
Trump’s Cyber Strategy for America: Implications for international cyber norms and diplomacy
Author: Diplo Team
Analysis by Diplo experts
Vladimir Radunović, Director of Cybersecurity and Diplomacy
Pavlina Ittelson, Executive Director, Diplo US
Anastasiya Kazakova, Cyber Diplomacy Knowledge Fellow; Geneva Dialogue Project Coordinator
Key takeaways:
The strategy reads less as a policy framework and more as a political declaration. Its major messages include:
- Offensive cyber operations are positioned as a core instrument of US political and military power, with no explicit grounding in existing international legal frameworks
- The private sector is cast not only as a partner, but as an operational actor, expected to deploy cyber capabilities in service of US interests
- Diplomacy is framed as a vehicle for advancing US interests directly, with allies expected to shoulder a greater share of responsibility and costs
- Domestic deregulation is signalled alongside an insistence on international industry standards and compliance – a tension not resolved by the strategy
The Trump Administration’s Cyber Strategy for America (Cyber Strategy), released in March 2026, shows a notable shift in the US approach to cybersecurity. In line with the National Security Strategy 2025, it puts the role of the US, and its interests, at the forefront, asserting a ‘strength is the best deterrent’ approach.
The Cyber Strategy is six pages long. That brevity itself is a statement. Its language and style – that of a political declaration rather than a structured strategy – is also telling. Previous US cyber strategies ran to dozens of pages, named agencies, assigned responsibilities, and engaged with international governance frameworks. This one does not. What it offers instead is a posture: assertive, military-forward, and deliberately flexible about who does what. It also omits naming adversaries or allies and, unlike the US Security Strategy, leaves the position of the US towards specific countries aside.
The Cyber Strategy was published alongside an Executive Order on cybercrime (EO) and a corresponding factsheet, making reading both documents essential. The EO provides operational details, such as review timelines, coordination mechanisms, and a role for commercial cybersecurity firms. However, both documents share a common structural feature: strong declaratory language. Both documents represent a substantive break from prior US cyber strategy (if also analysed along with the National Security Strategy released in November 2025). Some would argue that the Administration signals a new cyber direction clearly enough, but how that direction can be implemented is a separate question.
This analysis reads the new Cyber Strategy and presents key takeaways for all those engaged in international cyber norms and diplomacy.
The military moves to the center
Offensive cyber operations are front and centre in this Strategy. The preamble opens with concrete examples: US cyber capabilities used in the detention of Venezuelan President Nicolás Maduro and in operations to obliterate Iran’s nuclear infrastructure. These are not presented as sensitive disclosures, but rather as achievements: named, claimed, and offered as proof of what American cyber power can do.
This marks a significant shift in doctrine. Previous US administrations maintained deliberate ambiguity around offensive cyber capabilities and rarely confirmed specific operations precisely to preserve diplomatic flexibility. The Trump Administration is now doing the opposite: publicly claiming – if not bragging about – cyber operations to signal capability and shape adversary behaviour, which also creates implications for international norms. The Cyber Strategy explicitly states that responses to threats will not be confined to the cyber realm, and cites the use of cyber capabilities in the detention of President Nicolás Maduro as an achievement.
What makes the Maduro case particularly significant in view of international norms is not just the disclosure, but what it reveals: the USA used offensive cyber capabilities outside of any declared conflict, without imminent threat, and without invoking Article 51 of the UN Charter. This is the grey zone made explicit: cyber tools deployed to pursue political objectives against a state and individuals, now publicly admitted. This may nudge others to project their cyber power more openly as well, without fear of attribution and accountability for attacks.
Neither the Cyber Strategy nor the EO references international humanitarian law, proportionality, or rules of engagement. For the international norms community, the absence is the message – the USA is asserting operational freedom without articulating the limits it accepts. It remains to be seen how this Cyber Strategy translates to the positions of the USA – and potentially influences the positions of other parties – at the UN Global Mechanism on developments in the field of ICTs in the context of international security and advancing responsible State behaviour in the use of ICTs, due to start at the end of March 2026.
