CSIS - Center for Strategic and International Studies Inc.

03/09/2026 | Press release | Distributed by Public on 03/09/2026 14:13

What Does the New Cyber Strategy Really Mean?

Critical Questions by Emily Harding

Published March 9, 2026

The Trump administration dropped its long-awaited cybersecurity strategy late on Friday, March 6. Its tone is largely commendable: it is a declaration of a more robust, more aggressive, and more proactive cyber policy. It is marked by its brevity, clocking in at four pages, plus a cover letter. However, it is more a statement of goals than a strategy. It is remarkable for what it lacks: a conversation about matching resources to these goals. Still, there are more details to come, including some executive orders reportedly in the pipeline and a robust implementation plan that remains embargoed.

In many ways, it is a statement whose time is overdue. The recently published CSIS Intelligence, National Security, and Technology Program report, A Playbook for Winning the Cyber War, called for just such a declaration to adversaries. The administration's document is a version of the Playbook's recommendation to put adversaries on notice that the United States will no longer view cyberattacks as one-offs, or the cost of doing business, but for what they are: a critical national security threat. It is past time to restore deterrence in this vital domain.

Q1: What are the strong points of the document?

A1: The document leads with a list of the Trump Administration's successes in the cyber domain, followed by a threat:

Whether destroying online scammers' networks and seizing $15 billion of their stolen money, supporting a globe-spanning operation to obliterate Iran's nuclear infrastructure, or leaving our adversaries blind and uncomprehending during a flawless military operation to bring international narco-terrorist Nicolas Maduro to justice, adversaries are on notice that America's cyber operators and tools are the best in the world and can be swiftly and effectively deployed to defend America's interests.

Where previous administrations have kept largely quiet about the United States' offensive capabilities, this strategy document is the opposite. The Trump administration has come out swinging. There is a clear statement of posture: "We will act swiftly, deliberately, and proactively to disable cyber threats to America."

Then, the document makes an absolutely critical point, for which the CSIS Playbook also advocated: "We will not confine our responses to the 'cyber' realm." U.S. strength is wasted in a proportional cyber-for-cyber campaign. U.S. adversaries are willing to engage in practices that the United States is not, such as cyber attacks on water systems and hospitals. Even in times when Washington has apparently shut down power grids, the effects have been targeted and temporary. These moral restraints are right and proper, but they also prevent Washington from attaining escalation dominance in a pure cyber-for-cyber fight. U.S. strength lies in its other tools.

Resilience is prominently featured. This is the right answer. There is no such thing as 100 percent security in the cyber domain, so the better approach is to assume there will be breaches and establish ways to work despite them. Fail and recover is a far better strategy than building ever-higher castle walls.

The strategy also leans into the necessity of pushing hard on emerging tech, including quantum and AI. Staying ahead of cyberattacks means staying ahead in critical technologies. Whoever wins the race toward AI-enabled cyber offense gains a significant, if temporary, advantage, but whoever wins the race to quantum computing wins a massive coup in decryption capability, suddenly making data stolen over the last decade readable and thus valuable.

Finally, there is a clear statement of cyber requiring a collective defense. With highly intertwined software supply chains and interdependent systems, cyber is truly a team sport. One chink in the armor can have far-reaching implications for the global economy and national security. This line is highly encouraging: "Every American should take practical steps to protect themselves and their families in cyberspace, but America's citizens do not stand alone." This sounds like a common sense approach, but it is actually a shift. Other governments, globally, have largely left defense to the victims. This more robust strategy recognizes that individuals and businesses cannot be left to manage sophisticated adversaries on their own.

Q2: What is the document lacking?

A2: The strategy gets a bit muddled in a couple of places. Most oddly, it does not name any adversary, even though China has been on a hacking spree for more than a decade. This may be a deliberate decision ahead of some high-stakes meetings between President Trump and President Xi. Further, there's a comment about fighting the curtailment of free speech, which would be better suited to a different policy line of effort. There are also some unnecessary swipes at previous administrations, which did take cybersecurity seriously, if more gently than the Trump administration.

The document could have gone far deeper on the rise of cyber conflict as well. The Russian invasion of Ukraine, the 12-day Iran-Israel conflict, and even use of cyber operations in Venezuela and Iran by the United States demonstrate how cyber capabilities are shaping conflict. A critical initiative for this administration should be cementing how cyber policy as a field should operate in the larger geostrategic environment.

The document spends some time discussing talent, but some of the language lacks clarity or specifics. For example: "We will eliminate roadblocks that prevent industry, academia, government, and the military from aligning incentives and building a highly skilled cyber workforce." What this might mean remains unclear.

Finally, the biggest gap is of course how the United States should implement this sweeping statement of intent. There is much "we will" language and very little on the actual steps to make it so. The New York Times reported that a series of executive orders will accompany the strategy, but only one is out. There is an implementation plan, much of which is classified, that will draw out these points, but unless some of it is released to the public, it is hard to inspire real action.

Q3: What are other key points?

A3: One quite controversial point will be the strategy's direction to unleash companies to "disrupt adversary networks." This sounds much like the administration has decided to support the idea of offensive cyber by private entities, or "hack back." Such activity is currently illegal, having been categorized in the same bucket as vigilante justice. Victims are generally discouraged from seeking retribution or recovery of assets on their own, lest the state lose control of its monopoly on force. This document suggests there may be a move toward something akin to an ancient practice: letters of marque, whereby the government allows companies to engage on its behalf.

