A (14:13)

Hi Dave. And it's my pleasure.

B (14:16)

Well, thank you so much. Really interesting article you published recently here about some executive orders from the Trump administration and how they could affect cybersecurity. What prompted you to take on this topic here?

A (14:31)

Tim, I was really hoping you'd ask that question because this was kind of an interesting way this story sort of came to me in my head, right? So in March they put out this preparedness executive order and there was one sort of big overwhelming reaction from the cyber community about the provisions that said we want state and local governments to be handling Disasters more, including cyber attacks. And the overwhelming reaction was like, from the cyber community. That was like, that's insane. States are not prepared to deal with this. And then when the June order came out, it kind of came out on a, it came out on like a Friday afternoon, like late Friday. And we wrote a story about it, but we didn't know much about it yet because the text wasn't even out yet. We just had a fact sheet. But as the months have gone on, I just kept hearing people point out little things that I had not noticed when I wrote my first stories because they were just quick first day stories. Things that I was like, wait, that's kind of a bigger deal than I would have imagined. Why didn't anybody point that out at the time? And so I started collecting all those sort of things and then also asking people about them and saying, hey, is it me or is this kind of a bigger deal than we thought it was both borders really. And the answer pretty much was, yeah, actually there's a lot in there. Now, to be fair, there are some people who say, and you know, we cover some of this in the story, that maybe some of this stuff won't get done because it requires, you know, agencies to do things and the agencies have less funding. There are people who say some of this stuff is just straight perplexing, it doesn't make a lot of sense to them. And there are some people who say actually some of these changes aren't that significant. So I don't want to oversell the story, but I did find a significant number of people who said, yeah, that's actually kind of, kind of big.

B (16:06)

Well, take us through some of the key findings here. I mean, what are some of the most important things that you cover?

A (16:13)

Yeah, and so here's another thing. Some of this stuff we haven't seen the impact of yet. For example, in the preparedness order, there is an order to review a great number of the most foundational policy documents governing critical infrastructure protection. You know, it's a disaster preparedness related order, but it's things like the National Security Memorandum NSM 22 that the Biden administration wrote in the final year, its full year, a rewrite of a decade old document on how we handle critical infrastructure protection. And it was updated to say, here are the changing threats. We need to do more to share threat information. And to be fair, there are some people who did not like that rewrite. You know, Mark Montgomery of the foundation for Defense of Democracies was among the critics of that. He thinks it's a good thing that they might be rewriting this. But, but part of the deal is that, you know, the people who are going to do that review are people like Sean Cairncross, who just got the job a week and a half ago or so. Right. Who just really finally got into the job. So we might not see some of the impact of this for a while, but those are some pretty big changes. And there's a national, national resilience strategy that that's called for in that document. The headline on the, on the, on the June order was a little bit about the digital identities provisions and how agencies would be able to do verification of those to provide benefits. That's still important. But there were things like telling, you know, that in the January Biden administrative order that a lot of this order is responding to, there was a NIST review of minimum security practices that was ordered. That's gone now. The things like contractors having to submit to CISA, essentially a certification saying, yes, we are safe, we are secure. They deleted that. And so there's a pretty significant amount of stuff that was kind of not headline making at the time that going back and plumbing into it a little bit more, you're like, oh gosh, yeah, these are potentially very major changes.

B (18:12)

There's a quote here I want to pull from this that you got from Alexandra Reeve Givens, who heads up the center for Democracy and Technology, said rolling back numerous provisions focused on improving cybersecurity and identity verification in the name of preventing fraud, waste and abuse is like claiming we need safer roads while removing guardrails from bridges. This is an evocative comparison.

A (18:40)

It is, it is. And that was not an uncommon sentiment. I think I mentioned a couple things that people thought might be good about this. But another significant consensus was that this is going to be bad for cybersecurity, that getting rid of some of these things. I didn't mention it exactly from Jake Williams, the former NSA hacker who has been a longtime cyber policy expert. He said that those sort of self attestation things that I mentioned earlier, the certifications, that's like Sarbanes Oxley for cyber and you're getting rid of it. Then you get into other areas where things Alex Sharpe with somebody I quote in the story from New York University, also security Advisor, saying that the NIST getting rid of that NIST review, if you're talking about wanting to harmonize regulations, well, you're undercutting yourself. So the administration might be not achieving its goals with these orders. In some ways things that you would think they would want to do that? They might have actually stepped on their own foot on this.

B (19:40)

You spoke with California Representative Eric Swalwell. He's the top Dem on the House Homeland Security Committee's cyber panel. So he has, I would say, an informed opinion when it comes to these things.

