Trump's Cyber Strategy Promises Offense—But Gutted the Agency That Plays Defense

The Executive Order on Cybercrime

Signed alongside the strategy, the executive order directs the Attorney General to prioritize prosecutions of cyber enabled fraud and scam schemes. It orders federal agencies to review what operational, technical, diplomatic, and regulatory tools could be improved to combat transnational criminal organizations engaged in cyber crime.

The order also recommends establishing a Victims Restoration Program to reimburse fraud victims with seized funds. It takes specific aim at cryptocurrency enabled crimes and calls for DHS to improve training on countering cyber enabled extortion.

The Defense Gap Nobody Can Ignore

Here is where the strategy's ambitions collide with reality. The Cybersecurity and Infrastructure Security Agency, the federal government's primary civilian cyber defense body, has lost approximately one third of its workforce since early 2025. Out of roughly 3,732 full time employees, about 1,083 positions are slated for elimination under the FY2026 budget proposal, leaving just 2,649 staff. By December 2025, departures had already reduced the agency to roughly 2,400 people.

The cuts did not land randomly. The Election Security Program, which employed 14 staff members with a $39.6 million annual budget, was eliminated entirely. Fifty nine regional operations positions were cut. The Chemical Security Anti Terrorism Standards program lost 178 positions. And the proposed budget slashes nearly $500 million from CISA's overall funding while eliminating its National Risk Management Centre.

An analysis by the Bloomsbury Intelligence and Security Institute put it bluntly: "The gap between this rhetoric and the state of the civilian cyber defence apparatus is stark."

The Surveillance Contradiction

The strategy pledges to "counter the spread of the surveillance state" and authoritarian technologies. Multiple analysts have noted that this language sits uncomfortably alongside domestic surveillance concerns under the same administration. The tension is not academic. America's credibility in cyber diplomacy depends on practicing what it preaches, and that credibility has taken visible hits.

CISA itself became part of the story when its acting director was reassigned after uploading sensitive files to ChatGPT. The agency operated without Senate confirmed leadership at the time of the strategy's release.

Salt Typhoon Is Still Inside

The strategy was released against the backdrop of an unresolved crisis. The Salt Typhoon campaign, a Chinese espionage operation that breached at least nine major US telecommunications companies, has not been fully remediated. The intrusions exploited basic cybersecurity failures at the telecom providers, and the administration's own FCC rescinded cybersecurity rules for those same companies in November 2025.

Meanwhile, the finalization of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which would require mandatory breach reporting from critical sectors, has been delayed from October 2025 to May 2026. The result is a regulatory vacuum at exactly the moment the strategy calls for stronger infrastructure defense.

Offense Without Guardrails

The strategy treats espionage and preparation for destructive attacks under a single offensive mandate. Analysts warn this is a dangerous oversimplification. Espionage, conducted by all major powers including the United States, is extraordinarily difficult to deter. Preparation for destructive attacks represents a different deterrence calculus entirely.

The strategy also calls for "unleashing the private sector" to identify and disrupt adversary networks but leaves unanswered the questions of corporate liability, rules of engagement, and coordination with government operations. Without clear legal frameworks, companies face the risk of either triggering international incidents or doing nothing at all.

What the Critics Are Saying

Rep. Bennie Thompson, the ranking Democrat on the House Homeland Security Committee, called the strategy "impressively underachieving" and criticized its "vague platitudes" and "lack of basic blueprint." He pointed to the contradiction between the document's stated goals and the administration's actual record on cyber workforce and funding.

The Bloomsbury Institute's assessment projects that "a significant cyber incident targeting US critical infrastructure will expose the gap between the strategy's ambitions and diminished response capacity." Over the long term, unless defensive investment is restored, "the US is highly likely to face an increasingly asymmetric posture where offensive capability outpaces defensive resilience."

What This Means for You

A strong national cybersecurity posture protects everyone, from the government agencies managing your data to the telecom companies carrying your calls and the financial institutions holding your money. When the federal agency responsible for coordinating that defense loses a third of its staff, the effects ripple outward. Mandatory breach reporting gets delayed. Telecommunications companies operate without enforceable security requirements. Critical infrastructure becomes harder to defend.

The strategy asks you to trust that offense is the best defense. History suggests otherwise. In cybersecurity, the attacker only needs to succeed once. The defender needs to succeed every time. And right now, the defense bench is getting shorter.