What happens when a country develops a cyber strategy that depends on the capabilities it is actively cutting?
The White House’s new cyber strategy offers exactly that kind of contradiction by pairing a strong vision for resilience and competition with policy choices that pull in the opposite direction. On the merits, it gets several important things right. It treats cyberspace as a domain of sustained strategic competition rather than a compliance problem. It puts unusual and welcome emphasis on national resilience. And it understands that offensive cyber action, paired with other tools of national power, should be part of any serious effort to shape adversary behavior.
Those are not trivial points. They go to the heart of whether the United States intends to merely endure cyber pressure from adversaries or actually contest it. The strategy is at its strongest when it recognizes that the country cannot regulate, patch, wish, or otherwise shortcut its way to better security. The document’s central logic is, in several respects, right. But it will need significant government capacity and guardrails to go from rhetoric to reality — which is precisely why the administration’s actual cyber policy choices are problematic and threaten to undermine the strategy.
A Welcome Logic of Resilience…
For years, cyber policy debates have oscillated between magical prevention and bureaucratic box-checking. The Trump administration’s strategy points in a stronger direction. It repeatedly stresses the need to harden critical infrastructure, secure supply chains, modernize federal systems, and ensure that the public and private sectors can recover quickly when disruption occurs. That resilience emphasis is especially important and is the right frame.
Resilience is not the consolation prize for failing to stop every intrusion. It is a strategic asset in its own right. A country that can absorb shocks, reconstitute essential services, and continue operating under pressure is harder to coerce. In an era when adversaries target water systems, hospitals, telecom networks, logistics platforms, and industrial control systems, recovery capacity is part of deterrence.
The strategy is also correct to foreground offensive cyber power. Its first pillar, “Shape Adversary Behavior,” makes the core point plainly: American citizens, firms, and allies should not be left to fend for themselves against state-backed operators, criminal syndicates, and proxy actors. The United States should use offensive and defensive cyber operations alongside law enforcement, sanctions, and other instruments of national power to impose costs and disrupt campaigns before they mature.
That instinct is also sound. Cybersecurity has suffered for too long from the fiction that defense is a self-contained technical exercise. Cyber conflict is a contest of misdirection, strategic patience, and political will. The strategy at least recognizes that the United States should actively contest hostile actors, not passively react to them.
…Clashes with Reality
A cyber strategy built on resilience and operational partnership requires state capacity and a robust coordination process to successfully implement it. The strategy requires institutions that can coordinate before crisis, broker trusted information during crisis, and help restore functions after crisis. Yet this administration has spent much of the past year degrading that connective tissue. It has cut the Cybersecurity and Infrastructure Security Agency’s workforce by roughly one third, which includes cuts of nearly $500 million and more than 1,000 positions in the 2026 budget and more than $700 million of additional proposed cuts in 2027. Lawmakers from both parties raised concerns about whether the agency could still meet mission demands under those conditions.
The cuts were not limited to headcount. The administration also moved against cyber support mechanisms used by individual states and local authorities. It halted funding for major information-sharing initiatives run through the Center for Internet Security, including the Elections Infrastructure Information Sharing and Analysis Center and the Multi-State Information Sharing and Analysis Center, both of which had provided actionable cyber threat support to states, localities, and election officials. The cuts forced state officials to scramble to replace cybersecurity services once provided by the Cybersecurity and Infrastructure Security Agency and other federal entities. That is no small issue — it strikes directly at the shared situational awareness and distributed recovery capacity that resilience depends on.
This contradiction matters. If the administration genuinely believes resilience is central, then cutting away the federal institutions that support resilience is misguided. It is strategic incoherence. To be clear, the Cybersecurity and Infrastructure Security Agency is not above criticism. It has had mission sprawl problems and sometimes overextended itself. It can and should be reorganized, narrowed, and sharpened. But resilience does not happen by slogan. It requires operational infrastructure: planners, liaisons, analysts, exercises, restoration frameworks, trusted channels to industry, and support mechanisms for states and localities that do not have well-resourced and trained Fortune 500 cybersecurity teams. Hollowing out those functions while praising resilience is like celebrating civil defense while shutting down the emergency operations center.
The administration’s preference is for the private sector to fill the void. That line reflects a familiar instinct: not to build public capacity, but to set incentives and expect the market to supply it. We have made versions of this argument before about transformers, supply chains, and infrastructure resilience. The pattern is the same. Private firms are indispensable, but when the federal government treats a core national security function as something the market will solve, it usually gets fragmented effort instead of durable capacity. That is the context for what follows.
Here Trump’s cyber strategy becomes both most interesting and most concerning. It says the United States will “unleash the private sector by creating incentives to identify and disrupt adversary networks and scale our national capabilities.” Read straightforwardly, it points toward a far more activist role for private firms in cyber defense and perhaps even cyber disruption. Read bluntly, it resembles a cyber letters-of-marque proposition: the state encouraging private actors to conduct or support the disruption of hostile digital infrastructure in ways that blur the line between contractor, auxiliary, and quasi-sovereign operator.
