Cyber Strategy for America
The White House

The White House has unveiled a national cyber strategy that openly encourages American companies to go on the offensive against foreign hackers, a dramatic policy shift that lands as Iran-linked groups mount an escalating campaign of cyberattacks against US targets.

Released on 6 March 2026, President Trump's Cyber Strategy for America spans just three pages. But those pages carry an unmistakable message: the US government intends to 'unleash the private sector by creating incentives to identify and disrupt adversary networks.'

The language stops short of explicitly authorising so-called 'hack back' operations, where private firms strike back at attackers beyond their own networks. Such actions remain illegal under the Computer Fraud and Abuse Act, but legal analysts say the strategy's tone leaves little doubt about where the administration is headed.

Strategy Signals a New Era for Private Cyber Operations

The three-page document is strikingly brief compared with its predecessor. The Biden administration's 2023 National Cybersecurity Strategy ran to 34 pages and emphasised regulation and shifting liability onto software providers. Trump's version abandons that approach, prioritising offensive capability and private-sector mobilisation instead.

The Centre for Strategic and International Studies noted that the call for companies to 'disrupt adversary networks' resembles a modern version of letters of marque, the centuries-old practice of governments licensing private vessels to attack enemy ships.

The One Big Beautiful Bill Act, signed into law on 4 July 2025, allocated $1 billion (£790 million) over four years for offensive cyber operations, with the bulk directed at US Indo-Pacific Command. That same legislation, however, cut roughly $1.2 billion (£950 million) from civilian defensive cybersecurity budgets.

An accompanying executive order, 'Combating Cybercrime, Fraud, and Predatory Schemes Against American Citizens,' directs the Attorney General and Secretary of Homeland Security to use threat intelligence and capabilities from commercial cybersecurity firms to track and disrupt malicious actors.

Iran's Cyber Retaliation Tests US Readiness

The strategy arrives against a volatile backdrop. Since the US and Israel launched coordinated strikes on Iran on 28 February 2026, more than 60 pro-Iranian hacktivist groups have claimed cyberattacks against American, Israeli, and allied targets, according to Palo Alto Networks' Unit 42.

On 11 March, a group called Handala, linked to Iran's Ministry of Intelligence and Security, claimed responsibility for a cyberattack on Stryker, the Michigan-based medical device manufacturer. The attack wiped data from nearly 80,000 devices, disrupting hospital equipment and emergency medical systems across multiple US states, CNN reported. Handala said the attack was retaliation for a strike on an Iranian school that Tehran claims killed more than 160 children.

US intelligence agencies have since issued private warnings to companies and government bodies. DHS cautioned that Iranian-aligned groups could step up attacks on the financial sector, while the FBI and NSA warned that defence contractors with Israeli ties face heightened risk, according to CNN.

Legal Risks and the Defence Gap

The push toward offensive private-sector involvement raises complex legal questions. Operations conducted on networks beyond a company's own infrastructure could violate federal law, state computer trespass statutes, and foreign legislation, including the UK's Computer Misuse Act 1990. Misattribution of an attacker could also cause collateral damage to innocent parties.

The strategy offers no detail on legal safe harbours for companies that take such action.

Critics have pointed to a broader tension. CISA, the main federal body defending civilian networks, has seen its workforce cut by roughly a third. Senator Ron Wyden warned that expanding government hacking 'is going to invite retaliation - not just against federal agencies, but also rural hospitals, local governments and private companies who don't stand a chance against nation-state hackers.'

The Cybersecurity Information Sharing Act of 2015, which provides liability protections for companies sharing threat data with the government and private partners, is set to expire on 30 September 2026. Congress has yet to act on its reauthorisation, leaving firms in further legal uncertainty as the administration pushes them toward a more confrontational footing.

Writer's pick