is itself already a red flag given that it can take years to be qualified to even access these systems, let alone understand what’s going on in them. Do they have security clearance? It seems like no. Is massive fraud being found? No, it’s just people misinterpreting how code works. Is any of this going to be good for the government’s long-term cybersecurity?
We’ll see what the future holds when it comes.
Max Aulakh is a distinguished Data Security and Compliance leader, recognized for implementing DoD-tested security strategies and compliance measures that protect mission-critical IT operations. His expertise was shaped in the United States Air Force, where he was responsible for the InfoSec and ComSec of network hardware, software, and IT infrastructure across global classified and unclassified networks. He also developed strategic relationships with military units in Turkey, Afghanistan, and Iraq. After his tenure with the USAF, Max played a pivotal role in driving Information Assurance (IA) programs for the U.S. Department of Defense (DoD). As a Senior Consultant for a leading defense contracting firm, he led a team that ensured data centers met Air Force Level Security audits for regulatory requirements like HIPAA, SOX, and FISMA. Currently, as the CEO of Ignyte Assurance Platform, he is at the forefront of cyber assurance and regulatory compliance innovation, catering to defense, healthcare, and manufacturing sectors. Max is also an esteemed speaker, having presented at several conferences on topics including cybersecurity GRC, medical device security, and cybersecurity perspectives in vendor management. You can follow him in LinkedIn here.