The Trump administration's new national cybersecurity strategy—built around offensive cyber operations—has drawn pointed critiques from analysts at the Council on Foreign Relations (CFR) and prompted a detailed counter-proposal from the Atlantic Council, sharpening a long-running debate over whether the United States can strike its way to security in cyberspace.

Writing for CFR in January 2026, international affairs fellow Matthew Ferren—who says he coauthored the 2023 National Cybersecurity Strategy and the 2024 Report on the Cybersecurity Posture of the United States—reported that the administration was preparing a strategy centered on offensive operations, with senior officials emphasizing hitting back at hackers and nation-states that had compromised U.S. networks with apparent impunity. According to Ferren, early signals suggested the strategy would treat offense as the primary solution to the country's cybersecurity challenges while the administration weakened the foundations of U.S. cyber defense.

Ferren's assessment was blunt: he characterized the adoption of an offense-first posture as a dangerous miscalculation that will not diminish Beijing's campaigns and that coincides with a significant deterioration of the cyber defenses that have kept U.S. networks and Americans safe. He argued that while Cyber Command has recorded genuine successes—dismantling ISIS propaganda infrastructure, countering Russian election interference, and disrupting ransomware groups—tools effective against terrorist propagandists and criminal networks will not work against China, whose cyber apparatus he described as operating at unprecedented scale through a vast ecosystem of contractors, universities, and technology firms.

According to Ferren, "cyber-on-cyber deterrence is an illusion," because indictments and sanctions signal disapproval but impose little meaningful cost, and there is scant evidence U.S. leaders would escalate across domains in response to intrusions. He warned that overemphasizing peacetime disruption diverts resources from preparing cyber forces for high-intensity conflict, noting that in Ukraine cyber effects proved most valuable when synchronized with kinetic strikes, electronic warfare, and intelligence operations rather than as standalone, decisive capabilities.

A Short Strategy at a Precarious Moment

In a follow-up CFR piece in March 2026, Ferren reported that the White House's released strategy was strikingly short—roughly four pages of substance, about one-seventh the length of the Biden administration's 2023 strategy. He noted that National Cyber Director Sean Cairncross described it as a high-level statement of intent with action items to come, but argued the brevity also reflected a fraying cyber apparatus suffering from institutional neglect. Ferren wrote that the strategy arrived at a precarious moment, with the United States facing intensifying Chinese espionage and pre-positioning on critical infrastructure alongside disruptive ransomware campaigns, and that implementation would fall to an Office of the National Cyber Director that must coordinate across a weakened interagency. He reported that CISA had lost roughly a third of its workforce and still lacked a Senate-confirmed director.

An Alternative Roadmap

The Atlantic Council entered the same debate in late January 2026 with a report, "The US needs a cybersecurity roadmap," by Franklin D. Kramer, Robert J. Butler, and Melanie J. Teplinsky. Rather than framing offense and defense as competing priorities, the authors argued that a national cybersecurity strategy requires an operational road map for both offensive and defensive campaigning, paired with significantly enhanced resilience for key critical infrastructures built on safe coding and zero trust architectures. They contended that such capabilities would give the president and national leadership the means to deter and defeat nation-state and criminal activity in cyberspace.

The companion volume, "Operationalizing a Cybersecurity Strategy for the United States: Part I—Operations," proposes institutional machinery to carry this out, including a Cybersecurity Planning and Operations Council headed by the national cyber director to coordinate government and private efforts, and an Integrated Cybersecurity Providers Corps drawing on high-end private-sector and cloud providers for continuous defensive campaigning.

Together, the CFR and Atlantic Council interventions frame a central question for policymakers and for the law of cyber conflict: whether escalating offensive operations can deter sophisticated state adversaries, or whether durable security depends on resilience, defense, and coordinated public-private campaigning. Readers should note these analyses reflect the views of their authors, and the institutions state they take no institutional policy positions.

Sources

- The New U.S. Cyber Strategy Misreads China's Threat — https://www.cfr.org/articles/the-trump-administrations-cyber-strategy-fundamentally-misunderstands-chinas-threat - Trump's Cyber Strategy Falls Short on Iran, China, and the Threats That Matter Most — https://www.cfr.org/articles/trumps-cyber-strategy-falls-short-on-china-iran-and-the-threats-that-matter-most - The US needs a cybersecurity roadmap — https://www.atlanticcouncil.org/in-depth-research-reports/report/the-us-needs-a-cybersecurity-roadmap/ - Operationalizing a Cybersecurity Strategy for the United States: Part I—Operations — https://www.atlanticcouncil.org/wp-content/uploads/2026/01/Cybersecurity-Strategy-for-the-United-States-Part-I-Operations.pdf