Deregulation dressed as security
The Biden Administration’s 2023 National Cybersecurity Strategy introduced something new: the idea that software vendors should bear liability for insecure products. It represented a direct challenge to the market logic that has long disadvantaged end users. The Trump Strategy seems to replace that logic entirely by emphasising ‘common sense regulation’, which means reducing compliance burdens and giving industry ‘the agility’ to respond to threats. The accountability shift is reversed.
Meanwhile, allies and partners are expected to adopt US supply chain requirements, exclude adversary vendors, and align with US-promoted standards. The asymmetry is striking: American companies get a new wave of deregulation, while everyone else gets a compliance agenda. This dynamic (more freedom at home, more standards abroad) is not unique to cyber policy. However, its articulation will certainly not go unnoticed by governments navigating between competing technology ecosystems.
A new state-private relationship for tech and cyber competition worldwide
One of the Strategy’s more consequential moves is its explicit intention to ‘unleash the private sector’ to identify and disrupt adversary networks. Notably, the document is deliberately vague about what exactly the private sector will be encouraged or permitted to do, signaling aggression without creating legal or diplomatic accountability for specific actions.
In the case of cybercrime, however, the EO operationalises this in specific terms: it directs that commercial cybersecurity firms’ threat intelligence, technical capabilities, and operational insights be formally incorporated into federal attribution and disruption efforts. The Attorney General and Secretary of Homeland Security, supported by the Secretary of War, are tasked with building this public-private operational integration, not as an informal arrangement, but as a mandated coordination framework embedded in the National Coordination Center (NCC).
What seems to be deliberate ambiguity on the scope of possible assistance from the private sector is not occurring in a vacuum. In particular, last year Google announced a cyber ‘disruption unit’ within its Threat Intelligence Group, explicitly seeking ‘legal and ethical’ options for proactive offensive action. In parallel, proposals have emerged in Congress to authorise private companies to conduct offensive cyber operations through presidential ‘letters of marque’ – a mechanism last used for maritime privateers. Viewed as a whole, these developments suggest a broader normalisation of private sector offensive action that the Cyber Strategy actively encourages, but does not regulate. The Cyber Strategy will also ‘eliminate roadblocks’ that prevent greater alignment of the industry and military sectors, which some may read as subordinating commercial cyber power to government decisions (the case of Anthropic’s ‘disalignment’ comes to mind).
The consequences for international norms are direct. The expectation that states are responsible for controlling offensive cyber activity originating from their territory or conducted in their interests is a foundational principle, and one that is already under strain. When a state officially mandates (or at least encourages or allows) private sector participation in offensive cyber operations while leaving the scope of those operations undefined, the line between ‘private action’ and ‘state-sanctioned action’ becomes functionally impossible to draw. This political direction undermines a widely held norm against enabling private actors to conduct offensive cyber operations (either preventive or retaliatory), clearly articulated in the Paris Call for Trust and Security in Cyberspace, which the USA supported in 2021. Other states will certainly draw their own conclusions from such a shift, which would hardly support stabilisation efforts in cyberspace.
A strategy without an owner?
Every pillar is written in the first-person plural: ‘we will deploy’, ‘we will streamline’, ‘we will secure’. At no point does the document explain who ‘we’ is. CISA – the Cybersecurity and Infrastructure Security Agency, the operational home of US civilian cyber defense for the past several years – does not appear once in the Cyber Strategy. No sector agency is named in it. No timelines are attached to any strategic commitment, either.
This is not accidental. CISA has lost roughly 30% of its workforce and faces continued budget reductions. Its institutional absence from the Strategy reflects a real shift in where the cyber agenda is being located: toward defense and military structures. The EO confirms this: CISA appears in it only once, assigned a supporting role in providing training and technical assistance to state and local partners’ critical infrastructure, which is significantly short of its previous mandate to lead national cyber defense. No other agency is mentioned in the EO; instead, the Executive Order puts State Secretaries and the Office of the National Cyber Director in focus. There seems to be a clear mismatch between what the Cyber Strategy aims to achieve and the means that are, currently at least, committed to achieving these goals.
