The Biden administration has unveiled its National Cybersecurity Strategy, a comprehensive plan aiming to fortify the nation’s digital defenses and reshape the approach to cyber threats. While lauded by many as a significant step forward, the strategy’s success hinges not on its ambitious goals – which include streamlining regulation, bolstering the cyber workforce, and strengthening public-private partnerships – but on the administration’s ability to translate those goals into concrete action. The document, released in March 2026, signals a shift towards a more proactive and coordinated national posture in cyberspace, but faces immediate challenges in implementation and identifying key adversaries.
At its core, the strategy advocates for an aggressive defense of critical infrastructure, recognizing the increasing sophistication and frequency of cyberattacks targeting essential services. This includes everything from energy grids and financial institutions to healthcare systems and communication networks. Yet, experts suggest that a crucial element missing from the initial framework is a clear and unequivocal identification of the most significant threats. The strategy, while acknowledging the broad landscape of cyber adversaries, falls short of explicitly naming Russia and China as the primary instigators of malicious cyber activity against the United States.
Identifying the Adversary: A Critical Omission
The failure to directly address the roles of Russia and China is a notable point of contention. Both nations have a documented history of targeting American critical infrastructure, often with impunity. According to reporting from the House Homeland Security Committee in January 2025, China has been engaged in “preparation of the battlefield” on U.S. Soil through its Volt Typhoon campaign, specifically targeting critical infrastructure. The committee’s report detailed the campaign’s focus on pre-positioning for potential disruption during a crisis. Similarly, the FBI’s Internet Crime Complaint Center (IC3) issued a public service announcement in August 2025 warning about Russia’s ongoing targeting of networking devices. The IC3 advisory highlighted the vulnerability of commonly used routers and firewalls to Russian-backed cyberattacks.
Without explicitly naming these actors, the strategy risks diluting its impact and hindering effective response efforts. Shaping adversary behavior requires a clear understanding of who the adversary is, and a willingness to hold them accountable for their actions. As one cybersecurity analyst noted, “You can’t deter someone if you won’t even name them.”
Offensive Capabilities and the Private Sector’s Role
Despite this omission, the strategy does offer a strong argument for developing offensive cyber capabilities. The administration has already demonstrated a willingness to utilize these capabilities, as evidenced by reported cyber operations in both Venezuela and Iran. The New York Times reported in January 2026 on a cyberattack against Venezuela’s military, while Lawfare detailed a four-hour cyber operation against Iran.
A contentious debate surrounds the potential expansion of the private sector’s role in offensive cyber operations, with the administration reportedly considering allowing companies greater agency to “hack back” against attackers. The New York Times reported on this consideration in January 2026. While collaboration with the private sector is crucial, experts caution against granting companies unchecked authority to conduct offensive operations, citing the risk of escalating conflicts and losing control of the cyber domain.
Strengthening Defenses: Modernization and Workforce Development
The strategy rightly prioritizes securing federal networks and modernizing procurement processes. Key technologies like post-quantum cryptography, zero-trust architecture, and cloud transition are highlighted as essential components of a robust cyber defense. The Foundation for Defense of Democracies has published extensive analysis on the need for post-quantum cryptography, while the Department of Defense has emphasized the importance of zero-trust architecture in securing its networks. However, translating these technological advancements into practical implementation requires a significant overhaul of government procurement procedures.
Perhaps the most critical component of the strategy is its focus on building a skilled cyber workforce. Programs like CyberCorps: Scholarship for Service, which provides scholarships in exchange for government service, are vital to addressing the current talent shortage. However, the program has faced challenges due to recent workforce cuts and hiring freezes. The Foundation for Defense of Democracies has advocated for continued funding and support for CyberCorps. The administration’s consideration of establishing a U.S. Cyber Force, a dedicated military branch focused on cyber warfare, could also help generate a larger and more specialized cyber workforce. Analysts at the Foundation for Defense of Democracies have argued for the necessity of such a force.
Reversing Course at Homeland Security
The strategy’s success is also inextricably linked to the performance of the Cybersecurity and Infrastructure Security Agency (CISA). However, the agency has been significantly weakened in recent years under former Secretary of Homeland Security Kristi Noem, who reduced its workforce by nearly 40 percent and disrupted cybersecurity grant programs. Reporting from Alternet detailed these cuts and their impact on CISA’s ability to support state and local governments. Noem’s cancellation of the Critical Infrastructure Partnership Advisory Council further undermined federal engagement with the private sector. Reversing these trends and reinvesting in CISA is paramount to effectively defending critical infrastructure.
To truly implement the strategy’s vision, the administration is expected to issue a series of executive orders (EOs) to provide concrete deliverables and enforce accountability. These EOs should prioritize support for CISA, workforce development, and the establishment of a clear framework for aggressive action against U.S. Adversaries.
The six pillars of action outlined in the National Cybersecurity Strategy offer a promising roadmap for enhancing U.S. Cyber defenses. However, the ultimate success of this strategy will depend on the administration’s commitment to translating rhetoric into tangible results. The next key step will be the release of detailed implementation plans for each pillar, along with a clear articulation of the administration’s strategy for addressing the evolving cyber threat landscape.
If you or someone you know is struggling with mental health, please reach out for help. The National Crisis and Suicide Lifeline is available 24/7 by calling or texting 988 in the US and Canada, or by calling 111 in the UK.
What are your thoughts on the new cybersecurity strategy? Share your comments below and help us continue the conversation.
