Cybersecurity in the second Trump term: What security leaders need to know

Immediately upon taking office on Jan. 20, President Donald Trump rescinded nearly 80 of outgoing President Joe Biden's executive orders and memoranda. These included orders dealing with climate, diversity and oil drilling, as well as one that had put guardrails around the development and use of artificial intelligence.

Three important Biden cybersecurity-related executive orders were left untouched, however: Executive Order 14028, "Improving the Nation's Cybersecurity," Executive Order 14117, "Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern," and Executive Order 14144, "Strengthening and Promoting Innovation in the Nation's Cybersecurity."

What Trump left alone

The first executive order, issued in May 2021, ordered civilian federal agencies and their suppliers to integrate security into software development, strengthen the security of software supply chains, modernize incident detection and response, and implement zero-trust architecture.

Significantly, EO 14028 also sought to improve the federal government's efforts to counter "persistent and increasingly sophisticated malicious cyber campaigns" and removed contractual barriers against public-private information sharing.

The second, EO 14117, forbids U.S. persons (citizens and permanent residents) from assisting with the "continuing effort of certain countries of concern to access Americans' sensitive personal data and United States Government-related data," including biometric, health, genetic and financial information. No nations are named, but "countries of concern" is a State Department term for nations considered hostile to the U.S., including China, Iran, North Korea and Russia.

The third executive order, EO 14144, was issued Jan. 16, 2025, just four days before Trump took office. It mandates that federal government contractors prove they meet the minimum cybersecurity requirements laid out in EO 14028.

EO 14144 also requires federal agencies to encrypt data at rest and in transit, adopt endpoint detection and response (EDR), adopt phishing-resistant multi-factor authentication (MFA) and move toward standardizing and accepting digital identity documents.

And while EO 14028 didn't mention AI at all, and EO 14117 barely did, EO 14144 says the government must "accelerate research at the intersection of AI and cybersecurity."

Remarkably, EO 14144 singles out China right from the start as "the most active and persistent cyber threat" to the U.S., leaving little doubt that the more recent executive order was partly spurred by the 2024 revelations of Chinese state-sponsored incursions into American telecoms and critical infrastructure systems. 

Outgoing Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger told CNN that the most recent executive order aimed "to make it costlier and harder for China, Russia, Iran and ransomware criminals to hack."

Auguries for the next four years

Trump's acceptance of these three Biden executive orders gives a hint at what his administration's cybersecurity strategy might look like: removing barriers toward development of AI while keeping in place the requirements and efforts to strengthen the security posture of the federal government and its vendors, including recently compromised corporations like Microsoft and SolarWinds.

"This suggests that President Trump's office is aligned with [EO 14144's] foundational principles and that cybersecurity will remain a critical priority," wrote Okta Federal Chief Security Officer Sean Frazier in a recent company blog post.

"However," added Frazier, "the Trump administration is sure to make some tweaks in how it combats threats against the country."

Here's what U.S. government cybersecurity policy may look like for the second Trump administration.

Tougher posture against foreign cyber threats

Frazier points out that while Biden's cybersecurity policy often dovetailed with his efforts to create greater consumer protections, Trump will probably be more aggressive towards overseas adversaries and "focus largely on the threat landscape from China and Iran."

"This is due in part to state-sponsored actors such as China's Salt Typhoon group," Frazier adds, referring to the campaign that penetrated the networks of at least nine U.S.-based telecoms in 2024 to steal information about U.S. government employees.

That campaign, and another by a different Chinese group called Volt Typhoon suspected of conducting digital reconnaissance of U.S. critical infrastructure, are two reasons behind the high cybersecurity standards mandated by EO 14144. 

"This volatility within the geopolitical climate makes anticipating and preventing these threats even more challenging," adds Frazier, "but we can expect the Trump administration to double down its efforts in this area."

Frazier doesn't mention Russia or North Korea, the other two state-sponsored bad actors that frequently target the United States, and whose appetite for U.S. sensitive information is hinted at in EO 14117. Trump's policy towards Russia is more ambiguous than that of any other recent American president.

It's as yet unclear whether Trump's Russia policy will also apply to North Korea, a close Russian ally whose leading hacker team is thought responsible for a massive theft of $1.5 billion in cryptocurrency in early 2025.

