OPINION

Thought for the week: President Trump's Cyber Strategy for America, a baseline quietly reset

How President Trump's Cyber Strategy for America reflects a quiet reset of the baseline for U.S. government plans to use defensive and offensive cyber capabilities to protect U.S. companies.


Contributors:

Brian Hengesbaugh

CIPP/US

Global Chair, Data and Cyber

Baker McKenzie

Editor's note

The IAPP is policy neutral. We publish contributed opinion pieces to enable our members to hear a broad spectrum of views in our domains. 

This article is part of an ongoing series that will explore issues or recent developments in data, cybersecurity and artificial intelligence governance. 

U.S. President Donald Trump's Cyber Strategy for America, issued last week, quietly resets the baseline for how the federal government plans to utilize defensive and offensive cyber capabilities to protect U.S. companies in the global environment.

By way of brief context, we have witnessed extraordinary developments in the cyber world over the past few weeks. The U.S. and Israel launched large-scale air and missile strikes against Iranian leadership 28 Feb., leveraging cyber and space capabilities to impede Iran's ability to see, communicate and respond to the attacks. On 11 March, an Iran-backed hacking group launched an unprecedented cyberattack against a U.S.-based medical technologies firm. The U.S. Department of Justice announced 19 March the seizure of four domains as part of an ongoing effort to disrupt hacking and other schemes by Iran's Ministry of Intelligence and Security, citing the 11 March attack on the U.S. company and other developments.

Setting aside larger geopolitical dimensions, from a U.S. company cyber defense perspective, the world has changed. We now have a concrete example of a foreign adversary carrying out a cyberattack against a U.S. company in connection with a military conflict. The cyber strategy recognizes this new reality. It specifies that U.S. companies should not have to fend off sophisticated military adversaries alone, and that the U.S. government will use its cyber capabilities for both offensive and defensive missions.

The point that U.S. companies should not miss is the implicit acknowledgment that they may become overt targets of cyberattacks in the midst of real-world military actions.

The Cyber Strategy for America is framed around six policy pillars to guide national strategy.  

1. Shape adversary behavior. The first pillar directly addresses the issue that is top of mind: "American citizens, companies, and our allies should not have to fend off sophisticated military, intelligence, and criminal adversaries in cyberspace alone. We will deploy the full suite of U.S. government defensive and offensive cyber operations. We will unleash the private sector by creating incentives to identify and disrupt adversary networks and scale our national capabilities."

In a world where foreign adversaries now overtly deploy cyberattacks against private-sector companies as a "non-kinetic" front in military confrontations, the U.S. government will deploy the "full suite" of defensive and offensive cyber operations to help the companies.

It's not specified, but my sense is the defensive actions could include steps such as increased threat intelligence sharing — for example, classified or declassified threat briefings, seizure of criminal or state-actor domains, and the like.

On the offensive side, we might not see all of this, but this may mean that national security authorities would engage in more forward operations, such as preemptive disruption of malicious campaigns, degradation of foreign adversary cyber units, and other actions that directly affect threat actors targeting U.S. private-sector companies.

2. Promote common sense regulation. The second pillar focuses more on commercial regulation and aligns with other administration policies to deregulate artificial intelligence and foster business development: "Cyber defense should not be reduced to a costly checklist that delays preparedness, action, and response. We will streamline cyber regulations to reduce compliance burdens, address liability, and better align regulators and industry globally."

My expectation is this means we should not expect to see federal cyber or data regulation that requires minimum standards, even though federal preemption of rapidly growing state laws on these topics arguably could have a deregulatory impact.

3. Modernize and secure federal government networks. The third pillar focuses on federal government information systems: "We will accelerate the modernization, defensibility, and resilience of federal information systems by implementing cybersecurity best practices, post-quantum cryptography, zero-trust architecture, and cloud transition."

The post-quantum cryptography point stands out, as that is an area of increasing concern given that, over time, cryptography that is reliable and secure today will come increasingly under attack.

4. Secure critical infrastructure. The fourth pillar focuses more directly on enhancing cyber protections for critical infrastructure: "We will identify, prioritize, and harden America's critical infrastructure and secure its supply chains, including defense critical infrastructure and adjacent vendors, private companies, networks, and services — such as the energy grid, financial and telecommunications systems, data centers, water utilities, and hospitals — securing information and operational technology supply chains. We must move away from adversary vendors and products, promoting and employing U.S. technologies. We will deny our adversaries initial access, and in the event of an incident, we must be able to recover quickly."

Much ground is covered by this pillar. First, a nice articulation of the "critical infrastructure" that is of most concern to the U.S. administration. Second, an indication that U.S. administration policy may continue to trend toward bans on government procurement of, and in some instances, private sector use of sensitive technologies or products. And third, an affirmative indication of intent to promote U.S. domestic products and services in this space.

5. Sustain superiority in critical and emerging technologies. The fifth pillar aims to promote superiority in AI and critical and emerging technologies: "Securing American innovation and protecting our national intellectual advantage will be paramount. ... And we will secure the AI technology stack — including our data centers — and promote innovation in AI security. We will swiftly implement AI-enabled cyber tools to detect, divert, and deceive threat actors. We will rapidly adopt and promote agentic AI in ways that securely scale network defense and disruption." This suggests further promotion of private sector innovation and growth, and use of AI for cyber defense.

6. Build talent and capacity. The sixth pillar focuses on development of human talent: "President Trump has called America's cyber workforce a strategic asset that 'protects the American people, the homeland, and the American way of life.' It is an asset worthy of great investment and essential to our nation's economic prosperity and security." This pillar goes on to further develop the concepts of talent pipelines, schools, training, and the like, which are essential to the country.

What are some key takeaways for U.S. companies from this cyber security strategy? There are many points embedded in the document, but several key takeaways stand out.

U.S. companies, particularly in critical infrastructure, need to be mindful of the step change in nation state cyber risk. As illustrated in the extraordinary developments over the past few weeks, U.S. companies can be on the front lines in military conflicts, which represents a step change in the cyber threats U.S. companies face.

In particular, while companies have faced nation state threats for some time, such activities have generally focused on theft of intellectual property or data, espionage or the like. In contrast, the deployment of such nation state cyber resources for military purposes could result in the application of formidable country-level resources to carry out goals related to destruction, which could give rise to significant disruption of business operations and other consequences.    

The U.S. government plans to take defensive and offensive cyber actions to protect U.S. companies against foreign adversaries. The good news is that the U.S. government is announcing its plans to use its cyber capabilities to take defensive and offensive actions to protect U.S. companies against foreign adversaries, with a particular focus on critical infrastructure. It's likely we will not learn about many of those efforts, although some overt activities — such as the DOJ's 19 March actions described above — may become publicly available.

U.S. companies should not wait for the federal government to help with these increased cyber threats. In the aggregate, federal government actions should help reduce the frequency and severity of cyberattacks against the U.S. private sector generally, but each U.S. company, particularly those related to critical infrastructure, should revisit their existing programs given this step change in cyber risk.  
