In the first of this two-part blog series, SecAlliance analysts provide insight into the direction of US cyber policy.
Mistrust and anxiety over cyber threats and intelligence sharing are increasingly surfacing. From the temporary suspension of US intelligence feeds to Ukraine, to ongoing concerns in Washington over burner phones and espionage, European capitals are watching closely — and questioning the reliability and intentions of their most powerful ally in cyberspace. Yet beneath the headlines lies a more complex, and potentially recalibrated, reality.
To borrow from Donald Rumsfeld’s often-quoted framework: there are known knowns, known unknowns, and unknown unknowns. What follows concerns only the “known knowns” - public statements, executive orders, and accessible reports - while acknowledging the full picture remains partially obscured behind closed doors.
These observable signals are what drive the current sense of cautious recalibration. Tensions are real, and transatlantic anxiety is high, but that anxiety may reflect domestic political turbulence in the US more than any deliberate cyber shift away from its allies. The central question is whether these recent warnings and suspicions point to genuine changes in US cyber strategy - or whether they merely echo the noise of Washington’s internal strife. To address that, we must first separate signal from noise, and then scrutinise what US cyber intent actually is - and what it is not.
It is entirely understandable that those in Europe are watching Washington with increased vigilance, with Washington’s mixed signals and tumultuous foreign policy contributing to a distinct sense of unease. But recent European moves - such alleged EU guidance to staff on using burner phones in the US - are not direct evidence of US hostility in cyberspace. (To be fair the European Commission later denied issuing such guidance, but the rumour itself was telling).
Reports in March 2025 also indicated that Washington had ordered a pause in US CYBERCOM’s offensive operations impacting Russia, just as European leaders were emphasising the Russian threat. Adding to the tensions, in April 2025 the Wall Street Journal reported that US agencies had quietly been tasked with intensifying espionage on Greenland and Denmark to identify local officials sympathetic to Washington’s ongoing bid for the island.
Several incidents have also raised doubts about the reliability of the US as a partner. Reports in March 2025 indicated that former British ambassadors to the US, as well as partners outside of the Five Eyes alliance - namely Israel and Saudi Arabia - feared intelligence and identities of foreign assets could inadvertently be shared with Moscow. Concerns about poor operational security (OpSec) were exacerbated by the now-infamous ‘Signal gate’ affair, in which then-National Security Adviser Waltz shared HUMINT-sourced details of an active strike on a Houthi operative in an unsecured Signal chat.
Meanwhile, further reports of issues over poor OPSEC paint a portrait not of deliberate US hostility, but rather of significant collateral risk.
The turbulence associated with a populist administration in Washington has, of course, compounded these concerns. For example, the abrupt nature of the March 2025 decision to temporarily suspend real-time SIGINT sharing with Kyiv and halt US intelligence feeds critical to Ukraine’s battlefield precision, while framed by Washington as a diplomatic lever, significantly rattled allies. Washington’s unpredictability may have also driven Kyiv to turn to France (and Japan) for geospatial support, and likely spurred EU discussions about an independent military-satellite network. Wider European voices have raised concerns over the direction of US policy and reliability of the US as an ally, Germany is calling for a ‘Euro Eyes’ intelligence network, while member states are enacting new bilateral partnerships and directly criticising the Trump administration’s wider relations with Russia. However, these developments do not necessarily constitute a US cyber turn against Europe.
The March pause in CYBERCOM strikes, in particular, was misread: officials later clarified that only select, provocative offensive actions against Russia were delayed for one day amid diplomatic talks on Ukraine. NSA activities were also never impacted. Reports of US espionage in Greenland and Denmark are also likely in reality part of more routine intelligence operations, rather than direct evidence of hostile intent: every major intelligence service almost certainly routinely collects and collates information on foreign leaders, often via open-source research and intelligence collection rather than via cyber-enabled espionage.
As one former official noted: “Intelligence collection resources are inherently limited”, meaning they are typically aimed at “perceived threats, not allied countries”. These revelations only indicate increased US interest in Greenland – and in line with public comments – do not necessarily increase the cyber threat emanating from Washington.
