Srsly Risky Biz: Trump's Cyber Strategy… Great, Amazing, The Best Yet
Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Amberleigh Jack. This week's edition is sponsored by Thinkst.
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

President Donald Trump's Cyber Strategy contains an ambitious array of worthwhile goals. The administration's actions over the past year, however, directly undermine many of them, with one exception. It raises the question: Can aggressive offensive cyber action compensate for lukewarm defensive efforts?
The strategy, released last Friday, one-ups the Biden-era equivalent, at least superficially. Rather than five pillars, this one has six:
- Shape Adversary Behaviour
- Promote Common Sense Regulation
- Modernize and Secure Federal Government Networks
- Secure Critical Infrastructure
- Sustain Superiority in Critical and Emerging Technologies
- Build Talent and Capacity
The strategy's overall vibe is dominated by that first pillar: "Shape Adversary Behaviour". President Trump's foreword describes using cyber power for "disrupting and disorienting our adversaries". He concludes that "American Power will finally stand up in cyberspace".
The strategy's introduction expands on that same theme. It lauds cyber operations for supporting the "globe-spanning operation to obliterate Iran's nuclear infrastructure" and "leaving our adversaries blind and uncomprehending" during the capture of Venezuelan President Nicolás Maduro.
Although the language is far more aggressive, the first pillar feels like a continuation of one in the 2023 strategy: "Disrupt and dismantle threat actors".
One significant difference, though, is a commitment to "unleash the private sector by creating incentives to identify and disrupt adversary networks". This is the kind of game-changing thinking we look for in strategy documents. Even something as incremental as encouraging internet giants to be more active in tackling cybercrime would be a good start.
Unfortunately, the idea is just one in a string of bold promises in this pillar and would be one of the harder ones to implement. It would require detailed policy work and careful consideration of tradeoffs, which is not exactly what we've come to expect from the current administration.
"Shape Adversary Behaviour" is the strategy's one pillar where the rhetoric does match the Trump administration's preference for aggressive action. So we expect that we'll be hearing a lot more about hard-hitting cyber operations. After all, it's not a demonstration of American cyber power if it is kept secret!
We'd love to say the rest of the strategy contains motherhood statements, but that would be overly optimistic. Too many goals in the remaining pillars have been preemptively undermined by actions taken by the Trump administration.
Take "Modernize and Secure Federal Government Networks", for example, which contains many worthy goals. It promises the government will elevate the importance of cyber in government leadership, implement cyber security best practices and "use the best technologies and teams to constantly test and hunt for malicious actors on federal networks". But you can't do all these wonderful things with one hand while dramatically cutting Cybersecurity and Infrastructure Security Agency staff with the other.
Under "Sustain Superiority in Critical and Emerging Technologies", the government says it will secure the AI technology stack, promote innovation in AI security, rapidly adopt the technology and secure the data, infrastructure and models that underpin US leadership. It will also "call out and frustrate the spread of foreign AI platforms that censor, surveil, and mislead their users". (Whether domestic AI platforms have the go-ahead to censor, surveil and mislead is left unstated.)
We'd love to know how the administration intends to do this. We could get behind something like a small-scale Operation Warp Speed to achieve some of these goals and drive adoption of AI in government.
But instead, the administration has picked a fight with leading AI company Anthropic. Last week the Department of Defense formally labelled the company a supply chain risk after a very public battle over how its technology could be used.
So win the AI race by attacking your own companies? That hardly feels like a focussed effort to develop capability.
We also have concerns about "Promote Common Sense Regulation". It states that defence should not be a "costly checklist" and promises to "reduce compliance burdens". This is a real problem, and just this week a Government Accountability Office report determined that there is confusing and unnecessary overlap between different federal regulations.
We are worried, however, that the overriding motivation here is not sensible regulation, but simply less regulation. According to the strategy, streamlining cyber security regulations will "ensure that the private sector has the agility necessary to keep pace with rapidly evolving threats". If only regulations weren't such an impediment, companies would be so much better at security!
