The Trump administration has issued a new national cyber strategy overview entitled the “Cyber Strategy for America,” a somewhat lean document compared to those from previous administrations but one that nevertheless outlines a number of significant changes.
One of the significant developments is the promise of increased pressure on international cybercrime gangs, including what seems to be a promise of strike-first policies when these actors are identified as a threat to the country. It also states that responses to cyber threats will not be confined to the “cyber realm.” On the more purely defensive front, it directs federal agencies to begin adoption of AI-powered cybersecurity solutions and asks the government more generally to support AI development innovations that can contribute to national security.
Trump cyber strategy promises more aggressive approach to criminal threats
The new Cyber Strategy devotes most of its introduction to the prospect of cyber threats to not just national and economic security, but individual American citizens. It states that this growing threat landscape will not be addressed with “partial measures and ambiguous strategies” but direct action involving all of America’s technological, intelligence and military advantages.
The Cyber Strategy is broken into six policy pillars meant to guide development of more specific measures and their future implementation. Each of these outlines consists of only one to two paragraphs without a large amount of specifics, making it a shorter and somewhat vaguer document than similar cyber policies laid out by prior administrations. There are some similarities to the Cyber Strategy established by Trump during his first term in 2018, such as its “defend forward” policy of increasing offensive action against known state-backed actors; that paper was also the one that established CISA as an entity.
The present order’s first pillar, “Shape Adversary Behavior,” seems to promise federal assistance to both Americans and allies in removing the ever-increasing number of cyber threats they are asked to weather. This includes several concrete ideas, such as incentivizing private industry partners to identify and disrupt adversary networks and improve national defense capability. Cybercrime and intellectual property theft are also specifically mentioned as serious economic threats.
The second pillar, “Promote Common Sense Regulation,” promises to “streamline cyber regulations to reduce compliance burdens, address liability, and better align regulators and industry globally” in the interest of providing private partners with the agility to address emerging cyber threats.
The third and fourth pillars, “Modernize and Secure Federal Government Networks” and “Secure Critical Infrastructure,” more directly address national defense measures to be taken up by the federal government. The language here is generally vague in terms of goals, but one specific that stands out is a call for “AI-powered cybersecurity solutions” to be adopted in defense of federal networks. The critical infrastructure portion of the Cyber Strategy also calls for hardening of vendors and services, including a move away from vendors and products located in adversary countries.
The fifth pillar, “Sustain Superiority in Critical and Emerging Technologies,” gets into more specifics about AI. This includes mentions of the adoption of post-quantum cryptography and secure quantum computing, as well as improvement to the security of blockchain technology. It also calls for improvements to the defenses of AI data centers and the rapid adoption of agentic AI in cyber defense. Finally, “Build Talent and Capacity” calls for a pipeline to develop and share talent from within the American workforce.
John Watters, CEO and Managing Partner at iCOUNTER, expands on the optimistic vision of what this approach might look like going forward and the benefits organizations might see from it: “The Cyber Strategy for America, and accompanying Executive Order, cover common objectives of prior administrations with one bold and important difference – President Trump makes it clear that the Government will now lean in to help protect the entirety of our national interests, not just government infrastructure.”
“In a country where 90% of our critical infrastructure is in commercial hands, this is a game changer. The commercial sector has owned cyber risk without the tools or authorities required to defend forward. If our national cyber capabilities embedded in Cyber Command, NSA, and other Government agencies are tasked with defending our commercial sector, it changes the risk calculus for attackers,” noted Watters.
Michael Bell, Founder & CEO, Suzu Labs, takes a more critical view of the realities of implementation given the administration’s prior moves in this area: “The six pillars are the right priorities, and the strategy reads like people who understand the threat landscape were involved in writing it. Post-quantum cryptography, private sector offensive operations, regulatory streamlining, AI security. All correct. But a strategy without a budget is a press release. The implementation plans need acquisition reform, real funding for post-quantum migration, and measurable timelines. That’s what separates policy from paper.”
“Thousands of cleared cyber professionals left government service over the last decade. They kept their skills current. They understand operational tempo and classification requirements. The SOF community figured out contractor augmentation 20 years ago. The strategy says, ‘unleash the private sector,’ and the direction is right, but the contracting vehicles for rapid classified offensive work don’t exist yet. Build those and you have a real capability. Without them, you have a slogan,” noted Bell. “The strategy calls the cyber workforce a strategic asset. The same administration cut roughly a thousand CISA employees who were doing vulnerability disclosure, threat briefings, and incident coordination. The strategy promises public-private partnership, but the liability protections that made threat intelligence sharing work between government and industry expired and haven’t been replaced. At some point the budget has to match the strategy, or the strategy doesn’t mean anything.”
New cyber strategy shifts from regulating major tech providers to unleashing offensive capability
The Cyber Strategy paper touches on the role of the U.S. Cyber Command in military campaigns as well, such as its deployment to jam communications in the recent actions against Iran and Venezuela. It remains to be seen if this means these capabilities will also be brought to bear against foreign private criminal groups that threaten critical infrastructure, such as ransomware gangs that lock up health care facilities or local government functions. The administration has made clear that it broadly considers acts of cyber hostility against critical infrastructure to be acts of war.
The paper does specify that the attorney general will be directed to be more aggressive in prosecuting fraud and scams that originate from sources beyond national borders, and that the Secretary of State will be empowered to impose new consequences on countries that do not take sufficient action against organized scam rings within their territory.
One area that the Cyber Strategy surprisingly does not touch on directly is the issue of attacks from national rivals for espionage and potential conflict positioning purposes, particularly by China and Russia. Recent aggressive campaigns by China in particular almost certainly must have informed this strategy, but the paper avoids mentioning them directly in favor of more general statements against all types of transnational threats. The biggest question left hanging in this area is whether sufficiently damaging cyber attacks, particularly those against critical infrastructure, will be treated as if they were a physical military attack going forward.

