Last Friday, the White House released President Trump’s Cyber Strategy for America, the most assertive presidential cybersecurity posture statement I’ve read in my career. It names adversaries directly. It treats offensive cyber operations as a legitimate instrument of national power. And it says something that needed to be said for a long time: the private sector isn’t a bystander in this fight, it’s a principal.
I mean that praise sincerely. The strategy’s six pillars, from shaping adversary behavior to building the cyber workforce, reflect a maturity of thinking that has been absent from federal cyber policy for years. The emphasis on removing burdensome regulation while raising the bar on actual security outcomes is the right balance. The explicit call to modernize federal networks and accelerate cloud adoption is overdue.
This week, dozens of cybersecurity CEOs will publish blogs that say exactly what I just said. They’ll applaud the strategy, quote their favorite pillar, and pivot to why their company was already doing it. You’ll read those blogs, nod politely, and forget them by Thursday.
I’d rather talk about what the strategy doesn’t say. Because what it misses may matter more than what it gets right.
The Surface Nobody’s Defending
Pillar Three calls for modernizing federal networks through zero-trust architecture and cloud transition. Pillar Four calls for securing critical infrastructure, energy grids, financial systems, and hospitals. Both pillars assume something that isn’t true: that once we move to the cloud, the network connecting those workloads is somehow already secure.
It isn’t.
The cloud network, the east-west traffic between workloads, applications, and services inside AWS, Azure, GCP, and OCI, is the largest unguarded attack surface in enterprise infrastructure today. We spent three decades building sophisticated perimeter defenses for on-premises networks. Then we migrated everything to the cloud and left the network layer between workloads essentially unmonitored, unsegmented, and unenforced.
We locked the front door and moved everything to a building with no walls.
This is the architectural reality of every major enterprise and federal agency running in the cloud right now. The strategy calls for zero trust, and that’s the right framework. But zero trust has been implemented almost entirely at the identity and access layer, verifying who gets in. Almost nobody is verifying what happens once they’re inside the network.
AI Agents Just Made This Urgent
This brings me to the strategy’s most forward-looking section. Pillar Five calls for sustaining American superiority in emerging technology, and it specifically names two things: securing the AI technology stack and promoting the secure deployment of agentic AI.
That language is significant. The White House is acknowledging that AI agents — autonomous software that can discover, decide, and act without human intervention — are coming to enterprise networks at scale. What the strategy doesn’t address is where those agents actually operate.
Their primary activity is traversing the cloud network to access the workloads and data needed to fulfill their objective: moving laterally between workloads at machine speed, discovering resources, making API calls, and taking autonomous action across the very network layer that nobody is watching.
This is the collision the strategy doesn’t name: Pillar Three’s push to modernize into the cloud and Pillar Five’s embrace of agentic AI converge at the same place, the cloud network. The strategy treats them as separate priorities. In practice, they are the same problem.
And it’s not just malicious agents we need to worry about. The majority of enterprises deploying AI agents for legitimate business purposes (automating workflows, managing infrastructure, processing data) are sending autonomous software across cloud networks with little to no inspection, segmentation, or governance. The attack surface isn’t just from adversaries. It’s from our own innovation outpacing our security architecture.
What I’ve Seen in Washington
I’ve spent the past several months engaging with policy leaders in Washington on this exact issue, meeting with White House officials, working with CISA through the Next Gen Coalition, and engaging with Congressional leaders who are drafting legislation on cloud network infrastructure security.
What I’ve learned is that the people shaping national cyber policy deeply understand endpoint security, identity management, and zero trust access. They’ve been well-briefed by an industry that excels at those layers. But the cloud network layer is new territory for most of them, because the industry hasn’t been talking about it.
That’s not a criticism, it’s a gap that the private sector has a responsibility to close. My job when I’m in Washington isn’t to sell a product. It’s to make sure the people writing these policies understand where the actual attack surface is. Because policy that doesn’t account for the cloud network is policy that protects the perimeter of a building that no longer exists.
Three Things This Strategy Needs Next
The Cyber Strategy for America is a strong foundation. Here’s how I believe it should be extended:
First, cloud network security standards. Pillar Three’s call for zero-trust architecture needs specific guidance on securing lateral traffic inside multicloud environments. The current zero-trust frameworks focus almost entirely on north-south traffic: who gets in and out. We need equivalent standards for east-west traffic: what moves between workloads once inside.
Second, AI agent traffic visibility. Pillar Five should mandate that enterprises can observe and govern how AI agents move across their cloud networks before those agents are deployed at scale. You cannot secure what you cannot see, and right now, most organizations have zero visibility into autonomous agent behavior at the network layer.
Third, public-private cloud security coalitions. Pillar One’s offensive posture requires real-time threat intelligence sharing. Today, that sharing happens primarily at the endpoint and perimeter. We need intelligence sharing at the cloud network layer, where the next generation of attacks — and the next generation of enterprise AI — actually operates.
An Invitation, Not a Critique
I want to be clear: this is the strongest cybersecurity posture statement from any administration I’ve seen. The strategic intent is right. The tone is right. The emphasis on private sector partnership is exactly what this moment requires.
What I’m offering isn’t criticism, but a commitment. The cloud network is where American enterprise and government infrastructure actually lives now, and it’s the surface that adversaries — and our own AI agents — will increasingly exploit. The strategy tells us what to defend. Let’s make sure we’re defending the right surface.
I look forward to continuing the work in Washington to help close this gap — not as a vendor, but as a builder who understands where the walls need to go.