Cairncross details the ‘real posture change’ in new cyber strategy

(McCrary Institute)

By Don Kauffman

Less than a week after the White House released President Trump’s new national cyber strategy, National Cyber Director Sean Cairncross used a Cyber Focus interview to make the administration’s central argument plain: The United States has spent too long absorbing cyber blows and not enough time changing the cost calculus for the people behind them.

In his conversation with Frank Cilluffo, director of Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security, Cairncross cast deterrence as the strategy’s organizing principle. The goal, he said, is a “real posture change” by the U.S. government — one that moves beyond resilience alone and toward a more forward-leaning approach that makes adversaries think twice before acting.

“There has been an eagerness to shift posture here and become more forward-leaning to do something rather than simply playing defense all the time,” Cairncross said. “Resiliency is great, but … it implies that you’re taking hits.”

That framing runs through the strategy itself and through Cairncross’ explanation of it. He argued that cyber threats have grown more persistent, more aggressive, and more scalable over the past decade, while too much of the burden for dealing with them has fallen on victims and private companies. That, he suggested, has left too much of the strategic burden on organizations built to run services, not to counter foreign adversaries. In his telling, deterrence means not only hardening defenses but raising the costs for malicious actors, denying them the benefits of their activity and reducing the sense that cyber operations against U.S. targets are relatively low risk.

Cairncross pointed in particular to the overlap between hostile states and criminal groups, including the safe haven or indirect support that can allow disruptive actors to operate with limited consequences. “There is a lot that can be done to deny them the benefits of their activity, to make life harder for them online,” he said.

Just as important, he argued, Washington cannot keep treating the private sector as if it alone is responsible for confronting foreign adversaries and criminal groups. He said the government needs to be a more practical partner: sharing better information, reducing friction and stripping away excessive or overlapping cyber rules that add burden without improving security. That message aligned with the strategy’s broader push to streamline cyber rules and shift more of the burden for deterrence back onto government.

That same logic carried into the rest of the conversation. Cairncross pointed to federal modernization, critical infrastructure protection, emerging technologies such as AI and post-quantum security, and cyber workforce development as key parts of implementation. But the through line remained deterrence: not simply recovering from attacks more effectively, but changing the incentive structure for the actors behind them.

For more on this and other important cyber topics, check out the full catalog of Cyber Focus podcasts.
