Trump’s New National Cyber Strategy and the Threat of Inconsistent Defense
What the New Cyber Strategy Means for Our Cyber Future
If you’ve been watching the news at all, the contents of the Trump Administration’s new National Cyber Strategy should come as no surprise. Less a cyber strategy than an Administration love letter to itself, the seven-page document spends about two-and-a-half pages laying out how the US will approach cybersecurity, emerging technology, regulation, and critical infrastructure over the next three years. The country was overdue for a new cyber strategy, but what arrived with a whisper late on a Friday was a short but significant shift into an offensive posture, one that is short on details and abandons many of the defense-oriented pillars of the Biden cyber strategy. In two-and-a-half pages, the strategy packs in a lot:
Regulation
AI
Quantum
Blockchain
Critical Infrastructure
Offensive Cyber
The Maduro Raid
Details are scarce, but one thing is clear: the Administration views its approach to cyber much the same as it views its approach to the use of military force. Offensive capabilities are presented as the answer to the nation’s cyber problems, and the strategy uses not-so-subtle language to threaten malicious cyber actors of all types. But within the tangle of tough talk, there are real gaps.
The problem has never been whether the US has the cyber capabilities to compete globally. The problem is that the US cannot consistently enforce cybersecurity across its critical infrastructure and private sector. However good American offensive cyber power may be, the attack surface available to malicious actors is simply too large.
The strategy abandons many of the previous Administration’s efforts to unify defense and shift defensive burdens away from individuals and small companies. While this strategy was released quietly on a Friday, it should not go unnoticed by the cyber and emerging-technology communities, precisely because of its lack of detail. In a global moment where multiple conflicts are underway, this strategy signals a potential for escalation that will affect not only offensive assets but also the systems the strategy claims to defend.
Making Policy
Policy is easy to criticize. In the hours following the release of the Trump cybersecurity strategy, there was no doubt a cacophony of voices from the cybersecurity community decrying the document for omissions ranging from minute details to long-hoped-for strategic actions. I’ve been in the room when strategies and policies like this one have been written, rewritten, and had every word and detail fought over. I’ve had policies that I’ve written subjected to that very loud cacophony, and I’ve reflected on whether I should have done something differently.
Policies and strategies are supposed to set the broadest direction for a given subject. A common refrain in policy criticism is that a policy does not come with funding or has no “teeth” to compel action. These criticisms are always valid, because policies rarely include those measures…because they aren’t laws. Laws can compel behavior, but that tends not to be what the community wants either, because it could be (I hope you are sitting down) regulation. Instead, policies are written to create momentum behind a subject where there was none previously. They also guide how individual agencies or offices implement broader guidance. Stating the painfully obvious, a national cybersecurity strategy will not be rolled out the same way at NSA as at the Department of Transportation. But the National Cyber Strategy is intended to guide action at both places and at every agency in between.
Seen through this lens, the Trump National Cyber Strategy looks different. Its primary focus on offensive capabilities and its at-times over-the-top rhetoric are not as specific as they seem. Because it is short on details, its pillars will be interpreted differently by agencies that have widely different priorities and missions. It can feel tedious to pore over a 50+ page cyber strategy (like the Biden strategy), but that detail is not for the average reader. It is there so that the agencies to which the strategy applies can implement it evenly and consistently. This is the first failure of the Trump National Cyber Strategy. Its preference for touting Administration accomplishments over detail on the strategy’s vision is a vulnerability. It means that agencies will interpret what they need to do (if anything) very differently, and our defensive cybersecurity posture in particular is likely to suffer for it.
This strategy alone was never going to fix these issues wholesale, but it should have directed specific agencies to do specific things within specific timelines. The document is a quick read and it talks tough, but the practical implementation of its goals is uncertain.
What’s Not in There
As proven the first time around, Donald Trump is not a president who hesitates to create new branches of the military. For many years, a certain corner of the cyber world has been clamoring for a US Cyber Force. This strategy did not approach the topic, much less establish the branch. That is a telling omission in a document that takes a very military-first posture toward cyber. If there was going to be a moment to create such a branch, this was probably it. The creation of a Cyber Force would come with considerable complications, so its omission is not inherently bad, but it does say something about the branch’s prospects.
The strategy does mention quantum computing and post-quantum cryptography, which is a good sign. However, the Administration still seems stuck in the “awareness phase” of quantum rather than the implementation phase. Policy and legislative action on quantum are not in short supply. As of August 2025, there is draft legislation to create a National Quantum Computing Cybersecurity Strategy. This is in addition to the Quantum Computing Cybersecurity Preparedness Act of 2022, National Security Memorandum 10 of 2022, and the DHS post-quantum cryptography roadmap of 2021. NIST published its first post-quantum cryptography standards (FIPS 203, 204, and 205) in August 2024, so the algorithms to migrate to are already defined. So, what’s the problem?
The issue around quantum is not whether we know about it. It’s not whether we’ve written policy or legislation about it. It’s about whether we care enough to start taking action.
The frustrating thing about quantum is not the science and it’s not the quirks. It’s that many people refuse to take the time to understand it and action suffers as a result.
The threat that quantum computers pose to asymmetric encryption (the RSA and elliptic-curve algorithms that underpin TLS, code signing, and key exchange) is one of the biggest cybersecurity threats we will face in our generation. It received 13 words in our cybersecurity strategy.
Another glaring omission is the software bill of materials, or SBOM. SBOM gained popularity after major cyber events like SolarWinds, when a compromised update to a widely deployed IT-monitoring product became a national espionage vulnerability. This led to the idea that consumers should know what additional software is baked into a product they purchase: which libraries and components, at which versions, so that when one of them is found to be vulnerable they can tell whether they are exposed. Few people call this a bad idea, but, again, implementation fails. Absent some compelling force, it is clear the market will not simply take this on in a meaningful way. This speaks directly to another omission: the burden shifting envisioned in the Biden cyber strategy, from individuals and small companies to large manufacturers.
The more interesting choice in this strategy is how the Trump Administration frames the regulatory issue. The strategy says:
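To make concrete what an SBOM actually buys a consumer, here is a small added example (not part of the original article, and not any vendor’s tooling) that reads a CycloneDX-style JSON SBOM and checks each component against a list of known-vulnerable version ranges. CycloneDX is a real SBOM format, but the SBOM document, the product name, and the advisory list below are constructed for illustration, and the advisory identifiers are hypothetical rather than real CVEs. The check also flags components listed without a version, the most common way a delivered SBOM turns out to be useless in practice.

```python
"""Minimal SBOM consumer: parse a CycloneDX-style JSON SBOM and check its
components against known-vulnerable version ranges.

Added example for illustration, not code from the original article.
The SBOM and advisories are constructed; advisory ids are hypothetical.
"""
import json
from typing import Dict, List, Optional, Tuple

# Constructed CycloneDX-style SBOM for a fictional product "acme-monitor".
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "acme-monitor", "version": "3.2.0"}},
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "openssl", "version": "3.0.10",
         "purl": "pkg:generic/openssl@3.0.10"},
        # Listed without a version: an incomplete SBOM entry.
        {"type": "library", "name": "left-pad", "purl": "pkg:npm/left-pad"},
    ],
})

# Constructed advisories (hypothetical ids): a component is affected when
# its version is strictly below the first fixed version.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "name": "log4j-core", "fixed_in": "2.17.1"},
    {"id": "EXAMPLE-0002", "name": "openssl", "fixed_in": "3.0.8"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1) so tuples compare numerically.
    Non-numeric segments (e.g. 'rc1') sort as 0."""
    parts = []
    for seg in v.split("."):
        digits = "".join(ch for ch in seg if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def parse_sbom(text: str) -> List[Dict[str, Optional[str]]]:
    """Return a flat list of components; nested components are flattened."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    flat: List[Dict[str, Optional[str]]] = []

    def walk(components):
        for c in components:
            flat.append({"name": c.get("name", ""),
                         "version": c.get("version"),
                         "purl": c.get("purl", "")})
            walk(c.get("components", []))  # CycloneDX allows nesting

    walk(bom.get("components", []))
    return flat


def check_sbom(text: str, advisories=ADVISORIES):
    """Return (affected, unversioned).

    affected:    list of (advisory id, component name, shipped version)
    unversioned: component names that cannot be checked at all
    """
    affected: List[Tuple[str, str, str]] = []
    unversioned: List[str] = []
    for comp in parse_sbom(text):
        if not comp["version"]:
            unversioned.append(comp["name"])
            continue
        for adv in advisories:
            if (adv["name"] == comp["name"]
                    and parse_version(comp["version"]) < parse_version(adv["fixed_in"])):
                affected.append((adv["id"], comp["name"], comp["version"]))
    return affected, unversioned


if __name__ == "__main__":
    hits, missing = check_sbom(SAMPLE_SBOM)
    for adv_id, name, ver in hits:
        print(f"AFFECTED {name} {ver} ({adv_id})")
    for name in missing:
        print(f"UNVERSIONED {name}: cannot assess")
```

Run against the constructed SBOM, the check reports log4j-core 2.14.1 as affected, clears openssl 3.0.10 because it is past the fixed version, and flags left-pad as unassessable because no version was recorded. That last result is the point of the exercise: an SBOM is only as useful as the completeness of what the manufacturer put in it, which is exactly the part a market left to itself tends not to bother with.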
Cyber defense should not be reduced to a costly checklist that delays preparedness, action, and response. We will streamline cyber regulations to reduce compliance burdens, address liability, and better align regulators and industry globally. We will streamline data and cybersecurity regulations to ensure that the private sector has the agility necessary to keep pace with rapidly evolving threats.
Anyone familiar with cyber regulatory issues should be left asking: which regulations are we talking about? In the US, we often talk about how our decentralized approach to things like critical infrastructure creates resilience: you can’t hack our entire energy grid or our entire election system at once. This is true, but there is an oft-ignored downside. That decentralization also means we apply cybersecurity measures unevenly. The cybersecurity posture of the financial sector is in no way the same as that of the dams sector or the healthcare sector. The same is true among universities, private companies, and startups. Yes, we are decentralized, but we are also inconsistent. Having “checklists” isn’t burdensome; it is almost literally the least we can do. Removing basic exercises like SOC 2 (an industry attestation rather than a government regulation) won’t make us better; it will make us more complacent. At least now we have some incentive to do the bare minimum, even if it is imperfect. This is not a pro-regulation stance; it is a pro-consistency stance. As stated, the problem here isn’t whether we have a strong offensive cyber capability. The problem is that our defensive measures are not applied consistently.
What’s Next
The strategy uses tough language but will exacerbate the inconsistency problem. Strategies like this one are intended to guide broad action toward the same goal. While this strategy articulates pillars, it leaves their implementation largely to the imagination. Dropping basic cyber tenets like SBOM, burden shifting away from individuals, and potentially even the bare-minimum cybersecurity checklists is not a step toward security.
There are a lot of very smart cybersecurity minds in government who will see this strategy in a similar light. All of us need to hope that those people will take implementation seriously and use the lack of clear direction to move toward better policies and away from the kinds of actions that will leave us more vulnerable.


