127 Comments
Blake from WTF Over:

I think some caution is due. Without diving too deep, this EO is a change to existing rules. It’s about how the Federal government operates and secures its own IT infrastructure. It’s not about the commercial internet, as far as I can tell. For example, item #1 isn’t new, it’s an update to how the government decides if software is safe enough to be installed on government networks. It wouldn’t surprise me if the federal cybersecurity community will see #1 as a weakening of existing rules like FEDRAMP and various NIST standards. I suspect #1 is more of a gift to industry than an authoritarian move. Similarly, #7 is a “no duh it doesn’t apply.” You have to understand this is acknowledging the government’s classified and unclassified networks operate under different rule books. Classified networks use burdensome standards that would be overkill if you weren’t protecting national security information.

Lori Corbet Mann:

I appreciate your thoughtful pushback Blake, and I agree it’s essential we approach these developments with clear eyes and avoid jumping to conclusions.

You're absolutely right to say this EO builds on existing frameworks and, at first glance, applies only to federal systems. But the risk I’m highlighting doesn’t come from the surface-level changes, but from what these updates enable.

Item #1, for example, does appear to just update cybersecurity rules for government networks, but those rules often become de facto standards across the commercial sector, especially where platforms and infrastructure intersect. We saw this with FedRAMP and earlier NIST guidance. So while the changes might technically apply only to government-connected software, in practice, they shape what’s viable to build, use, or sell.

Lori Corbet Mann:

You make a fair point about #7 as well. Classified networks have always had different rules, but what worries me here is the explicit exemption. As civilian-facing infrastructure becomes tightly codified, while surveillance systems remain exempt, we risk creating a landscape where public tools are locked down and controlled, while the most powerful tools remain opaque and unaccountable. It’s the imbalance — and what that enables — that’s concerning.

Finally, I hear you on this potentially being a gift to industry. That may well be the case — and I really do hope that it is — but even so, I’d argue it still reflects authoritarian drift. The consolidation of infrastructure in the hands of a few, especially those aligned with a regime dismantling democratic norms, becomes coercive whether it’s driven by control or by convenience. Soft authoritarianism often looks like efficiency, until it doesn’t.

I genuinely welcome more critical reads like yours. We’re all trying to make sense of fast-moving developments, and the more angles we examine them from, the better our collective understanding will be.

Let’s keep going.

Susan OBrien:

Good for both of you.

Blake from WTF Over:

Your concern of democratic accountability is 100 percent on point. However, I think that is a question of checks and balances and leadership in national security agencies, versus cybersecurity IT rule making. Classified systems will always be classified. There is nothing technically wrong with that. In the same way the public doesn't need to know the name and address of American spies inside of North Korea, it doesn't need to know how JWICS functions on a technical level or the inner workings of satellites and weapon systems. To make sure these systems are aligned with democratic values requires functional congressional oversight, which Republicans are unwilling to do, and ethical command and control within national security agencies, which the administration is undermining with its appointed leaders and politicization of the civil service and military.

Lori Corbet Mann:

Totally fair Blake, and I appreciate how clearly you’ve laid out your position. I think we’re broadly aligned on the importance of oversight and accountability, even if we’re coming at the implications of this EO from different angles.

To me, the concern isn’t with classified systems per se, but with the growing gap between opaque national security tools and increasingly regulated civilian infrastructure, especially when oversight mechanisms are being actively weakened. But I hear you, and I respect where you’re coming from.

Happy to agree to disagree here — and genuinely grateful for the chance to have a grounded, informed exchange.

Blake from WTF Over:

You are certainly correct that NIST standards are used as best practices in industry, but "thou should" is different from "thou shall."

I think the changes underlying #1 are a gift to Silicon Valley, which hates the existing rules. As I understand it, the changes shift the paradigm from the government performing cybersecurity compliance checks on products before issuing an Authority to Operate (ATO) on government networks/devices to an industry self-attestation.

Thus, I think the criticism is that these changes weaken federal cybersecurity standards in order to appease his campaign donors and industry.

Lori Corbet Mann:

That’s a really helpful clarification, thanks. I agree that shifting from independent checks to self-attestation weakens existing safeguards. But that’s exactly what worries me. If regime-aligned tech firms are left to define and approve their own standards, they can quietly shape the digital environment in ways that serve their interests — not the public’s. So yes, while it may be a gift to donors, it's one that clears the path for deeper, less visible forms of control.

