SaaS and the perils of cybersecurity: What President Biden understood and Waltz-Hegseth do not
SaaS, cybersecurity, the five pillars of zero trust architecture — these are matters that everyday Americans should not have to think about.
On March 7, 2025, I posted the first in a series of three articles: SaaS and the perils of cybersecurity: What we can learn from Intuit’s behavior. My interest in this topic was spurred by a sequence of events that made it clear to me that moving solely to The Cloud is a bad idea. [SaaS = Software as a Service, meaning that the vendor controls both your data and their software in the cloud. If you stop paying for their “subscription” software, you lose access to your data.]
I intended Part Two to be a simple overview of legislation and gaps in legislation surrounding cybersecurity, The Cloud, and the move to SaaS with few guardrails protecting the consumer. My experience with Intuit’s apparent backdooring into my laptop to convert a standalone, desktop version of their QuickBooks Enterprise software into SaaS, and then forcing $1800/year subscription to keep using a software that has no “service” benefit laid the foundation for this research.
Three months after bringing this to Intuit’s attention — advising them that their actions caused me to lose access to 20+ years of data — I still have no access to my data.
As I began the research for Part Two, I had no idea that I would learn three things that are painfully relevant this week following the Signal incident:
President Biden recognized the dangers that I was now encountering (and far more!) and addressed them during his term.
Within his first two days in office, President Trump undid everything that Biden worked on.
Not only did Trump undo Biden’s attempts to strengthen cybersecurity, but his people consciously bypassed the few remaining guardrails in place.
Here, therefore, is my non-techie explanation of Biden’s measures, how his directives were being implemented, Biden’s executive order four days before leaving office, how Trump undid Biden’s work, and how we saw that in living color in the Signal incident (I am calling it that instead of mentioning Jeffrey Goldberg to emphasize that Goldberg did not ask for that scandal).
If you are a technical expert, please read the primary sources I link to. Also, I welcome know-how from experts in this field. My analysis is from the perspective of a layperson who has been badly impacted by lack of regulation of SaaS and cybersecurity guidelines.
PRESIDENT BIDEN’S EXECUTIVE ORDER 14028, May 12, 2021
On May 12, 2021, President Biden issued Executive Order 14028, “On Improving the Nation’s Cybersecurity.” This has been archived here. If this is a topic you’re interested in, I recommend saving as PDF in case the Trump administration removes it completely. The version I found three weeks ago has already been deleted.
As an aside, reading the entire 34-page executive order caused a light bulb to go off for me. In the current era of Trump V2.0, we are being conditioned to accept executive orders as equivalent to legislation. EOs are not law. They are directives from the Chief Executive of the United States of America to his/her executive agencies. Memoranda.
In Biden’s EO 14028, we see this very clearly. He asked the Office of Management and Budget (OMB) to provide certain information, in consultation with the Secretary of Defense, the Attorney General, and others, within 60 days. The Secretary of Homeland Security was to provide a game plan for language to be used within 45 days, in conjunction with the Secretary of Defense and others. He was very clear and very specific about deadlines and tasks that each agency was to perform.
Biden also left the fulfillment of these tasks up to each agency. He recognized that they knew more than he about cybersecurity, SaaS, and other risks, and he made it clear that he valued their input. This is how government is supposed to be run.
Although I read all 34 pages, I will rely on the best summary I found online: Covington & Burling LLP’s May 19, 2021 analysis of EO 14028. I have no connection to Covington & Burling. After reading their blog posts about regulations affecting contractors doing business with the federal government, I can say they would be on my short list if I were such a contractor.
Of particular interest to me as I seek to navigate software for small business, specifically looking for non-SaaS solutions: Biden sought private enterprise input to federal regulations. His requested actions were not top-down, “this is what we are telling you to do,” regulations. Agencies in the executive branch were instructed to ask for private sector input at every step of the way.
Covington & Burling summarized the goals of EO 14028 as follows —
“The Order:
seeks to remove obstacles to sharing threat information between the private sector and federal agencies;
mandates that software purchased by the federal government meet new cybersecurity standards;
discusses securing cloud-based systems, including information technology (IT) systems that process data, and operational technology (OT) systems that run vital machinery and infrastructure;
seeks to impose new cyber incident reporting requirements on certain IT and OT providers and software product and service vendors and establishes a Cyber Safety Review Board to review and assess such cyber incidents and other cyber incidents, and;
addresses the creation of pilot programs related to consumer labeling in connection with the cybersecurity capabilities of Internet of Things (IoT) devices.”
I recommend reading Covington & Burling’s full blog posts on this topic if you are in a related industry. There’s a wealth of information available for free.
Here I will focus only on cybersecurity and SaaS.
President Biden understood that the private sector often sees cyber threats before federal agencies do, but that because of contract regulations, communication between private and public sector is hampered. EO 14028 asked how that wall could be broken down, thereby enabling private sector to advise federal agencies of known threats, and vice versa. In fact, Biden wanted federal contracts to be amended to add language requiring incident reporting.
That EO from 2021 also asks agencies to recommend software purchases and personnel hires that would enhance national security. Biden asked the Director of OMB to develop a “federal cloud security strategy,” beef up compliance, and implement Zero Trust Architecture.
Although much of my working life has been IT- and software development-adjacent — for example, I was PCI Compliance Officer for a mid-sized print company at the same time I was its CFO — I was unfamiliar with the term Zero Trust Architecture. Since the Cybersecurity and Infrastructure Security Agency (CISA) took EO 14028 seriously and created a “Zero Trust Maturity Model,” I will quote from their Web site:
Zero trust provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised. The goal is to prevent unauthorized access to data and services and make access control enforcement as granular as possible.
In other words, “zero trust architecture” means that a person or agency must trust nothing and must have multiple means of verifying authenticity. It’s two-factor authentication on steroids.
In April 2023, as the Biden administration continued its implementation of EO 14028, CISA defined the five pillars of its Zero Trust Maturity Model: “Identity; Devices; Network; Data; and Applications and Workloads.” If you are truly a glutton for punishment and have a high tolerance for IT-speak, here is the final version of CISA’s ZTMM before Biden left office: ZTMM 2.0.
CISA defined seven tenets of “zero trust” that were to be followed by all federal agencies. I can see at least one or two that were ignored in the Signal incident. These tenets are to be applied to all five pillars — identity, devices, network, data, and applications-workloads.
1. All data sources and computing services are considered resources.
2. All communication is secured regardless of network location.
3. Access to individual enterprise resources is granted on a per-session basis.
4. Access to resources is determined by dynamic policy.
5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
7. The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications and uses it to improve its security posture.
Under that first pillar, Identity takes up three full pages of recommendations and regulations. In other words, before moving on to “pillars” two through five, make sure you know with whom you are communicating! Safeguards include tests ensuring that someone isn’t spoofing a known person (ironically, Jeffrey Goldberg was the only person on that Signal chat who did so), communicating via a short list of pre-approved contacts, auto-logging every communication including identity of those on the communication (no “S M” allowed), and definition of need-based identities.
The second pillar, Devices, similarly addresses an element of national security that was disregarded last week. While the ZTMM permits “BYOD” or bring your own device, it requires strong risk management, especially identification of unauthorized devices.
I am too much of an IT novice to understand the ZTMM standards for data, network, and applications and workloads. Suffice it to say, CISA’s ZTMM gave strong guidelines for all federal agencies and subcontractors to follow.
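To make the tenets and the Identity and Devices safeguards concrete, here is an added illustration (my own example, not code from CISA or from this post) of a per-request access check: every request names an identity, whether a second factor was verified, a device, and a resource; the check walks the Identity and Devices pillars before applying a dynamic policy, issues a fresh per-session grant, and logs every decision with the asserted identity. All users, devices, and resources in it are constructed.

```python
"""Added illustration (not from the post or from CISA): a toy per-request
access check modelled on the zero-trust tenets quoted above.
All identities, devices and resources below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import secrets

# Constructed directory of pre-approved identities (Identity pillar:
# a short list of known contacts; anyone not on it is not trusted).
APPROVED_IDENTITIES = {
    "alice@example.gov": {"role": "analyst", "mfa": True},
    "bob@example.gov": {"role": "admin", "mfa": True},
}

# Constructed inventory of enrolled devices (Devices pillar:
# unenrolled devices and devices failing posture checks are denied).
ENROLLED_DEVICES = {
    "laptop-0001": {"owner": "alice@example.gov", "compliant": True},
    "phone-0002": {"owner": "bob@example.gov", "compliant": False},
}

# Dynamic policy: which roles may reach which resource, re-read on every request.
POLICY = {"chat:ops-channel": {"analyst", "admin"}, "db:call-records": {"admin"}}

@dataclass
class Request:
    identity: str       # who claims to be asking
    mfa_passed: bool    # was the second factor verified for this request
    device_id: str      # device making the request
    resource: str       # what is being asked for

@dataclass
class Decision:
    allowed: bool
    reason: str
    session_id: Optional[str] = None   # per-session grant, never reused

AUDIT_LOG: list = []   # every decision, allowed or denied, lands here

def evaluate(req: Request) -> Decision:
    """Tenets 3, 4 and 6: per-request, dynamic, strictly enforced before access."""
    if req.identity not in APPROVED_IDENTITIES:
        decision = Decision(False, "identity not in pre-approved directory")
    elif APPROVED_IDENTITIES[req.identity]["mfa"] and not req.mfa_passed:
        decision = Decision(False, "second factor not verified for this request")
    elif req.device_id not in ENROLLED_DEVICES:
        decision = Decision(False, "device not enrolled")
    elif ENROLLED_DEVICES[req.device_id]["owner"] != req.identity:
        decision = Decision(False, "device not bound to this identity")
    elif not ENROLLED_DEVICES[req.device_id]["compliant"]:
        decision = Decision(False, "device fails posture check")
    elif APPROVED_IDENTITIES[req.identity]["role"] not in POLICY.get(req.resource, set()):
        decision = Decision(False, "policy denies role for resource")
    else:
        decision = Decision(True, "granted", session_id=secrets.token_hex(8))
    # Tenet 7: record the asserted identity and device with every decision,
    # so an unknown label on a chat is visible in the log rather than waved through.
    AUDIT_LOG.append({"time": datetime.now(timezone.utc).isoformat(),
                      "identity": req.identity, "device": req.device_id,
                      "resource": req.resource, "allowed": decision.allowed,
                      "reason": decision.reason})
    return decision
```

An unknown label such as “S M” fails at the first step, and an enrolled but non-compliant device fails at the posture check, even when the person behind it is an approved admin.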
Back to the Covington & Burling analysis.
President Biden asked his executive departments to develop guidelines and mechanisms for ensuring that commercial software met the cybersecurity guidelines his agencies were putting in place. To be sure, the regulations would apply only to software used by federal agencies or their subcontractors. But as is often the case, the regulations enacted would impact all software, because — using the case of Intuit — subcontractors using noncompliant software and SaaS would be a problem.
I likely would have recourse against Intuit, in that I could report them for apparently backdooring into my laptop to change software from desktop, non-SaaS to SaaS. I cannot imagine that the federal agencies would look kindly on a software company altering software without full disclosure. And there was NO full disclosure when Intuit apparently backdoored QuickBooks Enterprise 2021.
In addition, Biden asked the agencies to create cybersecurity regulations for commercial software that included “standards for secure software development environments, authenticating and auditing user access, encrypting data, monitoring and alerting of cyber incidents, remediating vulnerabilities, authenticating the origin of software code, and disclosure of vulnerabilities and of conformity with secure development practices.” (Covington)
It’s funny in a way — over the past several years, I have been ‘yelling’ that we need better cybersecurity legislation and standards. Until my run-in with Intuit and drilling down into what’s been happening with SaaS and cybersecurity, I had no idea that Biden and his executive departments were working on this. Where were the New York Times, the Washington Post, and the rest? This is certainly newsworthy!
EO 14028 also asked for recommendations that would encourage manufacturers of “devices” — laptops, smartphones, and the like — to include cybersecurity in their devices.
In light of the Signal incident, it’s also noteworthy that EO 14028 asked the Secretary of Homeland Security to work together with the Director of OMB “to provide the Director of OMB recommendations for logging events and preserving data within an agency’s systems, including the time period for logging, and recommended logging and security requirements. It directs agencies to protect logs via encryption to ensure forensic integrity.” (Covington)
Biden recognized that this EO encompassed far more than adding regulations that agencies and subcontractors must follow. The final section of the EO asked the Secretary of Defense to adopt requirements for “National Security Systems” that are equivalent to or exceed everything laid out in the EO. “The Order allows for exceptions to such requirements ‘in circumstances necessitated by unique mission needs’ and mandates that the requirements be codified in a ‘National Security Memorandum.’” (Covington)
PRESIDENT BIDEN’S EXECUTIVE ORDER 14110, October 30, 2023
On October 30, 2023, President Biden issued Executive Order 14110, “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence.” This has been archived here. If this is a topic you’re interested in, I recommend saving as PDF in case the Trump administration removes it completely.
Looking back just eighteen months, it’s impressive how that ‘old dude with dementia’ [sarcasm] or at minimum, his staff, was up-to-date on emerging technology and its impact on national security. In 2024, Covington & Burling uploaded a series of blog posts regarding the incorporation of AI into Biden’s EO 14028 and EO 14110. You can read those updates here.
PRESIDENT BIDEN’S EXECUTIVE ORDER 14144, January 16, 2025
On January 16, 2025, President Biden issued Executive Order 14144, “Strengthening and Promoting Innovation in the Nation’s Cybersecurity.” This has been archived here. If this is a topic you’re interested in, I recommend saving as PDF in case the Trump administration removes it completely.
It is noteworthy that Covington & Burling did not cover this EO in their January 2025 blogs. They added EO 14144 in March 2025 after it had largely been gutted.
In this EO, President Biden combined the work of his executive agencies resulting from EOs 14028 and 14110 and made them binding on those agencies. Again, as noted above: Not law, no legislation. Merely binding on agencies reporting to the president.
Another law firm, Gibson & Dunn, analyzed EO 14110 (and by extension, EO 14144) as follows:
“Some of the stated goals of the rescinded Biden AI EO were to (i) develop standardized metrics to assess AI safety, (ii) facilitate watermarking and clear labeling of AI-generated content, (iii) promote responsible innovation and invest in AI-related training, (iv) ensure that American workers were not negatively affected by AI developments, (v) protect privacy and civil rights including by mitigating the use of AI to discriminate based on personal information, and (vi) manage the risks arising from the government’s use of AI.” (Gibson)
As with Covington & Burling posts, if this is a topic that interests you, I recommend subscribing to the Gibson & Dunn blog.
WHAT TRUMP DID
On his first day in office, Trump revoked EO 14110. He replaced EO 14110 with his own EO 14179, “Removing Barriers to American Leadership in Artificial Intelligence.” That EO essentially eliminated all guardrails to AI. Pete Hegseth and Mike Waltz apparently were acting within the spirit of the new Trump regime when they ignored regulations that have not yet been revoked.
Trump also issued EO 14149, guaranteeing “free speech,” at least free speech as he sees it, not as it is. Content moderation on social media is going to get harder and harder.
Trump also issued EO 14178, “Strengthening American Leadership in Digital Financial Technology,” which all but removes regulation of the cryptocurrency industry.
Trump also issued EO 14179, “Removing Barriers to American Leadership in Artificial Intelligence,” mentioned above. It does what it says it does. AI is no longer regulated.
Of note: Trump did not revoke either EO 14028 or EO 14144. They are technically still in force, although you wouldn’t know that from the actions of Hegseth, Waltz, et al.
However, follow the news on this closely.
On January 23, Naomi Schalit wrote, “the new Trump administration gutted all advisory panels for the Department of Homeland Security. Among these was the well-respected Cyber Safety Review Board, or CSRB.” Schalit points out that this included the task force investigating the Salt Typhoon cyber attacks. Note that this also terminated the interface between federal government and private enterprise.
Schalit says, “Among other activities, the hackers obtained call records data made by high-profile individuals and even the contents of phone calls and text messages. The phones of then presidential nominee Donald Trump were reportedly among those targeted.”
In light of the Signal incident, that does not look like such a great idea. Also, Trump’s phone was allegedly hacked? Why is Schalit one of the few voices reporting that fact?
On February 7, CISA was one of the first agencies that Elon Musk attacked. Three days later, Trump cut CISA’s funding by $10MM. On February 23, Brian Krebs reported that Trump-Musk had fired another 130 CISA employees, cut their budget further, and added Edward (“Big Balls”) Coristine to those who could access CISA’s computers. Not at all worrying, since Coristine is a “former denizen of the Com, an archipelago of Discord and Telegram chat channels that function as a kind of distributed cybercriminal social network.” And the grandson of a KGB double agent. Nothing to worry about with Coristine having access to CISA computers. [Sarcasm]
On March 2, NBC reported that Secretary Hegseth ordered U.S. Cyber Command to “halt offensive cyber operations and information operations against Russia,” while simultaneously increasing cyber and information operations against Ukraine and the EU.
On March 13, Wired reported in-depth about what has happened to CISA. Keep in mind, that agency is our first line of defense against cyber attacks. And it’s being gutted. Marginalized. Bad actors given access. The current leader is apparently more concerned about staying on Trump-Musk’s good side than she is about national security.
Politico filed a similar report.
This post is not meant to be an in-depth policy report, nor is it a comprehensive analysis of the dangers posed by Trump-Musk undoing the good, healthy work of the Biden-Harris administration.
Rather, my wish is that savvy people who have deep knowledge regarding SaaS and cybersecurity will see this and act. And that their action will spur ever more knowledgeable systems analysts, software devs, and white-hat-hackers to take a stand against the undermining of US national security.
Because hear me when I say: Trump’s revocation of Biden’s AI executive order, Trump’s gutting of cybersecurity agencies, Trump’s defunding of “enforcers” — that is all playing into the hands of our enemies. He is making us vulnerable by removing our defenses.
His inept Cabinet supports the destruction of our democracy. (If they are not inept, they are complicit, which is far worse.)
SaaS, cybersecurity, the five pillars of zero trust architecture — these are matters that everyday Americans should not have to think about. We should not face issues where software vendors can backdoor into standalone software we purchased outright and change the terms of the deal after the fact. Intuit would not have been able to get away with those actions if the standards of Biden’s executive orders had been implemented, and if the Consumer Financial Protection Bureau were still in place.
Perhaps it is high time that we Democrats and centrist Republicans — Republicans who may differ from us on general policy, but who give a damn about national security — should write into law the things that Biden and his executive departments undertook.
If the current regime could breathe life into a destructive Project 2025, we should start now with Project 2027 — and put it online for everyone to see. Have those bills ready for introduction on Day One of a Democratic-controlled House and Senate in January 2027. Be prepared with documents ready for signature, documents that cannot be vetoed because they passed with strong bipartisan support.
DNC, Center for American Progress, Brookings Institution, Data for Progress, Progressive Policy Institute, Bipartisan Policy Center, Institute for Policy Studies, Roosevelt Institute — could you get together and fight the current destructive regime? And let us know how we can help your efforts?
It’s lonely writing posts like this. It can feel like shouting into the void. I’m not quite ready to “leave the earth to Satan and his slaves, leave them to their future in the grave” (Black Sabbath). I would rather save ourselves before ourselves slip away. And no, I don’t listen to Nine Inch Nails. Still.
Postscript: Since President Trump did NOT revoke Biden’s EO 14028 and EO 14144, that means that Mike Waltz, Pete Hegseth, Tulsi Gabbard, JD Vance, John Ratcliffe and the rest were still bound by those two executive orders. And failed to follow them.
The third and final part of this SaaS and cybersecurity series will cover what this means for small business and what we can do to protect ourselves when government fails.
© 2025 Denise Elaine Heap. Please message me for permission to quote.