Policy Deep Dive: US Cyber Policy

Policy Deep Dive: US Cyber Policy

In this special policy series, the Caveat team is taking a deep dive into key topic areas that are likely to generate notable conversations and political actions throughout the next administration. This limited monthly series focuses on different policy topic areas to provide you with our analysis of how this issue is currently being addressed, how existing policies may change, and to provide thought-provoking insights. 

For this month's conversation, we’re focusing on US Cyber Policies. With a new administration comes new policy priorities, which have shifted both domestic and international cybersecurity policies.

To listen to the full conversation, head over to the Caveat Podcast for additional compelling insights. 

Key insights.

1. Federal Leadership. Over the past twenty years, the United States (US) federal government has led the nation and many of its allies in their efforts to address and minimize cyber risks.
2. International Pivots. President Trump has made a clear pivot in what foreign adversaries his administration is going to focus on and what expectations he has of traditional US allies.
3. Domestic Changes. Outside of changing the US international role, the Trump administration has also shifted domestic cyber policy to focus more on a state-led initiative.

The traditional role of US cyber.

For decades, the US has been a world leader in its efforts to secure the digital ecosystem and support allies against hostile actors.

As technology and, subsequently, cybersecurity have become more entrenched in society, the federal government has led both the nation and the world when it comes to managing and reducing cyber risks. Whether through intelligence sharing, operational support, or threat-hunting activities, federal programs and agencies have been fundamental to security efforts. 

Domestically, agencies like the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have been instrumental in providing support to both public and private entities. Regarding CISA, this agency has several key programs, such as the following:

• The Joint Cyber Defense Collaborative (JCDC): A public-private cybersecurity collaborative that aims to reduce cyber risks by unifying defense capabilities and actions of both government and industry partners.
• Cyber Hygiene Services: A program that aims to reduce risks through improved scanning efforts and vulnerability management for governments at all levels and critical infrastructure organizations for free.
• National Cyber Awareness System: A program that provides situational awareness to both technical and non-technical audiences regarding threats, issues, and security topics. 

The NSA, too, has played a critical role in both domestic and international cybersecurity efforts. Some of the key programs with the NSA include the following:

• NSA Cybersecurity Advisories: A program that leverages the agency's technical capabilities to develop advisories and mitigations on evolving cyber threats. This program provides resources like tech reports, operational risk notices, and info sheets.
• Partnership with the Defense Industrial Base (DIB): A no-cost cybersecurity service that offers any company that works with the Department of Defense (DoD) or has access to non-public DoD information. Through this partnership, the NSA helps protect against common nation-state exploitation vectors and provides attack surface management and access to non-public threat intelligence.

Outside of these programs, the US has also been a key leader internationally through intelligence sharing alliances and joint operations. For example, the Five Eyes Alliance (FVEY) is an instrumental intelligence-sharing agreement between the US, the United Kingdom, Canada, Australia, and New Zealand. More specifically, this alliance was designed to bring together law enforcement and security agencies from the members to “share intelligence, information, and threat assessments across a range of issues relating to national security.” 

Beyond the FVEYs, the US is also a leading member of NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE). For context, the CCDCOE works to support member nations by identifying and coordinating education and training solutions in cyber defences for all NATO bodies and helps to organize complex international live-fire cyber resilience exercises. Apart from these international alliances and partnerships, the US has also signed numerous bilateral cyber agreements with various allies across the globe to promote greater intelligence sharing, incident response efforts, and critical infrastructure protection.

Whether through international agreements or federal programs, the US government has been a key leader in cybersecurity efforts across the globe. The US’s proactive stance has made the nation a central figure in shaping the world’s digital security. However, under President Trump, this leadership role has faced greater scrutiny and potential uncertainty due to the administration’s shifting foreign policy priorities and increased geopolitical tension.

Thinking Ahead: 

What tangible benefits did the US get from leading the international community?

Changing international goals.

As the Trump administration has begun to enact its policy agenda, a clear pivot has been made on international cyber priorities.

Since taking office earlier this year, President Trump has begun reevaluating and shifting the US’s international cyber priorities. These changes have included shifting which nations the US supports and which are considered to be top threats. 

