May 13, 2026
The article is a strongly critical assessment of the new U.S. national cybersecurity strategy, informed by the author’s long experience in defense planning and cyber policy. Drawing on work he did in Lithuania in the late 1990s, Vytautas Butrimas argues that any serious strategy should answer three basic questions: what must be protected, from which threats, and by what means. He uses that framework to compare the Biden administration’s 2023 cybersecurity strategy with the newer four-page document titled President Trump’s Cyber Strategy for America. In his view, the new text is too short and too vague to function as a real strategy, reading more like a political statement or press release than a resource-based national plan. Although it names broad sectors such as the energy grid, finance, telecommunications, data centers, water utilities, and hospitals, it also expands its scope to issues like intellectual property, privacy, and cryptocurrencies, creating what he sees as an unrealistically ambitious agenda without sufficient depth or prioritization.
The author’s deeper criticism is that the document remains dominated by an office-IT mindset and still fails to engage seriously with the engineering realities of critical infrastructure. He argues that while the strategy discusses cybercrime, espionage, regulation, zero trust, cloud systems, post-quantum cryptography, AI, and workforce development, it does not meaningfully address threats to industrial control systems, process environments, or the physical consequences of cyberattacks on operational technology. He also faults the strategy for its lack of international law-enforcement perspective, its unclear governance, and its failure to specify who will implement, oversee, and fund the plan. The article uses a word-count comparison to reinforce this point: terms linked to networks, data, and information systems appear frequently, while words tied to industrial processes, electricity, pipelines, gas, refineries, and control systems are nearly absent. The conclusion is bleak but clear: this is, in the author’s view, another national cyber strategy that risks confusing rather than guiding policymakers because it sidelines the engineering community whose work sustains essential services.