A (19:55)

Yeah, and he, he, he had a, he had the best statement that was similar to something I'd heard from other people, which is, you know, that this administration is talking, talking about the importance of doing cybersecurity, but they're underfunding these agencies and so are they really going to be able to do these things? Mark, Mark said similar things. You know, the, the state, pushing things down to the state and local, but you're not giving them any money to deal with that. Asking NIST to do certain things that the original orders did not do and cutting their budget by 20 plus percent. You wonder whether these are goals that will be achieved. And so had to couch this story in a similar strange way where we said these actually may be big changes and why they might not be big changes and part of it might be that they might not have the money or people to do it.

B (20:46)

Well, speaking of strange ways, I mean, you dedicate a whole section here to Head Scratchers and Mysteries. I mean, that doesn't come up on every policy article here. So what are we talking about here, Tim?

A (21:02)

Yeah, so the one that caught my attention the most was when I, and I mentioned this in the very first story, but delved into it a little bit more here is there's this language saying that you can't use cyber sanctions against domestic political opponents. And my thought was like, wait a minute, who in the world would that even pertain to? And just couldn't figure it out. You know, the Congressional Research Service said they couldn't find an example of this ever having done, been done, that this seems to be existing policy. I suppose hypothetically you could use those sanctions authorities against people in the United States. But why do it? If the existing policy is this and it's never happened, why do it? I, I did put some of this in the article. People were speculating, is this about stuxnet, right? Is this, is this a thing where, like they're worried about, you know, people who were involved in the development of Stuxnet? And I'm like, so then my follow up question was, well, but okay, well, if that's the case, would the United States go after people who, who were United States people who helped create a cyber tool that helped the US Objectives and why, why Would you do that?

B (22:06)

I mean, don't you think that this administration kind of has a universal be in its bonnet about anything relating to cyber and the elections?

A (22:17)

Absolutely, yeah. I mean, it's, it also the order specifically mentions elections. So some of this might be signaling, some of this might be, oh, you know, we'll put this in here because the President will like it. I, you know, people were speculating a lot about what that was about. Another mystery was the stuff about getting rid of the digital identity identity verification language from the January Biden order because you don't want, you don't want illegal immigrants to get this, these benefits. But that's not, Nobody said that. Nobody I could found could, could say that this has ever happened. In fact, it seems as though the language would prevent people who weren't authorized to get benefits from getting them. So there's just a bunch of stuff in there that people were like, why are they doing this? This doesn't make any sense to us. And people wondering about what the, what the actual ramifications would be like if they do this. What would it look like? There were some people who said that this was under, undergirding some existing Biden administration policies and other people saying, actually, no, it's undoing them. So, so there were different views on different things. And you know, considering the fact that the Biden administration was not, you know, every chance they get still in, in, In August of 2025, the Trump administration says the, the, you know, the incompetent Biden administration and then they, they do things in this, in this order, these orders that are definitively supporting Biden administration initiatives, things I wouldn like. The CyberTrustmark initiative on labeling secure products. I would have thought maybe that, you know, if you're extremely pro business, you might think that was a bad or risky thing. No, they fully support it.

B (23:52)

Well, Tim, your guess is as good as mine.

A (23:56)

We're trying to figure it out. Dave. Dave, this isn't going away. I'm going to keep.

B (24:00)

This is an enigma wrapped in a mystery.

A (24:02)

Yeah.

B (24:04)

Well, the reporting is excellent and we will have a link to it in the show. Notes again, Tim Starks, a senior reporter at cyberscoop. Tim, thanks so much for joining us.

A (24:13)

Thanks for having me.

B (24:29)

And now a word from our sponsor, ThreatLocker, the powerful Zero Trust enterprise solution that stops ransomware in its trap. Allowlisting is a deny by default software that makes application control simple and fast. Ring Fencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources and other applications. They truly need to function. Shut out cybercriminals with world class endpoint protection from Threat Locker support for this podcast and the following message comes from America's Navy the Navy offers new graduates hands on training and experience in careers like computer science, aviation and medicine, plus education and sign on bonuses.

A (25:18)

Parents help your grads start their career.

B (25:20)

Today@Navy.Com and finally, researchers at the University of Amsterdam decided to see what happens when 500 AI chatbots are let loose on a stripped down social network. No ads, no algorithms, no dopamine driven content feeds. Surely without those manipulative nudges the bots would live in perfect harmony, right? Wrong. Much like their human inspirations, the bots quickly self sorted into echo chambers, following only like minded peers and amplifying the loudest partisan voices across five experiments and 10,000 interactions, the results were depressingly familiar. Extremism attracted followers, and interventions like chronological feeds, hiding bios or downplaying virality barely made a dent. Sometimes making things worse, the study suggests polarization isn't just an algorithmic quirk, it's a structural feature of social media itself. In other words, it's not just the mirror that's warped, it's us. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of this month. There is a link in the show notes. Do us a favor and do check it out. N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilby is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Foreign you say you'll never join the Navy, never climb Mount Fuji on a port visit, or break the sound barrier. Joining the Navy sounds crazy. Saying never actually is. Learn why@navy.com America's Navy forged by the sea.