The Trump administration's National Cyber Strategy received a warm reception from the industry overall for focusing on promoting security around AI and quantum computing, reducing regulations, and protecting critical infrastructure.
Released Friday, the Trump security policy document reads like most other cyber policy documents from other administrations except for an emphasis on more offensive-minded cyber operations (think Venezuela and Iran), and reducing regulations that many in the industry believe force vendors to spend more time on compliance than actual security.
Security industry vendors have been especially critical of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which requires mandatory reporting of incidents within 72 hours and ransom payments within 24 hours. While the Trump administration document focuses on zero trust, there’s not much said about secure coding, which was a mainstay of the Biden-era cyber policies.
Overall, the document runs through six pillars that include more offensive cyber operations, easing up on regulations, strengthening federal networks, protecting critical infrastructure, forming cooperative relationships between government and industry around AI and other new technologies, and building up the cyber workforce.
“The emphasis on getting ahead of adversaries before they breach your network is exactly right, and long overdue as an explicit priority,” said Ido Geffen, co-founder and CEO at Novee. “We've operated in environments where waiting to detect an intrusion is already a failure. The adversary has already moved. The strategy's orientation toward being a ‘first mover’ reflects how nation-state offensive operations actually work.”
Geffen said reducing compliance friction matters, but organizations aren't struggling primarily because of CIRCIA: they're struggling because their security testing is fundamentally episodic, in a world in which attackers operate continuously.
“On the other hand, the strategy's recognition of AI as critical to cyber defense is welcome, but it doesn't grapple with the harder truth: AI is compressing attackers' timelines dramatically,” said Geffen. “The window between vulnerability and exploitation has shrunk to minutes. That's an architectural problem, and no strategy document closes that gap. Only the organizations that commit to continuous, autonomous testing will be standing when the next wave hits.”
Denis Calderone, Principal/CTO at Suzu Labs, added that the six pillars are solid and most of the Trump policy reads like any administration's cyber priorities. Where it gets interesting, said Calderone, is the tension between “removing burdensome regulation” and everything else the strategy tries to accomplish.
“CIRCIA's mandatory breach reporting is one of the few mechanisms we have for collective defense, and if that gets gutted in the name of reducing compliance burden, we lose the very transparency that helps organizations learn from each other's incidents,” said Calderone. “We need more disclosure, not less. Also, if we're going to lean into offensive cyber, the defensive investment has to keep pace, and right now the budget isn't telling that story.”
Christian Schnedler, founder and CEO at Rilian, said the U.S. must begin imposing real and sustained costs on foreign governments, organized crime, and other malicious actors to shape their behavior and not just respond after incidents.
Schnedler said the National Cyber Strategy recognizes our need to launch and sustain campaigns that erode our adversaries’ offensive capacity, disrupt their monetization channels, and reshape their risk calculus.
However, Schnedler said we can’t leave this responsibility in the hands of the Department of Justice and Department of Defense alone.
“The true opportunity of this pillar of the strategy lies in deeper operational collaboration between governments, infrastructure providers, and private cybersecurity firms,” said Schnedler. “Shaping adversary behavior is not just about spectacular offensive actions; it is about making every stage of their campaign harder, noisier, and less profitable. This model has been proven in the physical world where criminals and terrorists face private security and surveillance, local law enforcement and first responders, and the ever-present threat of national security organizations.”
Trump cyber policy focuses on offensive operations, harnessing AI




