Brief, Bold and Beautiful? Reactions on the US National Cyber Strategy

Earlier in March, the Trump administration finally published its National Cyber Strategy after months of suspense regarding the content and tone it would convey, globally, about the US’s ambitions in cyberspace. The announcement came at a strategic time: at the start of the second year of Trump’s presidency, after a series of demonstrations of US use of cyber capabilities in the operation to extract Maduro from Venezuela, and at the outset of the unfolding war in Iran.

There is no single standard for a national cyber strategy; some can be closer to an action plan, outlining budget lines and action items; others might still be lengthy and focused on elaborate ‘pillars of action’. Unlike many ‘strategies’ so far, the US National Cyber Strategy has five pages of text and has raised both praise and critiques about its level of detail and concrete action.

There is certainly no meandering when it comes to communicating ambitions in this strategy, and we have brought together a series of experts to reflect on: (i) the continuities and ruptures the NCS presents compared to its predecessors; (ii) what it means for the US’s posture on the use of offensive cyber capabilities; (iii) the role of the private sector in enabling the aspirations set out in the NCS; (iv) how realistic are the ambitions it presents on AI; and (v) what the strategy means for UK-US transatlantic relations.

Then/Now: Past, Present and Future of US NCS’s

James A. Lewis

Every US Administration since Clinton has issued some kind of cybersecurity strategy. The Trump Strategy is notable for its brevity. Biden’s strategy was almost 40 pages; this is only seven. Brevity is not necessarily bad, and an overfondness for writing long strategies rather than implementing them has been a problem in the past. But the new strategy is short on specifics. It does not assign responsibility to any agency for the various actions it calls for the US to take.

In a major shift from 2023, it promises to reverse the regulatory burden, but without identifying what regulations are burdensome. The 2023 Strategy emphasised market failure and the need for regulation, but the Biden administration had barely started to act on this by 2024. This reflects the traditional reluctance to regulate more than a few sectors (such as defence or finance). There is no mention of the Pentagon’s Cybersecurity Maturity Model Certification, which smaller companies regard as burdensome. The 2026 Strategy weaves supply chain security throughout the text, more than any of its predecessors, relying on the larger administration effort to make an American tech stack globally dominant.

Some omissions in the 2026 strategy are troubling. Unlike earlier strategies, the 2026 document does not mention any adversary by name. Nor is there much discussion of international policy beyond a general commitment to work with allies, unlike what we had seen in the previous administration’s International Cyberspace and Digital Policy Strategy.

Active defence and technological dominance form the centrepieces of the new Trump strategy, a shift in emphasis from earlier strategies, and the strategy leans more on emerging technologies than its predecessors. The US will achieve tech dominance through streamlining regulation, and it will prioritise the rapid deployment of AI tools, post-quantum cryptography (to protect privacy and intellectual property) and US-made data infrastructure.

The 2026 strategy prioritises pre-emptive disruption and offensive operations against adversaries before they can act. This is a major departure from earlier strategies, and the new strategy seeks to repair cyber deterrence’s limitations through active defence. As part of this, the 2026 Strategy says it will use private sector partnerships (always an article of faith in earlier strategies), ‘unleashing’ the private sector to ‘identify and disrupt’ opponents. This might work for cyber criminals, but not for states – when the Obama Administration’s Justice Department identified an approval process for hack back, companies were afraid to use it.

The key to the success of any strategy is not how long or complex it is, but whether the administration that issued it acts upon it. That remains the test that Trump Cybersecurity Strategy of 2026 has yet to face.

Continuities and Ruptures in the US Approach to Offensive Cyber

Erica Lonergan

The second Trump administration’s ‘Cyber Strategy for America’ unsurprisingly emphasises a robust, offensive approach to countering cyber threats. This is consistent with the more proactive, offensive turn in US cyber strategy that began during the first Trump administration, with the 2018 introduction of the new strategic concepts of ‘defend forward’ and ‘persistent engagement.’ It is also important to note that, during the Biden administration, the idea that the US government should employ all the levers of national power to disrupt malicious cyber activity was enshrined in the national cyber strategy, and persistent engagement and defend forward were integral to the Biden administration’s defence cyber strategy. In this sense, the second Trump administration’s strategy is consistent with a broader pattern in US strategic thinking, rather than representing a discontinuity. There is a growing consensus that the US should be less concerned about the escalatory implications of applying and projecting power in and through cyberspace, and more willing to employ various instruments to disrupt and defeat cyber threats, especially via preventive or pre-emptive logics.

