Trump Has Had a Light Touch on Cybersecurity – So Far
President Trump’s flurry of executive orders and other actions in his first few days in office sent shots across much of the U.S. government, hitting on everything from immigration and federal hiring to renaming mountains and large expanses of water.
While cybersecurity wasn’t completely spared from the stroke of a pen, it got a relatively light touch – at least so far – which some industry observers saw as an encouraging sign that the new administration is taking the issue seriously.
“In general, I’m encouraged,” Bugcrowd founder Casey Ellis told Security Boulevard. “While cybersecurity hasn’t been a core policy or campaign item in 2024, the Trump Administration does have an established track record of understanding the fundamental role cybersecurity plays in national security, resilience, and prosperity. It will be a matter of waiting and seeing what kind of White House agendas and priorities bubble to the top over the coming weeks in this area.”
Like other federal agencies, those that deal with cybersecurity issues, including CISA, will have to manage the fallout from the mostly across-the-board hiring freeze implemented by the new administration.
DHS Advisory Panels Emptied
More specifically, Trump removed all members of all advisory committees within the Department of Homeland Security (DHS). That included those serving on the Cyber Safety Review Board (CSRB), a public-private group put together to investigate major cybersecurity events, most recently the hacks by Chinese state-sponsored threat group Salt Typhoon, which has infiltrated the networks of at least nine top telecommunications companies in the United States, including Verizon, AT&T, and T-Mobile.
The Salt Typhoon incident is among a growing number of cyberattacks by the People’s Republic of China against the United States and its allies that the Biden Administration was highly concerned about. How Trump will approach such attacks remains to be seen.
In addition, David Pekoske, the TSA administrator whom Trump appointed in his first term, was ousted. In a January 20 letter to TSA employees, Pekoske – who oversaw cybersecurity directives for the pipeline, aviation, and rail sectors under Biden – wrote that he was “advised by President-elect Trump’s transition team that my time as your Administrator will end at noon.”
Trump also repealed Biden’s 2023 executive order on AI that recommended guardrails aimed at reducing the potential harm of the fast-emerging advanced technology on national security, workers, and consumers. Biden announced the executive order after Congress failed to pass legislation regarding AI safety and as the European Union prepared its sweeping EU AI Act regarding the issue, which was approved the following year.
Biden EOs Remain in Place
That said, what wasn’t repealed – at least not yet – were two executive orders Biden issued regarding cybersecurity that bookended his term in office. The first, EO 14028, came within the first few months of his term in 2021, in the wake of high-profile attacks by threat groups linked to foreign adversaries against such companies as Colonial Energy and SolarWinds. The order called on federal civilian agencies to vastly improve their cyber defenses and encouraged private-sector companies – particularly those in such critical infrastructure sectors as communications, energy, IT, healthcare, and telecommunications – to do the same.
The second, EO 14114, was issued just days before Trump returned to office, and had a broad scope that touched on such areas as the government’s cybersecurity protections, the software supply chain, and the use of AI in defenses against attacks, and shifted policies from suggested to required. It also sought to use the power of the government’s massive IT spending – more than $100 billion a year – to influence the private sector. The EO was issued amid the rising tide of state-sponsored attacks on U.S. infrastructure from countries like China, Russia, Iran, and North Korea.
For now, both are still in place, as are other Biden-era objectives, including the National Cybersecurity Strategy from 2023 and government agencies’ initiatives for instituting requirements for when companies need to report a cyber incident.
A Hope for Bipartisanship
Some in the cybersecurity field hope that the fact that Trump hasn’t erased those EOs is a sign of bipartisan agreement in Washington DC on the importance of cybersecurity.
“It’s encouraging to see cybersecurity remain a priority across administrations, regardless of political shifts,” Stephen Kowski, field CTO for SlashNext Email Security+, told Security Boulevard. “Threats in this space are relentless, and the executive orders in question reflect an understanding of the need for secure software design, fast information sharing, and strong zero-trust architectural defenses to protect critical systems and data.”
Kowski added that “the recent breaches we’ve seen, like those impacting government agencies like the Treasury Department, highlight the real-world consequences of underestimating these risks. Continued focus on proactive measures and advanced threat detection is essential to staying ahead of attackers who are constantly evolving their tactics.”
Jason Soroko, Senior Fellow at Sectigo, told Security Boulevard the survival of Biden’s EOs reflects a “shared understanding” about the need to safeguard critical infrastructure and use the government to drive technological innovation.
“In other words, these changes to safeguard the cybersecurity posture of the U.S. government were necessary regardless of White House administration,” Soroko said. “Moving forward, monitoring the implementation of these orders and engaging with policymakers will be crucial to align organizational strategies with federal cybersecurity priorities.”
Keeping Cybersecurity Orders in Place Isn’t New
Luke O’Grady, cybersecurity analyst at the law firm Venable, noted that there is a precedent for an outgoing administration to issue a cybersecurity EO in its last days. The day before Biden’s inauguration in 2021, the Trump Administration issued such an EO, which Biden kept, though he made some adjustments.
Now the industry will wait and see if Trump keeps Biden’s executive order intact, O’Grady wrote in a column for the nonprofit Center for Cybersecurity Policy days before Trump’s inauguration, pointing to the recent attacks by China-sponsored groups like Salt Typhoon and Volt Typhoon on U.S. critical infrastructure.
“This latest EO is designed to help the incoming Trump Administration begin to deal with these threats and others,” he wrote. “The EO comprises multiple sections and contains overarching directives to all federal agencies. National Security Council staff have been briefing the incoming team on the merits of this new EO, which is admittedly far more comprehensive than [Trump’s] EO 13984. However, its future is still uncertain, especially given the incoming administration’s recent threats to revoke several other Biden Administration EOs.”