DrZeroTrust: Hey, good morning or afternoon or evening. Dr. Cunningham here, Dr. Zero Trust, whatever. Let's run through the newly announced cybersecurity strategy that just came out from the Trump administration. And I'm going to provide you with some analysis from a, call it an insider that you might not necessarily have gotten in the past. So let's just go through this and then I'll provide the analysis on. Okay, so starting off President Trump's Cyber Strategy for America. This is as of March 2026. Now, let's read some of the stuff here. By the way, if your signature has got Trump in it, make a T. Like I'm just saying, that signature... I don't even know how you would call that a Donald Trump. Anyway, okay. Over the past year, the United States has shown the entire world that we have the most powerful, sophisticated, technologically advanced military on earth and it's not even close. So what? This includes not only our overwhelming conventional military strength, but also our unparalleled non-kinetic powers, aka cyber. The National Cybersecurity Strategy outlines my priorities for ensuring that America remains unrivaled in cyberspace. It calls for unprecedented coordination across government and the private sector to invest in the best technologies and continue world-class innovation and to make the most of America's cyber capabilities for both offensive and defensive missions. Sounds good, but there's more. Our cyber tools and operators are the best in the world and we are empowering them to defend America by disrupting and disorienting our adversaries and denying them a safe haven. United States has capabilities that the rest of the world can only begin to imagine. Our warriors in cyberspace are working every day to ensure that anyone who would seek to harm America will pay the steepest and most terrible price. Sounds threatening. This strategy is about defending the safety, security and prosperity of the American people.
As we approach the 250th anniversary of American independence, the strategy laid out in this document will help ensure that America remains the strongest, freest and greatest country in the world. American power will finally stand up in cyberspace. But there's a caveat. Let me break this down for everybody here. Just a couple things to read from the beginning. Cyberspace was born in America. American talent, innovation, research, and powerful government capabilities combine to create a dynamic, thriving, digital world that every American or person on the planet relies on for information, economic opportunity, and our basic way of life. Indeed, the cyber domain is key to President Trump's actions to ensure America leads the world in finance, innovation, and emerging technology, military power, and manufacturing. Okay. Freedom and safety in cyberspace, however, cannot be taken for granted. Adversaries and cybercriminals exploit cyberspace to advance authoritarianism, suppress democracy, and undermine our national and economic security. Okay. Now here's where we get into a little bit of the spin, aka bullshit. Unlike other administrations, the Trump administration will not tinker at the edges and apply partial measures and ambiguous strategies that neglect the growing number and severity of cyber threats. President Trump will continue to address them in cyberspace directly. Okay, so let's stop there. Now, go down here and look at the actual things. Moving forward, the pillars of action. Okay, now tell me if any of this sounds familiar to you. Six policy pillars underpin the strategy and will guide implementation and measures for success. Shape adversary behavior. We've been saying that for quite a while. American citizens, companies and our allies should not have to fend off sophisticated military, intelligence and criminal adversaries in cyberspace alone. We will deploy the full suite of US government defensive and offensive cyber operations.
We will unleash the private sector by creating incentives to identify and disrupt adversary networks and scale our national capabilities. Okay. Promote common sense regulation. Good luck. Cyber defense should not be reduced to a costly checklist that delays preparedness, action, and response. We will streamline cyber regulations to reduce compliance burdens, except for CMMC, address liability, separate cyber insurance, and better align regulators with industry globally. Modernize and secure federal government networks. We will accelerate the modernization, defensibility and resilience of federal information systems by implementing cybersecurity best practices, post-quantum cryptography, zero trust architecture and cloud transition. We will work to elevate the importance of cyber and government leadership and in the boardroom. We will use the best technologies and teams to constantly test and for malicious actors and federal networks. Okay, another pillar here. Secure critical infrastructure. We will identify, prioritize and harden America's critical infrastructure and secure its supply chains including defense and critical infrastructure and adjacent vendors, private companies, networks and services such as the energy grid, financial and telecommunication systems, data centers, water utilities and hospitals, securing information and operational technology supply chains, blah, blah, blah. Yes, okay, great. We've been working on that for a while too. Sustain superiority in critical and emerging technologies. Securing American innovation protecting our national intellectual advantage will be paramount. We will build secure technologies, supply chains, and protect user privacy from design to deployment, including supporting the security of cryptocurrencies and blockchain technologies. We will promote the adoption of post-quantum cryptography and secure quantum computing. Six, the final pillar here. Build talent and capacity.
