Trump's Cyber Strategy… Great, Amazing, The Best Yet
President Donald Trump's Cyber Strategy contains an ambitious array of worthwhile goals. The administration's actions over the past year, however, directly undermine many of them, barring one. It raises the question: Can aggressive offensive cyber action compensate for lukewarm defensive efforts?
The strategy, released on March 6, one-ups the Biden-era equivalent, at least superficially. Rather than five pillars, this one has six:
- Shape Adversary Behavior
- Promote Common Sense Regulation
- Modernize and Secure Federal Government Networks
- Secure Critical Infrastructure
- Sustain Superiority in Critical and Emerging Technologies
- Build Talent and Capacity
The strategy's overall vibe is dominated by that first pillar: "Shape Adversary Behavior." President Trump's foreword describes using cyber power for "disrupting and disorienting our adversaries." He concludes that "American Power will finally stand up in cyberspace."
The strategy's introduction expands on that same theme. It lauds cyber operations for supporting the "globe-spanning operation to obliterate Iran's nuclear infrastructure" and "leaving our adversaries blind and uncomprehending" during the capture of Venezuelan President Nicolás Maduro.
Although the language is far more aggressive, the first pillar feels like a continuation of one in the 2023 strategy: "Disrupt and dismantle threat actors."
One significant difference, though, is a commitment to "unleash the private sector by creating incentives to identify and disrupt adversary networks." This is the kind of game-changing thinking we look for in strategy documents. Even something as incremental as encouraging internet giants to be more active in tackling cybercrime would be a good start.
Unfortunately, the idea is just one in a string of bold promises in this pillar and would be one of the harder ones to implement. It would require detailed policy work and careful consideration of trade-offs, which is not exactly what we've come to expect from the current administration.
"Shape Adversary Behavior" is the strategy's one pillar where the rhetoric does match the Trump administration's preference for aggressive action. So we expect that we'll be hearing a lot more about hard-hitting cyber operations. After all, it's not a demonstration of American cyber power if it is kept secret!
We'd love to say the rest of the strategy contains motherhood statements, but that would be overly optimistic. Too many goals in the remaining pillars have preemptively been undermined by actions taken by the Trump administration.
Take "Modernize and Secure Federal Government Networks," for example, which contains many worthy goals. It promises the government will elevate the importance of cyber in government leadership, implement cybersecurity best practices, and "use the best technologies and teams to constantly test and hunt for malicious actors on federal networks." But you can't do all these wonderful things with one hand while dramatically cutting Cybersecurity and Infrastructure Security Agency staff with the other.
Under "Sustain Superiority in Critical and Emerging Technologies," the government says it will secure the artificial intelligence (AI) technology stack, promote innovation in AI security, rapidly adopt the technology, plus secure the data, infrastructure, and models that underpin U.S. leadership. It will also "call out and frustrate the spread of foreign AI platforms that censor, surveil, and mislead their users" (whether domestic AI platforms have the go-ahead to censor, surveil, and mislead is left unstated).
We'd love to know how the administration intends to do this. We could get behind something like a small-scale Operation Warp Speed to achieve some of these goals and drive adoption of AI in government.
But instead, the administration has picked a fight with leading AI company Anthropic. Last week the Department of Defense formally labeled the company a supply chain risk after a very public battle over how its technology could be used.
So win the AI race by attacking your own companies? That hardly feels like a focused effort to develop capability.
We also have concerns about "Promote Common Sense Regulation." It states that defense should not be a "costly checklist" and promises to "reduce compliance burdens." This is a real problem, and just this week a Government Accountability Office report determined that there is confusing and unnecessary overlap in different federal regulations.
We are worried, however, that the overriding motivation here is not sensible regulation, but simply less regulation. According to the strategy, streamlining cybersecurity regulations will "ensure that the private sector has the agility necessary to keep pace with rapidly evolving threats." If only regulations weren't such an impediment, companies would be so much better at security!
