The Trump administration has set out its long-awaited cyber strategy at the weekend, pledging to “sustain superiority” in emerging areas of security such as post-quantum cryptography and artificial intelligence.
The White House said that securing US innovation and protecting its current intellectual advantage will be paramount.
“We will build secure technologies and supply chains that protect user privacy from design to deployment, including supporting the security of cryptocurrencies and blockchain technologies. We will promote the adoption of post-quantum cryptography and secure quantum computing,” the White House said.
While the so-called ‘Q Day’ that the cyber industry dreads has yet to come to pass, the era of quantum computing – which promises to brick many traditional cyber defences – may be closer than anybody thinks, and work is ramping up around the world to prepare for it, with the UK’s National Cyber Security Centre (NCSC) among the bodies leading the charge.
On AI, the Trump White House pledged to secure the entire technology stack powering AI, including datacentres, and promote innovation in the area. The US will swiftly implement AI-enabled cyber tools to detect, divert and deceive threat actors, it said, as well as adopting and promoting agentic capabilities to scale network defence. On the global stage, it said it will work alongside its allies to ensure both agentic and generative AI are used in ways that address innovation and “global stability” while securing the data and models than underpin US leadership in the area. “And,” the White House said, “we will call out and frustrate the spread of foreign AI platforms that censor, surveil, and mislead their users”.
Bolder action?
The Trump administration accused its predecessors of having done little more than “tinker around the edges” and applying only partial measures and ambiguous strategies that neglected the number and severity of threats faced by the US.
Its own strategy will be different, it reasoned, echoing the “America First” rhetoric of the current administration, and acting decisively to defend US interests in the cyber realm, whether that be through takedowns and asset seizures against cyber criminals, or cyber operations in support of its recent military adventures – it referenced the use of cyber tactics in its January operation against Venezuelan president Nicolas Maduro, and in its current war on Iran.
“Adversaries are on notice that America’s cyber operators and tools are the best in the world and can be swiftly and effectively deployed to defend America’s interests,” said the White House.
Core policies
The overall strategy is formed by six policy pillars, which are:
- To shape adversary behaviour: deploying a full suite of government defensive and offensive cyber operations in tandem with private sector security companies;
- To promote common sense regulation: streamlining cyber regulations to reduce compliance burdens, address liability, and align to regulators and industry globally while emphasising strict privacy controls for US citizen data;
- To modernise and security federal networks: implementing existing cyber best practice and emphasising post-quantum readiness, zero-trust, and cloud security;
- To secure critical infrastructure: prioritising the hardening and defence of networks at datacentres, energy and utilities operators, financial services organisations, hospitals and telcos;
- To sustain superiority in critical and emerging technologies: as detailed above, working on post-quantum and AI;
- And to build talent and capacity: developing a cyber skills pipeline and addressing the barriers that are currently blocking industry, academia, government and the military from this goal.
The White House said: “This strategy makes clear the course president Trump has pursued in cyberspace, and the direction the US government will pursue with increasing impact. president Trump has acted to ensure that Americans – especially future generations – will have a strong country where they are secure and defended, and a future defined by individual freedom, economic prosperity, and opportunity.
“President Trump will continue showing those who harm our interests and attack our values in cyberspace place themselves at risk.”
Michael Bell, founder and CEO of Suzu Labs, an AI security platform, said that the White House’s six pillars were the right priorities.
“Post-quantum cryptography, private sector offensive operations, regulatory streamlining, AI security. All correct,” he said. “The strategy reads like people who understand the threat landscape were involved in writing it.
“But a strategy without a budget is a press release. The implementation plans need acquisition reform, real funding for post-quantum migration, and measurable timelines. That’s what separates policy from paper.”
Gaps overlooked?
Noting the exit of thousands of cyber professionals – many with high-level security clearance – who have fled US government services of their own accord in the past decade, Bell said the administration first needed to put in place capacity to bring these people back into the fold.
“The strategy says, ‘unleash the private sector,’ and the direction is right, but the contracting vehicles for rapid classified offensive work don’t exist yet. Build those and you have real capability. Without them, you have a slogan,” he said.
“The strategy [also] calls the cyber workforce a strategic asset [but] the same administration cut roughly a thousand CISA employees who were doing vulnerability disclosure, threat briefings, and incident coordination. The strategy promises public-private partnership, but the liability protections that made threat intelligence sharing work between government and industry expired and haven’t been replaced.
“At some point the budget has to match the strategy, or the strategy doesn’t mean anything,” he warned.
Doug Merritt, CEO of Aviatrix, a specialist in securing cloud workloads, said that while the strategy document shows a recognition in the US government that cyber and national security have become inseparable, at the same time the plan overlooks some pressing cyber gaps.
“The reality is the very nature of cyber risk has fundamentally changed. Today’s most damaging attacks rarely begin at the perimeter. They move laterally through the digital fabric connecting workloads, applications and services across cloud and hybrid environments,” said Merritt. “That complexity and nuance are often underappreciated outside the security community.
“As geopolitical tensions rise and cyber operations increasingly accompany kinetic conflict, securing the infrastructure that connects modern systems will require new approaches that embed protection directly into the architecture itself.
“If we want strategies like this one to translate into real security outcomes, the next step is closing the operational blind spots inside the cloud,” said Merritt.