Fewer constraints upon AI

Biden's executive order 14110, issued in October 2023, set out "eight guiding principles and priorities" that aimed for "responsible development and use of AI" along lines that promoted ethics, equality, consumer protections and labor and civil rights.

The executive order also asked AI developers to test AI products for safety, share those test results with the government and alert the government to national-security risks related to AI.

Trump threw EO 14110 right out the window. But he did keep EO 14144, part of which champions the use of AI in cybersecurity and calls on the federal government to "accelerate the development and deployment of AI."

It seems that Trump wants AI to be developed as speedily and with as few restrictions as possible, likely with an eye on maintaining America's competitive and geostrategic edge in AI.

"This could foster innovation and reduce bureaucratic hurdles, as AI can be used to automate threat detection, analyze vast amounts of security data, and identify suspicious patterns," says Frazier.

But, Frazier adds, attackers can also use AI to create malware, launch campaigns and possibly even create autonomous malware agents, "potentially making deregulation of the technology a risky move."

"Without clear guidelines and enforcement, companies might prioritize cost-cutting efforts over robust security practices, leaving them vulnerable to attacks," Frazier says, perhaps making a case for reinstituting part of Biden's rescinded AI order. "To avoid damaging consequences, security leaders should balance modernization efforts with strong cybersecurity standards and oversight."

More public-private cooperation — maybe

It's no secret that most of the American internet infrastructure is in private hands. And it's no secret that this situation can make it difficult for the U.S. government to help protect the internet. Few private companies, no matter what their relationship with the White House, want to share proprietary or sensitive data or have government employees poking around in their systems. 

Biden's EO 14028 aimed to increase public-private cybersecurity cooperation by removing contractual barriers that prevented government contractors from sharing internal information.

Frazier expects the second Trump administration to extend that effort, theorizing that its "business-friendly approach to technology" will "increase collaboration between the public and private sectors to support modernization in cybersecurity."

He sees the relationship developing thus: "The government brings insights into national-level threats, while private companies offer valuable expertise in specific industries. President Trump's office will work together with businesses and cloud service providers to share threat intelligence, coordinate incident response, and develop joint cybersecurity strategies."

That's exactly the kind of arrangement that government cybersecurity experts have long hoped for, but which private companies were reluctant to participate in during the Obama, Biden and first Trump administrations.

Short of congressional legislation that would signal a major shift in policy, it's not clear how or whether the second Trump administration could force American companies that don't directly do business with the government to comply with White House demands related to access and information sharing.

Greater emphasis on identity security

Biden's EO 14144 delves deeply into identity security, ordering civilian federal agencies to start using WebAuthn and similar "appropriate, commercial phishing-resistant standards" of verification.

The executive order deems "strengthening the security of Federal ... identity management systems" as one of the measures "especially critical to improvement of the Nation's cybersecurity." It also states that "the Federal Government must implement ... strong identity authentication and encryption using modern, standardized, and commercially available algorithms and protocols."

Further down, EO 14144 goes into detail about the need for public-benefits programs, like Social Security, Medicaid and the Supplemental Nutrition Assistance Program (SNAP, which provides food stamps), to accept digital identity documents in order to combat fraud and waste. The order also compels relevant federal agencies to look into helping states create appropriate digital IDs.

"Over the next four years," Frazier writes, "we can expect to see a greater emphasis on multi-factor authentication, biometric verification, and robust identity governance systems to automate key Identity workflows, improve the user experience, and build a strong security fortress."

It's not clear whether the Trump administration will enforce all the sections of EOs 14028, 14117 and 14144, or how strongly the Biden administration had done so previously. But the fact that these executive orders are still in effect indicates that the Trump team recognizes the necessity of improving the nation's cybersecurity as much as legally possible.

Paul Wagenseil

Paul Wagenseil is a custom content strategist for CyberRisk Alliance, leading creation of content developed from CRA research and aligned to the most critical topics of interest for the cybersecurity community. He previously held editor roles focused on the security market at Tom’s Guide, Laptop Magazine, TechNewsDaily.com and SecurityNewsDaily.com.
