The New Cyber Doctrine of the United States: The Trump Administration Issues Cyber Strategy and Executive Order Targeting Cybercrime
On March 6, 2026, the Trump Administration released President Trump’s Cyber Strategy for America, and an Executive Order targeting cyber-enabled crime, fraud, and predatory schemes. Together these documents do more than merely outline the Administration’s response to cyber threats; they articulate a new cyber doctrine centered on imposing costs on adversaries and mobilizing both government and private-sector capabilities at scale.
The Strategy is just that: a codification of the Administration’s overarching cyber strategy—reflecting the Administration’s action orientation and priorities. The Strategy advances a whole-of-government and whole-of-society approach to cybersecurity. It prioritizes enhancing systems critical to the nation’s defense and welfare, and training the people needed to build, maintain, and secure them. And it envisions cyberspace not merely as infrastructure to be defended, but as its own strategic domain in which the United States intends to outcompete and impose consequences on adversaries.
The Strategy reflects a significant mindset shift from a posture centered on risk management and sectoral agency-based regulation toward a doctrine of risk imposition for “adversaries who seek to harm us” and securing and sustaining technological superiority in certain key technologies. It is organized around six “Pillars of Action”: (1) Shape Adversary Behavior, (2) Promote Common Sense Regulation, (3) Modernize and Secure Federal Government Networks, (4) Secure Critical Infrastructure, (5) Sustain Superiority in Critical and Emerging Technologies, and (6) Build Talent and Capacity.
The Executive Order continues the Administration’s implementation of its cyber doctrine as reflected in the Strategy and serves as the first tactical articulation of the means the Administration will use to advance the Strategy going forward.
Pillar 1 – Shape Adversary Behavior
Pillar 1 is the Strategy’s most operationally distinctive feature. Under this Pillar, the U.S. Government commits to “detect[ing], confront[ing], and defeat[ing] cyber adversaries”—including nation-state and criminal actors—by identifying and disrupting adversary networks and by deploying “the full suite of U.S. government defensive and offensive cyber operations.” Pillar 1 commits to using “all instruments of national power” to raise adversary costs and builds on the Strategy’s statements that the U.S. Government will “address threats in cyberspace directly” and will “not confine [its] responses to the ‘cyber’ realm.” As stated by U.S. National Cyber Director Sean Cairncross in his remarks at USTelecom’s Cybersecurity Innovation Forum on March 9, 2026, the Administration “is making very clear that if you seek to harm Americans or you seek to harm America’s interests, you will face an American consequence, and the same is true in cyberspace.”
Critically for industry, Pillar 1 underscores that securing U.S. cyberspace requires more than federal action; it depends on sustained, active participation by private actors. In it, the Administration pushes to “unleash the private sector by creating incentives to identify and disrupt adversary networks and scale our national capabilities.” This language signals support for enabling capable private actors to act and reflects a reality that most of America’s cyber critical infrastructure is owned, managed, and controlled by the private sector, which has unique technical insight into the infrastructure, platforms, and payment rails on which America operates. This degree of government collaboration with and provision of resources to scale private sector capabilities has the potential to fundamentally shift the cybersecurity landscape—unlocking intelligence and capabilities that offer new avenues for responding to, and possibly preempting, attacks.
Indeed, Director Cairncross emphasized partnership with the U.S. private sector and recognized that American companies “are on the front lines of this fight” and that “our critical infrastructure by design is defended by the private sector.” But, he said, the United States government is “coming to [the] table and saying, ‘We are ready to do our part––we are ready to protect this domain from foreign adversaries and criminals.’” He said that the Administration is expecting the private sector, in return, “to do [its] part in really securing our systems.”
Public-private collaboration in identifying and disrupting adversary networks is not itself new, of course. A small number of private-sector firms already have demonstrated what judicially supervised, legally structured disruption can look like when paired with strong technical execution. For example, in January 2026, Google implemented a legal and technical approach to disrupting the IPIDEA residential proxy network. More broadly, technology and security companies, including Microsoft, Cloudflare, CrowdStrike, Cisco, Meta, and Zscaler,[1] have participated in similar operations and other infrastructure disruption campaigns, sometimes alongside government partners. What is new is the Strategy’s call for the use of “all instruments of national power” and the “full suite” of U.S. government operations to counter and impose costs on adversaries.
Pillar 1 goes beyond simply endorsing traditional public-private cooperation measures. By expressly calling for “incentives” to “scale our national capabilities” through the private sector, Pillar 1 reflects a strategic shift from episodic, private sector-led tactical successes to a sustained, scaled public-private effort capable of producing strategic impact. This is reflected in Director Cairncross’s statements that the Administration will be gathering CEOs across critical sectors “to make sure that we make clear that industry has a role to play” and “need[s] to dedicate some real resources” and that the Administration “need[s] to make our priorities clearer [to the private sector].” In particular, he highlighted better sharing of actionable information by the government and the launch of a series of pilot programs––both on the critical infrastructure side and the federal government side––to make sure new technology and solutions can be deployed much more quickly than in the past and at a cost and an ability to scale that meet the threat. It is further reflected in the appropriation of $1,000,000,000 to the Secretary of Defense for “offensive cyber operations” as part of efforts to “improve capabilities of United States Indo-Pacific Command.”[2] As these incentives are developed and implemented in future executive action, the potential scale of the collective public-private response to adversaries is immense.