The final two pillars, "Secure Critical Infrastructure" and "Build Talent and Capacity", haven't been undermined by government actions recently. But both are Sisyphean, long-term challenges. We expect we'll see incremental progress.
The current administration is fully behind the first offensive pillar, though.
It leaves us wondering whether going all in on aggressively countering cyber adversaries will make up for half-hearted commitment to the rest of the strategy.
Even very effective takedowns and disruptive cyber operations are speed bumps rather than roadblocks. They slow adversaries, but don't stop them. The US government took down Volt Typhoon's botnet, for example, but that didn't stop the group for good.
Of course, there is no magic bullet that will stop America's cyber adversaries. Slowing them down is about the best that can be hoped for, so we fully endorse this.
We just hope the other pillars will get a bit of love now the strategy has been released.
Exploits Are Too Valuable To Be Kept Secret
This week, both Risky Business Media and TechCrunch independently confirmed that the Coruna exploit kit was developed by Trenchant, a division of US contractor L3Harris. This drives home the risk that advanced cyber espionage capabilities developed by private sector contractors will be misused by adversaries. But the benefits of having these capabilities on hand still outweigh the risks of abuse.
The kit was discovered by Google's Threat Intelligence Group. There is also complementary analysis from mobile device security firm iVerify and from security researcher Daniel Wade. On this week's Risky Business podcast, hosts Patrick Gray, Adam Boileau and James Wilson discuss the "truly exquisite" Coruna exploits. And if you want even more technical detail, Risky Business Enterprise Technology Editor James Wilson takes a ridiculously deep dive in this solo podcast.
In February this year, the former general manager of Trenchant, Peter Williams, was sentenced to seven years in prison after pleading guilty to selling exploits to the Russian 0day broker Operation Zero.
One concern regarding state cyber programs is that advanced cyber capabilities will be stolen and used maliciously. The WannaCry and NotPetya attacks in 2017, for example, both used the EternalBlue exploit that was stolen from NSA by the Shadow Brokers. These attacks caused damages ranging from hundreds of millions to billions of dollars.
Prior to the Snowden leaks in 2013, it was rare to see leaks of damaging cyber-related material. Since then we've seen the Shadow Brokers leaks in 2016, Vault 7 in 2017, and now Coruna.
At this point we'd have to concede that critics of these programs are right. Exploits will leak, at least sometimes. But even when they are stolen and misused, we think developing these capabilities is still an overall positive.
States typically take advantage of exploits for years while malicious users get a relatively short window of opportunity. For example, the NSA used EternalBlue for five years, but the vulnerability it took advantage of was quickly patched by Microsoft once it had been stolen. In fact, it was patched the month before EternalBlue was released publicly in April. WannaCry and NotPetya occurred in May and June respectively.
The Coruna situation is a bit different. In our view, the real damage is the harm to US interests if Coruna was used for espionage. Williams' first sales occurred in 2022, but Google didn't detect Coruna being used in the wild until February 2025, at which point it was "used by the customer of a surveillance company". By July it was used in a watering hole against Ukrainian websites and by December it was being used on fake Chinese crypto and gambling websites. In court documents the loss to Trenchant was asserted to be more than USD$35 million.
By the time Google released its report, Coruna was only able to target around 10% of iPhones currently in use. Trenchant's customers had an ongoing capability, but adversaries also had it for a couple of years.
At the time of Williams' guilty plea in October last year, we argued that governments need exploits and that there was still a role for private sector developers. We think these arguments still hold.
The trick from a government's perspective is to maximise the benefit while reducing the risk of these capabilities going walkabout.
It's hard to maximize those benefits by doing a lot more hacking. Operations are constrained by OPSEC considerations and the real risk that using a tool will result in it getting discovered.
So it comes down to risk, where it is much easier to clamp down on personnel security. To those exploit developers who leave government service because they get fed up with restrictive security practices, we have bad news. Get ready for body scans and bag searches.
