On March 6, the Trump administration released its Cyber Strategy for America. At five pages, it is a lean document by Washington standards—shorter than the strategies that preceded it and lighter in detail, reading more like an early signal of direction. But with this administration, perhaps more than any other, the document’s true significance will only become clear as the U.S. government moves toward implementation.
The strategy is organized around six pillars focused on: (1) shaping adversary behavior; (2) “common sense” regulation; (3) modernizing federal networks; (4) securing critical infrastructure; (5) sustaining emerging technology superiority; and (6) building cyber workforce talent. Several ideas across these pillars deserve close attention. But before turning to what the strategy includes, it is worth dwelling on what it does not.
Putting the Strategy into Context
U.S. cyber strategies have historically balanced ambition with the need for government-wide consensus. The 2018 Trump strategy and the 2023 Biden strategy were built on interagency processes, grounded in explicit threat assessments, and tied to named initiatives with assigned responsibilities. In many ways, the 2026 Cyber Strategy for America follows the same formal template. It signals administration priorities in key areas and deals with cybersecurity as a cross-cutting issue,both domestic and international, touching on national security and economic issues. But the document departs from precedent in several important ways.
Previous strategies opened with explicit threat assessments, naming adversaries and characterizing their capabilities and intentions. China, Russia, Iran, and North Korea have been fixtures of those sections for years. For instance, the 2018 Trump cyber strategy noted that “Russia, China, Iran, and North Korea all use cyberspace as a means to challenge the United States, its allies, and partners, often with a recklessness they would never consider in other domains.” The Biden strategy expanded the assessment to include the “cyber operations of criminal syndicates” as a threat to “national security, public safety, and economic prosperity.” The 2026 document, by contrast, contains no discussion of the threat landscape the strategy is designed to address.
Past strategies also named and affirmed commitments to specific ongoing initiatives to deliberately signal to allies, adversaries, and the interagency that programs built over years would survive political transitions. This strategy does not name any initiatives, nor does it discuss the role of any specific U.S. departments or agencies in advancing the strategy. Notably, it contains no commitment to international cyber norms or applicable law—the United Nations framework of responsible state behavior in cyberspace, the bedrock of U.S. cyber diplomacy for over a decade, is conspicuously absent. It likewise contains no references to international human rights (including the freedom of expression and assembly as well as certain privacy and non-discrimination rights), long a crucial element of U.S. foreign policy in cyberspace. Allies and partners who have built their own cyber policies around the framework (and upholding human rights) will notice. And while the strategy acknowledges that defending cyberspace is a “collective effort,” it explicitly calls for a fair “distribution of cost and responsibility” among U.S. allies, which may also signal a shifting approach to multilateralism in this context, as seen elsewhere under this administration.
Key Priorities in the Strategy
In many respects, the Trump administration’s new cyber strategy reflects the broader reorientation of U.S. foreign policy outlined in the November 2025 National Security Strategy. Where previous cyber strategies were built around collective defense—shared norms and values, allied burden-sharing, international frameworks—this one is built around American primacy.
That drive for primacy in cyberspace is perhaps clearest in its treatment of “shaping adversary behavior.” Echoing senior administration officials who have publicly embraced offensive cyber operations as a routine instrument of statecraft, the strategy states that adversaries “are on notice” that U.S. cyber capabilities “can be swiftly and effectively deployed to defend America’s interests.” The preamble references offensive cyber operations in Iran and in the capture of Nicolás Maduro in Venezuela, but does not elaborate on the strategic logic behind such operations. The administration also pledges to act “proactively to disable cyber threats” in ways “not confine[d]. . . to the ‘cyber’ realm.” These statements could reflect an increased willingness to integrate cyber into cross-domain operations, as well as new thresholds for escalation in cyberspace.
The strategy also hints at a larger role for the private sector, pledging to create incentives for companies “to identify and disrupt adversary networks.” This follows discussions on the Hill about so-called cyber “letters of marque,” as well as proposals from companies themselves to more actively participate in disrupting adversary cyber operations. What remains unclear is how far these efforts would extend, what legal authorities would govern them, their compliance with international law, and what recourse firms would have if threat actors were to retaliate.
On regulation more broadly, the strategy pledges to “streamline cyber regulations to reduce compliance burdens” and “ensure that the private sector has the agility to keep pace with rapidly evolving threats.” This follows a June 2025 executive order that rolled back Biden-era cyber regulations. It marks a sharp departure from the Biden strategy, which treated regulation as a central lever for raising baseline security standards.
The strategy’s emphasis on agentic AI is among its more forward-leaning elements, calling for its use in ways that “securely scale network defense and disruption.” AI-enabled cyber operations are no longer theoretical.The November 2025 GTG-1002 campaign, in which a Chinese state-sponsored group used Anthropic’s Claude Code model to target 30 organizations, demonstrated what these capabilities look like when deployed at scale. But offensive operations involving cyber agents will require technical, legal, and policy guardrails to manage loss-of-control risks and unintended escalation. The strategy does not grapple with what responsible deployment will demand.
Implementation is the Real Test
How the strategy shapes U.S. cyber operations, and whether it succeeds or fails, will ultimately depend on its implementation. The 2018 Trump strategy and the 2023 Biden strategy were each followed by detailed implementation plans—large frameworks that assigned specific responsibilities to specific agencies, set milestones, and provided a basis for accountability. Neither was perfect, but both served the important function of forcing strategic concepts to be translated into institutional action. The Trump administration must now turn to that task.
There is some indication that the administration plans to drive implementation through executive orders. On the same day it announced this strategy, the White House rolled out a new cybercrime-focused order. Further executive orders, including on offensive cyber operations, are expected.
The more fundamental question concerning implementation is capacity. Executing a cyber strategy requires confirmed political leadership at the relevant agencies, stable and sufficient budgets, and an experienced workforce with the technical, legal, and policy expertise the job requires. On all three counts, the Trump administration faces real constraints. Key cyber leadership positions across the interagency remain unfilled or are held by acting officials without Senate confirmation. Budget pressures have already produced significant cuts at the Cybersecurity and Infrastructure Security Agency and other cyber organizations. A combination of directed firings and voluntary departures has drained institutional knowledge from agencies that took years to build.
For now, the Cyber Strategy for America reads more like a statement of intent than a comprehensive plan. The real test will be whether clearer policy guidance, legal authorities, and institutional structures follow.