One emerging theme is the Trump administration’s pivot to focus the nation’s cyber efforts on Asia rather than Europe. A key example of this shift has been the administration’s pivot to deepen the US’s support for Taiwan. While US-Taiwan relations have strengthened in recent years, as seen in 2024, the Trump administration has signaled its intent to continue bolstering these ties. In March, Taiwan announced that the nation was planning on deepening its military and economic cooperation with the US. As outlined in the island’s 2025 Quadrennial Defense Review, the government emphasized its commitment to improve intelligence sharing efforts, conduct joint cybersecurity tabletop exercises, and convene “high-level” strategic dialogues with the US. 

Beyond Taiwan, the US has also reinforced its partnerships with other key allies in the region. In February, Secretary of State Marco Rubio met with the Foreign Minister of Japan, Iwaya Takeshi, and the Foreign Minister of the Republic of Korea, Cho Tae-yul, during the Munich Security Conference. During this conversation, the three nations reaffirmed their trilateral partnership and shared their commitment to “the safety, security, and prosperity of their three countries and the broader Indo-Pacific Region.” The three countries also pledged to take “decisive actions to counter threats, enhance economic resilience, and advance shared interests.” As President Trump continues to deepen ties with long-standing Asian partners, these efforts underscore the administration’s growing concern over China’s cyber aggression and regional influence.

Furthermore, during a UN speech, Liesyl Franz, the deputy assistant secretary for international cybersecurity at the State Department, emphasized the administration’s growing Pacific focus, specifically naming China and their efforts to undermine digital security. Through this messaging and increased presence in the Pacific region, the Trump administration has signaled that curbing China’s cyber operations and geopolitical influence is a top priority. However, while President Trump has shifted the US’s cyber efforts to focus on Asia, the administration has also seen a notable softening when it comes to addressing Russia and supporting traditional Western allies.

In the same UN speech, Franz pointedly omitted mentioning Russia when discussing countries of concern, which was in stark contrast to remarks from other allied nations that explicitly called out Russian cyber aggression. This omission coincides with other reports that the administration has scaled back its efforts to monitor and counter Russian cyber activity. In early March, the Secretary of Defense, Pete Hegseth, ordered US Cyber Command to indefinitely suspend all offensive cyber and information operations against Russia. While some experts stated this halt was intended to last as long as negotiations took to end the Russia-Ukraine war, there has been no update since, given how those peace talks have stalled.

Alongside the US relaxing its stance against Russia, the Trump administration has taken steps that suggest a pullback from supporting traditional cybersecurity partnerships with Western allies. A major point of tension revolves around the FVEYs alliance. In February, reports surfaced that Peter Navarro, one of President Trump’s advisors, was advocating for the US to remove Canada from this historic alliance. Navarro responded by stating that “we would never, ever jeopardize our national security, ever, with allies like Canada,” but analysts characterized this as a “non-denial denial.” Undermining the FVEYs would carry significant consequences, including losing access to Canada’s support and network and eroding other members' trust in the alliance in general. 

As President Trump pivots US international cyber efforts towards Asia, questions have emerged about the long-term implications of these moves and their geopolitical impacts on cybersecurity collaboration. While countering China’s influence is a key strategic goal, the abrupt nature of these changes has raised concerns about whether the US could lose access to critical allied support. Nonetheless, as the Trump administration reshapes the US’s global cyber efforts, it has also begun to change the US’s domestic cyber infrastructure.

Thinking Ahead: 

As the US shifts its international cyber policy goals, what will be the consequences of these changes?

Decentralizing US cyber.

Outside of changing its international role, President Trump has also begun to shift the responsibility for cyber defense from federal agencies to state and local governments.

Alongside President Trump's shifting the US’s international cyber strategy, his administration has also begun to make substantial changes to domestic cybersecurity policy. While the US federal government has largely led the nation’s cybersecurity efforts through agencies like CISA and the NSA, the Trump administration's substantial funding cuts and emphasis on state empowerment have already begun to change years of precedent. One of the key methods outlining the administration’s goals is the new National Resilience Strategy. 

