Analyzing "President Trump's Cyber Strategy for America"

The White House has released a new national cybersecurity strategy titled "President Trump's Cyber Strategy for America" (Strategy). The Strategy was released on the same day as an executive order targeting foreign-based cybercrime and predatory schemes.

The Strategy establishes six "policy pillars" that position cybersecurity as core to the Administration's broader economic, military, and national security goals. The Strategy describes cybersecurity as a domain of conflict in which adversaries—including nation‑states and transnational criminal organizations—must be confronted and, where necessary, punished. The Strategy states that responses to cyber threats will not be limited to the "cyber realm," signaling a willingness to integrate cyber operations with diplomatic, economic, law‑enforcement, and even military tools.

How the 2026 Strategy Compares to Prior Cybersecurity Strategies

The Strategy's most obvious difference from its recent predecessors is its length. The 2026 Strategy spans just three pages in substance, compared to roughly 34 pages in the 2023 Strategy and 26 pages in the 2018 Strategy. The prior documents included extensive background discussion, detailed descriptions of the cyber threat environment, and numerous strategic objectives intended to guide implementation across the federal government. By contrast, the new Strategy, while characterized as an "unprecedented effort" to operate in a coordinated and sustained fashion across the federal government, is largely limited to announcing high-level priorities, leaving implementation details to future executive actions and agency level initiatives.

The substance of the three strategies differs significantly too—particularly comparing the 2026 Strategy with President Biden's 2023 Strategy. The 2023 Strategy devoted substantial attention to reshaping market incentives through additional regulation, shifting liability for insecure software-to-software providers, and imposing mandatory cybersecurity standards on critical infrastructure companies and government contractors. The 2026 Strategy eschews any discussion of new regulations or increased liabilities for U.S. companies, and instead focuses on challenging foreign adversaries, streamlining regulations, and increasing reliance on the private sector to identify and disrupt attacks. At the same time, the Strategy shares various high-level priorities from the 2023 document, such as protecting critical infrastructure—albeit without the introduction of mandatory cyber requirements—disrupting malicious actors' networks, modernizing federal IT systems, and developing the nation's cybersecurity workforce.

The Strategy's Six Pillars

The Strategy establishes six "policy pillars." We examine each of those pillars below.

Pillar 1: Shape Adversary Behavior

The first pillar sets the tone for the entire Strategy. Pillar 1 calls for using the "full suite" of U.S. defensive—and offensive—cyber capabilities to deter and disrupt adversaries before they can inflict harm.

Pillar 1 of the Strategy also calls for the government to "unleash the private sector" by creating incentives for companies to identify and disrupt adversary networks. This call already has re-ignited debates about whether private companies should be permitted to "hack back"—i.e., to actively counterattack malicious cyber actors to degrade and destroy their infrastructure. Hacking back is controversial, including because it may violate cybercrime laws and expose companies to further cyber attacks.

But Pillar 1 may instead be referring to something that is already common: Cloud, telecommunications, and other technology companies routinely partner with the Department of Justice (DOJ) and other agencies to identify and disrupt botnets and other infrastructure used by malicious actors to conduct cyber attacks. The Strategy may be contemplating further incentives to expand and deepen these types of partnerships.

While Pillar 1's confrontational tone distinguishes the 2026 and 2023 strategies, the Strategy's emphasis on disrupting malicious cyber attacks is not new. A pillar of the 2023 Strategy called for the federal government to use "all instruments of national power" to disrupt and dismantle threat actors capable of inflicting damage on the U.S. digital ecosystem, including by launching disruption campaigns against attackers and thwarting abuse of U.S.-based computing infrastructure. We analyzed these and other elements of the 2023 Strategy in a prior blog post. The 2026 Strategy drops a proposal from 2023 to impose know-your-customer requirements on cloud service providers that had been intended to identify malicious actors and prevent them from using cloud services to launch attacks.

Pillar 2: Promote Common‑Sense Regulation

The second pillar represents one of the clearest departures from President Biden's 2023 National Cybersecurity Strategy. The 2023 document called for additional privacy and cybersecurity laws, including "legislative efforts" to limit collection of and require robust protections for sensitive personal data. The 2026 Strategy pledges to avoid "costly checklist[s]" and streamline cyber regulations to reduce compliance burdens and provide companies with greater agility to respond to cyber threats. As we've discussed in prior posts, the Trump Administration already has reversed course on a Biden-era initiative to impose stricter security requirements on software providers to the federal government and has eliminated provisions of Biden's Executive Order 14144 that sought to codify more cybersecurity requirements for federal contractors. The Trump Administration also may be looking to pare back cybersecurity reporting rules for critical infrastructure companies and weaken or eliminate a rule from the Securities and Exchange Commission requiring public companies to disclose "material" cybersecurity incidents.

