You can include “brevity” as an unannounced component of the Trump administration’s new cybersecurity strategy: The memo published Friday afternoon documenting it spans three pages, not counting Trump’s cover letter and front and back covers.
It leads off with a policy goal the administration has been building toward for a while: Shape Adversary Behavior. That is a bureaucratic way of saying that the US will punish attackers in an unstated form.
“We must detect, confront, and defeat cyber adversaries before they breach our networks and systems,” the memo reads. “We will erode their capacity and capabilities, and use all instruments of national power to raise the costs for their aggression.”
Trump’s cover letter is a little more direct. “Our warriors in cyberspace are working every day to ensure that anyone who would seek to harm America will pay the steepest and most terrible price.”
Speaking at an online event hosted Monday by the trade group USTelecom, Trump’s national cyber director, Sean Cairncross, implied that foreign attackers should carefully consider Trump’s willingness to deploy military forces. “President Trump is making very clear that if you seek to harm Americans or you seek to harm America’s interests, you will face an American consequence,” he said. “And the same is true in cyberspace.”
An executive order posted Friday provides additional detail, instructing the Defense, Homeland Security, Justice, and Treasury Departments to collaborate on ways to “prevent, disrupt, investigate, and dismantle” the transnational organizations running the scam centers behind so many “pig butchering” cons.
That EO also directs the attorney general to create a Victims Restoration Program to compensate the targets of these and other scams. In 2024, the Federal Trade Commission estimated that Americans lost a combined $12.5 billion to fraud.
The second of six “Policy Pillars” in the document marks the most dramatic break with the Biden administration’s cybersecurity strategy: a pledge to “streamline cyber regulations to reduce compliance burdens, address liability, and better align regulators and industry globally.”
Get Our Best Stories!
Stay Safe With the Latest Security News and Updates
By clicking Sign Me Up, you confirm you are 16+ and agree to our Terms of Use and Privacy
Policy.
Thanks for signing up!
Your subscription has been confirmed. Keep an eye on your inbox!
The previous White House had emphasized detailed, prescriptive guidance to industry, backed up by formal requirements in government procurement. Cairncross described the new strategy as a break from that approach: “We’re not looking to push a compliance checklist onto industry so that the government can essentially blame-shift and say that, well, you didn’t do enough.”
The remaining four pillars don’t stray that much from previous information-security goals:
-
“Modernize and Secure Federal Government Networks,” reiterating current ambitions to strengthen federal infosec;
-
“Secure Critical Infrastructure,” which cites such sectors as water and power utilities, hospitals and telecommunications as well as their IT supply chains but leaves out voting machines and other election infrastructure;
-
“Sustain Superiority in Critical and Emerging Technologies,” a call to support uptake of cryptography that can resist codebreaking by future quantum computers as well as advances in AI security;
-
“Build Talent and Capacity,” in which the administration pledges to lower obstacles to training and hiring people to fill what Cairncross said were more than half a million open cybersecurity postings.
One security veteran professed himself unsurprised by the emphasis on imposing consequences. “We knew when he got elected in ’24 that this was going to happen,” said Bryson Bort, founder and CEO of security firm Scythe, in an interview Monday.
Recommended by Our Editors
He endorsed the strategy’s focus on post-quantum cryptography, saying that could be a reality as soon as 2027. “This is really important,” he said. “It’s another Cold War race with China.”
But even in a high-level document like this, Bort said he wanted to see something about the Cybersecurity and Infrastructure Security Agency (CISA), which is supposed to be the government’s lead office in information security but has lost a third of its workforce under Trump.
CISA doesn’t get a mention in the strategy memo, even as it cites Trump 15 times. “We’ve seen CISA get knocked down,” Bort said. “What’s the plan?”
Another security expert who led the setup of the Pentagon’s first bug-bounty program gave the strategy an overall thumbs-down for elevating public-sector offensive efforts over private-sector defenses. “The national cyber policy shift to offense first ultimately leaves the United States more vulnerable,” wrote Katie Moussouris, founder and CEO of Luta Security. “Easing expectations on private industry security and leading with offense isn’t deterrence, it’s just sparkling escalation.”
About Our Expert
Experience
Rob Pegoraro writes about interesting problems and possibilities in computers, gadgets, apps, services, telecom, and other things that beep or blink. He’s covered such developments as the evolution of the cell phone from 1G to 5G, the fall and rise of Apple, Google’s growth from obscure Yahoo rival to verb status, and the transformation of social media from CompuServe forums to Facebook’s billions of users. Pegoraro has met most of the founders of the internet and once received a single-word email reply from Steve Jobs.
Read Full Bio
![How to use TikTok [beginners, start here!]](https://blog.hootsuite.com/wp-content/uploads/2022/05/how-to-get-started-with-TikTok.png "How to use TikTok [beginners, start here!]")
