John Z Black
Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
The Trump administration released two major cybersecurity documents last week: a National Cyber Strategy and an executive order creating a Cybercrime Victims Restoration Program. Together they paint the clearest picture yet of how this White House plans to handle cyber.
Short version: more offense, less regulation, and a plan to pay back fraud victims with money seized from criminals.
The strategy itself is four pages long. Biden’s 2023 version ran 35 pages with an implementation plan and budget. This one has neither. It says the U.S. will “dismantle networks, pursue hackers and spies,” roll back “burdensome” regulations (specifically calling out the SEC’s four-day incident disclosure rule and CISA’s CIRCIA reporting requirements), modernize federal systems, secure the AI stack somehow, and build a cyber workforce pipeline.
National Cyber Director Sean Cairncross pitched an interagency cell combining DOJ, State, FBI, and the Pentagon. He announced critical infrastructure pilots for water systems in Texas, agriculture in South Dakota, and rural hospitals. And he made it clear this isn’t about compliance checklists: “We’re not looking to push a compliance checklist onto industry so that the government can essentially blame shift.”
Rep. Bennie Thompson called it “a mishmash of vague platitudes.” That’s a partisan shot, sure. But the lack of an implementation plan is a legitimate gap no matter which side you’re on. Pledging to “impose costs” on adversaries is easy. Explaining how you’ll measure success and fund it is harder.
The more interesting piece is the executive order. It creates a Victims Restoration Program on a 90-day timeline. The idea: use funds seized from convicted cybercriminals to repay Americans who got defrauded. Not new government spending. Recycled criminal money.
The FBI estimates these scam operations steal about $12.5 billion from Americans every year. Ransomware, phishing, romance scams, sextortion, all of it. The order also sets up a National Coordination Center pulling in multiple agencies to disrupt transnational criminal orgs, and directs the State Department to pressure countries that harbor them. Sanctions, visa restrictions, diplomatic expulsion.
If it works, it’d be the first systematic U.S. pathway to compensate cybercrime victims with seized assets. That’s genuinely new. Whether it survives the 90-day window and becomes real is another question entirely.
For businesses, the biggest near-term impact is the regulatory rollback. If the SEC’s four-day disclosure rule gets weakened, public companies get more flexibility on incident disclosure timing. CIRCIA’s mandatory reporting for critical infrastructure is also under review. Security leaders who’ve been building budgets around compliance mandates should start grounding those arguments in risk and business impact instead. The regulatory floor might be dropping.
The administration is already claiming wins: a $15 billion bitcoin seizure from a Cambodian scam company and offensive cyber operations during Venezuela detainment ops. Cairncross hinted at broader threat intelligence sharing: “How we know things is extremely sensitive; what we know is less so.”
This is a direction-setting document, not an operational plan. Watch for whether an implementation plan and budget actually follow, how CIRCIA and SEC rules actually change, and whether the 90-day victims fund deadline produces anything you can point to.