A Brief, Highly Biased Unpacking of the US’ White House Cybersecurity Strategy

On March 6, the White House announced its 2026 Cybersecurity Strategy (direct link to pdf if you don’t feel like distracting self-congratulatory scrolling bright red banner messages). The 7-page document follows a year of turmoil in the US federal government, from drastic and often seemingly random cuts to numerous agencies by the hastily created “Department of Government Efficiency” (DOGE) to a chaotic series of events that have affected the effectiveness and reputation of US cybersecurity capabilities.

The departure of respected CISA head Jen Easterly in January 2025 was followed by the disbanding of efforts to counter Russian cyber-sabotage, the firing of the head of election cybersecurity, the loss of significant funding resulting in the laying off of almost a third of CISA’s staff, and numerous other indications that the US government’s approach to information security is increasingly erratic, ideologically driven, and often seemingly self-destructive.

The release of the cybersecurity strategy reflects many of the administration’s more extreme views and priorities, while exemplifying the frequent lack of foresight and willingness to entertain realistic specifics – so let’s have a quick look.

At first glance, the six “pillars” that make up the strategy look reasonable. “Shape adversary behavior”, “promote common sense regulation”, “modernize and secure federal government networks”, “secure critical infrastructure”, “sustain superiority in critical and emerging technologies”, and “build talent and capacity” can all be easily justified. Some of these do reflect stated current administration philosophies such as “America first”, and the aggressive, confrontational approach to topics seen by the current government as anathema – among them international cooperation and regulation.

The specific wording is more troubling, though. A common theme that jumps out from the paper is the chest-thumping wording – typical of more extreme and vocal administration figures like Secretary of Defence and former Fox News morning show anchor Pete Hegseth, or Homeland Security Advisor Steven Miller. Phrases like “our warriors in cyberspace”, and “we will not confine our responses to the ‘cyber’ realm” speak to a willingness to link cyber-defence to kinetic-world offence – i.e. we won’t hesitate to deploy military and other force as a tool. In this light, the line “we must detect, confront, and defeat cyber adversaries before they breach our networks and systems” is more than a bit worrisome.

In recent decades, the NSA, DHS, and FBI have all been contributors to global cybersecurity as well as to intelligence and law enforcement actions to counter criminal and state cyber actors – despite not always acting as “the good guys”. Recently, though, US withdrawal from numerous international cooperation bodies, antagonistic rhetoric against nominal allies such as Denmark and Canada, and US actions in Venezuela and Iran have demonstrated conclusively that many of the safeguards against a much more liberal throwing around of violence have seemingly fallen by the wayside. The strategy’s wording darkly hints at a push for unilateral, hair-trigger, ruthless action in response to cyber-threats – real or perceived.

AI is mentioned 11 times in 4 pages of actual content (as is “President Trump”, for what that is worth) – not unreasonable given the prominence of AI as a topic in the security world at present. That said, phrasing like “through cyber diplomacy, we will ensure that AI—particularly generative AI and agentic AI—advances innovation and global stability” tells me absolutely nothing beyond engendering a vague suspicion that the US will seek to advance the interests of whatever AI-technology provider is currently in the administration’s good graces (not Anthropic, at the time of writing). The government’s pell-mell firing and undermining of experienced, senior functionaries and experts across almost all areas of activity also does not make the mention of AI-linked cyber-diplomacy fill me with confidence. To the contrary, it implies the type of reliance on AI tools that is a frequent hallmark of CIOs more focused on cost cutting than capability enhancement.

There are a few extremely worrisome items. One chilling example is “we will unveil and embarrass online espionage, destructive propaganda and influence operations, and cultural subversion”. The Trump administration has vocally expressed its opposition to e.g. European Union laws that restrict hate speech, and to the espousing of any form of social justice. Thus, yikes.

Some points do sound constructive. For example, the call to defend critical infrastructure, and to modernize and secure federal government networks” – absolutely, in principle. Competitive bidding and enhanced cooperation are all laudable goals. Unfortunately, reading these points in the context of the US government’s actions over the past year makes them ring false. The often random, quickly shifting favouritism shown to different corporate donors, the entertaining of foreign governments whose interests are often diametrically opposed to those of the US as a country, and the hollowing out of supervisory entities in the pursuit of twisted ideological objectives such as getting rid of “DEI” are all powerful examples that make me wonder just exactly how these finely stated goals are to be implemented.

Likewise, the final point sounds very positive – “build talent and capability”. It reads like a constructive approach to supporting education – or at least, it would if current US immigration policies and cuts to higher education grants weren’t merrily chasing both foreign and domestic talent to greener fields [1][2].

Surprisingly, I find myself agreeing with many of the elements of pillar 2 – “promote common sense regulation”. The title immediately put me on edge, given the US government’s opposition to laws such as the EU’s Digital Services Act, widely perceived as doing the bidding of US platforms such as Facebook who do not like the burden such rules impose on them to act as responsible corporate citizens. However, upon detailed reading, the section actually makes a lot of sense, and does not mention fighting unloved foreign regulation. The only element that would worry me is the mention of “we will streamline cyber regulations to […] address liability” – the cynic in me reads this as an announcement that consumers’ and citizens’ legal recourse to corporate negligence and failure to invest in cybersecurity will be undermined.

Whether the desire to “better align regulators and industry globally” is code for “we want to make sure foreign regulators do what we want them to” is left as an exercise for the reader. On its own, it’s innocuous. Again, in the context of the government’s actions and stated ideals, it’s less so. Also, “we will emphasize the right to privacy for Americans and American data” – just to be pedantic, data does not have a right to privacy. Individuals, and to some degree, organisations, do.

On the whole, the strategy is extremely light on details. That is reasonable for a high level document, but even then, it comes across more as an abstract wish list than a concrete call to action with a real plan behind it. In the words of a colleague, “it reads like it was written by Grok”. I agree.