This strategy also does not resolve the perpetual confusion and ambiguity about the role of deterrence in cyber strategy and the relationship between defend forward/persistent engagement and deterrence. On the one hand, the title of the first pillar of Trump’s strategy, ‘shape adversary behaviour,’ conveys a decidedly coercive – even compellent – logic. It implies that it is indeed possible to alter the calculus of adversaries in cyberspace, through ‘imposing consequences on those who do act against us.’ This seems to suggest a rejection of the argument that coercive strategies in cyberspace are not feasible (while acknowledging that it may require using ‘all instruments of national power,’ not just offensive cyber operations.

On the other hand, much of the language within this pillar appears to be more focused on simply applying force to ‘detect, confront, and defeat’ adversaries. This is more along the lines of a fait accompli than wielding the threat or limited application of force to shape behaviour in a classic, Schellingeque sense. In this sense, it is consistent with the arguments espoused by advocates of persistent engagement, who argue that the US should conduct cyber operations simply to create or exploit an advantage, rather than to deter or change behaviour.

Finally, where this strategy differs significantly from prior strategies is the nod to a potential role for the private sector in cyber offense. The strategy notes that the US ‘will unleash the private sector by creating incentives to identify and disrupt adversary networks and scale our national capabilities.’ This suggests a significant shift in the government’s approach to the conduct of offensive cyber operations, though the strategy does not specify how this might be operationalised. The devil will be in the details in terms of what this means in practice. Policymakers should critically examine the kinds of risks that are likely to emerge from potentially empowering private actors to conduct offensive cyber operations against nation-state adversaries.

Weaponizing the Private Sector?

Gareth Mott

Policymakers in the US – home to the world’s most capable cybersecurity industry – have arguably dipped their toes into the possibility of permitting private-sector engagement in disruptive cyber activity. Two Congressional bills (one in 2019 and another in 2025) have been introduced by senators but did not proceed. The latter, introduced by Representative David Schweikert, would have allowed the US President to issue letters of marque and reprisal for private sector activity against online criminal enterprises.

Pre-emptive reporting late last year suggested that the US Cyber Strategy was likely to contain a desire to implement a deputization-like system. The new strategy appears to flirt with greater private sector involvement, albeit without a substantive outline, with its ambition to ‘unleash the private sector by creating incentives to identity and disrupt adversary networks and scale our national capabilities’ and to ‘establish a new level of relationship between the public and private sectors to defend America in peace and war.’

As outlined in a recent RUSI Insights paper, there is tentative interest from some private-sector actors to be more involved in disrupting cyber threats at source; for instance, with Google’s suggestion of a cyber ‘disruption unit’ that could engage in ‘legal and ethical disruption’, which has recently demonstrated success against a large proxy network. However, the Computer Fraud and Abuse Act is prohibitive if disruption is conducted against an IT system without authorisation. Bloomberg’s reporting suggested that further details – including a potential Executive Order and/or legislation – would likely follow the release of the Strategy. As cyber threats escalate against core societal services in the US and internationally, partner countries will likely watch any legislative developments – and take-up by private industry – with keen curiosity.

Translating Ambitions into Practice on AI

Pia Huesch

The US cyber strategy may look like a big bold promise to the US tech innovation ecosystem. It confirms that the Trump administration sees itself in a global competition for technological supremacy and wants to double-down on American innovation, which it seeks to protect through cyber measures. The strategy also emphasises plans to leverage AI tools for said cyber defence measures, including agentic AI to ‘securely scale network defence and disruption’. And a one-liner on adopting post-quantum cryptography and secure quantum computing is added for good measure.

So far so good. But it is no surprise that a 7-page document offers little insights into how the Trump administration intends to actually tackle these incredibly complex issues. It is all too tempting for policy makers to jump on the latest tech buzzwords around AI in the hope that this silver bullet will finally solve the persistent challenge that is cyber security – a problem that is often seen as technical and dry while simultaneously costing the economy billions a year.