Perhaps just as important as what the Strategy says in Pillar 1 is what it does not say. Although certain commentators have misinterpreted this point, the Strategy does not authorize or encourage private companies and/or individuals to “hack back.” No executive order, no regulation, and no published guidance has been issued that directs or authorizes private company “hack backs.” But as certain companies have already shown, the private sector can make meaningful contributions toward imposing consequences through operational and infrastructure disruption efforts that are lawful under existing authorities.
Finally, Pillar 1’s plan to confront adversaries recognizes the need for coordination with allies and fellow democracies. The Strategy recognizes that successfully defending cyberspace is not solely the responsibility of the United States and articulates the need for shared responsibility and burden sharing. It notes that “defending cyberspace and safeguarding freedom is a collective effort” and “the distribution of cost and responsibility must be fair across the U.S. and allies who share our democratic values.” The United States and its allies “will work together to create real risk for adversaries who seek to harm us and impose consequences on those who do act against us.”
Cooperation to address adversary conduct in cyberspace is not new. What is notable is the Strategy’s emphasis on burden sharing and coordinated action as an organizing principle. As a practical matter, that framing suggests allies and close partners, including Five Eyes partners, NATO allies, and like-minded democracies such as Japan, should anticipate requests for deeper operational coordination and alignment of diplomatic, law-enforcement, economic, and military efforts in support of cyber objectives.
Pillar 2 – Promote Common Sense Regulation
Pillar 2 is the Strategy’s most direct statement of the Administration’s view that cybersecurity regulation should advance operational readiness rather than compliance formalism. The Strategy states that “[c]yber defense should not be reduced to a costly checklist that delays preparedness, action, and response.” Consistent with that premise, the Strategy notes that cybersecurity regulations will be streamlined “to reduce compliance burdens, address liability, and better align regulators and industry globally,” and “to ensure that the private sector has the agility necessary to keep pace with rapidly evolving threats.”
In practical terms, Pillar 2 is likely to shape the Administration’s approach to forthcoming final rules that implement statutory cybersecurity obligations, particularly where multiple regimes impose overlapping requirements, while preserving targeted regulatory authorities where they directly advance national security objectives.[3] For example, Director Cairncross emphasized at the Forum the need to ensure that incident reporting makes sense to industry and is not overly burdensome, and to create the space for industry to react to incidents. That position is reflected in the Administration’s approach under the Unified Agenda of Federal Regulatory and Deregulatory Actions.[4]
At the same time, Pillar 2 makes clear that “common sense regulation” is not synonymous with total deregulation. The Strategy expressly couples streamlining requirements with a separate commitment to “emphasize the right to privacy for Americans and American data.” In that respect, Pillar 2 signals that the Administration will tolerate, and may affirmatively impose, heightened regulatory requirements and compliance burdens where doing so helps to combat and erode adversaries’ capacity and capabilities. In particular, a key focus of the Administration to date has been limiting foreign-adversary access to sensitive U.S. personal data and government-related data. Some such burdens were imposed early in the administration through the Department of Justice’s Data Security Program Rule.[5] The same orientation is reinforced by the Federal Trade Commission’s February 2026 warning letters to data brokers regarding statutory compliance obligations under the Protecting Americans’ Data from Foreign Adversaries Act of 2024.
Pillar 3 – Modernize and Secure Federal Government Networks
Pillar 3 addresses the structural vulnerability of federal information systems—due to legacy infrastructure, fragmented procurement, and inconsistent security baselines—through a modernization agenda. The Strategy commits the Administration to “implement[ing] cybersecurity best practices, post-quantum cryptography, zero-trust architecture, and cloud transition” across federal information systems, “adopt[ing] AI-powered cybersecurity solutions to defend federal networks and deter intrusions at scale,” and “remov[ing] barriers to entry so that the government can buy and use the best technology.”
These commitments align with, and in several respects build on, pre-Strategy Trump Administration executive direction. For example, a number of the Administration’s Executive Orders track these modernization themes, including Executive Order 14144’s direction regarding the provision to CISA of access to agency endpoint detection and response (EDR) telemetry and related cloud-security initiatives and Executive Order 14306’s emphasis on post-quantum cryptography and AI-enabled cyber defense.
Pillar 4 – Secure Critical Infrastructure
Pillar 4 commits the Administration to “identify[ing], prioritiz[ing], and harden[ing] America’s critical infrastructure and secur[ing] its supply chains”; “mov[ing] away from adversary vendors and products, promoting and employing U.S. technologies;” and ensuring that state, local, Tribal, and territorial authorities serve as a “complement to—not a substitute for—our national cybersecurity efforts.” These commitments again align with and build on pre-Strategy executive direction, including a recent proposed rule from the Federal Acquisition Regulatory Council to implement portions of the James M. Inhofe National Defense Authorization Act for Fiscal Year 2023 prohibiting executive agencies from procuring or obtaining covered semiconductor products or services.
