“Where Practical”: Why The Final Executive Order on E2EE Isn’t Enough

    In an unprecedented move highlighting the urgency of cybersecurity threats, the White House has issued two major Executive Orders in as many days, placing encryption and data protection at the center of national security strategy.

    These orders come amid growing concerns over state-sponsored cyber attacks, including the recent Salt Typhoon telecommunications hack, and heightened scrutiny of foreign technology, with the ink barely dry on a TikTok ban. They also aim to cement lasting cybersecurity reforms before the transition of power to a new administration.

    A Multi-Pronged Statement on National Cybersecurity

    On January 15, 2025, the first Executive Order re-established the Chief Data Officer Council, emphasizing the critical role of data management and protection in federal operations.

    Just one day later, on January 16th, a comprehensive, if imperfect, cybersecurity Executive Order was issued, mandating significant changes in how federal agencies handle data security and encryption, with an emphasis on Transport Layer Security (TLS). In our opinion, that emphasis is not entirely sufficient given the scope of the threats we face from sophisticated foreign adversaries.

    True zero trust governance requires a defense-in-depth approach that protects data in transit over the wire – but also protects data wherever it resides, for as long as it lives.  By shrinking policy and access control down to the data object level, organizations can defend against both insider threats and advanced persistent threats (APTs) that are likely already lurking inside traditional networks and IT systems.

    While the incoming administration will have immediate authority to modify or rescind these orders, they represent a blueprint for federal cybersecurity that the next administration will need to either build upon or replace with alternative measures to address ongoing threats.

    Encryption at the Forefront: But Not All Encryption Is Created Equal

    The January 16 Executive Order is comprehensive in scope, addressing everything from software supply chain security and AI-enabled cyber defense to space systems protection and quantum computing preparation, and its focus on encryption is particularly noteworthy and nuanced.

    With Transport Layer Security (TLS) emphasized as its primary encryption standard, the EO falls short of taking a strong stance on End-to-End encryption (E2EE).

    While it touches on end-to-end encryption, the language is carefully caveated - "where practical" [Section 4(d)] and "where technically supported" [Section 4(e)(ii)] - effectively making its own security objectives nebulous.

    Given the sobering reality of breaches like the Salt Typhoon telecommunications hack (which was first detected on federal networks), the continued hesitation is concerning. Recent incidents have made it crystal clear that traditional transport layer security isn't enough. We must utilize optimal technology in order to defend against advanced threats. When we only protect data in transit, we're locking our car but leaving our house key on the porch.

    And, by qualifying its stance on E2EE, the Order unintentionally provides a roadmap for attackers by signaling exactly where our most sensitive data may be exposed.

    The notion that we must choose between comprehensive encryption and operational requirements is a false dichotomy that belongs in the past. Modern cryptographic solutions exist in the present and should be the future. The Trusted Data Format (TDF), for example, readily enables both robust security and essential archival functions.

    E2EE needs to be the foundation of federal data protection - not a conditional afterthought.

    Last Minute EO, Lasting Truth: Data-Centric Security Isn’t Negotiable

    Cyber threats have already evolved in scale and sophistication; we simply need to meet that level of sophistication, including by thoughtfully embracing E2E encryption. Organizations need solutions that:

    • Protect data throughout its entire lifecycle
    • Ensure secure communication across organizational boundaries
    • Maintain control over sensitive information regardless of where it travels
    • Meet stringent federal compliance requirements

    As federal agencies and their partners work to implement these new security requirements, Virtru's data-centric security platform offers a solution already aligned with the federal government’s vision. Virtru's approach to encryption enables organizations to:

    • Deploy end-to-end encryption for email and file sharing
    • Maintain persistent control over sensitive data
    • Meet and exceed federal security requirements
    • Protect against emerging threats while ensuring data usability

    While the implementation timeline for these Executive Orders remains to be determined by the incoming administration, the security principles they outline – particularly around encryption and data protection – reflect the growing expert consensus about the importance of data-centric security.

    Editorial Team

    The editorial team consists of Virtru brand experts, content editors, and vetted field authorities. We ensure quality, accuracy, and integrity through robust editorial oversight, review, and optimization of content from trusted sources, including use of generative AI tools.