The final two pillars, "Secure Critical Infrastructure" and "Build Talent and Capacity," haven't been undermined by government actions recently. But both are Sisyphean, long-term challenges. We expect we'll see incremental progress.
The current administration is fully behind the first offensive pillar, though.
It leaves us wondering whether going all in on aggressively countering cyber adversaries will make up for half-hearted commitment to the rest of the strategy.
Even very effective takedowns and disruptive cyber operations are speed bumps rather than roadblocks. They slow adversaries, but don't stop them. The U.S. government took down Volt Typhoon's botnet, for example, but that didn't stop the group for good.
Of course, there is no magic bullet that will stop America's cyber adversaries. Slowing them down is about the best that can be hoped for, so we fully endorse this.
We just hope the other pillars will get a bit of love now that the strategy has been released.
Exploits Are Too Valuable to Be Kept Secret
This week, both Risky Business Media and Techcrunch independently confirmed that the Coruna exploit kit was developed by Trenchant, a division of U.S. contractor L3Harris. This drives home the risks that advanced cyber espionage capabilities developed by private-sector contractors will be misused by adversaries. But the benefits of having these capabilities on hand still outweigh the risks of abuse.
The kit was discovered by Google's Threat Intelligence Group. There is also complementary analysis from mobile device security firm iVerify and from security researcher Daniel Wade. On this week's Risky Business podcast, hosts Patrick Gray, Adam Boileau, and James Wilson discuss the "truly exquisite" Coruna exploits. And if you want even more technical detail, Risky Business Enterprise Technology Editor James Wilson takes a ridiculously deep dive in this solo podcast.
In February this year, the former general manager of Trenchant, Peter Williams, was sentenced to seven years in prison after pleading guilty to selling exploits to a Russian zero-day broker, Operation Zero.
One concern regarding state cyber programs is that advanced cyber capabilities will be stolen and used maliciously. The WannaCry and NotPetya attacks in 2017, for example, both used the EternalBlue exploit that was stolen from the National Security Agency (NSA) by the Shadow Brokers. These attacks caused damages ranging from hundreds of millions to billions of dollars.
Prior to the Snowden leaks in 2013, it was unusual and rare to see leaks of damaging cyber-related material. Since then we've seen the Shadow Brokers leaks in 2016, Vault 7 in 2017, and now Coruna.
At this point we'd have to concede that critics of these programs are right. Exploits will leak, at least sometimes. But even when they are stolen and misused, we think developing these capabilities is still an overall positive.
States typically take advantage of exploits for years while malicious users get a relatively short window of opportunity. For example, the NSA used EternalBlue for five years, but the vulnerability it took advantage of was quickly patched by Microsoft once it had been stolen. In fact, it was patched the month before EternalBlue was released publicly in April. WannaCry and NotPetya occurred in May and June, respectively.
The Coruna situation is a bit different. In our view, the real damage is the harm to U.S. interests if Coruna was used for espionage. Williams's first sales occurred in 2022, but Google didn't detect Coruna being used in the wild until February 2025, at which point it was "used by the customer of a surveillance company." By July it was used in a watering hole against Ukrainian websites, and by December it was being used on fake Chinese crypto and gambling websites. In court documents, the loss to Trenchant was asserted to be more than $35 million.
By the time Google released its report, Coruna was only able to target around 10 percent of iPhones currently in use. Trenchant's customers had an ongoing capability, but one that adversaries also held for a couple of years.
At the time of Williams's guilty plea in October 2025, we argued that governments need exploits and that there was still a role for private-sector developers. We think these arguments still hold.
The trick from a government's perspective is to maximize the benefit while reducing the risk of these capabilities going walkabouts.
It's hard to maximize those benefits by doing a lot more hacking. Operations are constrained by operational security considerations and the real risk that using a tool will result in its getting discovered.
So it comes down to risk, where it is much easier to clamp down on personnel security. To those exploit developers who leave government service because they get fed up with restrictive security practices, we have bad news. Get ready for body scans and bag searches.
