Trump’s Cyber Strategy Falls Short on China, Iran, and the Threats That Matter Most

Iranian cyber retaliation is escalating. Chinese operators remain embedded in U.S. infrastructure. Ransomware groups continue to disrupt hospitals, schools, and local governments. Trump’s recently released cyber strategy raises doubts the administration is prepared to address these threats.

Two officials at U.S. Cyber Command, headquartered in Fort George G. Meade, Maryland, examine a row of screens at their workplace. Josef Cole/U.S. Cyber Command

  • By Matthew Ferren
    International Affairs Fellow in National Security, sponsored by Janine and J. Tomilson Hill

Matthew Ferren is an international affairs fellow in national security, sponsored by Janine and J. Tomilson Hill, at the Council on Foreign Relations. His research examines China’s evolving cyber threat, U.S. defense policy, and international cyber cooperation.

The White House’s recently released cyber strategy is strikingly short, with just four pages of substance—roughly one-seventh the length of the Biden administration’s 2023 strategy. National Cyber Director Sean Cairncross has described it as a high-level statement of intent, with action items to come. But the brevity also reflects a fraying cyber apparatus that is, at best, still finding its footing and, at worst, suffering from institutional neglect.

This strategy arrives at a precarious moment. The United States faces longstanding and intensifying cyber threats—from Chinese espionage and pre-positioning on critical infrastructure to ransomware campaigns that disrupt essential services—that demand sustained attention and investment. The president’s war of choice with Iran adds new urgency. Tehran-linked groups are already threatening cyberattacks on U.S. networks, and the White House’s ability to coordinate national cyber defenses will face an immediate test.

Yet the administration’s surface-level treatment of these challenges casts doubt on how seriously it takes cyber threats, and whether it has the capacity to address them. Key cyber leadership posts remain vacant, and the agencies responsible for implementation have been disrupted by budget cuts and personnel turnover.

Trump’s vision for cyberspace misses the threat landscape

For Trump, cyberspace is a hostile, militarized domain in which U.S. power is unmatched. Cyber threats, while numerous, could be dealt with relatively easily if only policymakers were willing to unleash U.S. capabilities. This vision informs a strategy that privileges offense over defense, prizes visible displays of capability over sustained institutional reform, and treats the private sector primarily as a source of energy to be unleashed rather than a source of systemic risk to be managed. Through a more muscular posture, “American power will finally stand up in cyberspace.”

Despite the combative tone, Trump’s cyber strategy says little about the threat landscape. Cybercrime is the only threat discussed with any specificity; China, Iran, North Korea, and Russia go unmentioned. The National Cyber Director is statutorily required to report annually to Congress on cybersecurity threats facing the United States—an obligation the administration does not appear to have met. Detailed threat assessments belong in such reports, not necessarily in a strategy document. More concerning is that its priorities do not appear to reflect the severity of the threat picture.

The omission of China is particularly striking. The 2025 Annual Threat Assessment identified China as the “most active and persistent cyber threat” to U.S. networks, a characterization underscored by the PRC’s Salt Typhoon and Volt Typhoon campaigns. The strategy’s claim that “the United States has capabilities that the rest of the world can only begin to imagine” does not reflect the reality that China has emerged as a peer competitor in cyberspace.

More broadly, the United States’ growing use of military force abroad—in Venezuela, Iran, and potentially elsewhere—is likely to generate new cyber threats. Adversaries that cannot match U.S. conventional power have strong incentives to retaliate asymmetrically through cyberspace. Since Operation Epic Fury began, Iranian state-aligned hackers have reportedly compromised U.S. critical infrastructure, and the FBI and NSA have warned that Iranian-affiliated cyber actors may target U.S. financial services networks. The president’s cyber strategy does not grapple with how the administration’s military adventurism will further accelerate the threats facing U.S. networks.

Offense and the demands on U.S. cyber forces

The lead pillar of this year’s cyber strategy calls for deploying “the full suite of U.S. government defensive and offensive cyber operations” to defeat adversary threats before they reach U.S. networks. I have argued previously that an offense-first approach will not substantially diminish the threat from capable nation-states like China. But this new strategy also raises concerns about whether the government has the capacity to execute its more aggressive vision.

The emphasis on offense arrives as U.S. cyber forces face growing demand to support military operations in Iran and elsewhere. These combat support missions should be the top priority for U.S. Cyber Command, but they may limit its capacity to perform counter-cyber missions in defense of domestic critical infrastructure. The command has struggled to generate sufficient forces for its current mission set, prompting calls for the creation of a cyber force. The command also went without a Senate-confirmed leader for nearly a year, and is now led by Gen. Joshua Rudd, a career special operations officer with no direct cyber experience. Whether Cyber Command can simultaneously support a war and accelerate the standalone disruption campaigns the strategy envisions is far from certain.

Lieutenant General Joshua M. Rudd testifies during a Senate Committee on Intelligence hearing to examine Rudd’s nomination to be Director of the National Security Agency on Capitol Hill in Washington DC on Thursday January 29, 2026. Demetrius Freeman/Getty Images

As the United States ramps up offensive operations and integrates cyber effects into military campaigns, it will also need allied cooperation for access, coordination, and deconfliction. This strategy does not offer a framework for any of these activities, and the administration’s broader approach to alliances has not created the reservoir of goodwill such cooperation requires. Trump’s cyber strategy states that “the distribution of cost and responsibility must be fair across the U.S. and allies who share our democratic values.” However, it does not describe what burden-sharing looks like in cyberspace.

