The White House last week published a new national cyber strategy promising a more assertive response to digital threats, signalling that Washington intends to rely more heavily on deterrence as cyber conflict becomes increasingly entwined with geopolitical competition.
At just a few pages long, President Trump’s Cyber Strategy for America is noticeably briefer than the documents that preceded it. Trump’s framework sets out six broad priorities — from deterring adversaries and protecting critical infrastructure to reforming cyber regulation and maintaining leadership in emerging technologies — but leaves out much of the implementation detail.
‘We are adopting AI faster than we are governing it. You cannot ban algorithms any more than you can ban mathematics. Pandora’s box is already open. The only viable path forward is governance, and zero trust provides the blueprint.’ – John Kindervag, creator of zero trust.
A central theme running through the strategy is deterrence. The document argues that the United States should no longer expect citizens and companies to “fend off sophisticated military, intelligence, and criminal adversaries in cyberspace alone.” Instead, it says Washington will deploy “the full suite of US government defensive and offensive cyber operations” while working with allies and the private sector to disrupt hostile networks and raise the costs for attackers.
“We will unleash the private sector by creating incentives to identify and disrupt adversary networks and scale our national capabilities,” the strategy notes. “We must detect, confront, and defeat cyber adversaries before they breach our networks and systems.
When it comes to regulation, the administration argues that cybersecurity policy should avoid becoming an overly bureaucratic compliance exercise that slows operational responses to threats.
“Cyber defense should not be reduced to a costly checklist that delays preparedness, action, and response,” the strategy states, adding that the government intends to streamline cyber and data regulations to reduce compliance burdens and better align regulators with industry.
The pages-long strategy also calls for modernising federal government networks and improving the security of public-sector systems, which have long been criticised for relying on outdated infrastructure. Protecting critical infrastructure sectors such as energy, transport, and telecommunications is presented as a parallel priority, reflecting the growing recognition that much of the infrastructure underpinning national security is owned and operated by private companies rather than governments.
“We must move away from adversary vendors and products, promoting and employing US technologies,” the document says. “We will deny our adversaries initial access, and in the event of an incident, we must be able to recover quickly. We will galvanize the role of state, local, Tribal, and territorial authorities as a complement to—not a substitute for—our national cybersecurity efforts.”
One key principle of this planned modernisation is zero trust, a cybersecurity concept based on the philosophy “never trust, always verify.”
John Kindervag, creator of zero trust, told Resilience Media that this sends a “clear message” that the future of US cyber resilience “will not be built on trust, hope, or speed alone, but on visibility, control, and deliberate design.”
“We are adopting AI faster than we are governing it. You cannot ban algorithms any more than you can ban mathematics. Pandora’s box is already open. The only viable path forward is governance, and zero trust provides the blueprint,” Kindervag added.
The document also repeatedly emphasises a closer partnership with industry — another big shift for the US government. This could imply a couple of different interpretations. Internally, agencies in the past might have been more involved in building and operating its own cybersecurity having contracted with private companies to provision a basic service; now this might be approached differently. Externally, the framework also implies a very hands-off approach to how cybersecurity might get implemented by private companies: it argues that the government should create incentives and frameworks that enable companies to identify and disrupt adversary networks and strengthen national cyber capabilities, rather than relying solely on prescriptive regulatory mandates.
Cybersecurity is also framed as part of a broader race for technological dominance. The strategy highlights artificial intelligence, advanced computing, and quantum systems as areas where US leadership will shape both economic and military power in the years ahead – a familiar theme in Washington policy circles.
For all that ambition, the strategy itself remains high-level. It sketches out direction rather than a detailed plan, reinforcing the idea that cyber policy is now treated less as an IT security issue and more as a strategic contest between states.