Pillar 2 also promises to "emphasize the right to privacy for Americans and American data," but no further detail is provided. This may refer to initiatives to limit transfers of Americans' sensitive personal data to foreign adversaries, including implementation of DOJ's rule restricting transfers of bulk personal data to China and other "countries of concern" and the Federal Trade Commission's recent warning to data brokers about their responsibilities under the Protecting Americans' Data from Foreign Adversaries Act.

Pillar 3: Modernize and Secure Federal Government Networks

Pillar 3 emphasizes modernization of federal IT systems, faster deployment of new technologies, and improved coordination across agencies. The Strategy highlights technologies such as AI-enabled intrusion defense and deterrence, automation, cloud computing, and post-quantum cryptography as tools to strengthen federal networks and reduce systemic risk.

Pillar 3 also highlights the need to modernize federal procurement processes to ensure agencies can access cutting-edge cybersecurity tools more quickly and competitively. This emphasis aligns with recent Trump Administration executive actions to remake federal procurement, including President Trump's executive order on "Restoring Common Sense to Federal Procurement" and the ongoing "Revolutionary FAR Overhaul."

Pillar 4: Secure Critical Infrastructure

Pillar 4 calls for protecting critical infrastructure sectors, including energy, financial services, telecommunications, data centers, water utilities, hospitals, and critical supply chains. As in prior strategies, the Strategy emphasizes public-private collaboration as essential to securing these systems.

The Strategy's approach, however, differs meaningfully from the 2023 Strategy. While both documents stress collaboration, the 2023 Strategy paired that collaboration with a call for mandatory cybersecurity requirements for certain critical infrastructure sectors. The 2026 Strategy omits any reference to mandatory requirements.

Notably, Pillar 4 calls for the federal government to "galvanize" the role of state, local, Tribal, and territorial authorities to complement national cybersecurity efforts. President Trump issued an executive order in February 2025 to increase state and local authorities' responsibilities for protecting critical infrastructure.

Pillar 5: Sustain Superiority in Critical and Emerging Technologies

Pillar 5 focuses on maintaining U.S. leadership and advantages in areas such as AI, quantum computing, and post‑quantum cryptography, and support the security of cryptocurrencies and blockchain technologies. The Strategy discusses the need to secure these emerging technologies from cyber threats and to leverage AI (and specifically agentic AI) to more effectively respond to cyber threats. Pillar 5 also emphasizes the need to counter foreign AI systems used for censorship and surveillance.

Pillar 6: Build Cyber Talent and Capacity

Pillar 6 addresses the development of the U.S.'s cybersecurity workforce. This pillar is short on details but aims to "eliminate roadblocks" preventing a public-private sector build up of a "highly skilled cyber workforce."

President Trump's New Cyber Executive Order

On the same day the White House released the Strategy, President Trump issued an executive order titled "Combating Cybercrime, Fraud, and Predatory Schemes Against American Citizens" (Executive Order). The Executive Order reflects many of the Strategy's core themes, particularly efforts to proactively disrupt cyber threats.

The Executive Order targets transnational criminal organizations (TCOs) engaged in ransomware, phishing, financial fraud, "sextortion," impersonation scams, and other cyber‑enabled schemes that disproportionately harm vulnerable Americans. The Executive Order directs relevant agencies, including DOJ and the Departments of Homeland Security, State, Treasury, and Defense, in coordination with the Office of the National Cyber Director, to conduct a comprehensive review of existing operational, technical, diplomatic, and regulatory tools used to combat cyber‑enabled crime. Within 120 days, agencies must submit an action plan identifying the TCOs responsible for scam centers and cybercrime and proposing measures to prevent, disrupt, investigate, and dismantle their operations.

The Executive Order also directs DOJ to prioritize prosecutions of cyber‑enabled fraud and scam schemes and to submit recommendations regarding the establishment of a Victims Restoration Program that would return seized or forfeited funds to victims. In addition, it instructs the Secretary of State to engage foreign governments to demand enforcement action against cybercriminal organizations operating within their borders and to impose consequences—including sanctions and visa restrictions—on countries that "tolerate predatory activity."

Looking Ahead

The Strategy communicates a clear shift away from binding cyber requirements and toward deterring cyber attackers, punishing adversarial actors' nations, and deregulating industry. For technology providers and cloud service companies, the Strategy may mean fewer new compliance mandates, but increased expectations around cooperation with law enforcement and national security agencies. Given that the Strategy is brief and high level, the details of the Administration's cybersecurity priorities remain to be seen.

DWT's information security team will continue to monitor the Trump Administration's implementation of the Strategy and new Executive Order.

+++

Michael Borgia is a partner and Andrew Lewis is counsel in the privacy and security group in the Washington, D.C. and San Francisco offices of DWT. For more insights, reach out to Mike, Andrew, or another member of our privacy and security team or sign up for our alerts.