Judith Abingdon:

The point is this administration will take any advantage in every loophole, so it’s best to err on the side of caution and to be extremely aware! Thank you for this in-depth look at the problem.

Blake from WTF Over:

From a technical perspective, the government can still perform periodic cybersecurity compliance checks on the products to make sure the self-attestations are not false claims. You can automate routine audits, for example. Thus, if handled properly, it's not the end of the world. Do I trust it to be handled properly? No. DOGE blew through every single security protocol, whether personnel, physical, or cyber, with the blessing of the President.

Lori Corbet Mann:

I completely agree Blake.

Bob Bryan:

I have to admit that I had trouble parsing through the additions and deletions from the original Jan 2025 order, but I read the deletion of section 2(b) as eliminating the attestation requirement regarding secure software development, for software delivered under federal contracts. So, in effect, they are doing some updates to NIST 800-53 (under 2(c) from the Jan order, “establish a consortium with industry”, etc) - but I don’t see what’s left in terms of enforcement mechanisms, once industry has its say on 800-53 changes.

Did I miss a section that retained the attestation requirements? Attestation may seem minimal, but it does establish a legal basis for enforcement activity if attestations are found to be untrue.

Blake from WTF Over:

Deleting previous reply until I dig a little deeper on self attestation.

Bob Bryan:

Right - I read those as the attestation requirements, being deleted. So what’s left as a compliance mechanism to support enforcement activity?

I don’t know Fedramp and other regs - and this is still “only” an E.O. which revises what seems to be a tougher E.O. that was issued in Jan. So it made me wonder if the earlier EO simply mirrored existing law/reg requirements on security compliance, such that deletion of 2.b from an EO didn’t really have an effect.

S K:

Thank you for the deep insight. There's certainly a lot to consider as we are moving into State control. I never trusted the Cloud! Every day I consider dumping the smart phone and all tech crap. When computers came out my husband and I were excited for the future. Now, with people like Musk, Thiel, and others, the government has given them power to weaponize what once brought unity and information.

Lori Corbet Mann:

I feel the same way S K. But it's difficult, when we're so reliant on them — and that's exactly what they're counting on.

Broehe Ballman:

It's not too late to go back to walking to the bank and going to shop in brick and mortar. The convenience we ate up erased the actual commons of our shared humanity: seeing people face to face. I would argue all the convenience we bought chains us to machines when we could be paying more attention to our living world, which also desperately needs us, including our bodies. I treat chronic pain and the main contributors are imbalanced overwork and a lack of understanding of how our body works, or, in neglect, doesn't work. Given tech's frailty to intense solar flares (which, statistically, the Earth is due for), I humbly propose the great boycott to be walking away from convenience and using only the necessary tech (food, transportation, health, etc.), and repairing the consequences of our pollution and disrepair of the Earth and its living systems.

Broehe Ballman:

No dependence on kings, no kings.

Orion Wren:

This isn't progress, it's the silent wiring of an Orwellian cage.

The Executive Order doesn't just secure systems, it mandates compliance, turning our own devices and platforms into tools for pervasive, automated monitoring. Big Tech gains immunity while enforcing obedience, and encryption is neutered. This digital panopticon is being coded into existence.

Resistance isn't optional, we must act before submission becomes the only option left.

Lori Corbet Mann:

I agree, Orion.

David Stewart:

The cloud never was neutral. Senor Taco Don's regime has simply pulled the scab off.

Lori Corbet Mann:

We're on the same page David.

Georgia Patrick:

Thank you, Lori, for the context and coverage of this issue. I believe everything you presented. Here's the thing about the Internet and connectivity, which I considered yesterday, as my provider had another "service interruption" for 4 hours in the middle of the Monday workday. I went to my big library (the one in my house) with paper and pen to continue thinking and writing. No computer, no phone, no iPad. For the state to find me or observe me, someone has to get the internet service more consistent and reliable.

Lori Corbet Mann:

I'm in a similar position here, Georgia. What I suspect will happen in the near future is that 'the state finding us' won't mean a knock on the door, but increased service disruption. Apps that don't do what we want them to do. Important notifications that don't arrive.

Another reader shared this personal anecdote: "I used to work in compliance and cybersecurity in fintech. More than a few fellow fintech designers lost their jobs for being 'insufficiently motivated.' Eventually I realized that that really meant being uneasy with being told to engineer in easy-to-abuse facilities for harvesting and manipulating crypto metadata. The firings happened often enough that they got a name: 'getting swatted by the invisible hand.'"

