Topics:
The Trump Administration unveiled two major cybersecurity actions in March that signal a more forceful U.S. posture in cyberspace, making a clear connection between national security and cyber defense, and expanding the role of the private sector in both defense and disruption.
The release of President Trump’s Cyber Strategy for America and a new Executive Order on Combating Cybercrime, Fraud, and Predatory Schemes Against American Citizens mark a shift in tone and intent, even as many details remain to be defined through implementation.
Taken together, the documents frame cyberspace less as a regulatory challenge and more as an active domain of competition, deterrence, and consequence. Both emphasize speed, attribution, and retaliation, directed not only at nation states, but also at cybercriminal groups operating with state tolerance or support.
Released on March 6, the national cyber strategy sets out a vision of cyberspace as a domain where American power—economic, technological, and military—should be asserted to protect national interests. Rather than offering a detailed implementation roadmap, the strategy functions as a statement of operating philosophy, repeatedly emphasizing deterrence, disruption, and technological superiority.
The strategy organizes its priorities around six pillars: shaping adversary behavior; promoting “common sense” regulation; modernizing federal networks; securing critical infrastructure; sustaining leadership in emerging technologies such as AI and quantum computing; and building cyber talent and capacity. While many of these themes echo earlier strategies, the tone is more explicit in its willingness to impose consequences and to reduce regulatory friction in favor of speed and innovation.
Unlike prior administrations’ more process driven approaches, the strategy signals that cyberattacks on U.S. interests may trigger swift responses, potentially extending beyond cyberspace. The Administration will have ample opportunities to prove that maxim.
Iranian-affiliated hacktivist group Handala claimed the attack that remote-wiped devices across Stryker’s network, a U.S. medical equipment manufacturer. Time will tell if the Administration attributes any of its U.S. activity in Iran as retribution under the cyber strategy for cyber activities against Stryker and other US entities.
The cyber strategy also emphasizes the Administration’s view that private companies are not merely regulated entities, but active participants in national cyber defense. This is not a new theme, but one that has been gaining attention in D.C., with calls for legislation around the theme of “active defense” and more “cyber offense.” This is an area where few companies have invested heavily in legal or technical disruptions, with notable exceptions. Implementation of the new cyber strategy and measures to understand remedies if a private sector remediation goes wrong—and accidentally impacts infrastructure beyond the scope of the bad actor—will need to be thoroughly thought through.
Running parallel to the strategy, the new executive order on cybercrime adopts an equally forceful tone, particularly toward transnational criminal organizations (TCOs) operating scam centers and ransomware campaigns. The executive order establishes a series of near-term milestones, including a government agency review and an action plan to identify and dismantle TCOs. The executive order also places renewed emphasis on domestic enforcement, directing the Department of Justice to prioritize prosecutions of cyber-enabled fraud and extortion schemes.
Despite the strong rhetoric, both the strategy and the executive order remain high level declarations of intent. Key questions for industry and policymakers alike center on how aggressively the Administration will fund these initiatives, how it will operationalize public-private collaboration, and where new expectations—or liabilities—may fall on companies.
Reporting following the strategy’s release suggests broad industry support for its objectives, but also a wait-and-see posture as agencies begin issuing sector-specific guidance and directives. For many companies, the real impact will emerge not from the strategy itself, but from follow-on actions that translate its priorities into procurement rules, regulatory adjustments, and enforcement activity. For companies considering joining the offensive security call (or the potential spillover from unintended consequences), there are a few steps companies can consider today:
Prepare for expanded public/private operational engagement. Companies with advanced threat intelligence or response capabilities may face increased expectations to share insights or support government-led disruption efforts, consistent with applicable law.
Stress-test incident response against geopolitical scenarios. The Administration’s stated willingness to impose consequences on adversaries raises the likelihood of cyber-effects that may impact the private sector, or that private sector service providers may be called upon to help prevent or mitigate.
Reassess third-party and supply chain risk. As the strategy pushes for reduced reliance on adversary-linked vendors and technologies, companies should evaluate exposure in high-risk jurisdictions, evaluate critical vendors, and transfer risks where needed.
Integrate data security into cybersecurity governance. With regulatory streamlining on the agenda, organizations should be prepared to engage policymakers on how data protection and cybersecurity requirements align—or conflict—across jurisdictions.
For all companies, the priority will be to track implementation closely. Funding decisions, agency directives, and enforcement actions will ultimately determine whether the Administration’s aggressive cyber posture translates into lasting operational change. Adversaries were put on notice by the new cyber strategy and executive order, and the private sector is now on notice, too.
Cristin is the managing partner of Advanced Cyber Law, a boutique law firm focused on cybersecurity, incident response, threat intelligence, and artificial intelligence. She and her team leverage Cristin’s 17 years as lead cybersecurity counsel at Microsoft, where she was head lawyer for the Microsoft Security Response Center, the Microsoft Threat Intelligence Center, the Government Security Program, cybersecurity law and compliance, and built Microsoft’s Digital Security Unit, fusing threat intelligence with geopolitical analysis, including Microsoft’s seminal Ukraine Report in April 2022. Cristin is also the founder and CEO of Advancing Cyber, a regulatory technology startup.
