National Cyber Strategy Moves Beyond Reactive Cyber Defense

The White House’s newly released National Cyber Strategy aims to shift the nation’s cybersecurity posture from reactive defense to proactive deterrence, emphasizing stronger collaboration with industry and state and local governments. National Cyber Director Sean Cairncross said Monday the strategy is designed to shape adversary behavior and strengthen resilience across critical infrastructure and federal networks.

“There are too many points of exposure to just play defense all day. That hasn’t worked. We’ve seen threats in this space escalate, and they continue to have impact,” said Cairncross at Billington’s State and Local Cybersecurity Summit. “The single most important piece of this, in my mind, is shifting the mindset of the federal government and of the private sector to get our posture where we’re not just responding — we’re shaping adversary behavior.”

The strategy, released Friday, outlines six pillars to to guide the federal government’s approach: shape adversary behavior, promote common sense regulation, modernize and secure federal government networks, secure critical infrastructure, sustain superiority in critical and emerging technologies, and build talent and capacity.

It removes “burdensome” regulations to enable “industry partners innovate quickly in emerging technologies,” according to the document.

“We are working on the information sharing component from the federal government to [state, tribal, local and territorial governments] and to the private sector to make sure that information moves at speed and that it’s actionable,” said Cairncross.

Strengthening Critical Infrastructure Security

The strategy’s fourth pillar focuses on securing critical infrastructure and supply chains, emphasizing collaboration with industry partners that own and operate the nation’s essential systems. Cairncross said the administration wants to ensure cybersecurity efforts are built around partnerships rather than compliance-driven mandates.

“If you were whacked by a foreign adversary, the government shouldn’t turn around and hand you a compliance list and say it’s your fault because you didn’t do these things,” said Cairncross. “We should be working together, because it’s the job of the [government] to defend the country from foreign adversaries and transnational criminal organizations. That’s not necessarily the role of the private sector, our state and local partners, and we have a pilot program that we are going to be launching on the law enforcement side to beef this up.”

Deputy Assistant National Cyber Director for Critical Infrastructure Seth McKinnis said collaboration between federal, state and local partners is essential, but duplicative regulations and fragmented systems can create barriers during cyber incidents. He added that the administration is working to streamline cybersecurity regulations so organizations can focus on maintaining essential services during an attack.

“We want to make sure that on your worst day when you’re dealing with a cyber incident that you’re thinking about, ‘how can I keep critical systems online? How can I ensure that my services are flowing to the people who need them the most?’ — those key customers, people in your communities and key assets — rather than having to check something off your compliance checklist,” said McKinnis.

Building the Cyber Workforce

Cairncross also emphasized the importance of the strategy’s workforce and talent pillar. The strategy describes the cyber workforce as a “strategic asset” and calls for building a stronger pipeline of talent across academia, vocational and technical programs and industry.

“It must be pragmatic and accessible … to educate and train our existing cyber workforce across industries and occupations, and to recruit the next generation to design and deploy exquisite cyber technologies and solutions,” the strategy states.

Cairncross said the administration is exploring the creation of a Cyber Academy that would consolidate existing federal cybersecurity training programs and partner with the private sector to accelerate workforce development.

“President Trump has been very clear that he wants to work on the workforce piece of the nation’s cybersecurity,” said Cairncross. “He wants us to find solutions that don’t necessarily require a four-year degree. If we’ve got certificate programs, let’s find the talent and let’s get it to work.”