Deb:

I'm really happy to have found your Substack. You are highlighting important issues that are not being talked about. Your insight and knowledge is so helpful for me, and you break it down in a manner that I can understand. Thank you.

Lori Corbet Mann:

You're welcome Deb, I'm glad it helps.

Agnotologian:

Thank you for this Lori. It is a complex area and your analysis is helpful. I do agree with much of what Blake has written in comments, particularly the relationship between NIST standards and commercial systems. Of course outside of the US it tends to be ISO standards, often informed by NIST, that are significant.

Nonetheless, re. '4. State control of access to next-generation encryption', a back-door requirement is highly significant, particularly in the hands of a rogue regime. Will services such as Proton survive in the US?

And the 'foreign' clause in '6. Big Tech is immune from cyber accountability' is a concern.

The points you make in 'The Authoritarian Internet' about the power that the big tech companies wield are, and already were, a worry. It should be the role of government to protect citizens' privacy when citizens, for convenience, surrender so much sensitive personal data to the likes of Meta, Google, etc. That relies on a benign and trustworthy government.

Lori Corbet Mann:

"That relies on a benign and trustworthy government." It does indeed, Agnotologian. I often wonder how many of those there are left.

Lori Corbet Mann:

But thank you — I really appreciate your thoughtful engagement with this. You're absolutely right that much of this depends on the integrity of the framework and the government applying it. The idea of national standards like NIST or ISO isn’t inherently authoritarian, but it’s their use as instruments of selective control that’s cause for concern.

Your question about Proton is a sharp one. If a company like Proton refuses, say, to include a government-accessible back door, or can’t get certified under these new encryption frameworks, it could face blocks or restrictions in the US market. That might not happen overnight, but the infrastructure being laid out here sets up exactly that kind of chilling effect. The fact that trust is now so entangled with alignment to state-defined criteria is a serious shift.

As for the immunity clause — yes. Quiet, surgical, and deeply consequential. It rewires accountability without triggering alarms. That’s why I focused so heavily on surfacing it: the mechanisms of power consolidation are often most dangerous when they look like routine updates.

It means a lot to know this landed with you. Thanks, as ever, for reading so carefully.

Agnotologian:

Thank you Lori for taking the trouble to respond to my brief comments; much appreciated.

I have looked at some of the other commentary on last week's cybersecurity EOs, though I haven't had sufficient will/determination to look at the EOs themselves. One thing that jumped out at me was regarding sanctions for cyberattacks on U.S. critical infrastructure. Not only are sanctions now limited “only to foreign malicious actors” but also “sanctions do not apply to election-related activities.” In the light of Musk's claim that Trump wouldn't have won the election without his (Musk's) support (does he mean technical as well as financial?) and the information from Greg Palast, is this deliberately leaving a door open for planned election interference? Politico goes on to question "if foreign hackers engaging in efforts to undermine U.S. elections, such as Russia, could therefore be exempt from possible U.S. sanctions."

I'll add a caveat that I may be wildly misinterpreting as I have not read the source documents, but thought I'd raise the question.

Lori Corbet Mann:

You're not misinterpreting. Your instinct is solid, and the concern you're raising about a deliberate loophole for election interference is absolutely grounded in the text of the Executive Order.

Here’s the key part to look at, tucked into Section 3 of the order, which amends earlier cybersecurity-related sanctions authorities:

Sec. 3. Amendments to Executive Order 13694.

Executive Order 13694 of April 1, 2015… is hereby further amended by:

(a) striking from subsection 1(a)(ii) the phrase “any person” and inserting in lieu thereof “any foreign person”; and

(b) striking from subsection 1(a)(iii) the phrase “any person” and inserting in lieu thereof “any foreign person.”

These changes have two significant effects:

1. They limit sanctions only to "foreign persons", meaning individuals or entities who are not U.S. citizens or legally present in the United States.

2. They remove the government's power to sanction domestic actors for cyber-enabled interference — including around elections — even if they act in concert with foreign entities.

Lori Corbet Mann:

This is what makes the omission of election-related activities in the rest of the EO feel so conspicuous. There’s not a single reference to election infrastructure, electoral interference, voting systems, or misinformation campaigns in the updated scope of protected “critical infrastructure”—which used to be a core focus under prior administrations.

