Key Takeaways

• The newly announced “Cyber Strategy for America” (Cyber Strategy) marks an expansion and tonal shift from the previous National Cybersecurity Strategy, emphasizing a proactive stance against foreign adversaries and cybercrime through offensive operations and enhanced collaboration with the private sector.
• While the Cyber Strategy does not impose direct obligations on businesses, it signals an increasing market of government contracts for commercial cybersecurity firms, including via the recent appropriation of $1 billion from the One Big Beautiful Bill.
• The administration aims to simplify cyber regulations, potentially impacting compliance frameworks.

On March 6, 2026, the White House announced its long-anticipated “Cyber Strategy for America” (Cyber Strategy) along with an Executive Order (EO) addressing cybercrime. The Cyber Strategy is the successor document to the 2023 National Cybersecurity Strategy issued by President Biden.

National Cyber Strategy

As previously indicated by National Cyber Director Sean Cairncross, the Cyber Strategy is a high-level policy document that does not include legal or operational details. It outlines “Six Policy Pillars” that will guide the Trump administration’s implementation of cybersecurity policy, with a noted focus on assertively confronting and disrupting U.S. adversaries.

Pillar One: Shape Adversary Behavior. The administration “will deploy the full suite of … government defensive and offensive cyber operations” to defend against “military, intelligence, and criminal adversaries.” It will “counter the spread of the surveillance state and authoritarian technologies,” as well as cybercrime and intellectual property theft through aggressive actions to deny cybercriminals a “financial exit” and safe haven. It calls for a collective effort with a “fair” allocation of “cost and responsibility” by the U.S. and its allies. It also promises to “unleash the private sector by creating incentives to identify and disrupt adversary networks.”

• The potential involvement of the private sector and the prospect of “offensive” cyber operations have been talked about by administration officials for months and are expected to be a point of emphasis going forward. The administration has not provided any clarity on how the private sector will be engaged, but it appears likely that commercial cybersecurity firms and defense contractors will eventually have opportunities to support offensive operations.

Pillar Two: Promote “Common Sense” Cybersecurity Regulation. The administration will work to “streamline cyber regulations to reduce compliance burdens, address liability, and better align regulators and industry globally.” However, the administration also promises to “emphasize the right to privacy for Americans and American data.”

• The need to “streamline” regulations has been a common talking point for administration officials and members of Congress. While the Cyber Strategy does not call out any particular regulations, National Cyber Director Sean Cairncross has mentioned potentially reviewing the U.S. Security and Exchange Commission’s 2023 cyber incident disclosure rules, and Cybersecurity and Infrastructure Security Agency’s (CISA’s) proposed rules under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) have already been delayed for consolidation of additional public input.

Pillar Three: Modernize and Secure Federal Government Networks. The administration will work to secure government networks by implementing post-quantum cryptography, zero-trust architecture, and AI-powered cybersecurity solutions. It will modernize procurement and “remove barriers to entry” so that the government can buy the best technology.

Pillar Four: Secure Critical Infrastructure. The administration will harden critical infrastructure and secure its supply chain by moving away from “adversary vendors and products” and “promoting and employing U.S. technologies.” It promises to work with state, local, Tribal, and territorial governments as a complement to, and “not a substitute for,” national efforts.

Pillar Five: Sustain Superiority in Critical and Emerging Technologies. The administration will “secure the AI technology stack—including our data centers—and promote innovation in AI security,” by implementing AI-enabled cyber tools, promoting agentic AI, and by challenging the spread of “foreign AI platforms that censor, surveil, and mislead their users.” The administration will also promote “secure technologies and supply chains,” including by supporting the security of cryptocurrencies and blockchain technologies, as well as post-quantum cryptography and secure quantum computing.

Pillar Six: Build Cyber Workforce Talent and Capacity. The administration will work to “eliminate roadblocks that prevent industry, academia, government, and the military from aligning incentives and building a highly skilled cyber workforce.”

EO: Combating Cyber-Enabled Crime

The Cyber Strategy was published along with EO 14390, “Combating Cybercrime, Fraud, and Predatory Schemes Against American Citizens.”

EO 14390 directs the Secretaries of Homeland Security, War, and State, as well as the Attorney General, in coordination with the Officer of the National Cyber Director and the Assistant to the President and Homeland Security Advisor, to take a range of actions to combat cyber-enabled crimes associated with Transnational Criminal Organizations (TCOs), including:

• Establishing an “operational cell” within the National Coordination Center (NCC) to lead “efforts to detect, disrupt, dismantle, and deter—including by involving the private sector as appropriate—cyber-enabled criminal activity” conducted by foreign TCOs.
• Identifying how the U.S. Departments of Justice, Homeland Security, and War can use “relevant technical capabilities, threat intelligence, and operational insights from commercial cybersecurity firms and other non-Federal entities.”
• Making recommendations to ensure that victims of cyber-enabled crimes benefit from funds that are clawed back, forfeited, or seized from the responsible TCOs.
• Engaging with foreign governments to “demand” enforcement actions against TCOs and greater cooperation with U.S. law enforcement. If foreign nations tolerate TCOs, the Secretary of State shall take steps to impose “consequences,” including the application of targeted sanctions, visa restrictions, trade penalties, and the “expulsion from the United States of foreign officials and diplomats complicit in these schemes.”

Comparison with President Trump’s Previous National Cyber Strategy

The Cyber Strategy is consistent with recent Trump administration policy pronouncements, but it represents a marked departure from President Trump’s 2018 National Cyber Strategy (2018 Strategy). The 2018 Strategy was delivered as a 26-page document which addressed 42 distinct policy elements. The Cyber Strategy is shorter, contains sharper rhetoric, and, together with EO 14390, may reflect a more engaged White House.

The emphasis on foreign adversaries; the creation of an operational cell within the NCC; the direct involvement of both the National Cyber Director and the Assistant to the President and Homeland Security Advisor; the stated intent to “demand” cooperation from foreign governments; and the emphasis on offensive cyber operations—including by “unleashing the private sector”—are all consistent with an intention to provide additional resources for action against cybercrime and more active involvement by senior administration officials.

Takeaways for the Private Sector

The Cyber Strategy and EO 14390 do not impose any obligations on the private sector. However, together with the recent appropriation (in the One Big Beautiful Bill Act) of $1 billion for offensive cyber operations, it is likely that the federal government will expand its contracts with commercial cybersecurity companies and defense contractors to support offensive operations. Additionally, the Cyber Strategy and EO 14390 highlight the importance of public comments and other engagements with the federal rulemaking process, because the administration is likely to value private sector input as it seeks to “streamline” cyber-related regulations. Companies should continue to monitor for such opportunities, for example in CISA’s upcoming town halls to discuss the proposed CIRCIA regulations.

Please reach out to any member of Wilson Sonsini’s Data, Privacy, and Cybersecurity practice or Government Contracts practice, with any questions regarding the implications of the Cyber Strategy, EO 14390, or CISA’s proposed CIRCIA regulations.