Watch Amberleigh Jack and Tom Uren discuss this edition of the newsletter:
Three Reasons to Be Cheerful This Week:
- Tycoon 2FA takedown: The Tycoon phishing-as-a-service platform has been taken down by an international operation involving Europol and a number of European police forces acting alongside private sector stakeholders. Tycoon 2FA was designed to defeat protections such as multi-factor authentication, and Microsoft says it was responsible for around 62% of all the phishing attempts the company blocked. Microsoft seized 330 active Tycoon 2FA domains, including control panels and fraudulent login pages.
- US to prioritise tackling cybercrime and fraud: Last week President Donald Trump issued an Executive Order to ramp up the fight against transnational organised crime scam operations. This includes prioritising cyber fraud investigations and establishing a program to return recovered assets to victims. Risky Bulletin has further coverage.
- The UK to get fraud "disruption hub": The British government is launching an Online Crime Centre that will bring together government bodies such as the National Crime Agency and GCHQ alongside firms from the technology, telecom and financial sectors. The idea is that the accounts, websites and phone numbers used by criminals will be shut down or blocked as soon as they've been identified. The Centre is a result of the government's new fraud strategy and will be launched next month. The Record has further coverage.
Sponsor Section
In this Risky Business sponsor interview, Marco Slaviero, CTO of Thinkst, talks to Tom Uren about how the company ensures that it is a learning organization.
Shorts
When Deterrence is Kinetic
Last week the Israel Defense Forces said that they'd bombed an Islamic Revolutionary Guard Corps compound in Tehran that housed Iran's cyber warfare headquarters.
In the same week, Mohammad Mehdi Farhadi Ramin, an Iranian man wanted by the FBI for alleged computer crimes, was killed by US-Israeli strikes. There is also an unconfirmed report that the building housing an IRGC-related cyber group was struck.
We don't know how much damage has been done to Iran's cyber capability, but we suspect these kinds of strikes will have a far greater deterrent effect than even the best cyber operation could.
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In our last "Between Two Nerds" discussion Tom Uren and The Grugq talk about why an internet shutdown won't stop US cyber operations in Iran.
Or watch it on YouTube!
From Risky Bulletin:
Gen. Joshua Rudd confirmed as next CyberCom and NSA head: The US Senate has confirmed Army Lt. Gen. Joshua M. Rudd as the next leader of US Cyber Command and the National Security Agency.
Gen. Rudd was confirmed in a 71-29 vote on Tuesday.
He will replace Army Lt. Gen. William Hartman, who is serving as interim chief for both agencies.
Both CyberCom and NSA have been without a Congress-approved leader since President Donald Trump fired Air Force Gen. Timothy Haugh last April.
[more on Risky Bulletin]
Iranian hackers are scanning for security cameras to aid missile strikes: A sudden spike in scanning activity for internet-exposed security cameras has been recorded in Israel and countries across the Middle East. The activity has been traced back to a hacking group with ties to the Iranian government.
The scans spiked on Monday, when Iran launched missile and drone strikes in response to an Israeli and US military operation that bombed and killed its political leadership over the weekend.
Security firm Check Point says the scans targeted Hikvision and Dahua security cameras and included attempts to exploit old vulnerabilities. Scans targeted Israel, Qatar, Bahrain, Kuwait, the UAE, and Cyprus, the exact same countries where Iran carried out kinetic strikes.
[more on Risky Bulletin]
New White House EO prioritizes fight against scams and cybercrime: US President Donald Trump signed a new executive order on Friday directing federal agencies to prioritize a crackdown against foreign scam operations and predatory forms of cybercrime.
Scam-related crimes, such as business email compromise and investment fraud, have been at the top of the FBI's list of most damaging forms of cybercrime for over half a decade.
In 2024 alone, Americans lost $12.5 billion to cyber-enabled fraud schemes, a figure that will likely be surpassed when the 2025 numbers come out in April.
The new Trump EO directs the Attorney General to prioritize investigations of cyber fraud and scam schemes. Investigations will also target ransomware, phishing campaigns, and sextortion schemes.
[more on Risky Bulletin]