In the final week of the Biden Administration’s term in office, former President Biden issued two high profile executive orders that could have significant ramifications for the cybersecurity and technology industries. The first, issued on January 14, 2025, is an “Executive Order on Advancing United States Leadership in Artificial Intelligence Infrastructure” (the “AI Infrastructure Order”). The second, issued on January 16, 2025, is an “Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity” (the “2025 Cybersecurity Order”). Although both executive orders were issued only days before the end of the Biden Administration’s term, both have, at least as of this date, been spared from the sweeping revocation of over 78 executive orders and other memoranda (which revoked at least one, prior AI-related Executive Order) issued by President Trump on the first day of his presidency. Below, we summarize the two 2025 orders and discuss briefly what their futures may entail.
The AI Infrastructure Order
Unlike its 2023 counterpart (the “2023 AI Order”), which was revoked by the Trump Administration on January 20, 2025 and was primarily directed at the safe and responsible development and use of AI, the AI Infrastructure Order emphasizes federal support for the development of national infrastructure that will facilitate the long-term growth of the AI industry. Former President Biden’s accompanying statement declared that “[t]oday’s Executive Order enables an AI infrastructure buildout that protects national security, enhances competitiveness, powers AI with clean energy, enhances AI safety, keeps prices low for consumers, demonstrates responsible ways to scale new technologies, and promotes a competitive AI ecosystem.” Former President Biden’s statement listed several steps that federal agencies will take to promote AI development in the coming months, including to:
- Lease federal sites owned by the Department of Defense (“DoD”) and Department of Energy (“DoE”) to host gigawatt-scale AI data centers;
- Catalyze deployment of new clean energy generation to support AI infrastructure;
- Prioritize full and expeditious permitting of AI infrastructure on federal sites;
- Accelerate transmission development around federal sites;
- Facilitate interconnection of AI infrastructure to the electric grid;
- Ensure low electricity prices for consumers; and
- Advance allies and partners’ development of AI infrastructure.
As a potential initial indication on the Trump administration’s priorities, on January 23, 2024, President Trump issued a new executive order “Removing Barriers to American Leadership in Artificial Intelligence.” This executive order articulated the White House’s position on AI as “to sustain and enhance America’s global AI dominance in order to promote human flourishing, economic competitiveness, and national security.” While this latest executive order does not reference the AI Infrastructure Order or the 2025 Cybersecurity Order, its goals appear consistent with those prior orders. It requires the Office of Management and Budget (“OMB”) to revise its rules governing the use of AI systems by the federal government, which may mean changes to OMB Memoranda M-24-10 and M-24-18. It remains to be determined if such OMB updates will include guidance concerning the AI Infrastructure Order or the 2025 Cybersecurity Order.
Whether the AI Infrastructure Order aligns with the Trump Administration’s goals remains unclear. Even so, the AI Infrastructure Order contains ambitious deadlines for federal agencies, which may be viewed as not reasonably attainable by the new administration.
The 2025 Cybersecurity Order
At a high level, the 2025 Cybersecurity Order builds on several general areas of cybersecurity improvement efforts initiated in President Biden’s 2021 “Improving the Nation’s Cybersecurity” executive order, which also has not been revoked by the Trump administration to date. The 2025 Cybersecurity Order specifically identifies the People’s Republic of China as “presenting the most active and persistent cyber threat to United States Government, private sector, and critical infrastructure networks” and that additional actions are necessary to improve U.S. cybersecurity to address key threats, including those posed by China. Other highlights of the Order include:
- Improving the existing sanctions framework by permitting authorities to freeze the assets of individuals and entities involved in cyber-attacks, including ransomware threat actors.
- Enhancing the cybersecurity of federal systems through various measures, including the required adoption of phishing-resistant authentication technologies, prioritizing use of end-to-end encryption and transitioning to post-quantum cryptography capable products, and development of updated FedRAMP guidelines for cloud service providers to better secure federal data in accordance with agency requirements.
- Confronting cyber-enabled crimes by promoting privacy-preserving digital identity documents (e.g., mobile driver’s licenses) and launching an early-warning fraud pilot program to reduce potential identity fraud.
- Establishing a public/private partnership to incorporate AI into cyber defense of the energy infrastructure and directing research and development of AI-based cybersecurity tools and techniques.
- Enabling government-wide visibility of cyber-criminal activity by CISA and sharing of actionable threat information between agencies to better defend public and private sector networks.
- Mandating the development of new cybersecurity contract requirements for government systems operating in space.
Notably, and as described by the related Fact Sheet for the 2025 Cybersecurity Order, “[the 2025 Cybersecurity Order] improves the U.S. Government’s ability to use sanctions to punish cyber attackers. It amends cyber sanctions authorities to be more responsive to today’s threats, notably sophisticated ransomware attackers targeting Americans, hospitals and businesses.” The expansion of available sanctions for ransomware threat actors could be a substantial development because, as we have noted previously, the designation of ransomware actors on the U.S. Treasury Department’s Office of Foreign Asset Control (“OFAC”) Specially Designated Nationals and Blocked Persons List (“SDN List”) is relatively uncommon.
While the 2025 Cybersecurity Order is primarily directed at strengthening the nation’s cybersecurity defenses and capabilities, which may remain a priority for the Trump administration, the new administration could also take a divergent approach in implementing that priority. As the 2025 Cybersecurity Order mandates various federal government actions within the next several months, it is unclear whether the Trump administration will modify, rescind the order altogether, or permit it to remain in its current form.
Key Takeaways
Although the future of both the 2025 Cybersecurity Order and AI Infrastructure Order remain unclear, this is an area that will continue to be closely scrutinized. The Trump Administration’s decision not to revoke these orders as part of the many orders and memoranda that were repealed on January 20, 2025 may signal an intention to maintain the substance of these orders, in some form or fashion. However, given the significant overall policy changes involved in those orders and the short duration they were in effect prior to the change in administration, it remains to be seen what weight they will carry. Alston & Bird will continue to monitor for substantial developments in this rapidly evolving space.