Pillar 5 – Sustain Superiority in Critical and Emerging Technologies
Pillar 5 highlights the United States’ history of superiority in critical and emerging technologies, while previewing how the Administration intends to maintain such superiority. To do so, the Strategy commits to “build[ing] secure technologies and supply chains that protect user privacy,” including through “supporting the security of cryptocurrencies and blockchain technologies” and “promoting the adoption of post-quantum cryptography and secure quantum computing.”
The Pillar also focuses on the importance of “secur[ing] the AI technology stack” and “promot[ing] innovation in AI security.” Here, the Strategy pledges to leverage “AI-enabled cyber tools to detect, divert, and deceive threat actors” and “adopt and promote agentic AI in ways that securely scale network defense and disruption.” Continuing earlier themes, the Pillar signals the use of cyber diplomacy as a mechanism for ensuring AI innovation and global stability and emphasizes the Administration’s plan to “frustrate the spread of foreign AI platforms that censor, surveil, and mislead their users.” It also builds upon America’s AI Action Plan and the Administration’s recent AI Executive Order in “promot[ing] United States national and economic security and dominance across many domains” through streamlining AI regulation, investing in AI research and deployment, building AI infrastructure, and employing diplomatic, economic, and legal mechanisms to contain adversaries and work with allies.
Pillar 6 – Build Talent and Capacity
Workforce capacity has long been recognized as one of the principal structural constraints on U.S. cyber capability, and Pillar 6 seeks to address this by advancing the strategic asset of America’s cyber workforce. The Strategy recognizes the necessity of a “pipeline that develops and shares talent” while acknowledging the “existing avenues within academia, vocational and technical schools, corporations and venture capital opportunities” that can be leveraged. Director Cairncross discussed at the Forum ongoing efforts to develop a cyber academy to knit together existing cyber programs in government, a foundry to scale and deploy new innovation with private capital, and an accelerator to ramp up and scale pre-seed financing and procurement. The Strategy further pledges to “eliminate roadblocks” that limit stakeholders—such as industry, the government, and the military—from “building a highly skilled cyber workforce.”
The EO and Looking Ahead
Turning certain of the Strategy’s Pillars into tactical action, the Administration also announced an Executive Order to combat cybercrime, fraud, and predatory schemes. Consistent with the Strategy, the Order emphasizes a policy to counter such schemes “with a commensurate response that includes law enforcement, diplomacy, and potential offensive actions” and provide additional support to victims and those most at risk. To do so, the Order directs a review of “operational, technical, diplomatic, and regulatory frameworks” that can be used to combat the transnational criminal organizations (“TCOs”) perpetrating such schemes. It also addresses cybersecurity partnership with domestic and foreign government actors and directs the Secretary of Homeland Security to leverage the National Coordination Center to “provide training, technical assistance, and resilience building” to state, local, Tribal, and territorial partners and, importantly, the Secretary of State to engage foreign governments to “demand enforcement actions against TCOs operating within their borders and greater cooperation with United States law enforcement.” Finally, the Order directs the Attorney General to continue prioritizing prosecutions of such schemes and to develop recommendations regarding the establishment of a Victims Restoration Program to facilitate the return of seized or forfeited funds.
This Executive Order is one important tactical action under the Strategy. We expect additional Executive Orders and other administrative actions in the near term that will begin translating the Strategy’s doctrine of risk imposition and operational collaboration into tactical policy mechanisms and actions.
[1] See, e.g., Angus Loten, Microsoft Helps Bust Global Hacking Service, Wall Street Journal (Mar. 4, 2026), https://www.wsj.com/articles/microsoft-helps-bust-global-hacking-service-2d1a4bbc; Partners, Operation Endgame, https://www.operation-endgame.com/partners; Meta, Adversarial Threat Report, Third Quarter (Nov. 2023), https://transparency.meta.com/sr/Q3-2023-Adversarial-threat-report.
[2] One Big Beautiful Bill Act, Pub. Law No. 119-21 § 20009, https://www.congress.gov/bill/119th-congress/house-bill/1/text.
[3] Such rules include the Cybersecurity and Infrastructure Security Agency’s proposed rules implementing the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA); the Department of Defense’s planned updates to DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting); and the Department of Health and Human Services’ proposed modifications to the HIPAA Security Rule “to strengthen the cybersecurity of electronic protected health information.”
[4] See generally Office of Information and Regulatory Affairs, Spring 2025 Unified Agenda of Regulatory and Deregulatory Actions, https://www.reginfo.gov/public/do/eAgendaMain.
[5] Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons, 90 Fed. Reg. 1636 (Jan. 8, 2025).
This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.