There is real strategic promise in that idea, if done right. The private sector often has the talent, telemetry, infrastructure visibility, and speed that government tends to lack. Security firms already map botnets, trace ransomware ecosystems, support takedowns, notify victims, and work with the government on disruption operations. Cloud providers, telecom firms, financial intermediaries, insurers, and incident response companies all sit on vantage points the state cannot replicate. In a world of distributed infrastructure and rapid adversary adaptation, the United States cannot rely on a government-centric model. The strategy is correct in seeking a more mobilized conception of national cyber power.
But the letters-of-marque analogy is risky. Privateering historically gave states cheap, deniable coercive capacity. It also created profound accountability problems, warped incentives, and frequent divergence between private profit and public purpose. The cyber version would carry similar risks. A firm rewarded for disruption could overreach technically, legally, or geographically. It could misidentify infrastructure. In a domain already defined by its attribution challenges, it could impose collateral costs on innocent third parties. It could privilege commercially visible targets over strategically meaningful ones. It could create a fragmented ecosystem of state-adjacent cyber coercion that the United States would condemn if practiced by its adversaries.
That does not mean the instinct is wrong. It means the model needs more structure and guardrails.
Recommendations
To actually unleash the private sector in an effective and responsible way, Washington would need to start by treating resilience, not retaliation, as the first mission. The United States needs a structured public-private cyber auxiliary oriented around continuity of national functions. That means pre-negotiated surge arrangements, sector-specific mutual support compacts, restoration playbooks, reserve pools of technical talent, and exercises that prepare firms and governments to keep essential systems running under sustained cyber pressure. Think less freelance counter-hacking, more digital civil defense. The strategy already points toward rapid recovery as a national imperative. This is how to make that principle real.
Second, any privately enabled disruption should operate under explicit authorization, not ambient political encouragement. No firm should be improvising “active defense” on its own reading of presidential intent. If Washington wants companies to do more than share indicators and support victim response, it should establish a clear deputization framework: mission categories, approved authorities, target validation standards, liability boundaries, technical restrictions, escalation controls, and real-time supervision. The model should resemble a tightly governed reserve component, not a market for cyber vigilantism.
Third, Congress should impose mandatory oversight. A serious public-private disruption model needs reporting requirements, inspector general review, and after-action mechanisms for significant operations. It also requires doctrinal clarity. Resilience support, intelligence enrichment, takedown assistance, threat hunting, and offensive disruption are different activities. The administration should say so explicitly. If it collapses them into one vague concept of “unleashing” private actors, confusion and abuse will follow.
Fourth, Washington should align incentives with national priorities instead of market visibility. If it wants private cyber power to serve the national interest, it should channel that energy toward strategically decisive terrain: energy systems, water utilities, logistics networks, cloud concentration points, defense industrial dependencies, and state and local recovery capacity. Private actors will not naturally optimize to enhance national resilience — they will optimize for legal exposure, customer demand, and profit. That is rational private actor behavior, and highlights why strategic direction and real financial incentives in the form of grants from government remain indispensable.
Fifth, and most basically, the administration should stop cutting the state capacity required to make this work. A private-sector-heavy cyber strategy without competent federal coordination is not innovation, it is abdication. If the Cybersecurity and Infrastructure Security Agency needs reform, reform it, but in a way that doesn’t undermine the strategy. If some programs have drifted, narrow them. But if the administration wants a resilience-centered strategy built on public-private operational partnership, it needs institutions that can integrate intelligence, convene operators, support states, and help orchestrate national response. Otherwise “unleash the private sector” means offloading government responsibility onto actors who were never designed to bear it alone.
Conclusion
The long-run opportunity here is real. The United States does need a more ambitious cyber posture. It does need to think beyond compliance regimes and toward campaign pressure, continuity, and recovery. It does need a better model for mobilizing private talent and infrastructure to advance national security objectives. In that sense, Trump’s strategy is directionally right. Its emphasis on resilience is useful. Its embrace of offensive cyber is overdue. Its intuition that national cyber power extends beyond government networks is correct.
But real action and the resources for implementation will decide whether this strategy becomes durable doctrine or just another glossy pamphlet masking institutional decay. Resilience is not cheap. It is not automatic. It requires planners, operators, trusted relationships, exercises, authorities, and political discipline. Private capacity can strengthen that system. It cannot substitute for it.
The administration’s challenge, then, is not whether to unleash the private sector — it is how. Executed poorly, this becomes cyber privateering by another name: flashy, deniable, and strategically sloppy. Done well, it could help build something the United States badly needs — a more resilient national cyber posture in which public institutions set direction, private actors bring speed and ingenuity, and both are organized around continuity, recovery, and purposeful disruption. That will take real guardrails, real oversight, and real strategic intent. It will also take more state capacity than the administration has so far seemed willing to preserve.
That is the paradox at the center of the new strategy. It is right in many of its instincts. But if the White House actually wants the cyber future it describes, it will have to stop weakening the very machinery required to build it.
Jesse Humpal is a U.S. Air Force officer.
Alexander Noyes is a fellow at the Brookings Institution, a visiting scholar at Penn Washington, and co-author of War at Arm’s Length: How America Can Build Effective Partners Through Military Assistance (forthcoming).
Emily Valentine is a U.S. Air Force cyber officer.
The views expressed are those of the authors alone and do not necessarily reflect the official policy or position of the U.S. Air Force Academy, the U.S. Air Force, the Department of Defense, or the U.S. government.
Image: Petty Officer 1st Class Samuel Souvannason via DVIDS
