The Trump Administration’s Cyber Strategy for America was recently released, revealing six pillars of policy that lay the foundation of this strategy. These policies are: 

• Erode adversary cyber capacity 
• Emphasize “common sense” regulation 
• Secure federal government networks
• Secure critical infrastructure 
• Continuously innovate in emerging/critical technologies 
• Build and educate the cyber workforce

These pillars of action are intended to direct implementation and establish measures of success. 

Below, security leaders share their thoughts on this new cyber strategy. 

Security Leaders Weigh In

Dave Gerry, CEO at Bugcrowd:

Anytime that an administration is publicly prioritizing cybersecurity at a very strategic level is a positive sign for the industry and for broader national security implications. It’s a meaningful first step. 

Seeing that cyber is being broken out into its own distinct national security strategy document elevates it to a first order national security issue, not just a piece of a broader defense or technology policy.

The document focuses on a number of important points: offensive deterrents, reforming the regulatory environment, modernizing the federal government and its networks, securing critical infrastructure, and workforce development. Generally speaking, these core topics align well to what the industry feels is important and shows that the Administration has been listening to industry, academia, and the government experts across the various agencies. 

The challenge with the document is the vagueness. It reads more like a high-level messaging document, which while aligned to the needs of the nation and industry, lacks the specificity needed to make decisions. The details will likely come with follow-on Executive Orders, legislation, etc. Specifically, the details need to include: timing, responsible agencies, funding and execution plans, etc.

Today, the biggest gap in the U.S. government’s approach to disrupting global cybercrime operations is speed. Adversaries move faster than the government. This is just the reality of the environment we’re in and AI has only amplified this fact. This forces the government to be in a constant state of catch up. 

The majority of federal cybersecurity policy is based on compliance frameworks, post-breach policy and incident response instead of proactive vulnerability discovery to avoid the issue before it happens. While we’ve seen things like bug bounty and vulnerability disclosure programs be successful all across the federal government, they’re still not standard practice or required for every agency or critical infrastructure operators. 

State and local governments are falling behind in terms of capability, capacity and funding. The federal programs get the attention and funding, but the cybercriminal groups are disproportionately targeting smaller, less sophisticated organizations. The same is happening in the private sector across large versus small healthcare systems, large versus small utilities, etc. 

Organizations are still paying ransom which continues the operation of the cybercrime groups by providing financial incentives to continue operating. The government appears reluctant to ban these payments outright because of the collateral damage to the victims, but until this is solved, the cybercriminals still have a path to earning and will continue to operate. 

The biggest gap isn’t in strategy, it’s in the speed of operating. Adversaries today are operating at machine speed and the government is operating at bureaucracy speed. Proactive security must become the default to help offset this velocity gap.

Alex Kreilein, Vice President, Product Security & Public Sector Solutions at Qualys:

These priorities laid out in the Cyber Strategy for America intersect at precisely the right time and place with our national goals and our adversaries’ capabilities.

The most effective way to shape adversary behavior is to fundamentally rethink how we manage and regulate our systems and operation; ensuring they are modern, risk-focused, reward-oriented, and capable of securing America’s critical infrastructure. This requires that we embrace agentic and autonomous systems to build capacity and adopt risk management as a centerpiece of national security, delivering efficiency for defenders, opportunity to organizations, and imposing high costs on attackers.

We urge the Administration to consider two additional imperatives: ensuring competition and welcoming new entrants in government contracting — so the American people receive the right tools at the best value — and redefining what “qualified” means in cybersecurity. This field is fundamentally a vocation built on skill, not solely a credentialed profession.

Execution on these strategies is foundational to America’s national security and to the security of the West.

Bruce Jenkins, Chief Information Security Officer at Black Duck:

President Trump’s Cyber Strategy for America puts operational effect ahead of “compliance theater.” From a practitioner’s perspective, the emphasis on modernizing federal systems with zero trust, post quantum cryptography, and AI enabled defense — while streamlining duplicative regulation — is directionally appropriate. The real test and historical challenge will be in execution: translating these pillars into clear requirements, faster procurement, and measurable risk reduction across government and the defense industrial base.

Kevin E. Greene, Chief Cybersecurity Technologist, Public Sector at BeyondTrust:

The new cyber strategy from the White House will necessitate a zero trust 2.0 approach that builds upon its foundational principles while incorporating deterrence and disruption concepts. Zero trust must evolve to become the core engine for cyber deterrence.

We must (re)shape adversary behavior. I use “reshape” because our cybersecurity posture has been reactive which has enabled our adversaries with the ability to preposition and gain meaningful control.

I’m excited about the new cyber strategy for several reasons: 

• It emphasizes the need to shift from reactive to proactive cybersecurity practices.  
• Defensive and offensive capabilities become central components in (re)shaping adversary behavior.
• Modernization through a zero trust 2.0 will operationalize privilege disruption and cyber deterrence capabilities.  
• AI is a privilege control plane that requires visibility plus intelligence plus protection 
• It’s an opportunity for cyber to be less risk adverse, fail fast and try new things.  

Shifting to active cyber defense will greatly maximize and enhance our offensive capabilities. Offensive capabilities are most lethal when the adversary operations are physically constrained, it’s the idea of shortening the playing field to yield greater offensive impact to further shape adversary behavior. This is a seismic shift we need to defend and protect forward.