What has changed from previous strategies?
The clearest point of contrast is with the 2023 Biden National Cybersecurity Strategy – itself a departure from prior approaches. Three points especially stand out:
- The move from strengthening defensive measures to open projection of power through offensive capabilities.
- Vendor liability is replaced by agility and deregulation.
- Adversary specificity: the Biden Strategy named China and Russia as strategic threats and engaged substantively with campaigns like Volt Typhoon and Salt Typhoon. The Trump Strategy names no state adversary at all (though implicitly referring to China as a key strategic competitor, as many would observe).
- International engagement: the Biden Strategy approached multilateral cyber governance as an important arena of US policy, while the Trump Strategy treats it as a projection surface. Combined with the US withdrawal from a slew of international organisations and coalitions in January 2026, the new Cyber Strategy may contribute to undermining the credibility and implementation of the UN framework of responsible state behaviour.
Structurally, the new Strategy could also be seen as the ‘vaguest’ US cyber strategy in recent memory. Even the first cyber strategy of the Trump Administration, in 2018, named agencies and laid out more specific commitments. The deliberate flexibility of the current document appears designed to preserve executive discretion: pending, reportedly, a more detailed implementation plan from the Office of the National Cyber Director. Whether that plan will add accountability architecture or simply more declarations remains to be seen.
Implications for norms and international cyber diplomacy
The word ‘norms’ appears but once in the Strategy, linked to norms and standards, most likely a reference to technical bodies like the ITU rather than the UN-anchored GGE and OEWG frameworks (and now the soon-to-be-launched UN Global Mechanism). The document does not engage with UN cyber norms, the application of international law in cyberspace, or any of the substantive questions around responsible state behaviour that the international community has been working on – and agreed to much by consensus – in the past 20+ years.
Allies appear, too. However, they are primarily framed as burden-sharers – someone who is expected to support US interests and carry their share of responsibility and cost. Further, ‘cyber diplomacy’ in this document seems to largely mean promoting US interests and values through international engagement, not participating in shared rule-making. For those working within international institutions and multilateral processes, that distinction has immediate practical consequences. The USA, under this administration, is likely to prefer conversations on technical standard-setting where US industry carries structural weight, over normative multilateral discussions.
Interestingly, the EO adds another concrete diplomatic instrument the Cyber Strategy lacks: the Secretary of State is directed to demand enforcement actions from governments hosting criminal networks, and to pursue consequences through sanctions, visa restrictions, trade penalties, and expulsion of complicit foreign officials against states that tolerate predatory activity. This is a transactional, enforcement-oriented form of international engagement, not a cooperative one, and it may signal how the Trump Administration approaches cyber diplomacy in practice.
Concluding remarks
The new US Cyber Strategy is best understood more as a declaration of posture than as a policy programme. It directly communicates its direction of military dominance, private-sector mobilisation, deregulation, and US-driven standards, while leaving implementation largely to the EO and to action plans that are still expected. The EO is the more operational document: it names responsible actors (mainly within the White House rather than agencies), sets deadlines, and mandates a coordination architecture. But it covers only the criminal threat domain. The Cyber Strategy’s larger ambitions on critical infrastructure resilience, emerging technologies, international norms, and workforce remain declarations without owners.
For the international cyber norms community, the document poses a set of questions. How do you build accountability for offensive cyber operations when one of the most powerful states is publicly claiming such operations as achievements of statecraft? How do you maintain the norm of state responsibility for cyber activity when the boundary between government and private sector offensive action is being deliberately left undefined? And, how do you advance shared rules in multilateral forums when the most powerful actors start approaching those forums as a venue for promoting their own standards, rather than negotiating common ones?
The hope is that ‘middle powers’ and developing countries will – in their own interest, and the interest of broader regional and international stability – continue to champion multilateral dialogue and responsible state behaviour in cyberspace. However, with the USA vacating its leadership role, the gravitational pull may bring them toward actors with very different normative agendas. Is the window for a middle-power ‘trendsetter’ moment opening, or closing, and will they have the political will to make the call?


