America’s New Cyber Strategy: Offence, Deregulation, and the AI Stack
Offence. That’s the word that defines what the White House released on 6 March 2026. Not resilience, not defence, not cooperation. Offence.
It was also released quietly, with remarkably little fanfare, while Washington’s attention was fixed elsewhere: the expanding US-Israel conflict with Iran, which by then had already become the dominant strategic story of the week. The contrast matters. At the very moment the administration was consumed by live crisis management in the Middle East, it slipped out a seven-page cyber doctrine that says a great deal about how it intends to use power in the digital domain. The brevity is itself a signal: this is not a programme plan. It is a posture statement.
President Trump’s Cyber Strategy for America is seven pages long. The 2023 Biden strategy was thirty-nine. The 2018 Trump strategy was forty. The new document tells you what posture America intends to hold. It does not tell you, in any detail, how it intends to get there.
But doctrine matters, and for allies, this one carries implications that go well beyond the Washington Beltway.
What the strategy actually says
The core frame is explicit: the US will not confine its responses to the cyber realm. It will operate “swiftly, deliberately, and proactively” and will use the “full suite” of defensive and offensive cyber operations to defeat adversaries before they breach networks. That is deterrence language, but it is also escalation language, because it frames cross-domain responses as routine instruments of policy rather than last-resort tools.
Strip away the rhetoric, and you get six pillars. The first commits to shaping adversary behaviour through offensive and defensive operations, sanctions, criminal disruption, and, notably, by “unleashing the private sector” to identify and disrupt adversary networks. The second promises to streamline cyber and data regulation, rejecting what it calls the “costly checklist” model of compliance while gesturing toward liability reform. The third targets federal network modernisation: post-quantum cryptography, zero trust, cloud migration, and AI-powered defence. The fourth is critical infrastructure, naming energy, telecoms, financial services, data centres, water, and hospitals, with a pointed instruction to move away from “adversary vendors and products.” The fifth elevates emerging technology as strategic terrain, explicitly securitising the AI stack, supporting post-quantum transition, and calling for the rapid adoption of agentic AI for both defence and disruption. The sixth targets workforce and talent pipelines across academia, industry, and the military.
Accompanying the strategy on the same day was an executive order on cybercrime and transnational scam infrastructure, and two prior OMB memoranda that now form the implementation scaffolding: M-26-05 on risk-based software and hardware assurance (rescinding Biden-era supply-chain compliance memos), and M-25-26 on overhauling the Federal Acquisition Regulation. Together, they set concrete deadlines. A 60-day review of tools to combat transnational cybercrime is due around 5 May. A 90-day victim restoration recommendation is due around 4 June. A 120-day action plan for dismantling scam centre infrastructure falls on 4 July, a date that will not be lost on anyone.
The five things that matter more than the Moon landing dates
That last analogy is deliberate. As with the space executive order from December, the most consequential elements of this strategy are not the headline commitments. They are the governance moves buried in the language.
The first is the normalisation of cross-domain response. When a government strategy explicitly states that it will use “all instruments of national power” in response to cyber incidents, it shortens the crisis ladder. If states begin routinely treating cyber events as triggers for sanctions, diplomatic expulsions, or trade penalties, the problem of escalation management becomes significantly harder. Adversaries will not wait to see whether each incident crosses a new threshold. They will assume it does.
The second is the privatisation of disruption. The strategy does not just ask the industry to defend its own networks. It creates incentive structures for private operators to participate in identifying and dismantling adversary infrastructure. The executive order explicitly contemplates involving commercial cybersecurity firms in coordinated disruption operations. That raises questions the strategy does not answer: what constitutes lawful active defence, what oversight exists, and who carries liability when disruption creates collateral spillover. These are not hypothetical concerns. There are governance gaps that will be exploited by adversaries and by domestic actors if left undefined.
The third is the AI stack as a securitised national asset. The strategy's fifth pillar is industrial policy with a security badge pinned to it. Securing AI infrastructure from design to deployment, adopting agentic AI for defence and disruption, using cyber diplomacy to oppose foreign AI platforms framed as censorship tools: this is a declaration that the AI stack is now strategic terrain. For companies operating across the US and allied markets, supply-chain assurance for AI infrastructure is about to get more political, and to do so faster than most have planned.
The strategy does not mention Anthropic directly, but the recent Pentagon-Anthropic standoff helps explain the direction of travel. If Washington now sees the AI stack as strategic terrain, then frontier AI firms are no longer just vendors. They become quasi-national assets, and disagreements over military use stop looking like ordinary contract disputes and start looking like questions of national security policy.
The fourth is the deregulatory turn and its limits. Industry groups have broadly welcomed the streamlining posture, and the short-term appeal is obvious: fewer duplicative reporting requirements, faster procurement pathways, reduced compliance burden. But OMB’s M-26-05 does not remove assurance requirements. It shifts from a single mandated compliance form toward agency-specific risk-based models. The likely near-term outcome is more variation between agencies, not less friction overall. For allied firms selling into the US Government supply chain, the paperwork may lighten while the political scrutiny intensifies.
The fifth and final point is the free speech framing and its transatlantic fallout. The strategy explicitly positions freedom of speech as a stake in the cyber domain and frames the diffusion of foreign technology as embedded surveillance and censorship. That framing is designed to resonate domestically and to build political pressure in allied democracies. It will resonate with some audiences and alienate others. In Brussels, where platform governance is framed as accountability and safety rather than censorship, this language is not neutral. The transatlantic tension over digital regulation is already live. This strategy accelerates it.
