The Trump administration is preparing to release a concise, five-page national cybersecurity strategy centered on six pillars that signal a fundamental reorientation of U.S. cybersecurity policy toward offensive operations, regulatory rollbacks, and private sector partnerships, according to public remarks by the nation's top cyber official and documents reviewed by multiple outlets.
National Cyber Director Sean Cairncross outlined the framework at the Information Technology Industry Council's Intersect Summit on February 3, describing it as "a short, to-the-point document" designed to drive "action and results" rather than serve as a sweeping policy treatise. The strategy replaces the Biden administration's 35-page 2023 plan with a document roughly one-seventh the length.
The six pillars, as confirmed by Cairncross, are: shaping adversary behavior; reforming the regulatory environment; securing and modernizing federal networks; protecting critical infrastructure; maintaining dominance in emerging technologies; and closing the cybersecurity workforce gap.
The offense-first pillar is the centerpiece
An industry document obtained by Nextgov/FCW describes its goal as "preemptive erosion" of foreign adversaries' hacking capabilities, including closer integration of cyber threat intelligence with signals intelligence operations. Cairncross said the administration intends to "dent the incentive" for adversaries to engage in malicious cyber activity and reset their "risk calculus," moving away from what he called decades of "very reactive" U.S. policy. Sources familiar with the administration's thinking told Nextgov/FCW that there is a clear intent to "take off the kid gloves" inside agencies that already have offensive authorities.
George V. Hulme
Implementation will include reexamining NSPM-13, the classified framework governing authorities for cyber operations; PPD-41, which dictates federal response to major cyber incidents; and NSM-22, which sets critical infrastructure protection standards. Executive orders targeting cybercrime and ransomware groups are also being prepared, according to four people familiar with the plans.
On the regulatory front, Cairncross said the White House wants compliance regimes to shift "so that form follows function rather than the rules being a compliance checklist". The administration is actively soliciting industry input on areas of regulatory friction—a posture business groups have welcomed after frequently clashing with the Biden White House over prescriptive mandates.
The strategy also calls for quantum-safe encryption across federal networks, expanded adoption of zero trust, federal procurement reform to break the dominance of large defense primes, the development of a U.S. cyber academy concept, and a venture capital incubator modeled on Israel's cyber startup ecosystem.
Some cybersecurity leaders welcomed the strategy's emphasis on offensive deterrence. 'Defense alone is no longer enough,' said Kemba Walden, former acting national cyber director, speaking at an Aspen Cyber Summit in November. 'Years of focusing on defense have allowed threat actors to operate with little cost. The next phase must ratchet up the consequences."
Brett Leatherman, FBI Assistant Director for the Cyber Division, separately endorsed the plan: "Sean talks about shifting the burden to the adversary. That equals imposing cost... having a strategy like that really does rally the interagency around certain lines of effort."
Critics argue the plan's core premise is flawed
In a January 25 analysis, Matthew Ferren, a Council on Foreign Relations fellow who co-authored the Biden-era 2023 strategy, warned that an offense-first strategy "fundamentally misunderstands" the China threat. China's distributed cyber apparatus—spanning military units, private contractors, universities, and technology firms—" can reconstitute faster than U.S. operators can disrupt it," Ferren wrote. He called cyber-on-cyber deterrence against Beijing "an illusion," arguing that China considers espionage and pre-positioning on U.S. infrastructure essential to its national security and will not abandon those activities regardless of U.S. offensive pressure.
George V. Hulme
The concern is compounded by the administration's simultaneous moves to weaken the defense. CISA has absorbed proposed budget cuts of roughly 17 percent, shed key personnel, and still lacks a Senate-confirmed director. Cybersecurity Dive reported that these reductions have made public-private collaboration "more challenging and scattershot." The State Department's cyber diplomacy bureau, which led allied efforts to counter Chinese telecom equipment sales abroad, has been eliminated.
The CISA cuts come with a hefty cost for Main Street.
"When you're in the middle of an incident response, the thing that determines whether you have a bad week or a catastrophe in the works is whether or not you get the right people on the response and do so quickly enough," Aaron Warner, CEO at cybersecurity consultancy ProCircular, told CYBR.SEC.Media. "We serve the mid-market, and there are a lot of [smaller] organizations we just can't serve because of their size, and CISA, at least for a while, was supposed to be tasked with supporting small and mid-market, and they are nowhere to be seen, and their budget cuts don't help," Warner said.
Cairncross acknowledged the importance of the private-sector relationship, telling the ITI audience, "We have to do this in partnership, or this mission is not going to succeed.” But Ferren countered that more offense paired with less defense "will leave the United States more vulnerable, not less," and that the strategy "promises exactly that nonexistent option" in which offensive operations solve the China problem.
This lack of defensive focus will make an already serious problem worse for organizations that depend on CISA. "In the short run, they've [these organizations] got to figure things out on their own. And it’s going to be a challenge for them. Third‑party breaches doubled last year. There’s an increase in exfiltration and ransomware, and longer dwell times because, frankly, people don't know how to look for them. And the resources for all of CISA's vulnerability assessments, penetration testing, and tabletop exercises are gone."
The strategy was originally targeted for release in January 2026, but has been delayed. Cairncross said only that it would arrive "sooner rather than later". An implementing executive order is expected to follow shortly after publication.
Warner cautioned that even if CISA is reconstituted by a future administration, restoring trust will take a long time. "Even if three years from now a fully formed version of CISA appears, how do [businesses] know that four years after that things aren't going to go sideways again? The chaotic nature of our politics tells me that a lot of this is going to end up in the hands of industry."