Three Reasons to Be Cheerful This Week:
- Tycoon 2FA takedown: The Tycoon phishing-as-a-service platform has been taken down by an international operation involving Europol and a number of European police forces acting alongside private-sector stakeholders. Tycoon 2FA was designed to defeat protections such as multifactor authentication, and Microsoft says it was responsible for around 62 percent of all the phishing attempts the company blocked. Microsoft seized 330 active Tycoon 2FA domains including control panels and fraudulent login pages.
- U.S. to prioritize tackling cybercrime and fraud: Last week President Trump issued an executive order to ramp up the fight against transnational organized crime scam operations. This includes prioritizing cyber fraud investigations and establishing a program to return recovered assets to victims. Risky Bulletin has further coverage.
- The U.K. to get fraud "disruption hub": The British government is launching an Online Crime Centre that will bring together government bodies, such as the National Crime Agency and the Government Communications Headquarters, alongside firms from the technology, telecom, and financial sectors. The idea is that the accounts, websites, and phone numbers used by criminals will be shut down or blocked as soon as they've been identified. The center is a result of the government's new fraud strategy and will be launched next month. The Record has further coverage.
Shorts
When Deterrence Is Kinetic
Last week the Israel Defense Forces said that they'd bombed an Islamic Revolutionary Guard Corps (IRGC) compound in Tehran that housed Iran's cyber warfare headquarters.
In the same week, Mohammad Mehdi Farhadi Ramin, an Iranian man wanted by the FBI for alleged computer crimes, was killed by U.S.-Israel strikes. There is also an unconfirmed report that the building housing an IRGC-related cyber group was struck.
We don't know how much damage has been done to Iran's cyber capability, but we suspect these kinds of strikes will have a far greater deterrent effect than even the best cyber operation could.
Risky Biz Talks
In our latest "Between Two Nerds" discussion, Tom Uren and The Grugq talk about why an internet shutdown won't stop U.S. cyber operations in Iran.
From Risky Bulletin:
Gen. Joshua Rudd confirmed as next CyberCom and NSA head: The U.S. Senate has confirmed Army Lt. Gen. Joshua M. Rudd as the next leader of U.S. Cyber Command and the National Security Agency.
Gen. Rudd was confirmed in a 71-29 vote on Tuesday.
He will replace Army Lt. Gen. William Hartman, who is serving as interim chief for both agencies.
Both CyberCom and NSA have been without a Congress-approved leader since President Trump fired Air Force Gen. Timothy Haugh last April.
Iranian hackers are scanning for security cameras to aid missile strikes: A sudden spike in scanning activity for internet-exposed security cameras has been recorded in Israel and countries across the Middle East. The activity has been traced back to a hacking group with ties to the Iranian government.
The scans spiked on Monday, when Iran launched missile and drone strikes in response to an Israeli and U.S. military operation that bombed and killed its political leadership over the weekend.
Security firm Check Point says the scans targeted Hikvision and Dahua security cameras and included attempts to exploit old vulnerabilities. Scans targeted Israel, Qatar, Bahrain, Kuwait, the United Arab Emirates, and Cyprus, the exact same countries where Iran carried out kinetic strikes.
New White House executive order prioritizes fight against scams and cybercrime: President Trump signed a new executive order on March 6 directing federal agencies to prioritize a crackdown against foreign scam operations and predatory forms of cybercrime.
Scam-related crimes, such as business email compromise and investment fraud, have been at the top of the FBI's list of most damaging forms of cybercrime for over half a decade.
In 2024 alone, Americans lost $12.5 billion to cyber-enabled fraud schemes, a figure that will likely be surpassed when the 2025 numbers come out in April.
The new Trump executive order directs the attorney general to prioritize investigations of cyber fraud and scam schemes. Investigations will also target ransomware, phishing campaigns, and sextortion schemes.