Nor does the administration appear to be investing in the diplomatic infrastructure needed to pursue these goals. The State Department’s Bureau of Cyberspace and Digital Policy—created in 2022 to consolidate U.S. cyber diplomacy—has been dismantled. Its component offices were scattered across the department, nearly a dozen staffers were fired, and the ambassador-at-large position remains vacant. CISA’s international affairs offices were also cut.

Can the private sector step up?

The administration’s cyber strategy promises to “unleash the private sector by creating incentives to identify and disrupt adversary networks and scale our national capabilities.” But the private sector’s role remains largely undefined. The mention of incentives suggests a hands-off model that compounds already formidable legal, coordination, and accountability challenges. No public framework exists for targeting, deconfliction, or oversight of private offensive cyber operations. If the administration is developing one quietly with a small number of preferred firms, that raises its own concerns about transparency and the risk that an offensive cyber program built on opaque relationships becomes a vehicle for rewarding political allies rather than advancing national security. The White House also likely overestimates the appetite companies will have for this work. Firms that participate in operations against nation-state adversaries could become targets of retaliation and foreign legal liability, and the pool of willing participants at meaningful scale may be smaller than the administration expects.

This year’s cyber strategy is also enthusiastic about using artificial intelligence as a force multiplier, calling for the rapid adoption of agentic AI for network defense and disruption. This enthusiasm is bipartisan. Former Biden administration officials have called for AI-based “digital twins” to enable threat hunting and AI-driven vulnerability discovery and patching. These tools may very well prove useful for cyber defense, but AI is also being used to increase the speed and scale of adversary campaigns. The administration’s strategy document does not grapple with this dual-use challenge, nor with the gap between current capabilities and the agentic operations it envisions.

On the defensive side, the White House’s planned approach to regulation appears straightforward: cut compliance burdens, streamline requirements, and encourage public-private collaboration. In some sectors, companies do face overlapping or contradictory cybersecurity requirements from multiple agencies and international jurisdictions. The Biden administration launched a regulatory harmonization initiative alongside its campaign for minimum standards. To the extent the Trump administration continues that work, it deserves credit.

But the administration’s plan signals that it aspires to go well beyond harmonization to comprehensive deregulation. The administration has rescinded FCC minimum cybersecurity requirements for telecommunications companies and removed software attestation requirements for government contractors. The strategy makes no mention of new requirements in sectors that consistently underperform on cybersecurity.

This all assumes that companies will redirect dollars currently spent on compliance towards security improvements. There is little evidence this will happen. Companies consistently underinvest in cybersecurity because the costs of breaches are externalized—borne by customers, supply chain partners, and the public. In essence, the administration is asking industry to step up voluntarily but provides no plan for overcoming the structural incentives against doing so. Absent new requirements, U.S. cyber defenses will remain insufficient.

A young cyber office implements new orders

Alongside the strategy, the White House released an executive order (EO) targeting cybercrime and fraud. It may be the more revealing document—not for what it says about cybercrime, but for what it suggests about how the administration intends to govern in this space. Rather than a comprehensive implementation plan, the administration appears likely to pursue its cyber agenda through a series of discrete executive actions on specific priorities. The cybercrime EO is the first; others on ransomware and critical infrastructure are reportedly in the pipeline.

The EO’s most consequential provision calls for trade penalties against nations that harbor cybercriminals. Cross-domain consequences—tying cyber behavior to economic access—are the kind of leverage that might genuinely change state behavior, where offensive cyber operations combined with indictments and targeted sanctions have so far fallen short. But the administration paused planned sanctions against China over Salt Typhoon to avoid disrupting trade negotiations, undermining confidence that it will impose such costs when they conflict with other priorities.

Trump’s cyber strategy, his executive order, and the administration’s general approach to the cyber realm will ultimately be judged on implementation. The Office of the National Cyber Director (ONCD) will lead that effort. Cairncross has spoken ambitiously about making his office the government’s single point of coordination on cyber policy, and ONCD appears to have consolidated greater authority in the Trump cyber architecture than it has had previously.

But ONCD remains a young office and is being asked to coordinate across a weakened interagency apparatus. CISA has lost roughly a third of its workforce and still lacks a Senate-confirmed director. The State Department’s cyber bureau has been fractured. Federal agency cyber offices have absorbed cuts across the board. The strategy’s aspiration to “elevate the importance of cyber in government leadership” is difficult to square with the reality that many of the government’s most important cyber positions have been vacant, filled by officials without relevant experience, or eliminated entirely.

The administration will need to move quickly. Chinese operators remain embedded in U.S. infrastructure. Iranian cyber retaliation is escalating. Ransomware groups continue to disrupt hospitals, schools, and local governments. The White House has articulated a vision of U.S. dominance in cyberspace, but the growing gap between that vision and the government’s capacity to deliver on it leaves Americans more exposed than they should be.

This work represents the views and opinions solely of the author. The Council on Foreign Relations is an independent, nonpartisan membership organization, think tank, and publisher, and takes no institutional positions on matters of policy.