Now layer in what you mentioned: Musk’s assertion that Trump would not have won without his help, paired with known allegations from journalists like Greg Palast, who’s tracked systematic voter suppression and digital voter roll purges for years. It paints a worrying picture. If Musk’s “help” includes not just financial backing but also platform-level intervention (think: Twitter/X algorithm changes, suppression of turnout campaigns, boosting of right-wing narratives), then the narrowing of these sanctions becomes doubly relevant.

Lori Corbet Mann:

Finally, if we consider the implications of Politico's question: “Could foreign hackers engaging in efforts to undermine U.S. elections, such as Russia, therefore be exempt from possible U.S. sanctions?” The answer, if we take the EO at face value, seems to be yes — if their activities are framed as election-related, they are now oddly out of scope.

So to your question, "Is this deliberately leaving a door open for planned election interference?", I would say yes, it appears designed to do exactly that.

This EO subtly removes key enforcement mechanisms just as Trump enters the thick of the 2026 midterm campaign cycle. And by narrowly tailoring who can be sanctioned and what counts as a threat, it creates a fog of impunity around precisely the kinds of hybrid interference tactics we’ve seen before.

Lynne:

This whole “everything is a distraction” is getting old. You can fight a war on more than one front. Nobody in the resistance has ever read Sun Tzu, I suppose.

Lori Corbet Mann:

That’s a fair point, and yes — we can fight on more than one front. We have to.

But my point wasn’t that the Musk–Trump feud or the LA deployment didn’t matter. They do. Authoritarians move on multiple fronts precisely because they’re testing which ones we’ll watch, and which ones we’ll miss. My point was the danger that comes when we only respond to the noisiest front — the one designed to hold our attention — while the quieter machinery gets built somewhere else.

This post was my attempt to illuminate that quieter front, not to dismiss the others. And I completely take your point: real resistance requires breadth, depth, and discipline. Sun Tzu knew that's what was needed to win long wars, not just battles.

Richard Bertoldo:

Good bye to Linux and other open source software and hardware.

We will no longer be able to keep old technology operational, recycling will stop, and monopolies will control our technology.

A corrupt technology world is coming.

Stop the Bill.

Lori Corbet Mann:

Exactly this, Richard.

Jennifer Destafano:

I really appreciate you taking the time to break all this down, Lori. I’m struggling to understand some of the changes (or significance of changes) from the previous EOs, and how Trump (Vought, Thiel, Musk) policy is changing from previous Biden/Obama EOs. I may need to print hard copies for comparison…

This is so difficult for the average citizen to decode and understand, especially when these EOs are flying at us in such a fast and furious manner. I’m in a tech-related job that at least occasionally requires me to read and analyze changes to law applicable to my work - to be sure, I’m no expert, but probably more equipped than most people in this country. And still, trying to parse all of this, it’s hard not to get discouraged and feel outmatched and helpless.

Lori Corbet Mann:

You're not alone in feeling overwhelmed Jennifer, because it's deliberately complex. The rapid-fire changes, the legal rewrites buried in executive orders, the technical language — it’s all designed to obscure, to exhaust, and to make average citizens feel powerless. But we're not powerless. And the fact that you’re engaging with this at all — questioning, trying to understand, staying alert — is in itself resistance.

Mary Austin (she/her):

Thanks for distilling this for us.

Lori Corbet Mann:

You’re welcome Mary.

Ann Frances:

OMG! I need to re-read to take it all in! I shudder!

Lori Corbet Mann:

Please take your time, Ann — your reaction is completely human. It is a lot to take in, and your body’s response is telling you the truth of that.

When you’re ready, come back to it slowly. This wasn’t written to overwhelm anyone, but to help us see clearly — so we can act clearly. Please remember that you’re not alone. We’re facing this together, and there are ways through.

your weirdo friend:

really looking forward to a one-paragraph summary that says what's happening and what to do in very non-technical language.

Lori Corbet Mann:

What to do: take control of your digital safety. Use tools that protect your privacy, like secure messaging apps, strong passwords, and two-factor login. Be careful about what information you share online, especially on platforms tied to big tech or government contracts. Support organisations that fight for digital rights, and stay informed about changes to tech policy.

Lori Corbet Mann:

This order quietly shifts how cybersecurity is handled in the US by cutting out earlier protections and narrowing who can be punished for attacks. It removes rules that promoted transparency and teamwork between agencies, and now focuses mostly on foreign threats—leaving domestic actors outside the scope of certain penalties. It tells government departments to start using AI and prepare for powerful future tech like quantum computers, but without saying much about oversight. On the surface it looks like a tech upgrade, but underneath, it’s about concentrating power and reducing public visibility into how cybersecurity decisions are made.

