CYBER-STRATEGYTrump’s Cyber Strategy Falls Short on China, Iran, and the Threats That Matter Most
Iranian cyber retaliation is escalating. Chinese operators remain embedded in U.S. infrastructure. Ransomware groups continue to disrupt hospitals, schools, and local governments. Trump’s recently released cyber strategy raises doubts the administration is prepared to address these threats.
The White House’s recently released cyber strategy is strikingly short, with just four pages of substance—roughly one-seventh the length of the Biden administration’s 2023 strategy. National Cyber Director Sean Cairncross has described it as a high-level statement of intent, with action items to come. But the brevity also reflects a fraying cyber apparatus that is, at best, still finding its footing and, at worst, suffering from institutional neglect.
This strategy arrives at a precarious moment. The United States faces longstanding and intensifying cyber threats—from Chinese espionage and pre-positioning on critical infrastructure to ransomware campaigns that disrupt essential services—that demand sustained attention and investment. The president’s war of choice with Iran adds new urgency. Tehran-linked groups are already threatening cyberattacks on U.S. networks, and the White House’s ability to coordinate national cyber defenses will face an immediate test.
Yet the administration’s surface-level treatment of these challenges casts doubt on how seriously the administration takes the cyber threat, and whether it has the capacity to address them. Key cyber leadership posts remain vacant, and the agencies responsible for implementation have been disrupted by budget cuts and personnel turnover.
Trump’s vision for cyberspace misses the threat landscape
For Trump, cyberspace is a hostile, militarized domain in which U.S. power is unmatched. Cyber threats, while numerous, could be dealt with relatively easily if only policymakers were willing to unleash U.S. capabilities. This vision informs a strategy that privileges offense over defense, prizes visible displays of capability over sustained institutional reform, and treats the private sector primarily as a source of energy to be unleashed rather than a source of systemic risk to be managed. Through a more muscular posture, “American power will finally stand up in cyberspace.”
Despite the combative tone, Trump’s cyber strategy says little about the threat landscape. Cybercrime is the only threat discussed with any specificity; China, Iran, North Korea, and Russia go unmentioned. The National Cyber Director is statutorily required to report annually to Congress on cybersecurity threats facing the United States—an obligation the administration does not appear to have met. Detailed threat assessments belong in such reports, not necessarily in a strategy document. More concerning is that its priorities do not appear to reflect the severity of the threat picture.
