Trump guts digital ID rules, claims they help 'illegal aliens' commit fraud

President Donald Trump late Friday signed a cybersecurity-focused executive order that, in the White House's words, "amends problematic elements of Obama and Biden-era Executive Orders."

In his last few days in office, President Biden signed an executive order (EO) focused on cybersecurity that aimed to eliminate the use of stolen and fake identities by criminal gangs, because their use to "systemically defraud public benefits programs costs taxpayers and wastes Federal Government funds."

To accomplish this goal, Biden’s presidential mandate directed federal agencies to work with states to develop and issue mobile driver's licenses and the infrastructure needed to verify these types of digital ID cards.

Trump’s order wipes out a section of the Biden order, titled "Solutions to Combat Cybercrime and Fraud".

It seems an odd section of his predecessor's EO to eliminate, especially for the tough-on-crime-and-government-waste Republican administration.

President Trump’s reasoning for axing the digital identity section of Biden's directive reflects a belief that digital IDs make it easier for immigrants to access welfare payments, and so do not prevent fraud and cybercrime.

The White House said it is "removing a mandate for US government issued digital IDs for illegal aliens that would have facilitated entitlement fraud and other abuse."

Eliminating this digital ID requirement "in the name of preventing fraud, waste, and abuse is like claiming we need safer roads while removing guardrails from bridges," Center for Democracy and Technology CEO Alexandra Reeve Givens said in an email to The Register. She added that the Biden order did not mandate government-issued digital IDs for undocumented immigrants: "That's simply not true," she said.

"Well-established best practices like phishing-resistant standards and privacy-preserving mobile IDs are essential to making all future federal systems secure," she added. "The only beneficiaries of this step backward are hackers who want to break into federal systems, fraudsters who want to steal taxpayer money from insecure services, and legacy vendors who want to maintain lucrative contracts without implementing modern security protections."

Billions lost, but not to immigrants

Plus, according to cybersecurity and identity management experts, immigrants aren't the ones raking in billions using stolen identities to facilitate digital fraud and other crimes. Ransomware gangs and foreign-government-sponsored goons are the real source of money lost to fraud and fake identities.

"The number one perpetrator of identity fraud today is absolutely fraud rings, criminal organizations, and nation states," Jordan Burris told The Register. Burris is the public sector VP at Socure, which provides digital identity verification and fraud prevention. During the first Trump administration, he served as chief of staff to the White House federal CIO.

Jeremy Grant, a former senior executive advisor at NIST and coordinator of the Better Identity Coalition, which advocates for stronger digital security and privacy policies, also said foreign attackers use fake digital identities for financially motivated fraud.

"Chinese state-sponsored attackers have stolen billions through identity-centric attacks," Grant said on LinkedIn. "The Justice Department has noted North Korea stole more than $2 billion to fund its nuclear program through similar attacks targeted against banks and crypto exchanges, and more recently spoofed identities to place North Koreans in remote IT jobs to generate additional money to fuel its weapons of mass destruction."

Burris, however, remains hopeful that axing the digital identity section of Biden’s January EO will pave the way for the Trump administration to enact more substantive protections.

"To be completely frank, the provision as it existed before was lackluster and was going to do very little towards stopping the advanced nation-state fraud that we see today," he said. "The Trump Administration has before it now an imperative to accelerate all their efforts around anti-fraud and digital identity."

Burris has long advocated for treating digital identity as critical infrastructure — and securing it as such. He also wants to see the Trump administration develop a national strategy around digital fraud, and share signals and intelligence around fraud patterns and campaigns in real time along the lines of the cybersecurity threat-intel sharing efforts.

"What I don't want to see as we go through the remainder of this presidency is no action being taken related to digital identity," he said.

Voluntary (formerly mandated) secure-by-design software

Of course, the digital ID piece wasn't the only "problematic" section in Biden's order, according to the White House.

Another of the directives that Trump's order cut is the mandate that software companies that sell to the government must follow secure software development practices - and submit proof of doing so to CISA.

Biden's order also required the federal government to come up with a "coordinated set of practical and effective security practices to require when it procures software" – essentially minimum cybersecurity requirements.

In the new EO, Trump eliminated both requirements. Instead of forcing software providers to submit so-called "secure software development attestations" to CISA, the order makes secure-by-design practices voluntary.

It tasks NIST with setting up a public-private consortium to guide best practices for secure software development, and to issue updated recommendations on securely deploying patches and updates.

"The shift toward voluntary guidance sounds nice, however in practice it often means slower adoption and fewer safeguards," Bugcrowd CEO Dave Gerry told The Register. "It's hard to see how this makes us safer," he added.

Secure software attestations "were put in place to reduce risk across the supply chain," Gerry added. "This order walks away from important lessons. Cybersecurity should be a nonpartisan commitment to national resilience — not a political bargaining chip." ®