What the comparisons reveal
The obvious comparison is with Biden's 2023 strategy, but the more revealing one is with the one from Trump's first term in 2018.
The 2018 strategy already framed deterrence and cost-imposition through non-cyber means as necessary responses to irresponsible behaviour. The 2026 strategy reiterates that, but goes further by normalising private-sector participation in disruption and by securitising the AI stack in ways that simply were not on the map eight years ago.
The shift from Biden is sharper on philosophy. The 2023 strategy aimed to reshape market forces, impose liability on software producers, and build mandatory security baselines. The 2026 strategy reads mandatory requirements as potential drag and centres agility and speed over baseline compliance. Both administrations wanted security. They disagree fundamentally on who bears the cost of getting there.
What China, Russia, and the EU will do
Beijing’s public response will likely frame the strategy’s offensive language and the characterisation of foreign platforms as destabilising. The PRC has already used adjacent contexts to portray the US as a troublemaker in cyberspace. Expect more of that in multilateral fora, combined with a reinforced push for cyber-sovereignty narratives and an aggressive counterintelligence posture. Supply-chain exclusion arguments will become more explicitly reciprocal.
Moscow will read the strategy as further evidence of American willingness to use cyber as statecraft and will use that in internet governance debates to argue for greater state control of global networks. If the US increases pressure on criminal and state-aligned infrastructure, Russia’s incentives to respond via proxies and influence operations below the threshold of armed conflict increase, because asymmetric disruption is cheaper than matching American industrial capacity.
The EU’s near-term reaction will be shaped less by the offensive elements and more by regulatory divergence. Brussels is implementing the Cyber Resilience Act, reinforcing the Cybersecurity Act framework, and has already signalled discomfort with US narratives that equate EU digital governance with censorship. Expect selective alignment on cybercrime and resilience, combined with quiet resistance to framing questions that directly touch on the Digital Services Act and the AI Act.
The UK is structurally closer to the US on threat assessment and telecoms de-risking. UK institutions will seek practical operational cooperation, shared intelligence, and alignment with standards. But the UK also has regulatory and assurance objectives that do not simply mirror the American deregulatory direction. The Global Coalition on Telecoms 6G security principles, launched with US partners in early March, shows where the alignment is strongest. The question is whether that alignment survives the wider friction.
What allies and industry should actually do
The most durable allied responses will probably not mirror the US posture. They will involve conscious choices about alignment, autonomy, and where shared governance remains non-negotiable.
A lot of this will start with procurement. The shift toward agency-specific risk-based assurance models is happening now. If you are a vendor in the US Government supply chain, the compliance paperwork may be simplified while exclusion decisions become faster and more politically driven. Contingency sourcing and careful management of component provenance become more strategically important in that environment, because the "move away from adversary vendors" signal is more likely to harden than to soften.
It's absolutely key to treat the AI stack as you would treat any critical infrastructure, because that is precisely how the US government now treats it. Data centres, model pipelines, and inference infrastructure are securitised assets in American doctrine. Supply-chain assurance for AI will tighten. If you have not started mapping your AI infrastructure dependencies, start now.
Get ahead of post-quantum. The strategy’s modernisation pillar is directionally clear. Post-quantum cryptography transition is a multi-year dependency programme, not a crypto refresh. Treat it accordingly, and do not wait for regulatory mandates to drive the planning.
Define your terms before operational integration becomes assumed. If the US wants allied participation in disruption operations, be explicit about the conditions: legal authority, oversight mechanisms, escalation control, and what happens when disruption creates collateral effects. The time to set those terms is before your threat intelligence pipeline becomes a node in someone else’s operational architecture.
Push for crisis stability mechanisms, not just norms statements. The Outer Space Treaty analogy applies here, too. There is no shortage of cyber principles. What is missing are practical safety rails: incident communication channels, attribution processes, and agreed behaviours for disruption operations. The 2026 strategy’s direction of travel makes those mechanisms more urgent, not less, because it expands both the geography and the tempo of potential friction.
The deeper question
Seven pages is an unusual choice for a national cyber strategy. It signals something. The Obama, Biden, and first-term Trump strategies all ran to forty pages or more, because they were trying to build cross-agency consensus and give departments something to implement. A seven-page document that says the implementation will follow through “downstream policy vehicles” is either the most confident strategy ever written, or a doctrine statement waiting for the machinery to catch up.
The honest answer is probably both. The posture is clear. America intends to be faster, more aggressive, and less constrained by compliance frameworks. The AI stack and quantum technologies are national security terrain. Private-sector disruption is a feature, not an edge case. Cross-domain retaliation is on the table as a routine tool.
What remains unspecified are the factors that will determine whether this posture holds: the resourcing levels that translate doctrine into capability, the governance model that makes private-sector disruption legally and operationally coherent, and the liability framework that clarifies who bears the cost when something goes wrong.
Those are not small gaps. They are the load-bearing uncertainties that will define whether the 2026 strategy is remembered as a turning point or a wish list.
Allies and industry cannot afford to wait for those answers. The doctrine is already shaping behaviour. The operational reality is being built through executive orders, OMB memos, bilateral arrangements, and procurement rules. If you want to shape the terms of integration rather than simply inherit them, the window is now. Not when the downstream policy vehicles arrive.
Because the cyber order is shifting, whether anyone else is ready or not.
References: President Trump’s Cyber Strategy for America (6 March 2026); Executive Order on Combating Cybercrime, Fraud, and Predatory Schemes Against American Citizens (6 March 2026); OMB M-26-05; OMB M-25-26; Biden National Cybersecurity Strategy (March 2023); Trump National Cyber Strategy (September 2018).