Long-Awaited Trump Cyber Strategy is a Nothing Burger

The White House released a national cybersecurity strategy this week, and people had apparently been anticipating it. I wasn’t.

I took a look at it and there just isn’t much there.

The document is only about seven pages long, and more than half of it is basically preamble. Two of the pages are essentially the title page and the closing section. That leaves very little actual substance in the middle.

When you read those pages, it doesn’t really feel like a strategy document. It’s mostly statements like: cyber threats are dangerous, adversaries target the United States, and the government will act to defend its interests in cyberspace.

The actual strategy part — the “how” — just isn’t there.

Where’s The Beef?

The document outlines several pillars, things like shaping adversary behavior, securing federal networks, protecting critical infrastructure, and building cybersecurity talent. All of those sound good in theory. Nobody’s going to argue against those goals. The problem is the document doesn’t really explain how the government intends to achieve them.

A lot of the language reads like what I’d summarize as “we’re going to do more better cyber.”

We’re going to defend our networks, deter adversaries and build cyber capabilities.

Okay, but how?

One section talks about shaping adversary behavior through offensive and defensive cyber capabilities, as well as encouraging the private sector to disrupt adversary networks.

That’s something the government has talked about before, particularly the idea of allowing private companies to take a more active role in cyber defense.

But again, there’s no real detail here about what that actually looks like in practice.

Another pillar talks about promoting “common sense regulation” and reducing what the document calls costly checklists.

And that’s where I start to get skeptical.

Checklists Written in Blood

Cybersecurity Checklists Exist for a Reason. There’s a saying in aviation that every item on a pilot’s checklist is written in blood. Every step is there because something bad happened in the past when it wasn’t followed. Cybersecurity controls are a lot like that.

When we require organizations to patch certain vulnerabilities, implement authentication controls, or monitor networks, those requirements usually exist because something catastrophic happened before those controls were in place.

So dismissing those safeguards as just “costly checklists” feels simplistic.

Another part of the strategy talks about modernizing federal networks and securing critical infrastructure. Those areas were historically major responsibilities of the Cybersecurity and Infrastructure Security Agency(CISA).

That raises another obvious question: If you’re talking about expanding federal cybersecurity efforts, how does that square with the fact that the government has significantly reduced the size of agencies responsible for doing that work?

You can’t say securing federal networks and protecting infrastructure are priorities while simultaneously shrinking the organizations tasked with carrying out those missions.

That disconnect is one reason the document has drawn criticism from lawmakers. U.S. Rep. Bennie Thompson, the ranking member of the House Homeland Security Committee, described the strategy as a “mishmash of vague platitudes” and a long list of “we will” statements without a clear blueprint for execution.

That criticism honestly captures the same reaction a lot of people had reading the document.

When you strip away the language, the strategy largely boils down to statements that cybersecurity is important and the United States intends to improve its defenses.

To be clear, cybersecurity absolutely is important, but a national strategy document needs to do more than say that.

It needs to explain how the government plans to allocate resources, which agencies are responsible for what missions, how the public and private sectors will cooperate, and what concrete steps will be taken to strengthen defenses.

Without that, you don’t really have a strategy.