The Cybersecurity Patchwork Quilt Remains Incomplete
Trump’s first executive order on cybersecurity embraced more Biden initiatives than it overturned, but still misses the mark—accountability.

Published by The Lawfare Institute
Earlier this year, the chief information security officer for JPMorgan Chase, Patrick Opet, published an open letter on software security. Three points stood out. The first was not news to anyone following cybersecurity and its policy debates: Software providers have prioritized rapid feature development over robust security. This is exactly the point, in almost the same words, that President Biden made in March 2023 when calling for legal reform to shift liability onto those developers that fail to take reasonable precautions to secure their software. Second, Opet focused on a problem that has not received much policy attention: The rapid shift to the software-as-a-service (SaaS) delivery model is creating a major, new form of vulnerability. The SaaS model, Opet warned, is “fundamentally reshaping how companies integrate services and data,” breaking down barriers between internal and external resources and rendering some traditional approaches to cybersecurity ineffective. Third, Opet called for collective action, asking other businesses to join with him in demanding better software security, implicitly admitting that even a large and security-savvy software customer such as JPMorgan Chase could not solve the problem alone.
Opet did not mention legal or regulatory responses, but his letter screams “market failure.” Moreover, as a customer, the federal government is in exactly the same position as JPMorgan Chase and other large businesses. It is eager to take advantage of the efficiency and rapid innovation that SaaS and other cloud-based services offer, but it has not yet been successful in leveraging its procurement power to insist on better security.
On June 6, President Trump issued an executive order that began to chart the outlines of a cybersecurity policy. Much of the initial news coverage focused on Trump’s repeal of measures ordered by President Biden in the closing days of his administration. In fact, the Biden initiatives repealed by Trump on government software procurement and digital identity were modest. While pushing even incremental actions through the Biden administration took huge effort, and while the drafters of the Biden order could take pride in their work, the provisions on procurement and identity would have done little to advance the cause of software security or cybersecurity in general. What received less attention was President Trump’s preservation and adoption of a majority of the elements in the Biden order as his own. And what received almost no attention at all was what both the Trump and Biden orders left unresolved: the glaring deficiencies that remain in critical infrastructure cybersecurity (most notably in the drinking water, health care, emergency services, and telecommunications sectors) and the costs that software developers impose on American industry and American taxpayers by continuing to produce insecure software.
What Trump Repealed
President Trump’s executive order is difficult to parse because it repeals certain sections of the Biden executive order wholesale, makes “cut-and-bite” amendments to others, and replaces some with what seems to be entirely new language but that in reality changes only a few words or subsections. To help, I have prepared a redline of the Biden executive order as amended by Trump.
First, President Trump repealed Biden’s language meant to strengthen a process under which suppliers of software to the federal government must make certain attestations about their development processes. Overlooked in reporting on the changes was the fact that Trump left the attestation process in place. Software developers offering their products to the federal government must still attest that they have complied with certain secure software development practices. I have argued that the Biden administration was inexplicably selective in what practices it chose to require and that it unduly weakened the requirements with phrases such as “to the extent practicable” and “good-faith effort,” but Trump neither rejected nor strengthened the Biden approach.
Instead, Trump repealed Biden’s January directive to develop contract language requiring software developers to submit their attestations in machine-readable form and to submit documentation to validate their attestations. Also repealed was a provision of the Biden order requiring the Cybersecurity and Infrastructure Security Agency (CISA) to develop a program to verify the completeness of attestation forms.
The White House fact sheet accompanying the June 6 executive order was not wrong in stating that the repealed portions of the Biden order had imposed burdensome accounting processes that prioritized compliance checklists over genuine security investments. The software attestation process established by the Biden administration is more concrete than the vague promises of secure-by-design that the industry has almost uniformly embraced. And it was logical for the Biden administration to move beyond mere attestation by insisting that software developers show their work in the form of documentation to back up their claims.
But the attestation process says nothing about whether software is actually free of dangerous vulnerabilities, such as those that CISA has identified and which may be avoided using well-known methods. The attestation process doesn’t require developers in any way to attest to the security of their products. Rather, the attestation established by the Biden administration requires developers to attest to the process by which they develop their software. It aims, for example, to ensure that developers separate the environment in which they build software from the rest of their networks. It says they should enforce multi-factor authentication for access to their development environment. It says nothing about whether the software itself must support multi-factor authentication. Like much regulation supported by industry in the cybersecurity field, secure software development requirements focus on the process and not the outcome. They don’t actually ask whether the software is secure. And the federal attestation process does nothing to hold developers liable for vulnerabilities in their products.
