Last month, President Donald Trump issued an executive order (EO) that modified several cybersecurity requirements as part of a new effort to promote innovation.
Unaffected by EO 14306 are the Defense Federal Acquisition Regulations, which require defense contractors to comply with 110 National Institute of Standards and Technology (NIST) security requirements for controlled unclassified information.
The new EO called for strengthening the nation’s cybersecurity with a focus on defending digital infrastructure and expressly named the People’s Republic of China (PRC) as the “most active and persistent threat to the United States Government, private sector, and critical infrastructure networks.”
Key Modifications of Cybersecurity Requirements
Last month’s EO modified a section on promoting security with and in artificial intelligence, notably eliminating efforts that called for collaboration with private-sector critical infrastructure entities on the use of AI to help protect the energy sector’s critical infrastructure.
The EO also removed a requirement for NIST to evaluate “common” cybersecurity practices, including programs to issue minimum cybersecurity practice guidelines, as well as a requirement for contractors and subcontractors to follow these guidelines.
Security Experts Voice Their Concern
There are already concerns that these rollbacks are unnecessary, especially at a time when cybersecurity threats continue to increase.
Willy Leichter, senior officer at PointGuard AI and an AI governance and application security expert, told ClearanceJobs that this new EO may also put too much faith in AI to address the threats.
“Yes, government security can be slow and inefficient,” Leichter acknowledged. “But scrapping targeted protections designed to prevent known attack vectors is reckless. It disregards the hard lessons of SolarWinds, WannaCry, the OPM breach, and more, effectively saying: ‘Don’t worry about those—we’ve got AI now.’”
Politicizing Something That Shouldn’t be Politicized
In the case of cybersecurity, changing policy directions could have dire consequences, said Lawrence Pingree, vice president at cybersecurity provider Dispersive and former vice president of the Gartner Technology practice.
“Security is kind of self-fulfilling in a way, since if we don’t focus on a particular threat, we’ll end up breached, so we will be forced to deal with the issue regardless,” Pingree explained.
He told ClearanceJobs that, over the years, the great debate in the security industry has been whether or not to regulate.
“Most of us think it has been a vastly beneficial thing to help move the bar higher,” Pingree added, making a case for increased regulation, which he said has helped the adoption of critical security products and capabilities.
“At the same time, [regulations] can force prioritizing potentially less valuable activity or antiquated designs,” Pingree noted. “The focus on quantum computing is essential, since it’s the long view and very impactful to security, not just from encryption, but beyond that, it also evolves features possible of general secure computing.”
Is It Streamlining Innovation?
Cybersecurity threats are evolving so rapidly that scaling back may actually hinder innovation more than help it.
“It’s unfortunate to see the federal government pivot away from requiring software vendors to attest to security, pre-release. For those of us focused on outcomes, the shift feels less like streamlining and more like offloading due diligence to the software buyer,” suggested Evan Dornbush, former NSA cybersecurity analyst and CEO of cybersecurity provider Desired Effect.
“While vendors may enjoy newfound ‘flexibility’, it’s tech consumers – and government agencies themselves – who ultimately bear the increased burden of verifying the security of their critical technology,” Dornbush told ClearanceJobs. “The move only underscores why independent vulnerability intelligence remains an indispensable layer of defense.”
Pingree concurred with that sentiment and added, “Addressing issues up front before deployment tends to offer a healthier return on investment vs. fixing things in production, but mandates that either are difficult to assess, audit, or apply also don’t work well.”
More can still be done, even beyond what the White House directs contractors to do.
“Enterprises should for sure secure supply chains with greater focus, but also focus effort on new emerging threats, for example, quantum computing decryption threats, remote access threats, and looming AI attacks, which are key battlegrounds for the cyber war of the future,” Pingree continued.
Finally, there remains the concern that too much focus is also being directed at the PRC and other foreign threats, while the nation remains deeply divided.
“Barely concealed is the administration’s real priority: eliminating all meaningful controls and oversight around election security, while keeping sanctions aimed only at foreign actors,” said Leichter. “That’s a green light for the next generation of homegrown hackers – Kevin Mitnick, Adrian Lamo, Kevin Poulsen – reborn. At least we’re reshoring one industry.”