President Trump has called America's cyber workforce a strategic asset that, again, quote, protects the American people, the homeland, and the American way of life. It is an asset worthy of great investment and potential to our nation's economic prosperity and security. We need a pipeline that develops and shares talent. It must be pragmatic and accessible, reconciling and taking advantage of existing avenues within academia, vocational and technical schools, corporations and venture capital opportunities to educate and train our existing cyber workforce across industries and occupations, and to recruit the next generation to design and deploy exquisite. Wow. Cyber technologies and solutions. Great. We will eliminate roadblocks and prevent industry, academia, government and the military from aligning incentives and building a highly skilled cyber workforce. Good fucking luck. We will harness the existing resources. Okay. That make America great. Conclusion and a final page. Okay. So that being said, and having read through this thing many, many times just to make sure that I've got my ducks in a row. All of that has been in place and been in practice for a long time. Multiple administrations going back a decade plus and I'm going to show you here in a minute. Additionally, what you read there is none of that is actual policy. All of those are good ideas and we will and blah. How? What is going to be done? Where are things going to be tied? Who's getting authority? Where's the money coming from? Because in DC, that's the only thing that matters is who's got money to pay for anything. So, where is this going to go? Are you going to provide title authorities to a bunch of organizations that need it, that should have been doing this job for a long time? We're keep doing the same thing. Now, let's analyze that document and kind of run through things so that we all understand more about the reality of what's going on here.
Now, first of all, again, I'll remind everyone, I'm not a partisan person. That's all I'm going to say. Okay, so I'm looking at President Trump's Cyber Strategy for America. It's released just very recently. This is not partisan. This is just cybersecurity. I don't care about the party in the document. I care about whether or not these things actually change and cause good outcomes. The strategy outlines six pillars. Shaping adversary behavior, streamlining regulation, modernizing federal networks, securing critical infrastructure, sustaining superiority, and building talent capacity. Those are great. None of those are outside the bounds of good ideas. But here's the problem. Most of this, pretty much all of it, is not new. Let me break this down for you. The federal government had already spent years pushing these same things and billions of dollars. In January of 2022, four years ago, OMB issued M22-09, which was the federal zero trust strategy, which I know a lot about, that explicitly required agencies to meet zero trust objectives by the end of fiscal year 2024. Now it's 2026, folks. In October 2021, OMB also issued M22-01 endpoint detection response of federal systems. In November of 2022, OMB also issued M23-02 directing agencies to begin post-quantum cryptography migration planning and inventories. Subsequently, guidance was published in 2023 and again in 2025, which is basically reinforcing those same priorities. So this is 2026 talking about ZT stuff, post-quantum and whatever else, when it really began four or five years ago, right? So here we are. That leads to the real problem is that we don't have a cyber security strategy shortage. We have an execution problem. That's the truth that nobody in Washington wants to say out loud. We're drowning in memos and frameworks and strategies, maturity models, policy language, bureaucratic BS and everything else.
Agencies are still fighting through legacy systems, identity sprawl, inconsistent logging, procurement mess, uneven visibility and compliance programs that are sometimes better at producing paperwork than resilience. Which is why, when organizations get accreditation for they do a press release because it's that much of a pain in the ass to get through it and that much of a cost that they have to do a fucking press release about it. Okay? So I've read this, it's another national cyber strategy and the first question I ask is, does it sound any different or is it serious? My question there is, what is actually enforceable today? And where this document gets really weak really fast is it talks about these pillars will guide action and resourcing through, quote, follow-on policy vehicles, which means they'll kick the can down the road. That's how this works. The second big problem, and this one matters a lot, but most people don't even realize it, is that the federal cyber enterprise is fragmented by law and authority. You may not know this as just a general person that does or is interested in cyber. So let me give you some insight here. A lot of people think CISA is basically a National Domestic Cyber Command. It's not. CISA, C-I-S-A, is a civilian agency with Title VI authority. It has real authorities and real responsibilities, especially for the federal and civilian executive branch. The statute that CISA is tied to is responsible for carrying out cyber security infrastructure protection functions coordinated with other agencies and working with state, local, tribal, territorial and other private sector partners. That is not the same thing as having blanket authority to run and scan the domestic internet and compel anyone that is not federal government to do anything. They don't have it. Now to be accurate, CISA can do very valuable things. It issues binding operational directives for federal civilian agencies.
One of them was BOD 19-02, which requires federal agencies to provide cyber hygiene scanning access and remediate critical and high vulnerabilities on internet accessible systems. But I'm pretty sure I can find someone showed right now. CISA also maintains the KEV, the Known Exploited Vulnerabilities Directive for the federal enterprise. Okay. So CISA has authority and insight and capabilities, but it is not a civilian agency. It is not tasked with helping everyone else. It's federal. Here's the catch, right? Outside that federal civilian environment, much of CISA's role is partnership based, consent based and voluntary, right? One of the clearest examples is the Cyber Sentry Program, which they did a big public release about whatever else, but the legality, the statute around that says, it provides continuous monitoring and detection support for critical infrastructure owners and operators upon request and subject to their consent. That is useful. That's in the law. It's very different from a centralized national authority which could theoretically scan and secure domestic infrastructure at scale. That doesn't exist. There is no agency that can do that. The NSA legally cannot scan our domestic internet and fix things. So when any politician or policy papers talk as if there's one big national steering committee or one wheel or one person in charge of cyber, that's not true. It's all branding and it's all mismatch. The real steering wheel is split and is bifurcated across a whole bunch of different agencies with different legal names, with different missions, with different leaders. It's problematic that fragmentation is across federal. The National Cyber Director, who's the person who's put in place who also literally said during his testimony, I don't know much about cyber.
