White House Unveils 6-Pillar Cyber Strategy While CISA Gets Sidelined on AI Security

On Tuesday, February 4th, White House National Cyber Director Sean Cairncross spoke at the IT Industry Council's Intersect Summit and unveiled the skeleton of a forthcoming national cybersecurity strategy. According to Federal News Network, it's built around six pillars: shaping adversary behavior, regulatory environment and industry collaboration, securing and modernizing the federal government, securing critical infrastructure, maintaining dominance in emerging technologies, and mitigating the cyber skills and workforce gap.

The inclusion of workforce gap mitigation is notable. Washington has ignored the problem for years.

CISA Is Being Left Out of the Room

Axios reported that CISA — the Cybersecurity and Infrastructure Security Agency, the organization literally created to be America's cyber defense hub — is being sidelined as the White House scrambles to build its own AI security architecture. Instead of running through CISA, the administration is constructing new frameworks around it.

The Department of Homeland Security plans to stand up an AI Information Sharing and Analysis Center — a new body that sits alongside, not inside, CISA. That's a bureaucratic end-run around the agency that has the existing expertise, existing relationships with private sector infrastructure operators, and existing legal authority.

Duplicating that structure makes the response slower and more confused.

CIRCIA Still Not Done — Three Years Later

CIRCIA — the Cyber Incident Reporting for Critical Infrastructure Act — was passed in 2022. It requires critical infrastructure companies to report cyberattacks within 72 hours. According to CISA's own Nick Andersen, executive assistant director for cybersecurity, the final regulations still haven't taken effect. The administration delayed the proposed 2024 rule until May 2026.

A law passed three years ago — designed to make sure the government actually knows when hackers hit power grids, water systems, and financial networks — still has no enforceable regulations.

Industry groups complained the 2024 proposed rule was too broad. Negotiating changes is reasonable. But a four-year runway to finalize incident reporting rules for critical infrastructure is unacceptable when Chinese and Russian state actors are actively probing those same systems right now.

What the Strategy Signals

Cairncross's framework offers more substance than the vague gesturing the Biden administration offered in its 2023 National Cybersecurity Strategy. The explicit inclusion of "shaping adversary behavior" and "maintaining dominance in emerging technologies" signals a more aggressive, offensive-minded posture — the right call.

The framing around "regulatory environment and industry collaboration" will be the real test. The conservative instinct — correct in principle — is that government should get out of the way of the private sector. But cybersecurity is different. When a ransomware gang shuts down a hospital or a pipeline, that's a national security failure, not just a business problem. Smart regulation here isn't government overreach. It's infrastructure defense.

Whether this administration can thread that needle without letting industry lobbyists gut enforcement teeth remains to be seen.

The CISA Question

Left-leaning outlets are framing the CISA sidelining as a chaotic White House stumbling into dangerous territory. The internal disorder is real.

But there's a legitimate reason the administration might want to build new AI security structures: CISA under the Biden era became ideologically compromised. The agency got dragged into domestic "disinformation" policing — work it had no statutory authority to do. Rebuilding trust with that institution takes time.

Right-leaning outlets are mostly ignoring this story entirely. If China is the "pacing threat" — and every serious defense analyst says it is — then fumbling the AI cybersecurity architecture is a strategic failure.

The Practical Impact

If you run a hospital, a water utility, an energy company, or a bank, you are still operating without final CIRCIA rules. You still don't have clarity on exactly what you're required to report, to whom, and when. The agency nominally responsible for helping you respond to attacks is being shuffled to the side while a new center gets stood up from scratch.

Cairncross's six pillars sound good on paper. But pillars without foundations are just columns waiting to fall.

The strategy preview is a step forward. The CISA sidelining is a step backward. Right now those two things are happening simultaneously — and nobody at the top seems to think that's a problem worth explaining.