Signed as an Executive Order on March 19th, President Trump’s National Resilience Strategy looks to simplify federal preparedness and response policies and instead allow state and local authorities to plan for their community needs. When signing the Order, Trump stated:

“This order empowers state, local, and individual preparedness and injects common sense into infrastructure prioritization and strategic investments through risk-informed decisions that make our infrastructure, communities, and economy resilient to global and dynamic threats and hazards.”

More specifically, the Order mandates the review and recommendation for modification of numerous polices, such as National Security Memoranda, previously signed Executive Orders, and Presidential Directives. More specifically, some of the various aspects targeted for review include:

• National Security Memorandum 22, also known as the Critical Infrastructure Security and Resilience Memorandum.
• Executive Order 13618, also known as the Assignment of National Security and Emergency Preparedness Communications Functions.
• Homeland Security Presidential Directive 5, also known as the Management of Domestic Incidents.

Additionally, the Order creates a new “National Risk Registry,” which will be used to identify, describe, and measure risks to US national infrastructure, related systems, and their users to inform better spending and planning decisions. Furthermore, this registry will also be designed to help streamline federal functions so that states and local communities will be able to work with federal agencies more effectively and efficiently. With President Trump signaling his intent to scale back federal cybersecurity efforts and instead place the responsibility in the hands of state and local governments, this policy has already begun to take shape.

As the federal government scales back its cybersecurity efforts, one of the most notable reductions is occurring at CISA. In March, the CISA lost support for two key cybersecurity initiatives:

1. The Elections Infrastructure Information Sharing and Analysis Center: A program that supported state election officials in defending against cyber threats.
2. The Multi-State Information Sharing and Analysis Center: A threat-sharing program aimed to help coordinate cyber intelligence and defence efforts across state governments.

Outside of losing support for these programs, the agency also lost funding for cyber threat intelligence, cyber incident response, and state and local government engagement. When announcing these cuts, the agency stated that reducing these efforts would help “focus CISA’s work on mission-critical areas, and eliminate redundancies.” However, these cuts have created uncertainty at the state level. 

Pennsylvania’s Secretary of State, Al Schmidt, commented on these cuts, stating that “there is no difference between red states and blue states when it comes to concerns about election security, and no state can do this on their own.” Schmidt further pressed the issue in a letter to Homeland Security Secretary Kristi Noem, emphasizing that “withdrawing CISA’s support for local election officials will make elections less secure.” Furthermore, outside of cutting specific programs, reports have also emerged that President Trump is planning to scale back the size of CISA by removing at least a third of the agency’s workforce and cutting a portion of its contractors from the agency’s major threat-hunting team. These cuts could create significant lapses in security, reducing the US’s capacity to proactively identify threats and respond accordingly. 

These domestic changes mark a significant reduction in the federal government’s role in cybersecurity. While this decentralization will empower local decision-makers to potentially create more effective and rapid security solutions, the sudden loss of federal support could undermine these efforts in the short term. As this new strategy unfolds, the success of this shift will likely vary from state to state as each respective government works in different ways to build its own security systems and incident response methods.

Thinking Ahead: 

What challenges and benefits will come from states taking over more cyber responsibilities?

The future of US cyber.

As US cybersecurity policy pivots, these changes are likely to bring about greater risks and uncertainty.

As President Trump’s cyber policy begins to take shape, both internationally and domestically, this new policy marks a clear pivot in traditional US cybersecurity. As the US shifts its attention to Asia, the Trump administration has called into question the value of many long-standing Western alliances and downplayed Russian aggression. This pivot to counter China signals a recalibration of the nation’s foreign priorities. On the domestic front, President Trump’s National Resilience Strategy reflects a significant defense pivot where a decentralized state-led cybersecurity effort will be tasked with safeguarding the nation rather than the traditional federal body.

These substantial policy pivots have naturally led to significant uncertainty as many question the durability and strength of the nation’s cybersecurity. By rapidly cutting key programs at CISA and alienating traditional allies, President Trump has created potentially unnecessary risk. However, this pivot to state-led initiatives could lead to a more rapid, responsive, and effective cybersecurity program that is not bogged down by federal bureaucracy.  

As these new policies evolve, the US will face a critical test: whether this pivot will strengthen national security or leave the country exposed in a rapidly changing digital landscape.

Thinking Ahead: 

As the role of state and federal agencies changes, what efforts will the administration make next to execute its outlined strategy?