There is a brief but important callout to the importance of securing federal networks: "We will accelerate the modernization, defensibility, and resilience of federal information systems by implementing cybersecurity best practices, post-quantum cryptography, zero-trust architecture, and cloud transition." This is a key line: "We will work to elevate the importance of cyber in government leadership and in the board room." Civilian, non-intelligence parts of the federal government have woefully underfunded cybersecurity for decades, in part because the leadership of departments and agencies has not seen cyber as important or as its job. Further, the document says, "Working across the government to modernize and create competitive procurement processes, we will remove barriers to entry so that the government can buy and use the best technology." This echoes themes from the National Defense Strategy and other Trump administration statements, which encourage adopting more off-the-shelf capabilities and doing so with minimal friction. This could be a real opportunity for U.S. cybersecurity stars to do more to help the federal government.

Q4: What Needs to Happen Next?

A4: The Playbook for Winning the Cyber War makes recommendations for how to progress from the current state of relative complacency to a robust defense and a far more active offense. Those recommendations include the following:

  1. Create six new frameworks for a new era.
    • Reframe offensive operations: think like an octopus. Offensive cyber tools, at their best, are flexible, inventive, and opportunistic, akin to how an octopus hunts in the wild. Cyber offense must combine long-term planned campaigns and instant opportunism, like an octopus's central brain and tentacles.
    • Redefine proportionality and escalation to include the big picture. Policymakers' view of proportionality must expand beyond the most recent incident and consider the aggregate costs of a pattern of attacks, the long-term economic and security consequences of those attacks, and the message sent by inaction. A new policy, which could be called "cyber first-cyber optional," must begin with explicit principles that the United States is redefining proportionality in the cyber domain, bolstering defense, and putting adversaries on notice that in the future the United States will retaliate for the overall pattern of behavior, not any one attack in isolation, and will use all tools at its disposal.
    • Lay the groundwork for deterrence. Defining international norms of behavior will establish a clear baseline to facilitate future action, making it a worthwhile exercise, even if many states are likely to ignore them. Further, demonstrated will is critical to deterrence. A strong U.S. and allied response to the first cyberattack after an explicit policy goes into place will help set a new tone.
    • Get comfortable with being uncomfortable about the level of attribution. There may be moments when it is necessary, even prudent, to act before definitive attribution. Establishing consequences for malign actors is a worthwhile goal, and the benefits of sending a strong message of response could outweigh the relatively small risks of misattribution. Make a plan to act in the face of uncertainty.
    • Reimagine the cyber warriors. Cyber war is largely fought on private networks with combatants who do not wear uniforms. The cyber domain needs its own service: a Cyber Force that can be built for purpose. It should tilt heavily toward reserve service, and its physical requirements should be utterly different from those of the Marines, for example. Further, the United States must view private sector partners as real partners. It should put in place protections for cyber operators who act in conjunction with the U.S. government, as so many from the private sector did in Ukraine.
    • Focus on defense as a no-fail mission. A stronger cyber defense at home is a worthy goal in itself, but it is also the key to an unleashed U.S. offense. As long as policymakers worry that the home front is vulnerable to adversary attacks, they will hesitate to retaliate. To flip the script, the United States must make its adversaries believe that a cyberattack, particularly on U.S. critical infrastructure, will do minimal long-term damage to the United States and that retaliation, in whatever form, will be swift and painful. To create that stronger defense, the Cybersecurity and Infrastructure Security Agency needs leverage beyond its convening and cajoling efforts. Departments and agencies must be held accountable for their investments, or lack thereof, in cyber defense.
  2. Establish a methodology for decisionmaking in a crisis. Researchers ran war games as a part of the playbook project, and those games demonstrated that policymakers are still unsure how to think about a response to a cyberattack. The Playbook suggests starting with answering seven questions. These questions will illuminate aggravating circumstances and suggest a set of responses that establish escalation dominance and create deterrence.
  3. Run the playbook. Be bold. Match creative policy responses to the pain points of the particular attacker. Demonstrate that the United States will view a cyberattack that causes damage as just as serious as a kinetic attack. Plan for success on offense, confident in the strength of defense.

Further, if the administration is serious about pursuing these goals, it needs to fix two CISAs. The first is the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, which was gutted in the early days of Trump II. That agency needs people and better tech to conduct its mission. Second, the administration must throw its weight behind reissuing the Cybersecurity and Information Sharing Act of 2015, a critical piece of legislation that Congress extended briefly but is due to lapse again in September.

The new cyber strategy is a departure from old versions in several important ways. It meets the moment by declaring the United States is taking a far stronger approach to ending cyber attacks, restoring deterrence, and proactively defending U.S. interests. For it to be successful, however, it needs to emulate at least one part of past administrations' strategies: It needs measurable, achievable steps forward if it is to achieve its bold goals.

Emily Harding is director of the Intelligence, National Security, and Technology (INT) Program and vice president of the Defense and Security Department (DSD) at the Center for Strategic and International Studies (CSIS).

Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).

© 2026 by the Center for Strategic and International Studies. All rights reserved.