While secure software development practices almost certainly do produce more secure software, the Trump White House was justified in not wanting to give them more salience. Indeed, the Biden executive order itself acknowledged the limitations of the process-based approach, stating that secure software development practices “are not sufficient to address the potential for cyber incidents from resourced and determined nation-state actors.” There is proof of this: Microsoft follows what is probably the most robust set of secure software development practices in the industry. Yet on every second Tuesday of every month of the year—dubbed “Patch Tuesday”—Microsoft issues multiple patches of software vulnerabilities in its widely used products. Patch Tuesday for this May involved 70 vulnerabilities in Windows and related products, including five zero-day flaws that were already seeing active exploitation and six that were labeled critical.
President Trump also repealed lengthy portions of the Biden executive order on digital identity. The U.S. is unique among major economies in lacking a secure digital identity infrastructure or any plan to develop one for interactions with the federal government. Having a digital ID would increase government efficiency and reduce fraud. But government-issued or government-approved identities, even if their use were voluntary, has been one of the third rails of U.S. digital policy. The last major effort to develop an identity system for online engagement with the federal government was launched by the Obama administration in 2011. Despite that effort’s careful attention to privacy, it still faced concerns about government overreach and it went nowhere.
Biden’s January executive order resurrected the issue with only modest steps, encouraging but not requiring agencies to use digital identity documents for public access to government benefits programs that require identity verification. The Biden order didn’t commit the federal government to develop digital identities. Other than a passing reference to initiatives in several states to issue mobile driver’s licenses, the Biden order didn’t say where an interoperable digital ID suitable for government uses might come from. The identity provisions repealed by Trump ventured little, and not much is lost by their repeal. The question now is whether the Trump administration develops its own approach to digital identity.
More difficult to understand is the repeal of certain provisions related to post-quantum computing. Trump retained language from the Biden order stating the problem: At some time in the near future, a “quantum computer of sufficient size and sophistication … will be capable of breaking much of the public-key cryptography used on digital systems across the United States and around the world.” Trump also retained the directive to CISA to release and regularly update a list of product categories in which products that support post-quantum cryptography (PQC) are widely available. However, he repealed language requiring agencies to use available products that support PQC and to implement PQC key establishment as soon as practicable. Hopefully, there’s another shoe to drop on PQC. Also difficult to understand is the repeal of provisions aimed at enhancing the use of artificial intelligence (AI) for cyber defense. AI can enhance the ability of defenders to analyze alerts, identify vulnerabilities in computer code, manage networks, and carry out other complex and data-intensive tasks related to cybersecurity. It only makes sense to have the government supporting and taking advantage of those enhancements.
What Trump Ratified
Confirming the theme of cybersecurity policy continuity across administrations that Dan Sutherland and I explored recently in Lawfare, President Trump embraced a lot from the Biden executive order, including provisions that direct agencies to:
Comply with National Institute of Standards and Technology (NIST)-recommended practices for cybersecurity supply chain risk and integrate cybersecurity throughout the acquisition life cycle of their procurements.
Better manage their use of open-source software, including security assessments and patching of open-source software, and develop best practices for contributing to open-source software projects.
Develop a technical capability to gain timely access to data from civilian agency networks and security operations centers, to enable CISA to identify cyber campaigns targeting multiple agencies in a timely manner and to coordinate government-wide efforts. (One might have wished that the Trump amendments would have streamlined the creation of this information sharing process, as the Biden order loaded it up with working groups and caveats granted to agencies reluctant to share data, but the Trump amendments left those speed bumps in place.)
Develop policies and practices to incentivize or require cloud service providers to produce baselines with specifications and recommendations for agency configuration of their cloud-based systems in order to secure federal data.
Take steps to continually verify that federal space systems have the requisite cybersecurity capabilities through actions including continuous assessments, testing, exercises, and modeling and simulation.
Develop cybersecurity requirements and contract language for civilian government satellites and their communications links, with specific attention to technical details such as protecting the integrity and confidentiality of commands to satellites.
Improve the way agencies manage their internet addresses, require the government’s internet service providers to implement certain internet routing security technologies, and enable the encryption of domain name system traffic related to federal systems.
Enforce encrypted and authenticated transport for all connections between an agency’s email clients and their associated servers.
