Eye on Policy

Tom Temin

“Eye on Policy” is a monthly article by Tom Temin, who offers his expert insights on the latest government IT developments, trends, and challenges to the DGI audience. Tom is the former host of “The Federal Drive” on Federal News Network, and a respected journalist covering federal technology and policy. With his deep understanding of federal operations and technology, his analysis will be an invaluable resource for professionals navigating the evolving landscape.

New Cyber Strategy: Where’s the Meat?

When the Trump administration released its national cybersecurity strategy last month, regular consumers of detailed federal policy might have had a “where’s the beef?” moment.

Shortly after the strategy came out, a cataclysmic event—the war against Iran and its proxy terror groups—showed vividly why cybersecurity is not merely academic. The war has let loose a torrent of malicious activity in cyberspace. If ever it was critical to keep cyber defenses such as patches and deterrent measures up to date, it’s now.

Iran has shown surprising adeptness at coordinating physical and cyberattacks. For example, it sent malware disguised as bomb shelter information to Israeli Android phones timed to coincide with missile barrages.

Notably, a cyberattack originating with the Iran group Handala struck medical data company Stryker in mid-March, wiping data from thousands of devices.

Analysts at Flashpoint, one of the many cybersecurity firms tracking the effects of the war, put it this way: “Cyber campaigns targeting major companies are occurring alongside physical disruption to energy and logistics infrastructure. That combination is designed to amplify impact. For organizations, it means planning for concurrent disruption across multiple domains rather than treating cyber and physical risk separately.”

This has all prompted the Cybersecurity and Infrastructure Security Agency (CISA) to update its generalized set of warnings and other information for dealing with this hornet’s nest. The only mitigating factor is Iran’s clampdown on its own internet access, which limits attacks that can originate from within the country.

Russia has also stepped up its cybersecurity warfare. CISA issued a warning about a phishing campaign hitting messaging applications. “The activity targets individuals of high intelligence value, such as current and former U.S. government officials, military personnel, political figures, and journalists,” CISA stated.

So it’s a good time to look again at the Trump administration’s seven-page national cybersecurity strategy, which includes five pages of text (one of which is a cover letter). It didn’t get a great deal of attention last month because it sounds more like boosterism than policy. Closer reading reveals shifts in how the government is going about cyber.

The document is vintage Trump, calling his strategy superior to anything that came before: “Unlike other Administrations, the Trump Administration will not tinker at the edges and apply partial measures and ambiguous strategies that neglect the growing number and severity of cyber threats. President Trump will continue to address threats in cyberspace directly.”

But how?

Earlier cybersecurity strategies included detailed timelines for specific steps agencies should take. This one takes a strong tone, promising “adversaries are on notice that America’s cyber operators and tools are the best in the world and can be swiftly and effectively deployed to defend America’s interests.”

The strategy mentions crucial topics in cybersecurity, such as zero trust, artificial intelligence to counter AI-powered attacks, and the increasingly urgent need to install quantum-resistant encryption, also known as post-quantum cryptography. (Such cryptography is important to establish now, before quantum computers capable of cracking FIPS-140 encryption even exist. The thinking goes, adversaries can steal databases now, including their classical encryption, and simply wait to decrypt them with a future quantum computer.)

The Trump strategy promises to accelerate modernization and security of the government’s own networks, stating, “We will prioritize the security and resilience of the National Security Systems that underpin our military, intelligence, and civilian enterprises.”

In essence, the document continues the efforts already in place and underscores them with a “we really, really, really mean it” statement.

For contractors—who routinely parse out administrations’ plans, searching for clues on how to most meaningfully approach the government—this document provides little explicit direction.

Yet there are clues in the six “pillars of action” in the strategy. Three examples:

  1. Unleashing offensive: In its “shape adversary behavior” pillar, the strategy states, “We will deploy the full suite of U.S. government defensive and offensive cyber operations. We will unleash the private sector by creating incentives to identify and disrupt adversary networks and scale our national capabilities.” Companies have been reluctant to “shoot back” when it comes to cybersecurity attacks. The government has, so far as we know, operated equally cautiously.
    Key takeaway: Now is the time to openly develop and demonstrate offensive cyber capabilities.
  2. Still less regulation: In the “promote common sense regulation” pillar, the strategy repeats a fundamental Trump administration tenet to reduce regulation on business. “We will streamline cyber regulations to reduce compliance burdens, address liability, and better align regulators and industry globally,” it says.
    Key takeaway: Companies should take a fresh look at compliance and other regulations that add cost and burden but not better cybersecurity, and be ready to present them to regulators.
  3. Better IP protection: The strategy’s “sustain superiority in critical emerging technologies” pillar urges protecting U.S. intellectual property in artificial intelligence. It states, “We will swiftly implement AI-enabled cyber tools to detect, divert, and deceive threat actors. We will rapidly adopt and promote agentic AI in ways that securely scale network defense and disruption.”
    Key takeaway: As shown in the big spat between the Defense Department and Anthropic, the administration wants unfettered use of AI in the warfighting domain. Here again, contractors that can show both offensive and defensive AI capabilities will have the edge.

“President Trump’s Cybersecurity Strategy for America” may lack detail. But it does chart a partially new course to deal with a problem that worsens by the month.