The National Cyber Director exists to improve policy and coordination, but even legal analysis of that role does not tell that does not coordinate Title X offensive with Title 50 intelligence operations. So the National Cyber Director does not necessarily have Title X and Title 50 capabilities given to them by the requirements of that role. So in truth, the United States has one office which is supposed to be coordinating strategy, another agency which is responsible for civilian defense, civilian federal defense. You've got separate military authorities that all have different capabilities, different titles, etc., separate intelligence authorities with different titles, different legalities, different requirements, separate law enforcement authorities which all have different titles, different requirements, different legalities, and then you got a whole bunch of private sector stuff all lumped in there. So it's one big pile of mismatched crap and no one is actually running it or in charge of it from anyone like the National Cyber Director cannot stand up in front of the White House and say, in Domini's poetry of Fili Santi, thou shalt do this because that's not how this works. From an operational standpoint, it means the country does not have one unified domestic cybersecurity authority or leader that can see the whole board, direct everything on the chessboard and enforce any outcomes. It just doesn't exist. No matter what the White House or policy people or whatever else say, that's the legalities of the stuff that is in there. That's how it's done. That's what you need to know. Now the strategies that we put out keep underperforming because they sound centralized but they're not because the authorities are not centralized. It's not possible. They sound forceful, but where's the teeth? There's actually no teeth to any of this stuff and they sound national, but it's not national.
You have national and government and law enforcement and intelligence and state and local and tribal and personal and blah, blah. None of that is run by any one org. It just doesn't exist. So when the White House puts out a document, and this is for any organization, not Trump, not Biden, whatever, but it's been out there for a while, that says we will modernize, we will secure, we will shape better behavior, we will build advantage. That sounds good but no one actually has the authority to do that. There's no way to enforce standardization, enforce deadlines, attach budget consequences and punish non-performance. There is no National Cyber Defense Program. We have a national cyber narrative and a national cyber idea but we do not have a national cyber defense program or system that is currently in place that leverages all those capabilities underneath a single command structure. It does not exist. Now, if we took this document and we put some actual shit to it and made it useful, what would it look like? Well, first thing, tie funding to measurable capability. If agencies want modernization money, which they do, make them prove that they've done all the things that they said they were going to do. All the stuff that Zero Trust mandates, all the stuff that they've agreed to. Second, standardization. Right? Make sure that that happens across the government, across organizations. Third, stop using paperwork as the metric for everything. There is too much paper-based bullshit. There is too much compliance requirements, too much legality, and it's not actually helping. You shouldn't have to do a press release when you get certified in a compliance initiative. That's mind-boggling. And fourth, we should basically make sure that we do have someone that can command and control this infrastructure that is responsible for what they should do.
Clarify to the public what CISA is able to direct, make sure that the public knows what is voluntary and then basically make sure that everyone knows how they can interface with this, because currently if you talk to a bunch of small businesses, they think that CISA is going to like parachute out of planes to come help them when they got hacked. That's not how this works. It is not their directive. And fifth, procurement should start being used like a weapon. The federal government's one of the largest buyers of anything in the world. If vendors cannot support secure software provenance from when it was built to when it's deployed, logging and identity, etc., etc., then they should not be allowed to sell that stuff to the federal government. OMB's cyber budget guidance has already pushed agencies towards this and it's been in there for quite a while, but there's no force to it. So the bottom line is this. President Trump's cyber strategy is not nonsense. It points out a lot of real problems. Super great. There's a gold sticker. But it's also very fair to say that it mostly repackages themes that the federal government has already put in place for a long time, including Zero Trust, EDR, post-quantum, blah, blah, workforce development. In truth, the deeper national problem is not that America lacks a vision, it's that we don't execute and we don't have operational capabilities and it's just a big bifurcated mess with a bunch of branding on top. So let me leave you with this. You cannot secure a nation with slogans. You cannot make the United States any safer in cyber with policy documents when there's no actual teeth to it and no real guidance on the back end. You secure it with actual authorities, enforcement, capability and consequences for negligent or nefarious actions. Until Washington does that, none of this is useful. None of it is actually helping anything. It is literally just marketing and advertising. That's the truth of the matter.
I have a list of references if anybody wants to read them but this goes all the way back to like 2017 honestly. This is the truth. This is what we need to know and again, it's not a partisan issue. This is just the real factual analysis of the strategy documents that have been published. The requirements that are there, the legalities that go on within the stuff that we need to know, especially small mid-sized businesses because you're on your own. There is no parachuting cyber force that's gonna come help you when you get pwned. You don't want that in most cases because the federal government, if they find something that they think is interesting, they'll take your shit and that's a problem. So that's the truth. That's what you need to know. Think for yourself. Be smart. Do the research. What else are you looking for?