Use end-to-end encryption for voice and video conferencing and instant messaging.
Follow best practices concerning the protection and management of hardware security modules, trusted execution environments, or other isolation technologies for access tokens and cryptographic keys used by cloud service providers in the provision of services to agencies, among other cloud security measures.
Incorporate management of AI software vulnerabilities into existing vulnerability management processes (something, by the way, that Andy Grotto and I recommended in 2021).
Purchase, as of Jan. 4, 2027, only those consumer Internet-of-Things products that have been given the Cyber Trust Mark, to be issued under an otherwise voluntary program overseen by the Federal Communications Commission.
By my count, the Biden order had required 58 separate agency actions. The Trump order embraced 39 of them.
What the New Administration Hasn’t Yet Addressed
The Trump administration has not yet laid out its strategy for addressing two of the major cybersecurity issues facing the United States: the persistent failure of software developers to deliver secure products and the major gaps in the cybersecurity framework for critical infrastructure. Both of these issues stymied President Biden too.
Biden’s March 2023 cybersecurity strategy said his administration would develop legislation establishing liability for software products and services, but nothing was ever put forward. Having tried to contribute to the dialogue around what such legislation would look like, I know how hard the problem is. But the Biden administration didn’t even take the smaller step of using its procurement power to say that the federal government would phase out the purchase of software containing common bugs that CISA said could be avoided by available coding techniques.
I have argued that there is a strong MAGA case for taking incremental steps to address software liability, beginning with the federal procurement process. In his June 6 order, President Trump kept in place language in the Biden order directing NIST to update its secure software development framework to address the security of software itself, now with a deadline of Dec. 1, 2025. But one cannot hold out much hope there. As Bryan Choi has explained, NIST’s latest forays in software cybersecurity disavow concrete metrics or outcomes and solicit voluntary participation instead of providing stable mandates. A stronger, more direct approach would require government vendors to attest that their software is free of specific common weaknesses, already identified by CISA, for which there are readily available avoidance techniques. Vendors would be free to choose their own solutions. But if software purchased by the government has one of these common weaknesses, and if there was a technique that could have eliminated that weakness, the vendor should be liable. That would be a truly meaningful step toward incentivizing the “genuine security investments” that the White House memo accompanying President Trump’s June 6 order called for.
On critical infrastructure, the Biden administration broke the decades-long bipartisan consensus that had left cybersecurity to industry voluntary action and instead tried to go sector-by-sector using existing authorities to establish basic requirements. In the wake of the Colonial Pipeline shutdown, the Transportation Security Administration issued binding directives for pipelines, railroads, and the aviation sector. The Coast Guard issued rules for ship-to-shore cranes made in China (which constitute 80 percent of the cranes at U.S. ports, most with software features and internet connectivity) and other marine transport facilities. However, the Biden administration failed in other sectors. For example, the administration abandoned its effort to mitigate cyber threats to drinking water systems after the water industry went to court to block it. A proposal to address the cybersecurity vulnerabilities that allowed Chinese hackers to penetrate deeply into America’s telecommunications network was not put forth until the final days of the administration (and was rejected immediately by the incoming chair of the Federal Communications Commission). And the Department of Health and Human Services’ commitment to impose cybersecurity requirements for hospitals through Medicare and Medicaid went nowhere.
The Trump administration has a strong commitment to competitive markets as environments for innovation and improvements in consumer and national welfare. However, industry concentration, which exists in many critical infrastructures, can leave both consumers and the nation insecure. The June 6 executive order should be the first step in framing the administration’s cybersecurity policy. Fundamentally, of course, Congress should be acting to advance critical infrastructure cybersecurity. But in the absence of new legislation, the Trump administration should take up the tools at hand in existing laws aimed at infrastructure safety and reliability.
Likewise, on digital identity, the June 6 order is hopefully not the last word. So long as America lacks secure identification for online transactions with the federal government, taxpayers will lose billions in fraudulent payments.
In his open letter, JPMorgan Chase’s chief information security officer urged his peers to use their market power and reject integration models that did not come with better security solutions. As a major user of software, the federal government has exactly that power: the power to refuse to purchase products that do not provide adequate security. And as the ultimate defender of the nation’s critical infrastructure against nation-state attackers, the federal government likewise has the responsibility for insisting on higher security standards for the systems that deliver water, electricity, telecommunications, health care, and other vital services. Industry pushback will be fierce, but the national security equities are strong.