How does the legislative and regulatory agenda in the US trade between security and privacy in cyberspace? How can we explain the shift in the agenda towards more security and less privacy in the past 20 years? In order to answer these questions, I use an original dataset (N=85) of US federal laws and regulations on security and privacy between 1967 and 2016. Within the database, each policy event is classified according to the extent that security and privacy compete or complement each other. The findings indicate: (1) a shift in US federal policies towards greater security at the expense of privacy since the mid-1990s; and (2) a consistent lack of mandatory cyber security and privacy protections in the private sector. I explain this shift through emphasising: (1) the broken interest alliance over privacy between businesses and civil society organisations; (2) the increased power of the executive vis-à-vis Congress; and (3) the institutional position of security agencies and internet monopolies in the online environment. The contribution of this study stems from its empirical focus on the ambivalent role of the state in cyberspace over time. I trace the way the state promotes cyber security and privacy while increasingly collecting information or allowing others to do so at the expense of privacy and cyber security. Understanding how the state chooses between security and privacy increases our understanding of how governments manage cyberspace risks in the digital age.