Closer investigation of Washington’s priorities further negates the idea of US intent to target its allies in the cyber domain.
In January 2025, President Trump signed a flurry of Executive Orders recalibrating America’s posture. He declared a national emergency at the southern border, bolstered measures against state adversaries like China, and - crucially - designated both Latin American drug cartels and the Houthis as Foreign Terrorist Organizations (FTOs), potentially laying the legal groundwork for cyber-enabled disruption of their digital and financial networks.
The 2025 ODNI Annual Threat Assessment confirms this hierarchy, naming China as the ‘most significant military and cyber threat’, followed by Russia, Iran, North Korea and transnational criminal or terrorist networks - including newly designated cartels. No mention has been made of Europe, except in the wider context of shared threats from these adversaries.
Personnel choices reinforce these strategic priorities, with the US taking a more aggressive – yet still tightly scoped – posture in cyberspace. Former National Security Advisor Mike Waltz (reassigned in May 2025) discussed use of offensive cyber actions, including sabotage, blocking access and disrupting systems to deter China and other actors, with Senior Director for Cyber at the National Security Council Alexei Bulazel also emphasising the need for a more offensive strategy.
The wider ‘persistent engagement’ strategy of US CYBERCOM, encompassing ‘hunt forward ’operations disrupting adversarial malware within allies’ networks, underpins the precedent of offensive operations. Crucially, these strategies are aimed at hostile actors – such as China - with no indication of intent to weaponise these capabilities against an ally like Europe.
Despite undoubtedly heightened tensions, wider intelligence alliances like Five Eyes also continues to function as normal, with signals intelligence (SIGINT) in particular reportedly flowing smoothly among the US, UK, Canada, Australia and New Zealand. Officials have also separately emphasised the deep interdependence within the Five Eyes alliance, especially in SIGINT, which makes sidelining any one member – no matter how challenging their respective governments - difficult.
Per TheEconomist, each member contributes distinct capabilities: Canada leads in Arctic SIGINT, the UK in cryptography and Australia in Asia-Pacific surveillance. The alliance functions with minimal formal governance, operating largely under the informal norm that ‘America makes the rules’.
So the idea that the US would therefore deliberately conduct a cyber operation targeting members of Five Eyes remains highly unlikely and ultimately self-defeating: it would risk operational spillover into allied networks and undermining the very cohesion the alliance depends on.
Rather than the US emerging as a hostile actor, current affairs rather have laid bare the fragility of depending heavily on a single partner. Vice President J.D.Vance captured this shift in mid-April 2025: when he stated: “It’s not good for Europe to be the permanent security vassal of the United States”.
Far from signalling disengagement, this underscores a long-running American call for transatlantic burden-sharing. Former US President Obama voiced similar frustrations in a 2016 interview with Jeffrey Goldberg of SignalGate fame: “But what has been a habit over the last several decades in these circumstances, is people pushing us to act but then showing an unwillingness to put any skin in the game”. This underlying message is not new. What has changed is Europe’s apparent readiness to take that message seriously.
So, is Europe’s view of the US as a cyber adversary justified?
The “known knowns” - official statements, executive orders and open reports - tell a consistent story: the US continues to largely prioritise more traditional adversaries - China, Russia, Iran, North Korea and transnational networks - not allies in Brussels, Berlin, London or Paris.
As of this writing, there is no public indication of US cyber hostility toward Europe. The challenge lies less in hostile US cyber actions, and more in the exposure created by the turbulence that a populist administration brings. The landscape remains fluid, and continued monitoring is necessary. For now, today’s transatlantic jitters are better understood as a reaction to US domestic volatility and not as definitive proof of a covert American turn against its partners in the cyber domain.
SecAlliance produces monthly Geopolitical analysis and bi-annual PESTLE-M Horizon Scanning for the cyber domain that is released to its ‘ThreatMatch Access’ clients. For details on ThreatMatch subscriptions please contact info@secalliance.com