Lori Corbet Mann:

I really appreciate you hammering home the need for a one-page Executive Summary, thank you my weirdo friend. Going forward, I'm going to include them in all of my 'Vantage Point' posts, and where appropriate, a few others.

Also, I just wanted you to know that when I first came to Substack, your Notes were among the first I engaged with — they undoubtedly contributed a lot to the algorithm giving me more of what I wanted to see! As a thank you for both these things — and in solidarity — I've sent you a little something.

PS. I'm still working on the 'what to do' for this post. You'll know when it's up.

Terry Gilman:

Perhaps: Surveillance state is coming to the US sooner than many readers realize.

🌱DT Larson🌿:

Are Internet rules in the EU more secure? Are there ways to avoid using devices impacted by the US rules?

Lori Corbet Mann:

Yes David — in general, internet rules in the EU are significantly more protective of individual rights than in the United States. The EU's General Data Protection Regulation (GDPR) is one of the world’s strongest frameworks for privacy and data protection, giving users rights over how their data is collected, stored, and used, and it imposes real penalties for violations. The EU has also pushed back on surveillance and monopoly power more consistently, especially when it comes to US-based tech firms.

But many services — especially cloud infrastructure and mobile devices — still run on US-owned platforms like AWS, Google Cloud, or Apple’s ecosystem. If those services are legally compelled to comply with US rules (which they often are), EU-based users can still be affected indirectly.

Lori Corbet Mann:

That said, there are ways to reduce your exposure:

Use European or open-source alternatives where possible. For example, ProtonMail (Switzerland) instead of Gmail, or Nextcloud for file storage.

Avoid US-based cloud platforms if you’re dealing with sensitive data. Host your own services or use European providers that fall under GDPR jurisdiction.

Use Linux-based operating systems instead of Windows or macOS, and de-Googled Android phones like those running /e/OS or GrapheneOS.

Route traffic through the EU via a reputable, non-US VPN or Tor, which can help protect against dragnet data collection.

Buy hardware from companies not under US legal jurisdiction (though this is tricky, as most supply chains are still deeply entangled with US firms).

So while it’s not always possible to fully opt out of systems impacted by US rules, it is possible to reduce your dependency and increase your digital resilience, especially if you're based in or connected to the EU.

🌱DT Larson🌿:

Thank you. I use Proton mail, storage and VPN, so I appreciate the confirmation. It's a challenge to altogether avoid Google (I've tried), but I have reduced my usage.

Lori Corbet Mann:

I’m completely with you there David. I’m in the process of weaning myself off Google — challenging indeed.

Mia Wotton:

Thank you.

Lori Corbet Mann:

You're welcome Mia.

Laura T RN BSN:

https://youtu.be/SVqIHAxDcoU

Lori Corbet Mann:

Thanks for sharing this Laura — it was an interesting watch! I've also wondered whether the Golden Dome is all it's portrayed to be.

Laura T RN BSN:

Everything is laundered in this administration.

Lori Corbet Mann:

Beautifully put Laura.

The Way of the Warrior Monk 🦂:

The nature and language of these EOs is designed to appear to promote cybersecurity overall: in federal systems, and with the knock-on effect on private, commercial systems. This says we have the country's and the people's security in mind, and we can better predict and respond to threats to individuals, the populace, and the country's infrastructure.

But it quietly enables further surveillance, legitimises threat elimination without due process or oversight, and provides immunity in the event thereof.

Once again, technology created to assist, is being usurped and weaponized to enact powerful, dangerous agendas: currently regime control and totalitarianism, but additional ones may emerge as these changes take effect.

Lori Corbet Mann:

Yes, exactly this. The language of the EO is carefully constructed to sound reassuring, even benevolent. Most people reading it quickly would come away thinking it’s about making us all safer. And yet, as you so clearly point out, the mechanism it sets up can just as easily be turned inward — towards surveillance, suppression, and automated enforcement with no room for appeal.

I’m especially struck by your last line. These tools may be framed as neutral or necessary now, but once embedded, they’re available for any future agenda. That’s the real danger. It’s not just what they’re being used for today — it’s that they can be repurposed tomorrow, with no public conversation and no accountability.

Thank you for articulating this so clearly.
