Safe Mode Podcast: "What comes next for Trump's cybersecurity plan?"
Date: March 12, 2026
Host: Greg Otto (Cyberscoop)
Guests: Tim Starks (Cyberscoop) & Mike Duffy (Federal CISO)
Overview
This episode of Safe Mode Podcast dissects the newly released cybersecurity strategy by the Trump administration. Host Greg Otto and senior reporter Tim Starks break down the content, contradictions, and future implications of the administration's plan, especially its six core pillars and focus areas such as software liability, state-level responsibilities, and workforce challenges. The episode also features an address by Federal Chief Information Security Officer Mike Duffy, who outlines real-world priorities and the operational reality of securing federal systems in the age of AI.
Key Discussion Points & Insights
1. Unpacking the Trump Cybersecurity Strategy
[01:11–07:22]
- Length & Structure
- The strategy is notably brief ("about seven pages," with substantial preamble and only about "two and a half pages" of actionable content).
- Main framework: Six core pillars.
- Notable Inclusions
- Surveillance: Unexpected focus on combating global surveillance, which many found ironic given the administration's expansion of domestic surveillance.
- "I wasn't expecting them to talk about surveillance, for instance... combating it nation—not, not nationwide, but worldwide." – Tim Starks [01:36]
- AI: More specificity regarding artificial intelligence than anticipated.
- Workforce Contradictions: Calls for expanding the public-sector cyber workforce contrast with previous efforts that shrank it.
- "You set up a goal that you kneecapped yourself with over the first year of your administration..." – Greg Otto [03:15]
- Contradictions & Tension
- Continues a trend from prior administrations but often reverses or undermines its own stated goals.
- "There were a lot of contradictions throughout." – Tim Starks [04:20]
2. Workforce Pipeline & Political Motivations
[05:50–06:52]
- Mass Layoffs vs. Hiring Push
- Contradictory approach: Cutting many cyber personnel, now seeking to rehire (though not necessarily prior experts).
- Trump administration appears motivated partly by concerns over "deep state" influences, intent on hiring "the right kind of people."
- Expertise Shortfall
- Losing experienced cybersecurity professionals is not easily solved by new hires; expertise cannot be replaced instantly.
3. What Comes Next? Implementation Pathways
[07:55–09:38]
- Forthcoming Initiatives
- Cyber Academy: Centralizing the federal cyber workforce pipeline, with hints at additional efforts such as an accelerator and foundry for fostering cyber talent and innovation.
- Interagency Body: New body to coordinate federal cyber offense and shape adversary behavior—including not just cyber operations, but also arrests, sanctions, and diplomatic tools.
- State-Level Pilot Programs
- Multiple pilot projects targeting critical infrastructure (e.g., beef in South Dakota, water in Texas), state law enforcement, and more.
- "Pilot programs... focus on critical infrastructure within a certain state. He mentioned beef in South Dakota... water in Texas." – Tim Starks [07:59]
- Push for more proactive state engagement, though balance between federal support and state responsibility remains ambiguous.
- "States have said we feel like the things we used to get from CISA we're not getting." – Tim Starks [09:13]
4. Software Liability: Industry Tensions & Regulatory Ambiguity
[09:38–12:46]
- Contradictory Messaging
- The plan voices a desire for increased vendor accountability, but recent policies (e.g., making software bills of materials [SBOMs] voluntary) undercut these ambitions.
- "OMB rescinded a memo a couple months ago where they basically put SBOMs on the back burner..." – Greg Otto [10:26]
- Industry Pushback
- Imposing liability would require law, regulation, or litigation—for which there is little industry enthusiasm.
- "It's a fundamentally confrontational thing to say..." – Tim Starks [11:29]
- Acknowledges complexity: No simple legislative solution, and actual robust action seems unlikely.
- "What does that even look like? How do you really, truly write a legislation that would work? It's such a complicated, thorny problem." – Tim Starks [12:19]
5. Implementation Uncertainty & What’s Next
[12:46–14:33]
- Lack of Specifics
- Awaiting concrete implementation guidance or executive orders; initial signs suggest a gradual, piecemeal approach rather than a single comprehensive plan.
- "I don't know if we're going to get... either of those things or if we're going to get kind of a trickle of things..." – Tim Starks [13:11]
- Possibility of executive actions, further guidance, or follow-up documents remains open.
6. Federal CISO Mike Duffy: Operational Reality & Priorities
[15:40–28:10]
The AI Era and Policy Adaptation
- Inflection Point
- U.S. cyber policy must move from reactive to proactive, adapting to AI's operational reality:
- "We've clearly crossed that threshold... to actually kind of an operational reality in cybersecurity when it comes to the use of artificial intelligence." – Mike Duffy [16:05]
- Policies must be enduring and adaptable, reflecting lessons learned but anticipating future threats.
- "We have to react but not be volatile. We need to be forward thinking and vigilant, but not overwrought." [16:55]
Core Priorities for 2026
- Three Strategic Pillars
- Enterprise Cyber Defense
- Cohesive, whole-of-government approaches to investment and response.
- Operational Resilience
- Maintaining mission capability despite persistent and changing threats.
- Securing a Modern Government
- Addressing new technological realities (e.g., cloud, AI) through modernized approaches.
Notable Quotes & Initiatives
- On Coordinated Response:
- "Cross-agency teams can no longer respond to massive cyber incidents... with sharing emails and phone calls and PDF files on threat intelligence. This is a different time." [19:44]
- First government-wide tabletop exercises to identify gaps in readiness and coordination.
- On Rationalizing Tech Stacks:
- Focused on reducing "bloat" and empowering CISOs for more strategic and nimble action during crises.
- On AI-Driven Defense:
- "We're working with agencies to transform the way that they're doing cyber defense, enabling faster detection, predictive analysis, targeted response at machine speed." [22:45]
- Private Sector Parallel:
- Government shouldn't lag behind private sector innovation; must "be there at the front of that line" and "lead the way in certain areas." [26:20]
Memorable Moments & Notable Quotes
- "You set up a goal that you kneecapped yourself with over the first year of your administration." — Greg Otto [03:15], on workforce contradictions
- "If you lose expert personnel, it's not like you can just suddenly hire another cyber expert, like, okay, bring in some more cyber people. It's not that easy." — Tim Starks [06:36]
- "Pilot programs... focus on critical infrastructure within a certain state. He mentioned beef in South Dakota... water in Texas." — Tim Starks [07:59]
- "It's a fundamentally confrontational thing to say, hey, you software companies, we're going to make you so that you are responsible for this in some way, shape or form." — Tim Starks [11:29]
- "We can't wait for the next crisis to inspire our action." — Mike Duffy [17:55]
- "Federal agencies... need to be there at the front of that line, in fact, sharing those use cases, those lessons learned, those insights as we lead the way in certain areas." — Mike Duffy [26:20]
Timestamps for Key Segments
- [01:11–07:22] Trump strategy structure, notable inclusions, and contradictions
- [07:55–09:38] State pilot programs and federal-state responsibilities
- [09:38–12:46] Software liability and regulatory challenges
- [12:46–14:33] Implementation uncertainty and possible next steps
- [15:40–28:10] Mike Duffy's remarks on federal cyber priorities and operational adaptation in the AI era
Conclusion
This episode offers an essential primer on Trump’s new cybersecurity plan: its high-level ambitions, its internal contradictions, and the combination of political, practical, and technical forces shaping what comes next. Both the journalistic and federal implementation perspectives underscore the complexity and urgency of cybersecurity in 2026—especially given the challenges posed by a rapidly evolving threat landscape and the integration of AI across government operations.
