- Trump executive order targeted Biden, Obama-era efforts
- Digital identity, compliance checklists stripped by order
Companies are at risk of losing a longtime partnership with the federal government in the fight against cyber criminals who wield stolen and fake identities to commit fraud, infiltrate business networks, and divert funds.
President Donald J. Trump’s June 6 cybersecurity executive order ignored decade-old efforts to strengthen digital identity verification and stripped away more recent agency directions given by President Joe Biden. His order, named “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144,” offered no substitute agency guidance at a time of rising identity-related cyber incidents in both the public and private sectors.
“I don’t see that as a step forward,” said Michael Daniel, CEO and president of Cyber Threat Alliance, and former cybersecurity coordinator on the National Security Council Staff under the Obama administration. “If you were going to strike that whole section, I would have wanted to see, what’s the alternative? How is the federal government going to help address this identity issue? Because it continues to plague us in cyberspace.”
The executive order targeted what the Trump administration called “problematic elements” in cybersecurity orders from Presidents Barack Obama and Biden, and directed federal agencies to shift their focus away from “distracting” issues.
In addition to repealing digital identity efforts, the order significantly pared down agency oversight on software providers’ cyber compliance—including from the Cybersecurity Infrastructure Security Agency—in an effort to cut “unproven and burdensome” requirements.
“They are reorienting agencies to be able to go after the things that they know are most vital to protect,” said Tony Monell, vice president of Public Sector at Black Kite and former senior cyber policy advisor in the Biden and first Trump administrations.
Authentication Woes
Identity-related security threats have been bubbling up since the birth of the internet, but they’ve intensified in the age of AI-generated deepfakes.
Last year, the US Department of State, Federal Bureau of Investigation, and New York’s Department of Financial Services issued several advisories regarding identity-linked threats and urged US companies to deploy stronger means to authenticate customer and employee identities.
Deepfakes have already been used against businesses to convince employees to share confidential information or transfer large sums of money, for example.
“It is the same organized criminals and hostile nation states exploiting the same three or four deficiencies of digital identity infrastructure to steal from government, banks, payments, health, retail, fintech, and cryptocurrency. It’s all the same stuff that we see in every sector,” said Jeremy A. Grant, Coordinator of the Better Identity Coalition, whose members include
“If we don’t start to put some technologies in place that can get ahead of these tools, we’re going to quickly see the level of attacks become much worse,” said Grant, who established the National Program Office for the National Strategy for Trusted Identities in Cyberspace under the Obama administration.
The Trump administration said in a June 6 fact sheet that Biden’s executive order included mandates for US government-issued digital IDs for “illegal aliens” that would have facilitated entitlement fraud and “other abuse.” Biden’s “digital identity mandates” are among the “inappropriate measures” the Trump administration said it’s targeting, claiming they would have enabled “illegal immigrants to improperly access public benefits.”
The Trump administration misrepresented Biden’s executive order, several cyber professionals said.
“I find it really strange that the argument that was posed was not, ‘We don’t think this will work. We think there are better strategies.’ It’s that ‘we think somehow it will actually contribute to immigrants getting IDs,’ when the whole point of having more robust identity systems is to actually do exactly the opposite,” Daniel said.
Software Supply Chain
Friday’s executive order also pared down companies’ reporting obligations, with the White House stating that Biden-era requirements were “imposing unproven and burdensome software accounting processes that prioritized compliance checklists over genuine security investments.”
Biden’s final cyber executive order, released days before Trump’s inauguration, had zeroed in on supply-chain risks, requiring federal software vendors to prove they met stronger cybersecurity standards.
Companies had braced for heightened scrutiny on their cyber disclosures and prepared to raise their minimum security standards.
“These mandatory attestations and checklists that have to be done completely divert dollars and budget to compliance issues instead of using those dollars, time, effort, and resources on real efforts to strengthen cybersecurity,” said Jennifer A. Beckage, data privacy and security attorney at The Beckage Firm.
“This is probably the biggest section and takeaway for private companies,” she added.
While some providers welcomed the easing of oversight, others worried about its timing amid growing supply-chain security risks across sectors. To fill the gap left by the executive order, some cybersecurity professionals said they expected large enterprise customers to start requiring similar attestations from their suppliers.
“It’s extremely important that there be standards that are met and achieved as the software supply chain is critical to our national security,” said Chris Pierson, Blackcloak founder and CEO, who previously served on the Department of Homeland Security’s data privacy committee and cyber subcommittee. “In line with that, having robust compliance requirements and the attestation thereof is a meaningful advancement in cybersecurity—and one that has curiously been rolled back.”