President Trump unveils new Cyber Strategy that's big on bluster, but light on detail

The White House promises to take the fight to criminal and nation-state adversaries in both offensive and defensive cyber operations.

President Trump has unveiled a new "Cyber Strategy for America" that promises to make criminals, threat actors and nation-state adversaries "feel the consequences of their actions".

In a document bristling with Trumpian braggadocio, the White House said it would target enemies ranging from "lawless foreign hacking companies" to shadowy info-warriors polluting social media with anti-American propaganda.

The language of the briefing is certainly more stirring than the average public sector cybersecurity briefing, with Trump promising that "American power will finally stand up in cyberspace".

However, whilst the strategy goes hard on rhetoric, it does not contain much in the way of concrete announcements about how the US will actually achieve its goals in the digital realm.

Trump wrote: "Our cyber tools and operators are the best in the world - and we are empowering them to defend America by disrupting and disorienting our adversaries, and denying them a safe haven.

"The United States has capabilities that the rest of the world can only begin to imagine. Our warriors in cyberspace are working every day to ensure that anyone who would seek to harm America will pay the steepest and most terrible price."

Cyberwar like never before? Not quite...

Calling for "a level of coordination, commitment, and political will never before marshalled against cyber threats", Trump's strategy set out six policy pillars to guide its cyberwar operations (although it did not use that exact word).

The first involves "shaping adversary behaviour", focusing on offensive and defensive cyber-operations against criminal and nation-state actors.

It is worth noting that this new policy is not the first time the US has committed to offensive cyber. Modern US doctrine dates back to at least the Offensive Cyber Effects Operations (OCEO) framework formalised under Presidential Policy Directive 20 (PPD-20).

This classified strategy was signed by Barack Obama and was originally top-secret until revealed in leaks from Edward Snowden.

If you believe the US was involved in Stuxnet - a sophisticated cyber weapon that targeted Iran’s nuclear programme - then it would appear as if offensive operations have likely been part of the playbook for far longer than publicly available documents have revealed.

The Obama and Bush-era Directive reads quite differently from Trump's louder, brasher take on offensive cyber, which stated: "We must detect, confront, and defeat cyber adversaries before they breach our networks and systems. We will erode their capacity and capabilities, and use all instruments of national power to raise the costs for their aggression. We will counter the spread of the surveillance state and authoritarian technologies that monitor and repress citizens."

The other pillars of action are:

Promoting common sense regulation: Action to cut unnecessary bureaucracy and compliance pressures.

Modernising federal networks: A drive to improve the "modernization, defensibility, and resilience" of federal information systems by implementing cybersecurity best practices, post-quantum cryptography, zero-trust architecture and cloud transformation.

Securing critical infrastructure: The protection of vital infrastructure and supply chains, including the energy grid, financial and telecommunication systems, data centres, water utilities, and hospitals.

Achieving "superiority" in emerging technologies: Maintaining America's innovative lead in AI, crypto, and other new tech to "secure the data, infrastructure, and models that underpin U.S. leadership". This pillar also included a promise to "call out and frustrate the spread of foreign AI platforms that censor, surveil, and mislead their users."

Build talent and capacity: A bid to train security professionals and "recruit the next generation to design and deploy exquisite cyber technologies", including the elimination of "roadblocks" to help industry, academia, government and the military work together to build a skilled cyber workforce.

The White House said: "President Trump has made targeting Americans a hazardous business. Our adversaries have and will increasingly feel the consequences of their actions; we will dismantle networks, pursue hackers and spies, and sanction lawless foreign hacking companies. We will unveil and embarrass online espionage, destructive propaganda and influence operations, and cultural subversion."

Never trust, always verify

Overall, the Strategy is not revolutionary - but largely a continuation of previous policies. The actual methodology is likely to remain top-secret, so we don't have details of specific cyberweapons or tactics, techniques and procedures - apart from a commitment to established paradigms like zero trust.

John Kindervag, who is now chief evangelist at Illumio and wrote the first paper on this security strategy, told Machine: "Zero Trust remains a foundational pillar of U.S. cyber strategy, underscoring that it is not a political initiative tied to a single administration but a national security imperative.

"For years, Zero Trust has been misunderstood as a product, a framework, or a checklist. In reality, it is the world’s only cybersecurity strategy – one built on the recognition that trust itself is a vulnerability."

Kindervag said that the "never trust, always verify" approach to security is vital in the current era.

"What makes this moment especially critical is the rise of agentic AI," he added. "They operate with agency, often at the kernel level, and increasingly without direct human interaction. In security terms, that means AI agents can behave like insiders and potentially malicious ones.

"We are adopting AI faster than we are governing it. You cannot ban algorithms any more than you can ban mathematics. Pandora’s box is already open. The only viable path forward is governance, and Zero Trust provides the blueprint.

"Zero Trust is uniquely suited to the AI era because it doesn’t ask whether a system is 'good' or 'bad'. It asks whether a connection should exist at all. By enforcing least privilege, inspecting traffic flows, and continuously validating every interaction, organizations can constrain AI systems to do only what they are explicitly allowed to do, and nothing more.

"By reaffirming Zero Trust, the Administration has sent a clear message: the future of American cyber resilience will not be built on trust, hope, or speed alone, but on visibility, control, and deliberate design."
