NGCC Blog

Breaking Down the March 2026 National Cyber Strategy


I believe in using every tool available to put your best foot forward. The thoughts and experiences on this page are my own; I use AI to help ensure the grammar is accurate.


President Donald J. Trump and his administration recently published the March 2026 National Cyber Strategy, so we’ll be reviewing its contents.

Disclaimer: I understand that a lot of this has a crazy amount of intricate details, and I’m oversimplifying a lot of what you’re about to read.

Section 6: Building Cyber Talent

I want to address what I believe to be one of the most important pillars of our cyber development—the solution to finally filling these “job vacancies” in the industry.

This strategy hits on improving the pipeline across academia, vocational schools, corporations, and the military. This means removing roadblocks between those and allowing smooth transitions between them. A talking point is making these approaches accessible and developing a way to share talent.

This is great! I love the stance, but I don’t like that there are no details about what this would look like. What exactly are we going to do to achieve this?

This is a good time to deal with the elephant in the room: the contradictions.

The big irony is that the administration has made significant cuts to CISA - the primary federal agency responsible for exactly the kind of coordination this pillar describes. CISA workforce reductions, the departure of experienced leadership, and budget pressures directly undermine the talent development goals stated here.

You cannot build a cyber workforce pipeline while simultaneously dismantling the institutions that assist in training, coordinating, and employing that workforce.

Offense Is the Best Offense

The best offense is a great defense, right? Nope, offense is the best offense.

This section leans into what I would consider “privatizing the fight.” The biggest thing that stands out to me is that the US is finally considering offensive operations in cyberspace, and that’s not a bad thing.

For far too long, the US has played “defense” in its cyber posture. The US “doesn’t” partake in offensive operations, and wanting to utilize private organizations to conduct them is, in theory, a solid way to do so. Various questions initially popped up in my mind: What are the incentives for identifying and disrupting adversarial networks and infrastructure? What does this look like in practice? Are bug bounties going to be buffed up, where a higher payout is awarded? What are the criteria for these private firms to qualify for government contracts for these tasks?

The legality of these operations and the creation of “hack-back legislation,” the gray areas of malicious actors using other people’s infrastructure, and what that means for the scope of work and Rules of Engagement are all open questions. We’ve seen private organizations (Private Military Contractors) used by our government for traditional security contracts, and it’s had… mixed results - we’ll leave it at that. What’s to say this won’t create the same kind of shadow cyber-mercenary industry with limited oversight?

The Surveillance State Question

A direct quote from the March 2026 National Cyber Strategy is the promise to counter “surveillance state and authoritarian technologies that monitor and repress citizens.” This is great! Privacy prevails… no more worrying about whether AI is used for facial recognition or whether my data will be sold to the highest bidder, right?

Well, we must ask ourselves: does this apply only to foreign adversaries, or does it include domestic surveillance overreach? This isn’t an easy topic to discuss, given the arguments about national security and what does or doesn’t infringe on our rights.

Consequences for Adversaries

The March 2026 National Cyber Strategy promises “real risk” and “imposed consequences” for our adversaries. What would this look like? History shows that cyber deterrence is much harder than other forms of deterrence.

Circling back to the offensive side of this strategy, does this mean that the ROE will be like what our military has had for the last few years, something along the lines of “don’t shoot until shot at and with positive ID”? Does this constitute the approval of hack-back operations, and at what point do we say, “Alright, that’s enough, stop DDoSing them”? What would the standard for consequences look like? I may be misinterpreting this whole section and oversimplifying it, but the details aren’t there.

Laws, Regulations, and Guidelines

We start leaning into what some consider the “boring” part of security: regulations, guidelines, and standards. The strategy says this administration wants to ease compliance burdens, reduce bureaucracy, and give the industry more breathing room. Now, this is not a terrible idea on a high level, since most major organizations say there’s so much regulation and oversight that it’s hard to get things done and so on.

My biggest concern with this section is that usually deregulation in technology means someone’s getting rich - probably richer. Beyond that, what does this mean for frameworks if they loosen the leash a bit? Will companies feel more compelled to maintain a higher posture, or would you see the incremental improvements slowly diminish?

Modernization in Government Systems

Zero-trust architecture, post-quantum cryptography, cloud migration, and AI-powered defense are all mentioned in the strategy, and for good reasons. They’re all legitimate concerns, and some of these are long overdue in the archaic infrastructure of some government and critical infrastructure networks.

Forcing modernization will finally provide a stable “baseline” for companies that focus on protecting critical infrastructure - like Dragos, which works on OT systems. If you know anything about OT and IoT, it’s usually based on outdated operating systems or on proprietary systems that don’t play well with most off-the-shelf modern tools.

We can’t talk about modernization without talking about the cloud, of course. There are two major players in this space: AWS and Microsoft Azure. Well, Google Cloud makes it the big 3. Will this become a small oligopoly? It probably already is.

I’m missing a major buzzword here when it comes to innovation: AI. Of course, they mention AI tools for defense, threat hunting, and all the fun stuff. I still stand firm that these tools will not replace traditional SOC analysts, but they can and will introduce new threat surfaces to our networks. There are loads of things that can go wrong with AI, from false positives to false negatives and hallucinations.

Made in America

Okay, so I actually agree with this section. I’m a firm believer in being self-sufficient with our critical infrastructure. We want to protect the populace from incidents like the one at the Littleton, Massachusetts, water treatment facility, where foreign adversaries target our drinking water and other key pillars of modern-day living. What better way to do this than to take matters into our own hands and create secure-by-design systems here in the US?

There is a question that bothers me, though: how are we going to pay for this? Replacing deeply embedded OT equipment is extraordinarily expensive and operationally risky. Utilities and municipalities don’t have the budgets for full infrastructure overhauls and can only hope that federal funding follows.

The Bottom Line

The strategy contains important priorities. The problem is the gap between ambition and operational detail. Several pillars contradict themselves through simultaneous policy actions - CISA cuts, vendor politics, deregulation without guardrails. The real test won’t be this document; it will be the follow-on implementation, budget allocations, and whether the private-sector partnership model can actually take shape.

Is this a cyber strategy, or a cyber vision statement? Bold vision, or political theater?


- Jose F. Caro



Written by Jose Francisco Caro

Jose Francisco Caro is a cybersecurity professional, currently serving in the Iowa Army National Guard, and the founder of Nueva Guardia Cyber Consulting. He is building NGCC to open doors for the next generation of professionals who need someone to point the way, and to bring security to the small businesses, schools, and local governments that are the backbone of our communities.