There is nothing bold or inventive in the claims made in the strategy. Securing technology dominance and the AI technology stack should be the priority of any US government, which due to its economic power and strong technology sector may actually be the only country other than China to accomplish this. Seeking to leverage AI and quantum technologies to enhance cyber resilience are key priorities, not just for the US but other governments across the globe.

But the absence of any detailed plans, including the roles and responsibility of the private sector, turns any bold plan into a wish list. In many ways, the Biden administration’s plans to shift responsibility for cyber security from user to private sector was a much bolder vision for cyber security policy in the US than the current administration’s plan: that the tools of loosely regulated tech companies will fix the networks and platforms that loosely regulated tech companies built before them.

What Does This Mean for the UK and the Transatlantic Relationship

Conrad Prince

There are plenty of consistencies between the new US strategy and what we are likely to see in the forthcoming UK strategy refresh, now overdue. These include the focus on resilience and a secure CNI, secure supply chains, protecting technology advantage, use of AI and the importance of talent.

But there are some important areas of likely divergence. The aggressive tone and emphasis on defeating cyber adversaries in the US strategy feels distinctly different from a UK strategy that rightly prioritises resilience but has often felt at its weakest when it comes to more actively countering threats.

The new US strategy calls for streamlining cyber regulation, while in the Cyber Security and Resilience Bill the UK is proceeding with a significant extension of regulation. The focus on growth makes anything beyond that seem unlikely, but there remains a strong sense in the UK that effective regulation is a key part of successful resilience.

Elsewhere, the references to protecting free speech in the US strategy feel tonally different from the UK focus on countering disinformation and Foreign Information Manipulation and Interference.

The current UK cyber strategy is 130 pages long. The US document is five pages of text. It is the US document that feels punchier, with a much clearer sense of urgency and priority. It also represents a more coherent amalgam of cyber security and offensive cyber in a single strategy than the UK has achieved.

Finally, there is the reference to allies pulling their weight. Given the lacklustre UK response to the Iran conflict, there may be opportunities here. Debates will continue over the right balance between disruption and resilience, but the UK has a credible offensive cyber capability that could help demonstrate its continuing value to the US at a challenging time for the partnership.

Concluding Thoughts

Louise Marie Hurel

Despite a growing estrangement in transatlantic relations with Europe that has defined much of the first year of the Trump administration, the US remains an undeniably central voice in shaping the tone and direction of cybersecurity governance – and especially on offensive cyber. The 2026 NCS makes clear that Washington intends to set the terms of its use of and engagement in cyberspace through offensive campaigning. Even as the nature of its partnerships with European allies grows more uncertain, other European and non-European states have publicly signalled renewed interest in developing offensive cyber capabilities of their own.

What is striking about the NCS is not what it promises, but what it deliberately leaves open. The strategy is less a roadmap than a declaration of intent, one that prioritises narrative clarity over operational specificity. Each of its pillars communicates ambition without committing to the precise mechanisms, authorities or resourcing that would be required to realise them. Whether such choices reflect strategic prudence, internal disagreement or simply the current administration's preference for flexibility over overcommitment to details, remains to be seen. We shall wait and see whether it will be followed by a series of Executive Orders which will clarify action and responsibilities. First signs of that have been reporting suggesting an upcoming EO on private sector support to offensive cyber and the EO published on 6 March on ‘Combatting Cybercrime, Fraud, and Predatory Schemes Against American Citizens’ – which is only tangentially linked to the preamble of the NCS rather than an actual pillar of the strategy.

The document can only be judged by what follows it. As the contributors to this commentary have highlighted, there are ruptures and continuities when assessing the NCS against previous administrations’ strategies. The question remains as to whether ambition will outlast the announcement.

© RUSI, 2026.

The views expressed in this Commentary are the authors', and do not represent those of RUSI or any other institution.

For terms of use, see Website Terms and Conditions of Use.

Have an idea for a Commentary you'd like to write for us? Send a short pitch to commentaries@rusi.org and we'll get back to you if it fits into our research interests. View full guidelines for contributors.